SCIM Provisioning
This feature is only available in ArangoGraph Enterprise.
ArangoGraph provides support to control and manage members access in ArangoGraph organizations with the System for Cross-domain Identity Management (SCIM) provisioning. This enables you to propagate to ArangoGraph any user access changes by using the dedicated API.
To enable the SCIM feature, get in touch with the ArangoGraph team via Request Help, available in the left sidebar menu of the ArangoGraph Dashboard.
About SCIM
SCIM, or the System for Cross-domain Identity Management specification, is an open standard designed to manage user identity information. SCIM provides a defined schema for representing users, and a RESTful API to run CRUD operations on these user resources.
The SCIM specification expects the following operations so that the SSO system can sync the information about user resources in real time:
GET /Users
- List all users.GET /Users/:user_id
- Get details for a given user ID.POST /Users
- Invite a new user to ArangoGraph.PUT /Users/:user_id
- Update a given user ID.DELETE /Users/:user_id
- Delete a specified user ID.
ArangoGraph organization administrators can generate an API key for a specific organization. The API token consists of a key and a secret. Using this key and secret as the Basic Authentication Header (Basic Auth) in SCIM provisioning, you can access the APIs and manage the user resources.
To learn how to generate a new API key in the ArangoGraph Dashboard, see the API Keys section.
When creating an API key, it is required to select an organization from the list.
Enable SCIM provisioning in Okta
To enable SCIM provisioning, you first need to create an SSO integration that supports the SCIM provisioning feature.
- To enable SCIM provisioning for your integration, go to the General tab.
- In the App Settings section, select Enable SCIM provisioning.
- Navigate to the Provisioning tab. The SCIM connection settings are displayed under Settings > Integration.
- Fill in the following fields:
- For SCIM connector base URL, use
https://cloud.arangodb.com/api/scim/v1
- For Unique identifier field for users, use
userName
- For SCIM connector base URL, use
- For Supported provisioning actions, enable the following:
- Import New Users and Profile Updates
- Push New Users
- Push Profile Updates
- From the Authentication Mode menu, select the Basic Auth option. To authenticate using this mode, you need to provide the username and password for the account that handles the SCIM actions - in this case ArangoGraph.
-
Go to the ArangoGraph Dashboard and create a new API key ID and Secret.
Make sure to select one organization from the list and do not set any value in the Time to live field. For more information, see How to create a new API key.
- Use these authentication tokens as username and password when using the Basic Auth mode and click Save.