Provisioning setup - Okta (SCIM)

Splashtop supports provisioning users and groups from your identity provider via SCIM. Follow the steps below to set it up.

Step 1: Configure Provisioning - Enable Provisioning

1. On the app you created, go to the General tab, click Edit, check SCIM, then click Save.

2. After step 1, a Provisioning tab appears. Go to that tab and click Edit, then enter the following:

  • SCIM connector base URL: Copy the Base URL from the SCIM configuration on your Gateway.
  • Unique identifier field for users: userName
  • Supported provisioning actions: Check options one to five.
  • Authentication Mode: Select HTTP Header.

3. On the same Provisioning tab, after step 2, go to HTTP Header / Authentication and insert the token. You can get the token from this article: How to generate the SCIM provisioning token.

After inserting the token, click Test Connector Configuration. A popup lists the supported actions, which are User Import, Import Profile Updates, Create Users, Update User Attributes, Push Groups and Import Groups.

Close the popup window, then click Save.

4. After step 3, click Edit, then enable Create Users, Update User Attributes and Deactivate Users. Leave Sync Password disabled. Then click Save.

Step 2: Configure Provisioning - Create a mapping

1. Still in the Provisioning tab, click Go to Profile Editor.

2. Click Add attribute.

Then enter the following:

  • Data type: Select string
  • Display name: ssoName
  • Variable name: ssoName
  • External name: ssoName
  • External namespace: urn:ietf:params:scim:schemas:extension:Splashtop:2.0:User
  • Attribute required: Yes
  • User permission: Read-Write

Then click Save.

3. Go back to Profile Editor, then click Mappings.

4. Select Okta User to "your created app name".

5. Scroll down to the bottom to find the ssoName attribute you just created, then insert the SSO method name created on your Gateway. Please insert it in the format "sso method name". Then click Save Mappings.

6. Click Apply updates now.
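
As an added illustration (not Splashtop's or Okta's code), the following Python checks a SCIM User resource against what Steps 1 and 2 configure: userName as the unique identifier and ssoName under the Splashtop extension namespace, matching the SSO method name on the Gateway. It assumes the standard RFC 7643 layout, in which extension attributes sit under a key named after the schema URN; the function name, the sample users and the SSO method name ExampleSSO are constructed for the example.

```python
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643 core schema
SPLASHTOP_EXT = "urn:ietf:params:scim:schemas:extension:Splashtop:2.0:User"  # Step 2

def check_scim_user(resource, expected_sso_name):
    """Return a list of problems in a SCIM User resource; an empty list means OK."""
    problems = []
    schemas = resource.get("schemas")
    if not isinstance(schemas, list):
        schemas = []
    # RFC 7643: "schemas" must list the core schema and every extension in use.
    for urn in (CORE_USER, SPLASHTOP_EXT):
        if urn not in schemas:
            problems.append("schemas does not list " + urn)
    user_name = resource.get("userName")
    if not isinstance(user_name, str) or not user_name.strip():
        problems.append("userName is missing or empty")
    if "ssoName" in resource:
        problems.append("ssoName is at the top level, not under the extension namespace")
    ext = resource.get(SPLASHTOP_EXT)
    if not isinstance(ext, dict):
        problems.append("extension object is missing")
        return problems
    sso = ext.get("ssoName")
    if not isinstance(sso, str) or not sso:
        problems.append("ssoName is missing or empty")
    elif sso != expected_sso_name:
        # Exact comparison: stray spaces or a different case count as a mismatch.
        problems.append("ssoName %r does not match %r" % (sso, expected_sso_name))
    return problems

# Constructed sample resources (not captured traffic).
GOOD = {
    "schemas": [CORE_USER, SPLASHTOP_EXT],
    "userName": "alice@example.com",
    SPLASHTOP_EXT: {"ssoName": "ExampleSSO"},
}
# Constructed: mapping value entered with a trailing space.
BAD_VALUE = {**GOOD, SPLASHTOP_EXT: {"ssoName": "ExampleSSO "}}
# Constructed: ssoName outside the external namespace from Step 2.
BAD_NAMESPACE = {"schemas": [CORE_USER], "userName": "bob@example.com",
                 "ssoName": "ExampleSSO"}

if __name__ == "__main__":
    samples = (("GOOD", GOOD), ("BAD_VALUE", BAD_VALUE), ("BAD_NAMESPACE", BAD_NAMESPACE))
    for name, res in samples:
        print(name, check_scim_user(res, "ExampleSSO") or "ok")
```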

Step 3: Start provisioning - Assign users/groups to the application and Push Groups

1. Provision users: Go to the Assignments tab, click Assign, then choose Assign to People or Assign to Groups.

This provisions the assigned users and the users in the assigned groups.

2. Provision groups
- Go to the Assignments tab, click Assign, choose Assign to Groups, then assign the groups you would like to provision.
- Go to the Push Groups tab and click the +Push Groups button to add the group you would like to provision.
After configuring both, the groups will be provisioned.

Notes

  • All successfully provisioned users will be given the member role.
  • Updating Username via SCIM provisioning is supported. Go to Directory/People/Profile in the Okta admin console to change the Username.
  • A provisioned group is created in Gateway only if it contains users.
  • For security reasons, the SCIM Provisioning API has a limit of 1000 calls per minute.
  • Adding a user to a provisioned group (under Push Groups) is not supported at this time due to Okta's limitation (Okta's official post regarding the limitation: link). This action will only provision the user to the default group, not to the provisioned group.
    The workaround is to make sure the user has already been added to the group when you add the group to Push Groups.
    For an existing group under Push Groups, you can work around the limitation by removing the group from the Splashtop app on Okta, adding all the users you would like to assign to the group, then adding the group back to Push Groups.