SCIM (short for System for Cross-domain Identity Management) helps automate user provisioning between our iLMS platform and your Identity Provider (IDP). This article will walk you through both pieces step-by-step.

[iLMS] Enable SCIM Provisioning

Step 1: Enable SCIM Provisioning

1.  Log in to your organization in iLMS with an admin account
2. Navigate to Settings > Directory Services > SCIM User Provisioning
3. Toggle the button to Enable SCIM User Provisioning 

Step 2: Generate, Regenerate, & Copy SCIM Token

1. Select the button to Generate SCIM Token
2. Copy the token and paste it in a safe place, as you'll need it once we get to the Identity Provider (IDP) portion of the process

Step 3: Copy Tenant URL

1. Copy the Tenant URL and paste it in a safe place, as you'll need it once we get to the Identity Provider (IDP) portion of the process

[Identity Provider] SCIM Provisioning Setup

Choose your IDP below for specific instructions on configuring SCIM User Provisioning. Please know that while we are working to provide instructions for as many of the most common IDPs as we are able, we have not provided instructions for all of them. If your IDP is not represented below, you can use the instructions below as a general guide. If you require further assistance, contact Technical Support.

Microsoft Entra ID

This guide outlines the steps to configure SCIM with Microsoft Entra ID. SCIM enables you to manage users and groups in the iLMS application directly through Microsoft Entra ID. If you encounter any issues with Entra ID’s provisioning, please consult Microsoft support.

Prerequisites

• A Microsoft Entra subscription is required for SCIM provisioning
• Ensure iLMS SCIM settings are configured before proceeding

Step 1: Set Up SCIM in Microsoft Entra ID

1. Log in to the Microsoft Entra ID portal.
2. Navigate to Enterprise applications under the Applications menu.
3. Click + New application and then + Create your own application.
4. Name the application, select Non-gallery, and click Create.
5. Open the Provisioning menu and click Get started.
6. Set Provision Mode to Automatic.
7. Enter the Tenant URL and Secret Token provided by iLMS, then click Test Connection and Save.

Step 2: Configure User Attribute Mapping

Some attribute mappings are configured by default in Microsoft Entra ID, but we have to provide custom attributes mapping for some fields as per organization’s fields setting in iLMS.

We have to configure following custom attributes manually. Mapping related to region attribute is required. But other attribute mappings are optional as per organization’s fields setting in ILMS.

Required Custom Attributes

• urn:ietf:params:scim:schemas:extension:ilms:2.0:User:region

Optional Custom Attributes

• urn:ietf:params:scim:schemas:extension:ilms:2.0:User:customField1 
• urn:ietf:params:scim:schemas:extension:ilms:2.0:User:customField2 
• urn:ietf:params:scim:schemas:extension:ilms:2.0:User:customField3 
• urn:ietf:params:scim:schemas:extension:ilms:2.0:User:customField4 
• urn:ietf:params:scim:schemas:extension:ilms:2.0:User:manager.id

Steps to Add Custom Attributes

1. Go to Provisioning > Mappings and select Provision Microsoft Entra ID Users.
2. Ensure user provisioning is enabled and all Target Object Actions are selected.
3. Click Show advanced options > Edit attribute list for customappsso. 

4. Add these attributes to the list:

5. Save the attribute list.

Mapping Attributes

Once we add the required attributes, we have to provide mapping between attributes & Entra ID fields. 

Edit Attribute has the following fields:

• Mapping Type - Mapping type indicates how the target value is calculated. Direct mappings use a source value (Entra ID field value) as is. Constant mappings always use a specified value. Expression mappings allow for transformations from attributes in the source object. 
• Source Type - Attribute that will be read from the source object. If a value is returned, it will be written to the target attribute.
• Default value if null - If the source attribute contains no value, then write the value specified here instead.
• Target attribute - Select the custom field that you want to map to the Azure field you selected. 
• Apply this mapping - We recommend you select Always. 

Note: Make sure that you provide the correct mappings for the following attributes as iLMS application allows only preconfigured values for those attributes while syncing users. You can assign the hardcoded values to all users by selecting Constant in Mapping type dropdown & providing Constant Value. Or you can provide the mapping with Entra ID Profile fields by selecting Direct in Mapping type dropdown. 

• urn:ietf:params:scim:schemas:extension:ilms:2.0:User:region 
• urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:division 
• urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:departnment

Region

There is no Entra ID Profile Field to map to region attribute, so we are assigning constant mapping for the region attribute.

1. Set Mapping Type to Constant
2. Provide the Constant Value. Make sure that this is a preconfigured value as per iLMS configuration. 
3. Select urn:ietf:params:scim:schemas:extension:ilms:2.0:User:region in Target attribute dropdown.
4. Select Always in Apply this mapping dropdown. 
5. Click Ok and Save.

Division

The attribute for division is already present but Entra ID does not provide the default mapping with the field.

1. Click on Add New Mapping  
2. Set Mapping Type to Direct
3. Select employeeOrgData.division in Source attribute dropdown
   • This is the user profile field from Azure.
4. Select urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:division in Target attribute dropdown.
5. Select Always in Apply this mapping dropdown. 
6. Click Ok and Save.

Department

Entra ID provides the department attribute by default. Ensure all users have the preconfigured values per the iLMS configuration for the department field.

Manager

1. Click on Add New Mapping  
2. Set Mapping Type to Direct
3. Select manager in Source attribute dropdown
4. Select urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager.id in Target attribute dropdown
5. Select Always in Apply this mapping dropdown. 
6. Click Ok and Save.

Mapping for all other fields is optional. 

