AssignmentPro supports identity synchronization through a user API service called SCIM2. Existing user accounts can now be synchronized with the client's corporate identity provider (IdP) to ensure that access to AssignmentPro is correct. Updates to user information, deprovisioning, and changes in roles can then be applied to AssignmentPro automatically: user records and security roles are updated when a person moves teams or leaves the company.
SCIM2 is based on the open SCIM standard (System for Cross-domain Identity Management). AssignmentPro has implemented only the Update operation on the user endpoint.
Steps involved in setting up
The API accepts requests and sends responses in JSON and uses JWT (JSON Web Tokens) to authenticate calls made to it. For a JWT to be built correctly, a GUID and Secret Key must be generated for an API Subscriber.
Below is a high-level overview of the steps needed to configure a client's web server to use the API, as well as the actions that need to be taken in AssignmentPro.
Step 1: Configure client sites to use the API SCIM. Please contact your Equus representative; configuration is completed by the Equus Development Team.
In AssignmentPro:
Step 3: Create an API Subscriber and generate authentication credentials for it. To use SCIM2, the subscriber must be registered to the SCIM.
The SCIM API relies on a JWT token to authorize the update operations. To obtain that security token, the client's IdP must request the token using the shared GUID and Secret Key generated when the API SCIM Subscriber was set up.
When the security token is returned, it is included in every request that updates a user (the token identifies who is authorizing the request). Tokens expire 15 minutes after issue; any new request using an expired token is rejected. To handle expiry, the client's IdP must track the validity of its tokens and decide when to request new ones.
Once the client's IdP holds a valid token, an update request can be sent for the user on AssignmentPro, using the user's id as the key to the user to be updated. The token is sent in the Authorization header and authorizes the body of the request.
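The token lifecycle described above (obtain a JWT with the GUID and Secret Key, track its 15-minute validity, renew it before it lapses, and send it in the Authorization header of the PATCH) is shown in the following added example. It is illustrative code written for this page, not AssignmentPro or Equus code. The token endpoint, the name of the token-request callback, the one-minute refresh margin and the `/scim/v2/Users/{id}` path are assumptions; the page only states that a GUID and Secret Key are exchanged for a JWT that expires after 15 minutes and that the token is carried in the Authorization header. The PATCH body shape follows the SCIM 2.0 PatchOp message (RFC 7644).

```python
"""Client-side JWT handling for a SCIM2 update (added illustrative example)."""
import json
import time
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional

TOKEN_LIFETIME_SECONDS = 15 * 60   # stated on the page: tokens expire after 15 minutes
REFRESH_MARGIN_SECONDS = 60        # assumption: renew a minute early to absorb clock skew


@dataclass
class TokenCache:
    """Tracks the validity of the current JWT and renews it before it expires.

    request_token is the IdP-side call to the (assumed) token endpoint; it takes the
    subscriber GUID and Secret Key and returns the JWT string. clock is injectable so
    the expiry logic can be exercised without waiting 15 real minutes.
    """
    request_token: Callable[[str, str], str]
    guid: str
    secret: str
    clock: Callable[[], float] = time.time
    _token: Optional[str] = None
    _obtained_at: float = 0.0

    def get(self) -> str:
        now = self.clock()
        age = now - self._obtained_at
        if self._token is None or age >= TOKEN_LIFETIME_SECONDS - REFRESH_MARGIN_SECONDS:
            # No token yet, or the current one is about to be rejected: fetch a fresh one.
            self._token = self.request_token(self.guid, self.secret)
            self._obtained_at = now
        return self._token


def build_user_patch(cache: TokenCache, user_id: str,
                     operations: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Assemble the SCIM PATCH for one user, keyed by the user's id.

    Returns the request as a dict (method, path, headers, body) so it can be handed
    to any HTTP client; the Authorization header carries the current JWT.
    """
    body = {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": operations,
    }
    return {
        "method": "PATCH",
        "path": f"/scim/v2/Users/{user_id}",   # assumed path; not taken from the page
        "headers": {
            "Authorization": f"Bearer {cache.get()}",
            "Content-Type": "application/scim+json",
        },
        "body": json.dumps(body),
    }


if __name__ == "__main__":
    # Stand-alone demo with a constructed token endpoint (no network).
    def fake_request_token(guid: str, secret: str) -> str:
        return "constructed.jwt.value"

    cache = TokenCache(fake_request_token, "guid-placeholder", "secret-placeholder")
    deprovision = [{"op": "replace", "path": "active", "value": False}]
    print(json.dumps(build_user_patch(cache, "user-id-placeholder", deprovision), indent=2))
```

The deprovisioning operation in the demo (`active` set to false) is the SCIM idiom for a leaver; which attributes AssignmentPro accepts in a PATCH is not stated on this page and should be confirmed with Equus.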
Once set up, the following are supported:
Things to note
There are 3 main logging areas for the SCIM Requests: API_EVENT, API_EVENT_DETAILS, LOG_EVENTS
API_EVENT logs all API requests, GET and PATCH (Update operations). All security-related information, such as the username/password on the token request, is obfuscated; API_EVENT does not hold any sensitive information from the requests, so as to address PII concerns.
API_EVENT_DETAILS logs the full payloads of the requests, including header and body details, with sensitive data obfuscated:
In the headers, the Authorization header value is hidden.
In the body, the whole authentication part and the request token are hidden.
LOG_EVENTS logs any unhandled exception that occurs on a SCIM API request, with fuller exception details; the error is still also logged in the API_EVENT/API_EVENT_DETAILS tables.
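The redaction rules for API_EVENT_DETAILS (hide the Authorization header; hide the authentication part and the request token in the body) are illustrated by the following added example. It is written for this page and is not AssignmentPro's logging code. The set of body field names treated as "the authentication part" (`secret`, `password`, `token` and variants) and the `***` marker are assumptions; the page names no field names. The example also includes the leak check a reviewer would want: after redaction, none of the raw secret values may appear anywhere in the log entry.

```python
"""Log-entry redaction for SCIM API request details (added illustrative example)."""
import json
from typing import Any, Dict, Iterable

REDACTED = "***"   # assumed marker; the page only says the values are hidden

# Assumption: body keys regarded as the "authentication part" or the request token.
# Keys are compared after lowercasing and dropping '_' and '-', so access_token,
# AccessToken and access-token all match.
SENSITIVE_KEYS = {
    "secret", "secretkey", "password", "token",
    "accesstoken", "requesttoken", "authorization",
}


def _normalize(key: str) -> str:
    return key.lower().replace("_", "").replace("-", "")


def redact_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Hide the Authorization header value; leave other headers intact."""
    return {k: (REDACTED if k.lower() == "authorization" else v) for k, v in headers.items()}


def redact_body(value: Any) -> Any:
    """Recursively replace sensitive fields in a parsed JSON body.

    Dicts are walked key by key; a sensitive key has its whole value replaced,
    whatever its type, so nested credential objects are hidden in one piece.
    """
    if isinstance(value, dict):
        return {
            k: (REDACTED if _normalize(k) in SENSITIVE_KEYS else redact_body(v))
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact_body(v) for v in value]
    return value


def api_event_details_entry(method: str, path: str, headers: Dict[str, str],
                            raw_body: str) -> Dict[str, Any]:
    """Build the record to store for a request, with sensitive data obfuscated.

    If the body is not valid JSON it cannot be redacted field by field, so the
    entry records that fact instead of storing the raw bytes.
    """
    try:
        body: Any = redact_body(json.loads(raw_body)) if raw_body else None
    except ValueError:
        body = {"unparseable_body": REDACTED}
    return {
        "method": method,
        "path": path,
        "headers": redact_headers(headers),
        "body": body,
    }


def leaks_value(entry: Dict[str, Any], secrets: Iterable[str]) -> bool:
    """Return True if any raw secret string survives anywhere in the serialized entry."""
    serialized = json.dumps(entry)
    return any(s and s in serialized for s in secrets)


if __name__ == "__main__":
    # Constructed sample request: a token request carrying a GUID and Secret Key.
    token = "eyJhbGciOiJIUzI1NiJ9.constructed.signature"
    entry = api_event_details_entry(
        "POST", "/token-endpoint-placeholder",
        {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        json.dumps({"guid": "guid-placeholder", "secret": "s3cr3t-placeholder"}),
    )
    print(json.dumps(entry, indent=2))
    print("leak detected:", leaks_value(entry, [token, "s3cr3t-placeholder"]))
```

The leak check is cheap enough to run on every entry before it is written; a redaction rule that misses a renamed field then fails loudly in testing rather than silently storing credentials.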
