ThousandEyes Support for SCIM

ThousandEyes is now able to add, update and delete users from identity providers who support the standards, dramatically decreasing time to provision users into ThousandEyes and perform ongoing user management.

Operation

ThousandEyes has made available two SCIM API endpoints to receive user addition, update and deletion requests:

- For SCIM 1.1 based API calls.
(or )
- For SCIM 2.0 based API calls.

The operation of SCIM is simple: a Service Provider is able to map attributes from its local user database, and generate SCIM API calls to one of our endpoints in order to generate, update or delete the users on ThousandEyes end:

The structure of those calls must be compliant to the SCIM 1.1 or 2.0 protocol and schema, and also need to be compliant with our currently supported operations, discussed below.

Requirements

In order to leverage ThousandEyes SCIM API endpoints, a ThousandEyes user having a role with the following permissions is required:

View Users
Edit Users
API Access

Both SCIM 1.1 and 2.0 endpoints require the user to authenticate either with HTTP Basic Authentication using your Basic Authentication Token or an OAuth Bearer Token, both of which can be created in Manage > Account Settings > Organization Settings > Security and Authentication.

By default, users added through SCIM to ThousandEyes will be assigned the Regular User role in all account groups of the organization where they are created. This default assignment can be changed in the SCIM Settings Section of the Security and Authentication screen. Once the users have been created in ThousandEyes, their individual roles can be freely modified at Manage > Account Settings > Users and Roles > Users.

In the example above, the "SCIM API User Role" within the "Support" Account Group will be granted to all the newly pushed SCIM users. All roles and account groups can be used, as long as the API user making the SCIM API calls has permissions to grant them. Lacking those privileges will cause the SCIM provisioning process to fail.

Supported Features

As of now, there is no support for SCIM Group creation or mapping, meaning that the SCIM /vX/Groups endpoint has no functionality.
Operations on /Bulk endpoints are not supported.

Below is the list of endpoints and their supported operations:

/Users
- GET - list users
/Users/{id}
- GET / PUT (update)
- POST (create)
- DELETE (delete)
- PATCH (not supported)
/Schemas/{type}
- accepted "type" values: "users" or "groups"
- GET - returns schemas for provided type
/ServiceProviderConfigs
- GET (returns supported configurations)

/Users
- GET - list users
/Users/{id}
- GET / PUT (update)
- POST (create)
- DELETE (delete)
- PATCH (update)

Configuration

From ThousandEyes' perspective, the only needed configuration is creating an API user with the necessary privileges to create the accounts you will be importing. Only two attributes from ThousandEyes will be populated:

Name (not mandatory)
Email (mandatory and unique)

From the Service Provider's perspective, the trick is in the mapping of values from the Provider's directory to ThousandEyes' user database. From the provided attributes in the POST data from your provider, we parse for a valid email (our primary user identifier) in the following attributes in the provided order:

emails - primary:true or first element of the email list.
username

Making sure that a valid and unique email is passed on either of those two attributes to ThousandEyes is key to creation of a new user through SCIM.

Providers that supply a SCIM application usually provide a template where values can be mapped from the local database to what will be sent through SCIM. As an example, here is a basic structure of a SCIM 1.1 call template:

{  
  "schemas": \[  
    "urn:scim:schemas:core:1.0"  
  \],  
  "username": "{$PROVIDER\_DB\_FIELD\_TO\_BE\_MAPPED\_TO\_USERNAME}",  
  "name": {  
    "formatted": "{$PROVIDER\_DB\_FIELD\_TO\_BE\_MAPPED\_TO\_NAME}"  
  },  
  "emails": \[  
    {  
      "value": "{$PROVIDER\_DB\_FIELD\_TO\_BE\_MAPPED\_TO\_EMAIL}",  
      "primary": true  
    }  
  \],  
  "externalId": "{$PROVIDER\_SUPPLIED\_EXTERNAL\_ID",  
  "active": true  
}

Microsoft Azure Active Directory

PreviousSAML JIT Provisioning NextHow to Configure SCIM with Azure Active Directory

Last updated 1 month ago