- \n
- A 探花大神 administrator account.<\/li>\n\n\n\n
- 探花大神 SSO Package or higher or SSO add-on feature.<\/li>\n\n\n\n
- A user account in SpaceIQ with administrator permissions.<\/li>\n\n\n\n
- Your SpaceIQ Instance ID.<\/li>\n<\/ul>\n\n\n\n
<\/a>Important Considerations<\/strong><\/p>\n\n\n\n
- \n
- SpaceIQ SCIM API is based on version 2.0 of the SCIM standard.<\/li>\n\n\n\n
- The following operations are supported for users:\n
- \n
- Create users<\/li>\n\n\n\n
- Remove users<\/li>\n\n\n\n
- Update users<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Attribute Considerations<\/strong><\/p>\n\n\n\n
- \n
- A default set of attributes are managed for users. See the Attribute Mappings<\/a> section for more details.<\/li>\n\n\n\n
- The department will be defined as a department in the case of neither organization nor division being available, otherwise the department will be used as a team if the organization is present.<\/li>\n\n\n\n
- The following attributes are not supported by 探花大神:\n
- \n
- manager<\/li>\n\n\n\n
- division<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Creating a new 探花大神 Application Integration<\/strong><\/h2>\n\n\n\n
- \n
- Log in to the 探花大神 Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to\u00a0USER AUTHENTICATION\u00a0<\/strong>>\u00a0SSO<\/strong> Applications<\/strong>.<\/li>\n\n\n\n
- Click + Add New Application<\/strong>.<\/li>\n\n\n\n
- Type the name of the application in the Search <\/strong>field and select it.<\/li>\n\n\n\n
- Click Next<\/strong>.<\/li>\n\n\n\n
- In the Display Label<\/strong>, type your name for the application. Optionally, you can enter a Description<\/strong>, adjust the User Portal Image and choose to hide or Show in User Portal<\/strong>.<\/li>\n<\/ol>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\")
<\/p><\/div>Note:<\/strong> \nIf this is a Bookmark Application, enter your sign-in URL in the Bookmark URL<\/strong> field.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Optionally, expand Advanced Settings<\/strong> to specify a value for the SSO IdP URL<\/strong>. If no value is entered, it will default to https:\/\/sso.jumpcloud.com\/saml2\/<applicationname><\/kbd>.<\/li>\n<\/ol>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/warning-icon.png\")
<\/p><\/div>Warning:<\/strong> \nThe SSO IdP URL<\/strong> is not editable after the application is created. You will have to delete and recreate the connector if you need to edit this field at a later time.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Click Save Application<\/strong>.<\/li>\n\n\n\n
- If successful, click:\n
- \n
- Configure Application<\/strong> and go to the next section <\/li>\n\n\n\n
- Close<\/strong> to configure your new application at a later time <\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
Configuring the SSO Integration<\/strong><\/h2>\n\n\n\n
To configure 探花大神<\/strong><\/h3>\n\n\n\n
- \n
- Create a new application<\/a> or select it from the Configured Application<\/strong>s list.<\/li>\n\n\n\n
- Select the SSO<\/strong> tab.<\/li>\n\n\n\n
- Replace any instances of YOUR_INSTANCE_ID with your SpaceIQ instance ID.<\/li>\n\n\n\n
- Add or change any attributes.<\/li>\n\n\n\n
- Click save<\/strong>.<\/li>\n<\/ol>\n\n\n\n
Download the certificate<\/strong><\/h4>\n\n\n\n
- \n
- Find your application in the Configured Applications<\/strong> list and click anywhere in the row to reopen its configuration window.<\/li>\n\n\n\n
