Configuring SAML with SCIM-compliant provider

You can configure SAML with a SCIM-compliant provider to allow users to authenticate with a central identity provider (IdP) and access multiple applications through single sign-on (SSO). The SCIM-compliant provider manages user identities and permissions through the SCIM API, while SAML is used for authentication and authorization.

You can configure SAML with a SCIM-compliant provider by using one of the following methods:

Configuring SAML with a SCIM-compliant provider by using the product console

To configure SAML with a SCIM-compliant provider, complete the following steps:

  1. Log on to the console as an administrator.

  2. From the navigation menu, click Administer > Identity providers.

  3. Click Create Connection. Select SAML 2.0 as the protocol type and click Next. The New SAML Connection page is displayed.

  4. On the New SAML Connection page, select the Connection details tab. Fill in the following fields:

    • Name: A name for the SAML connection.

    • Description: Description of the SAML connection.

  5. Enable the This is a SCIM-compliant identity provider toggle.

    Figure: SAML with SCIM dependency

  6. Select the Token attribute-mapping tab. Fill in the following fields:

    • Subject
    • Given name
    • Family name
    • Groups
    • Email

    See the following notes:

    • If you do not specify the mapping, the Token attribute-mapping values are pre-defined with the following defaults. Modify the defaults so that they match the attribute names in the SAML claims that your IdP issues:

      • Subject : uid
      • Given name : firstName
      • Family name : lastName
      • Groups : blueGroups
      • Email : emailAddress
    • The uniqueSecurityName option is not supported in the product console. If uniqueSecurityName is required in the Token attribute mapping, see Different schema elements for IdP V3.

  7. Select the To identity provider tab. Click the Download metadata link to download the SAML 2.0 metadata. Upload this metadata to your identity provider to generate the identity provider metadata.

  8. Select the From identity provider tab. Upload the identity provider metadata (an .xml file) that your identity provider supplied.

  9. The SCIM configuration tab is enabled when you configure SAML with SCIM dependency. It contains the following fields:

    Figure: SCIM configuration

    You also need to configure the SCIM attribute mapping for the user and group resources. By default, these fields are pre-defined as principalName for both the user and group attributes. Modify the values so that they match the SCIM IdP configuration.

    Figure: SCIM attribute

  10. Click Create.
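The Token attribute mapping in step 6 only works if the claim names match what the IdP actually issues. The following added example (not part of the product's code) resolves the five console fields against a constructed SAML assertion and reports which fields stay empty under the default mapping, which is exactly the case where the defaults should be changed. The assertion content and the corrected claim names are assumptions for illustration; the snippet shows the mapping step only and does not validate the assertion's signature or conditions.

```python
"""Resolve the console's Token attribute mapping against a SAML assertion."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Default mapping from the console: field -> SAML attribute (claim) name.
DEFAULT_MAPPING = {
    "subject": "uid",
    "given_name": "firstName",
    "family_name": "lastName",
    "groups": "blueGroups",
    "email": "emailAddress",
}

# Constructed sample assertion (not from a real IdP). This IdP issues
# "memberOf" and "mail" instead of the default "blueGroups"/"emailAddress".
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>soc-analysts</saml:AttributeValue>
      <saml:AttributeValue>qradar-admins</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return {claim name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def map_identity(assertion_xml, mapping):
    """Resolve each console field through the mapping.

    Fields whose claim is absent are listed in `missing` instead of being
    silently defaulted, so a mismatch between the mapping and the IdP's
    claims (for example, an empty Groups value) is visible before go-live.
    """
    attrs = extract_attributes(assertion_xml)
    identity, missing = {}, []
    for field, claim in mapping.items():
        values = attrs.get(claim)
        if not values:
            missing.append(field)
        elif field == "groups":
            identity[field] = values  # groups is multi-valued
        else:
            identity[field] = values[0]
    return identity, missing
```

Running `map_identity(SAMPLE_ASSERTION, DEFAULT_MAPPING)` reports `groups` and `email` as missing; passing a mapping with `groups="memberOf"` and `email="mail"` resolves all five fields.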

Configuring SAML with a SCIM-compliant provider by registering IdP V3 with IBM Security Verify

Register IdP V3 with IBM Security Verify, which supports a SCIM-enabled IdP with SAML. For more information, see IdP V3 registration with IBM Security Verify.

Example of SAML with a SCIM-compliant server

Figure: SAML with SCIM provisioning server

QRadar Suite retrieves users from the IdP with SCIM requests through the foundational services operator.