Splashtop supports user and group provisioning from your identity provider via SCIM. Follow the steps below to set it up.
Step 1: Configure Provisioning - Admin Credentials
1. Go to the created SAML app, click Provisioning to set up.
Note: How to create a SAML app
2. Add Admin Credentials.
Enter Tenant URL and API Token, then click Save.
- Tenant URL: Copy the Base URL in SCIM configuration from your Gateway.
- Secret Token: Copy the API Token in SCIM configuration from your Gateway.
For more detailed information, please refer to How to generate the SCIM provisioning token
Step 2: Configure Provisioning - Set up ssoName attribute
1. Go to Mappings, then click Provision Azure Active Directory Users.
2. Check Show advanced options, then click Edit attribute list for customappsso.
3. Add an attribute: enter the Name and Type, and set it as Required. Then click Save.
Name: urn:ietf:params:scim:schemas:extension:Splashtop:2.0:User:ssoName
Type: String
Required: Yes
4. Click Add new mapping, then enter Mapping type, Constant Value and Target attribute.
Mapping type: Constant
Constant Value: Your SSO method name on Gateway
Target attribute: Select the attribute you just created (urn:ietf:params:scim:schemas:extension:Splashtop:2.0:User:ssoName)
Then click Ok on the Edit Attribute window, then Save.
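The following added example (not Splashtop's or Microsoft's own code) shows how the attribute name entered in Step 2 is laid out in a SCIM 2.0 User body under the standard extension-schema convention of RFC 7643, and checks a body for the required ssoName value. The user name and SSO method name are constructed sample values, and the assumption is that the provisioning request follows this standard layout.

```python
import json

# Attribute name exactly as entered in the Azure attribute list in Step 2.
SSO_ATTR = "urn:ietf:params:scim:schemas:extension:Splashtop:2.0:User:ssoName"
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643 core schema


def split_attr(path):
    """Split 'schema-URN:attribute' into (schema URN, attribute name)."""
    schema, _, attr = path.rpartition(":")
    if not schema or not attr:
        raise ValueError(f"not a schema-qualified attribute: {path!r}")
    return schema, attr


def build_user(user_name, sso_name):
    """Build a SCIM 2.0 User body carrying the constant ssoName mapping."""
    schema, attr = split_attr(SSO_ATTR)
    return {
        "schemas": [CORE_USER, schema],  # extension URN must be declared here
        "userName": user_name,
        "active": True,
        schema: {attr: sso_name},        # extension data lives under its URN
    }


def check_user(body, expected_sso):
    """Return a list of problems with the ssoName extension; empty means OK."""
    schema, attr = split_attr(SSO_ATTR)
    problems = []
    if schema not in body.get("schemas", []):
        problems.append("extension schema not declared in 'schemas'")
    ext = body.get(schema)
    if not isinstance(ext, dict) or not ext.get(attr):
        problems.append("required attribute ssoName missing or empty")
    elif ext[attr] != expected_sso:
        problems.append(f"ssoName {ext[attr]!r} != expected {expected_sso!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from any real tenant.
    user = build_user("alice@example.com", "ExampleSSO")
    print(json.dumps(user, indent=2))
    print(check_user(user, "ExampleSSO"))
```

A mismatch reported by check_user means the Constant Value in the mapping differs from the SSO method name on Gateway.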
Step 3: Configure Provisioning - Make sure the Provisioning Status is On
Make sure the Provisioning Status is On in your SAML app. The provisioning interval is fixed at 40 minutes in Azure.
Step 4: Add user/group to the created app
After SSO and Provisioning are configured, click Add user to add users to the created enterprise application so that they are provisioned automatically.
Notes
- All successfully provisioned users will be given the member role.
- Updating Username via SCIM provisioning is supported.
- A provisioned group is created in Gateway only if it contains users.
- For security reasons, the SCIM Provisioning API is limited to 1000 calls per minute.
- The user xxx is skipped because they are not assigned to the application:
  - Make sure the target user is assigned to the application created on Azure.
  - Check Source Object Scope (under Created application / Edit Provisioning / Mappings / Provision Azure Active Directory Users) and see whether any filters are preventing the users from being provisioned.