- Select the SSO <\/strong>tab and click IDP Certificate Valid > Download certificate<\/strong>.<\/li>\n<\/ol>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/tip-icon.png\")
<\/p><\/div>Tip:<\/strong> \nThe certificate.pem will download to your local Downloads<\/strong> folder.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
To configure SpaceIQ<\/strong><\/h3>\n\n\n\n
- \n
- Login to your SpaceIQ tenant as an administrator.<\/li>\n\n\n\n
- Navigate to your Profile Name > Integrations > Settings > Integrations<\/strong>.<\/li>\n\n\n\n
- Next to Third Party Integrations, click the READ MORE<\/strong><\/strong> and then click Custom SAML & SCIM<\/strong>.<\/li>\n\n\n\n
- Select the SSO <\/strong>tab, enter the following information:\n
- \n
- SAML Identity Provider Issuer <\/strong>– copy and paste the 探花大神 IdP Entity ID<\/strong>.<\/li>\n\n\n\n
- SAML CallBack Endpoint URL<\/strong> – copy and paste the 探花大神 IDP URL<\/strong>.<\/li>\n\n\n\n
- X.509 Certificate<\/strong> – paste the contents of the certificate you downloaded in the previous section.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Click Activate<\/strong>.<\/li>\n<\/ol>\n\n\n\n
Authorizing User SSO Access<\/strong><\/h2>\n\n\n\n
Users are implicitly denied access to applications. After you connect an application to 探花大神, you need to authorize user access to that application. You can authorize user access from the Application Configuration<\/strong> panel or from the Groups Configuration<\/strong> panel. <\/p>\n\n\n\n
To authorize user access from the Application Configuration panel<\/strong><\/h3>\n\n\n\n
- \n
- Log in to the <\/a>探花大神 Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to USER AUTHENTICATION > SSO<\/strong> Applications<\/strong>, then select the application to which you want to authorize user access.<\/li>\n\n\n\n
- Select the User Groups<\/strong> tab. If you need to create a new group of users, see Get Started: User Groups<\/a>.<\/li>\n\n\n\n
- Select the check box next to the group of users you want to give access.<\/li>\n\n\n\n
- Click save<\/strong>. <\/li>\n<\/ol>\n\n\n\n
To learn how to authorize user access from the Groups Configuration<\/strong> panel, see Authorize Users to an SSO Application<\/a>.<\/p>\n\n\n\n
Validating SSO user authentication workflow(s)<\/strong><\/h2>\n\n\n\n
IdP-initiated<\/strong> user workflow<\/strong><\/h3>\n\n\n\n
- \n
- Access the 探花大神 User Console<\/a><\/li>\n\n\n\n
- Go to\u00a0Applications<\/strong> and click an application tile to launch it<\/li>\n\n\n\n
- 探花大神 asserts the user’s identity to the SP and is authenticated without the user having to log in to the application<\/li>\n<\/ul>\n\n\n\n
SP-initiated<\/strong> user workflow<\/strong><\/h3>\n\n\n\n
- \n
- Go\u00a0to the SP application login – generally, there is either a special link or an adaptive username field that detects the user is authenticated through SSO<\/li>\n<\/ul>\n\n\n\n<\/p><\/div>Note:<\/strong> \n
This varies by SP.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Login redirects the user to 探花大神 where the user enters their 探花大神 credentials<\/li>\n\n\n\n
- After the user is logged in successfully, they are redirected\u00a0back to the SP and automatically logged in<\/li>\n<\/ul>\n\n\n\n
Configuring the Identity Management Integration<\/strong><\/h2>\n\n\n\n
To configure SpaceIQ<\/strong><\/h3>\n\n\n\n
- \n
- Click your Profile Name<\/strong> in the top right corner.<\/li>\n\n\n\n
- Click Settings<\/strong>. The Settings screen displays.<\/li>\n\n\n\n
