SCIM Provisioning Settings
This page shows the automated provisioning settings that were configured for your organization.

Authentication
The Authentication section contains information you need to enter to configure automated provisioning with your provider. You can copy the Base URL by clicking the icon.
Tokens
Tokens are an extra security measure. A token is displayed only once, when it is created. However, you can create more than one token. See the procedure to learn how to create a token.
Automated Actions During Provisioning (Optional)
This section lets you see or change the options for granting Antidote access automatically. This setting is optional. The Manage access manually setting is selected by default; leave it as is if you do not want to grant Antidote access automatically. If you would like to use a different setting, click Edit to make the changes. There are three options:

- Manage access manually: Choose this option if you do not want to grant Antidote access automatically or if you want to use the SAML authentication settings you have already configured. If this option is also selected under the SAML authentication settings, no users will be automatically granted Antidote access. You can manage access manually from the Users tab in the Client Portal.
- Grant access based on groups: Choose this option to grant Antidote access to users according to groups synchronized with automated provisioning. This option is particularly useful if your organization holds multiple subscriptions and you would like to give groups access to different ones. If you have an Antidote Pro subscription, specify the application as well. For example, grant one group access to Antidote Web and another access to both Antidote 12 and Antidote Web. To register synchronized groups, click the appropriate field and type the first letters of the group name, then select it from the list of corresponding groups that appears. To remove a group, click the X beside its name. When a user is removed from a group by SCIM synchronization, Antidote access will be automatically withdrawn from that user. Likewise, users added to a synchronized group will be automatically granted access to the subscription associated with that group.
- Impose access to all users: Choose this option to automatically grant Antidote access to all synchronized users. If your organization holds multiple subscriptions, indicate which one you want to use. For Antidote Pro, make sure to specify which application (Antidote 12, Antidote Web or both).
You do not need to send out invitations from the Client Portal for users to activate their Antidote access.
Important — Access management for Antidote through automated provisioning overrides any access configured through Authentication with SAML.
Additional information
Matching SAML and SCIM attributes
The attribute emailaddress configured with SAML and the attribute userName configured with SCIM must use the same email address. Otherwise, a Druide account will be created for each email address, duplicating the user.
To see how to review SAML configuration, read the Entra ID or Google Cloud procedure.
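The following pre-flight check is an added example, not part of the Antidote documentation or tooling: it compares each user's SAML emailaddress value with the SCIM userName before provisioning is enabled, so that mismatches that would create duplicate accounts are caught first. The export layout, the join on a shared directory object id, and the function names are assumptions for illustration.

```python
# Added example (not vendor code): compare the SAML emailaddress claim with
# the SCIM userName for each user before turning on provisioning.
# Assumption: both exports can be joined on a shared directory object id,
# carried here in the SCIM externalId attribute.

def classify(saml_email, scim_username):
    """Return 'match', 'case_or_whitespace', 'missing' or 'mismatch'."""
    if not saml_email or not scim_username:
        return "missing"
    if saml_email == scim_username:
        return "match"
    if saml_email.strip().casefold() == scim_username.strip().casefold():
        # The page does not say whether the comparison is case-insensitive,
        # so report this as something to fix rather than as a match.
        return "case_or_whitespace"
    return "mismatch"


def audit(saml_claims, scim_users):
    """saml_claims: {object_id: emailaddress claim value}.
    scim_users: list of SCIM User resources (dicts with externalId, userName).
    Returns {status: [object ids]} for every user that is not an exact match."""
    findings = {}
    for user in scim_users:
        oid = user.get("externalId")
        status = classify(saml_claims.get(oid), user.get("userName"))
        if status != "match":
            findings.setdefault(status, []).append(oid)
    return findings


# Constructed sample data (not real users).
SAMPLE_SAML = {
    "u1": "ana@example.com",
    "u2": "Bo@example.com",
    "u3": "cy@example.com",   # mail attribute
    "u4": "",                 # no mail attribute set
}
SAMPLE_SCIM = [
    {"externalId": "u1", "userName": "ana@example.com"},
    {"externalId": "u2", "userName": "bo@example.com"},
    {"externalId": "u3", "userName": "cy@corp.example.com"},  # login name differs from mail
    {"externalId": "u4", "userName": "di@example.com"},
]

if __name__ == "__main__":
    for status, ids in audit(SAMPLE_SAML, SAMPLE_SCIM).items():
        print(f"{status}: {', '.join(ids)}")
```

Any user reported here should have the SAML or SCIM attribute mapping corrected before synchronization starts.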
Synchronization delay
How long it takes to update provisioned data depends on your management system’s provider. For example, Entra ID checks if data needs to be synchronized about every 45 minutes, while other systems will perform an update whenever any information is changed.
Restrictions on synchronized accounts and groups
Users and groups managed through automated provisioning are marked as “synchronized” in the Client Portal. Several features of the Client Portal are disabled for synchronized accounts and groups. Depending on how you configured your settings, you may not be able to edit a group or an account, to assign a role or to grant Antidote access.
Main contact
As a safety precaution, the organization’s main contact holds an account that is never subject to automated provisioning. If you need to change your organization’s main contact, reach out to Antidote Support.