System for Cross-Domain Identity Management (SCIM) is an open standard protocol for automating the exchange of user identity information between identity domains and IT systems. With Learnster, it can be used to provision and synchronize user information between your directory service and Learnster.
This article assumes that you are using Azure AD as your directory service, but Learnster's SCIM integration also works with other services that support SCIM, such as Okta.
SCIM can, for instance:
automatically create users in Learnster when their accounts are created in Azure AD.
automatically configure user attributes based on attributes in Azure AD.
manage the users all the way to off-boarding, where users can automatically be deleted from Learnster when removed from Azure AD.
You can read more about Microsoft's SCIM implementation here: SCIM synchronization with Azure Active Directory
Set up Azure AD SCIM for Learnster
1. If you already have an Azure AD Enterprise application for Learnster (for SSO for instance), you can reuse the same Azure AD app. In this case, please find your Learnster app in Azure AD, open it and skip to step 4 in this guide.
If you don't have a Learnster Azure AD app or want to use separate Azure AD applications for different functions, start by going to Enterprise applications and clicking the + New application button.
2. On the next page, choose + Create your own application.
3. Enter the name of the application and choose "Integrate any other application you don't find in the gallery" and click Next.
4. Click Provision User Accounts.
5. Click Get started.
6. On the "Provisioning" page, select Automatic as Provisioning Mode and fill in the Tenant URL and Secret Token fields.
You will find both the Tenant URL and Secret Token values in Learnster Studio under Settings/Integrations. Turn on Enable Azure SCIM, copy the Tenant URL and Secret Token, and paste them into Azure AD. The next step is to click the Test Connection button and then to save your configuration.
7. Under provisioning settings, you can control whether users, groups, or both are provisioned, and which users and groups are included.
Please note that before enabling the provisioning for your whole organization, you should perform a test with a test user or a small sub-group of users to make sure that you have configured the provisioning correctly. This is especially important in so-called "brownfield" scenarios where you already have users in Learnster. If you already have user accounts in Learnster, make sure to always test how SCIM will affect your existing user accounts. If you are not an Azure AD SCIM guru already, you can read how to set up a user subset in this article.
Azure AD Users Mapping
Azure AD Users are provisioned as Learnster user accounts. Learnster supports the following user attribute mappings:
Azure Active Directory User | Learnster User | Comment |
userPrincipalName | User primary email | |
userPrincipalName | Unique user identifier (SSO) | New in v14 |
IsSoftDeleted | Is user active | |
displayName | Full name | |
jobTitle | Title | |
 | Secondary email | |
preferredLanguage | Not used | |
givenName | First name | |
surname | Last Name | |
givenName | Not used | |
physicalDeliveryOfficeName | Company | Removed in v14, Company in Learnster is now mapped to companyName in AD |
physicalDeliveryOfficeName | Office | New in v14 |
streetAddress | User address street | |
city | User address city | |
state | Not used | |
postalCode | User address postal code | |
country | Country | |
telephoneNumber | Phone number | Please see comment below* |
mobile | Phone number | Please see comment below* |
facsimileTelephoneNumber | Not used | |
mailNickname | SCIM external id | |
employeeId | Not used | |
companyName | Company | New in v14, please see comment below** |
department | Not used | |
manager | Direct Manager | New in v14 |
* Please note that Learnster only accepts phone numbers formatted according to the E.164 standard. Please remove the mapping of telephoneNumber and mobile if phone numbers in your directory service do not comply with the E.164 standard. Please also note that telephoneNumber and mobile are represented as an array in SCIM (see SCIM Data Mapping for more info) and can hold multiple numbers. Learnster only supports one phone number per user. If an array with more than one number is provided, Learnster will use the first number in the array.
** Please note that Azure AD does not use the companyName SCIM mapping by default. If you want to use companyName and map it to Company in Learnster, you need to add this mapping manually in Attribute Mapping settings. When doing this, if you have an active provisioning running, you will have to click "Restart provisioning" for AD to start using your new Attribute Mapping settings.
Please see this article for in-depth attributes mapping information: SCIM Data Mapping.
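The phone number caveat above can be checked before the telephoneNumber and mobile mappings are enabled. The following is an added example, not code from Learnster or Microsoft: it audits SCIM User resources shaped like the core SCIM schema's `phoneNumbers` array, flags users whose first number is not E.164 and lists numbers that would be dropped because only the first is used. The sample users are constructed, and requiring a leading "+" is an assumption about how strictly E.164 is enforced.

```python
import re

# E.164: "+", a non-zero leading digit, at most 15 digits in total.
# Assumption: the leading "+" is required by the receiving side.
E164 = re.compile(r"^\+[1-9]\d{1,14}$")


def audit_phone_numbers(user):
    """Return a list of findings for one SCIM User resource (RFC 7643)."""
    findings = []
    numbers = user.get("phoneNumbers") or []
    if not numbers:
        return findings  # nothing mapped, nothing to reject
    # Only the first array entry is used, so only that one must validate.
    first = (numbers[0].get("value") or "").strip()
    if not E164.match(first):
        findings.append(f"first number {first!r} is not E.164")
    if len(numbers) > 1:
        ignored = [n.get("value") for n in numbers[1:]]
        findings.append(f"{len(ignored)} extra number(s) ignored: {ignored}")
    return findings


def audit_users(users):
    """Map userName -> findings, only for users that have findings."""
    report = {}
    for user in users:
        findings = audit_phone_numbers(user)
        if findings:
            report[user.get("userName", "<no userName>")] = findings
    return report


# Constructed sample resources, not real directory data.
SAMPLE_USERS = [
    {"userName": "anna@example.com",
     "phoneNumbers": [{"type": "work", "value": "+46701234567"}]},
    {"userName": "bo@example.com",
     "phoneNumbers": [{"type": "work", "value": "070-123 45 67"}]},
    {"userName": "cia@example.com",
     "phoneNumbers": [{"type": "work", "value": "+4681234567"},
                      {"type": "mobile", "value": "0046 70 765 43 21"}]},
    {"userName": "dan@example.com"},
]

if __name__ == "__main__":
    for name, findings in audit_users(SAMPLE_USERS).items():
        print(name, "->", "; ".join(findings))
```
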
Azure AD Groups Mapping
Azure AD Groups are mapped as Tags in Learnster. Tags are automatically created in Learnster for provisioned AD Groups and group members are automatically tagged with the corresponding group tags. Azure AD Groups are mapped as follows:
Azure Active Directory Group | Learnster Tag |
displayName | Tag name (A numbered suffix is automatically added to the tag name if it already exists to avoid conflicts) |
objectId | SCIM external id |
members | Members (as users in Learnster) are automatically tagged with the tag |
Attribute Mapping
You can control what attributes should be provisioned under Attribute Mapping settings in Azure AD (please note, Azure AD will show more mappings by default than are actually used, view mappings above to see which ones are used):
8. It's recommended to configure a notification email under Settings.
9. Once you're ready with your configuration, don't forget to enable it under Status/Provisioning Status. Please note that it's always recommended to test user provisioning with a smaller subset of users before you put it into production. You can learn how to set up Azure AD to synchronize a subset of users in this article.