Automatic user provisioning with an external IDP

XProtect supports identity synchronization between your identity provider and the VMS through System for Cross-domain Identity Management (SCIM).

SCIM enables automatic user provisioning when accessing the VMS with an external IDP. Any changes to user permissions are instantly reflected in the VMS without requiring a new login.

To apply SCIM-enabled user provisioning with an external IDP, the identity provider on your system must be configured as an external IDP. For more information, see Add and configure an external IDP.

SCIM exchange and user identity

During SCIM exchange, the users configured in your external IDP are matched with the users of XProtect. The ID property of the user identity is used as the primary identifier. By default, the property has the value of the sub claim, but this can vary depending on the identity provider. A mismatch between the primary identifier and the claim presented at login can result in the same user being provisioned twice during the log-in process.

The sub claim is not the same claim as the one selected as the source of user names when the external IDP was configured.

For more information about how to configure the primary identifier, see SCIM introduction.

Configuration of an Identity Provider (IDP) for SCIM

In general, to configure your Identity Provider (IDP) for SCIM, you configure a client with the SCIM permissions and associate it with an external provider.

If your external IDP is deployed on your local network, you use the URL of the VMS IDP in the external IDP’s SCIM configuration to create the association.

If your external IDP is on a network that cannot communicate directly with the network where your VMS is deployed, you can use the URL provided by a communication tunneling tool as an entry point to your VMS’ IDP.

Contents of user names

To ensure the correct operation of SCIM’s synchronization procedure between your external IDP and the VMS, the names of provisioned identities must comply with naming conventions in XProtect, and they cannot contain any of the following characters: ?, \, /, [, ].
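The two checks described on this page (identifier matching in the SCIM exchange above, and the forbidden characters in user names) can be run as a preflight over an IdP export before synchronization is switched on. The following is an added example, not XProtect's own code or API; it assumes the IdP writes its primary identifier into the SCIM `externalId` attribute, and the sample users and login claims are constructed.

```python
import re
from typing import Dict, List, Optional

# Characters XProtect rejects in provisioned user names (from the page).
FORBIDDEN_RE = re.compile(r"[?\\/\[\]]")

# Constructed sample SCIM User resources, as an IdP might push them.
# Assumption: the IdP puts its primary identifier into "externalId".
SCIM_USERS = [
    {"externalId": "sub-1001", "userName": "alice"},
    {"externalId": "oid-2002", "userName": "bob"},        # identifier is not the sub claim
    {"externalId": "sub-3003", "userName": "carol/ops"},  # forbidden "/" in user name
]

# Constructed sample of the sub claim each user presents at login.
LOGIN_SUBS = {"alice": "sub-1001", "bob": "sub-2002", "carol/ops": "sub-3003"}


def forbidden_chars(user_name: str) -> List[str]:
    """Return the characters in user_name that XProtect does not accept, sorted."""
    return sorted(set(FORBIDDEN_RE.findall(user_name)))


def audit_user(user: dict, login_sub: Optional[str], id_attribute: str = "externalId") -> List[str]:
    """Preflight checks for one SCIM user; returns a list of findings (empty means OK)."""
    findings = []
    bad = forbidden_chars(user["userName"])
    if bad:
        findings.append(f"userName contains forbidden characters {bad}; sync will fail")
    key = user.get(id_attribute)
    if key is None:
        findings.append(f"{id_attribute} missing; no primary identifier to match on")
    elif login_sub is not None and key != login_sub:
        # This is the mismatch case: the VMS cannot match the login to the
        # provisioned identity, so the user would be provisioned a second time.
        findings.append(
            f"{id_attribute}={key!r} differs from login sub={login_sub!r}; "
            "user would be provisioned a second time at login"
        )
    return findings


def audit_all(users: List[dict], login_subs: Dict[str, str],
              id_attribute: str = "externalId") -> Dict[str, List[str]]:
    """Run audit_user over every user; returns only the users that have findings."""
    report = {}
    for u in users:
        f = audit_user(u, login_subs.get(u["userName"]), id_attribute)
        if f:
            report[u["userName"]] = f
    return report


if __name__ == "__main__":
    for name, problems in audit_all(SCIM_USERS, LOGIN_SUBS).items():
        print(name, "->", "; ".join(problems))
```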

Delete users

To manage user deletions in a way that aligns with their specific policies and requirements, some identity providers may prefer not to delete users permanently from the system. Instead, the users can be disabled, which means that they are treated as if they no longer exist.

If a permanent deletion is required in those cases, an XProtect administrator can enable a setting that permanently deletes the users from the VMS after a specified number of days (the default is 30 days). Both enabling the setting and setting the time frame are done through an API. For the required steps, see SCIM introduction.