With a subscription to Holaspirit Enterprise Plan, you can sync Holaspirit directly with your identity provider to enable automated provisioning and de-provisioning of your users.
🚀 SCIM User Provisioning is included with Holaspirit Enterprise plan.
About User Provisioning
Automated user provisioning allows for a direct sync between your identity provider and your Holaspirit organization. You no longer need to manually create user accounts when someone joins the company or moves to a new team.
Automated de-provisioning reduces the risk of information breaches by removing access for people who leave your company. We automatically remove people when they leave the company.
Configuration
SCIM User Provisioning is available on Holaspirit.
It works well with SAML, but the two can also be used separately.
If you’d like to provision users with SCIM, you must complete these two steps:
First step: Copy your provisioning key from Administration -> Users -> Provisioning
Second step: Configure SCIM in your IdP with the following information:
SCIM URL (or Tenant URL):
https://app.holaspirit.com/api/scim/2.0
Secret Token (Bearer): The provisioning key from the first step
Note: If no license is available in the subscription, the user account will be created as inactive. An admin can change the user's privilege later on.
Limitations
Soft delete is not implemented: use hard delete or suspend
Groups are not implemented: Send only Users
Attribute Mappings
In your IdP configuration you will have an "Attribute Mappings" section that determines which fields are sent to Holaspirit.
Here is the list of fields that we will save on Holaspirit:
email
user.firstname
user.lastname
language
timezone
phones[type=work].value
addresses[type=work].value (will be saved to "Locations")
active (only available when updating a member; possible values: "true" or "false"). When set to "false", the member will be suspended.
If other fields are sent, we will ignore them silently.
Troubleshooting
If you experience this error:
{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":400,"detail":"{'emails': ['This field is required.']}"}
You should change the mapping of the User as below.
emails[type eq "work"].value needs to be mapped to userPrincipalName (that is, if userPrincipalName is where the email is).
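The check below is an added example, not Holaspirit code. It reads the 400 body quoted above and tests a SCIM resource against the rules this page states before the IdP sends it. The function names and sample resources are constructed for illustration; the attribute names assume a standard SCIM 2.0 core User payload.

```python
import ast
import json

SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"

# Error body quoted in the Troubleshooting section of this page.
PAGE_ERROR = (
    '{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":400,'
    '"detail":"{\'emails\': [\'This field is required.\']}"}'
)
# Constructed samples: a create with an empty email mapping, and a suspend update.
NO_EMAIL = {"schemas": [SCIM_USER], "userName": "jane@example.com",
            "name": {"givenName": "Jane", "familyName": "Doe"}, "active": True}
SUSPEND = {"schemas": [SCIM_USER], "active": False,
           "emails": [{"type": "work", "value": "jane@example.com"}]}

def rejected_fields(error_body):
    """Return {field: [messages]} from a SCIM 400 body like the one on this page."""
    err = json.loads(error_body)
    if SCIM_ERROR not in err.get("schemas", []):
        raise ValueError("not a SCIM error response")
    try:
        # The detail string is a quoted dict, so parse it as a literal (no eval).
        detail = ast.literal_eval(err.get("detail", ""))
    except (ValueError, SyntaxError, TypeError):
        return {}  # detail was free text, not a field map
    return detail if isinstance(detail, dict) else {}

def work_email(user):
    """Value selected by the mapping target emails[type eq "work"].value, or None."""
    for entry in user.get("emails") or []:
        if isinstance(entry, dict) and entry.get("type") == "work" and entry.get("value"):
            return entry["value"]
    return None

def preflight(resource, creating):
    """List the reasons stated on this page for a resource to fail or be ignored."""
    if SCIM_GROUP in resource.get("schemas", []):
        return ["Groups are not implemented: send only Users"]
    problems = []
    if work_email(resource) is None:
        problems.append('emails: no type "work" value; check the IdP source attribute')
    if creating and "active" in resource:
        problems.append("active: only available when updating a member")
    return problems

if __name__ == "__main__":
    print(rejected_fields(PAGE_ERROR))
    print(preflight(NO_EMAIL, creating=True))
    print(preflight(SUSPEND, creating=False))
```

Because fields outside the list are ignored silently, a check like this on the IdP side is the only place a wrong mapping shows up before users are created.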