Generating a Scope Token for SCIM
WebUI Changes implemented in Artifactory 7.38.x and above
Security is now called Authentication Providers. All the relevant text and images on this page have been updated to reflect this change.
To implement SCIM with any identity service, you will need to generate a scope token in the JFrog Platform, and then use that token in the identity service setup.
A scope token for SCIM grants the following actions to system:identities:r,w,d
- (r)ead, (w)rite, and (d)elete on Users and Groups.
Note that the generated scoped token can only be used against the SCIM API endpoints. In addition, the generated scoped token cannot be used to regenerate another scoped token.
To generate a scope token:
In the JFrog Platform, navigate to Administration | Authentication Providers | SCIM.
JFrog Cloud New Interface (Beta)
On the taskbar, click (Platform Configurations), and select User Authentication > SCIM. To learn more, click here.
This displays the SCIM Configurations window.
To connect an identity service with your JFrog Platform, you will need both the SCIM connector base URL and a generated token. Click the copy button next to the URL and paste it into the identity service's SCIM settings.
Click the Generate Token button, and then click the Copy Token button, and paste the token into the identity service's SCIM settings.
Security Note
The token can be revoked at any time via the same page. As with any other security token, it is recommended to revoke the token and recreate it occasionally for security reasons. The identity service configuration should be adjusted accordingly.
- Go to the identity service you will be using with SCIM and follow the steps for that tool. We have used Okta and Azure Active Directory (AD) to verify this capability:
- Go to the identity service (for example, Okta, Azure AD, etc.), and select the relevant provisioning.
- In the Provisioning section, set the following details according to the tool. The steps below are examples of the tools you can use.
Okta
- Go to the Provisioning tab.
- Set the options Create Users, Update User Attributes, and Deactivate Users to the To App settings.
- Go to the Integration page.
- Set the SCIM connector base URL to:
https://<Artifactory_URL>/access/api/v1/scim/v2
- In the Unique identifier field for users, enter userName.
- In the Supported provisioning actions field, select all of the following options:
- Import New Users and Profile Updates
- Push New Users
- Push Profile Updates
- Push Group.
- From the Authentication Mode dropdown, select HTTP Header and then paste the scoped token you created in the JFrog Platform (see Generating a Scope Token for SCIM).
For more information, refer to the Okta tutorial on how to configure the SCIM application.
Azure AD
Follow these guidelines by specifying:
- Tenant URL:
https://<Artifactory_URL>/access/api/v1/scim/v2
- Secret: Enter the scoped token for SCIM from your JFrog Platform
The current JFrog Artifactory template app should not be used with Azure AD.
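A smoke test for the scoped token, written for this page as an added example (it is not JFrog, Okta, or Azure code). It checks that the token is accepted on the SCIM Users and Groups resources under the base URL above and rejected elsewhere. It assumes the token is sent as a Bearer Authorization header; `non_scim_url` is a caller-supplied URL of any authenticated non-SCIM API on the same platform, and the environment variable names are hypothetical.

```python
"""Smoke-test a SCIM scoped token (added example, not JFrog code)."""
import urllib.error
import urllib.request

SCIM_PATH = "/access/api/v1/scim/v2"  # SCIM base path given on this page


def scim_base(artifactory_url):
    """Build the SCIM connector base URL; refuse plain HTTP for a bearer token."""
    url = artifactory_url.rstrip("/")
    if not url.startswith("https://"):
        raise ValueError("SCIM base URL must use https://")
    return url + SCIM_PATH


def http_status(url, token):
    """GET url with the token as a Bearer header and return the HTTP status."""
    req = urllib.request.Request(url, headers={
        "Authorization": "Bearer " + token,
        "Accept": "application/scim+json, application/json",
    })
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401/403 are expected answers here, not failures


def check_scim_token(artifactory_url, token, non_scim_url, status=http_status):
    """Report what the token reaches: SCIM should work, other APIs should not."""
    base = scim_base(artifactory_url)
    users = status(base + "/Users", token)
    groups = status(base + "/Groups", token)
    other = status(non_scim_url, token)  # assumption: an authenticated non-SCIM API
    return {
        "scim_ok": users == 200 and groups == 200,
        "confined": other in (401, 403),
        "statuses": {"Users": users, "Groups": groups, "non_scim": other},
    }


if __name__ == "__main__":
    import os
    # Hypothetical variable names; the token itself is never printed.
    print(check_scim_token(os.environ["ARTIFACTORY_URL"],
                           os.environ["SCIM_TOKEN"],
                           os.environ["NON_SCIM_URL"]))
```

Running the same check with a token that has been revoked on the SCIM page should report `scim_ok` as `False`, which confirms the rotation took effect before the identity service is updated.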
More on Managing Users and Groups with SCIM
Click here to learn more about managing users and groups with SCIM in the JFrog Platform.