- From the left menu, click Integrations<\/strong>.<\/li>\n\n\n\n
- From the Third Party Integrations area, click the READ MORE <\/strong>link. The Integrations screen displays.<\/li>\n\n\n\n
- From the left menu, click Provisioning & SSO<\/strong>.<\/li>\n\n\n\n
- For Custom SAML & SCIM, click the Activate <\/strong>button.<\/li>\n\n\n\n
- Select the Provisioning <\/strong>tab.<\/li>\n\n\n\n
- Copy the SCIM Bearer Token. This value will be entered into the Token Key<\/strong> field in the 探花大神 Identity Management<\/strong> tab. <\/li>\n\n\n\n
- Copy the SCIM Endpoint: <\/strong>https:\/\/api.spaceiq.com\/scim<\/kbd><\/li>\n<\/ol>\n\n\n\n
To configure 探花大神<\/strong><\/h3>\n\n\n\n
- \n
- Create a new application<\/a> or select it from the Configured Application<\/strong>s list.<\/li>\n\n\n\n
- Select the Identity Managemen<\/strong>t tab.<\/li>\n\n\n\n
- Click Configure<\/strong>.<\/li>\n\n\n\n
- You\u2019re presented with two fields:\n
- \n
- *Base URL<\/strong>: Paste the SCIM Endpoint you copied when configuring SpaceIQ. (e.g.,\u00a0https:\/\/api.spaceiq.com\/scim<\/kbd>)<\/li>\n\n\n\n
- Token Key<\/strong>: Paste the SCIM token you generated when configuring SpaceIQ.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Click save<\/strong>.<\/li>\n\n\n\n
- You will receive a confirmation that the Identity Management integration has been successfully verified.<\/li>\n\n\n\n
- You can now connect user groups to the application in 探花大神 to provision the members of that group in SpaceIQ. Learn how to Authorize Users to an Application<\/a>.<\/li>\n<\/ol>\n\n\n\n
Attribute Mappings<\/strong><\/h2>\n\n\n\n
The following table lists attributes that 探花大神 sends to the application. See Attribute Considerations<\/a> for more information regarding attribute mapping considerations. <\/p>\n\n\n\n
Learn about 探花大神 Properties and how they work with system users in our API<\/a>. <\/p>\n\n\n\n
\nSpaceIQ User Attributes<\/h3>\n
\n\n\n
\n \n 探花大神 Attribute <\/th>\n \n 探花大神 UI Field Name <\/th>\n \n SCIM v2 Mapping <\/th>\n \n SpaceIQ Attribute <\/th>\n <\/tr>\n \n \n username <\/td>\n \n Username <\/td>\n \n userName <\/td>\n \n IdP Username <\/td>\n <\/tr>\n \n \n active <\/td>\n \n Status <\/td>\n \n active <\/td>\n \n active <\/td>\n <\/tr>\n \n \n jobTitle <\/td>\n \n Job Title <\/td>\n \n job Title <\/td>\n \n title <\/td>\n <\/tr>\n \n \n email <\/td>\n \n Company Email <\/td>\n \n emails: value <\/td>\n \n Email <\/td>\n <\/tr>\n \n \n firstname <\/td>\n \n First Name <\/td>\n \n name.givenName <\/td>\n \n first_name <\/td>\n <\/tr>\n \n \n lastname <\/td>\n \n Last Name <\/td>\n \n name.familyName <\/td>\n \n last_name <\/td>\n <\/tr>\n \n \n firstname\/lastname <\/td>\n \n First Name\/Last Name <\/td>\n \n name.formatted <\/td>\n \n name <\/td>\n <\/tr>\n \n \n phoneNumbers.value <\/td>\n \n Work Phone <\/td>\n \n phoneNumbers.value <\/td>\n \n phone <\/td>\n <\/tr>\n \n \n addresses.locality <\/td>\n \n Work City <\/td>\n \n addresses.locality <\/td>\n \n location <\/td>\n <\/tr>\n \n \n employeeIdentifier <\/td>\n \n Employee ID <\/td>\n \n externalId <\/td>\n \n external_id <\/td>\n <\/tr>\n \n \n costcenter <\/td>\n \n CostCenter <\/td>\n \n costcenter <\/td>\n \n cost_center <\/td>\n <\/tr>\n \n \n employeeType <\/td>\n \n employeeType <\/td>\n \n userType <\/td>\n \n employment_type <\/td>\n <\/tr>\n \n \n department <\/td>\n \n Department <\/td>\n \n Department <\/td>\n \n department_name <\/td>\n <\/tr>\n \n \n company <\/td>\n \n Company <\/td>\n \n organization <\/td>\n \n department_name <\/td>\n <\/tr>\n <\/table>\n<\/div><\/div>\n\n\n\n Importing Users<\/strong><\/h2>\n\n\n\n
This functionality is helpful if users have already been created in the application but have not been created in 探花大神.<\/p>\n\n\n\n
- \n
- Log in to the 探花大神 Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to USER AUTHENTICATION > SSO<\/strong> Applications<\/strong>.<\/li>\n\n\n\n
- Search for the application and click to open its configuration panel. <\/li>\n\n\n\n
- Select the Identity Management<\/strong> tab.<\/li>\n\n\n\n
- Click manual import<\/strong>.<\/li>\n\n\n\n
- Select the users you want to create in 探花大神 from the application from the list of users that appear. Users in the list have two import statuses:\n
- \n
- New\u00a0<\/strong>– user has not been imported<\/li>\n\n\n\n
- Imported\u00a0<\/strong>– user has been imported and has an account in 探花大神<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
<\/p><\/div>Tip:<\/strong> Try using the New Users-only filter when selecting users to import. This will move all of your new users to the top of the list, making them easier to identify and select.<\/p><\/div><\/div><\/div>\n\n\n\n
- \n
- Click import<\/strong>.\n
- \n
- If you are importing less than 100 users, your import results will display in real time and you can continue onboarding your users\u00a0<\/li>\n\n\n\n
- If you have more than 100 users being imported, 探花大神 will send you an email when your import is complete<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
- \n
- You can now connect and grant users access to all their 探花大神 resources. Learn more in the Authorize Users to an Application<\/a> and Connecting Users to Resources<\/a> articles.<\/li>\n<\/ol>\n\n\n\n
- Imported\u00a0<\/strong>– user has been imported and has an account in 探花大神<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
- Go to USER AUTHENTICATION > SSO<\/strong> Applications<\/strong>.<\/li>\n\n\n\n
- Token Key<\/strong>: Paste the SCIM token you generated when configuring SpaceIQ.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Select the Identity Managemen<\/strong>t tab.<\/li>\n\n\n\n
- Click Settings<\/strong>. The Settings screen displays.<\/li>\n\n\n\n
- Click your Profile Name<\/strong> in the top right corner.<\/li>\n\n\n\n
- Go to\u00a0Applications<\/strong> and click an application tile to launch it<\/li>\n\n\n\n
- Go to USER AUTHENTICATION > SSO<\/strong> Applications<\/strong>, then select the application to which you want to authorize user access.<\/li>\n\n\n\n
- SAML CallBack Endpoint URL<\/strong> – copy and paste the 探花大神 IDP URL<\/strong>.<\/li>\n\n\n\n
- Next to Third Party Integrations, click the READ MORE<\/strong><\/strong> and then click Custom SAML & SCIM<\/strong>.<\/li>\n\n\n\n
- Select the SSO <\/strong>tab and click IDP Certificate Valid > Download certificate<\/strong>.<\/li>\n<\/ol>\n\n\n\n
- Select the SSO<\/strong> tab.<\/li>\n\n\n\n
- Close<\/strong> to configure your new application at a later time <\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
- If successful, click:\n
- Click Save Application<\/strong>.<\/li>\n\n\n\n
- Go to\u00a0USER AUTHENTICATION\u00a0<\/strong>>\u00a0SSO<\/strong> Applications<\/strong>.<\/li>\n\n\n\n
- Log in to the 探花大神 Admin Portal<\/a>.<\/li>\n\n\n\n
- A default set of attributes are managed for users. See the Attribute Mappings<\/a> section for more details.<\/li>\n\n\n\n