Step 3: Configure the Unique Identifiers for Users

Microsoft Entra ID uses the UserPrincipalName field by default to match users between Entra ID and iLMS. However, you must update this to align with the Unique Identifier setting configured in your organization's iLMS application.

iLMS supports Email ID and Employee ID as Unique Identifiers. The Unique Identifier field in iLMS is Email ID by default.

To check the Unique Identifier field in iLMS, navigate to iLMS > Settings > Fields > General.

To configure the Unique Identifier in Microsoft Entra ID, adjust the Matching Precedence property in Microsoft Entra ID to ensure it matches the Unique Identifier setting in iLMS.

1. From within Microsoft Entra ID, Go to Provisioning > Mappings
2. Click on the Provision Microsoft Entra ID Users link
3. Find the userPrincipalName field and click Edit
4. Set the Matching precedence to 2
5. Click OK and Save
6. Locate the field corresponding to your iLMS Unique Identifier (employeeId or mail, based on your configuration)
7. Click Edit
8. In the Match objects using this attribute dropdown, select Yes
9. Set the Matching precedence to 1
10. Click OK and Save
11. Return to the userPrincipalName field and click Edit
12. In the Match objects using this attribute dropdown, select No
13. Click OK and Save

 

Step 4: Sync Users and Groups

SCIM supports user and group synchronization. Note that nested groups are not supported.

1. Go to Enterprise applications and select the iLMS application.
2. Open the Users and groups menu and click Add user/group.
3. Select users or groups to include and click Assign.
   • Tip: Start with a small number of users to test the setup.

Step 5: Start Synchronization

After configuring SCIM and adding users/groups, enable synchronization:

1. Go to Enterprise applications
2. Select the application you created for your iLMS connection
3. Select Provisioning, then click Start Provisioning

Step 6: Verify Synchronization

• Microsoft Entra ID Provisioning Logs are a good way to verify how the sync is happening
  • Before looking at the provisioning logs, first check if the sync has been started or not:
    • Check the Last Cycle Start Time; initially, the Last Cycle Start Time will show Not Started, meaning the sync has not started yet
    • When the process has started/completed, the date will appear 
  • To access the Provisioning Logs:
    1. Under Monitor on the left side, select Provisioning Logs
    2. Details of each activity can be viewed by clicking on that activity

Notes:

• Synchronization occurs every 40 minutes to reflect changes in Microsoft Entra ID.
• Large user groups or memberships may sync in stages.

Okta

This guide explains how to configure SCIM for Okta to manage users and groups in the Inspired eLearning iLMS app. If you encounter any issues with Okta's provisioning, please consult Okta support.

Prerequisites

• An Okta subscription is required for SCIM provisioning
• Ensure iLMS SCIM settings are configured before proceeding

Steps to Set Up SCIM Integration

Step 1: Create an Application in Okta

1. Log in to your Okta portal and go to Applications.
2. Use an existing ILMS app or create a new one:
   1. To create a new app, click Create App Integration.
3. Select your Sign-in method (e.g., SAML 2.0 for this guide).
4. Name your app and complete the sign-in configuration:
   1. Add the Single Sign-On URL and Audience URI.
   2. Choose EmailAddress in the Name ID format dropdown.
   3. Click Next and then Finish.

Step 2: Enable SCIM Provisioning

1. In the app's General Settings, enable SCIM provisioning and click Save.

Step 3: Configure SCIM Connection

1. Go to Provisioning → Integration Settings, then click Edit.
2. Fill in the following fields:
   1. SCIM connector base URL: Paste the Tenant URL from ILMS → SCIM Settings.
   2. Unique identifier field for users: Enter userName.
   3. Supported Provisioning Actions: Enable:
      1. Push New Users
      2. Push Profile Updates
      3. Push Groups
   4. Authentication Mode: Select HTTP Header.
   5. Authorization: Paste the SCIM Token from ILMS → SCIM Settings.
3. Test the configuration by clicking Test Connector Configuration. If errors occur, verify the Tenant URL and SCIM Token.
4. Save the settings once successful.

Step 4: Enable Provisioning Events

1. Go to Provisioning → Settings → To App. Enable the following options:
   1. Create Users
   2. Update User Attributes
   3. Deactivate Users

Add Custom User Attributes

Some attributes require manual configuration based on your organization's needs.

Mandatory Attribute:

• urn:ietf:params:scim:schemas:extension:ilms:2.0:User:region (required)

Optional Attributes:

• urn:ietf:params:scim:schemas:extension:ilms:2.0:User:hireDate
• urn:ietf:params:scim:schemas:extension:ilms:2.0:User:customField1
• urn:ietf:params:scim:schemas:extension:ilms:2.0:User:customField2
• urn:ietf:params:scim:schemas:extension:ilms:2.0:User:customField3
• urn:ietf:params:scim:schemas:extension:ilms:2.0:User:customField4
• urn:ietf:params:scim:schemas:extension:ilms:2.0:User:manager.displayName
• urn:ietf:params:scim:schemas:extension:ilms:2.0:User:manager.email

Step 5: Add Custom Attributes

1. Navigate to Directory → Profile Editor in Okta.
2. Select your ILMS app and click + Add Attribute.
3. For the region attribute, provide the following:
   1. Data Type: string
   2. Display Name: ilms_region
   3. Variable Name: ilms_region
   4. External Name: region
   5. External Namespace: urn:ietf:params:scim:schemas:extension:ilms:2.0:User
   6. Attribute Required: Yes
4. Click Save and repeat for other attributes as needed by your organization using the following table: 

Map Custom Attributes to Okta Fields

Once attributes are added, map them between attributes and Okta profile fields.

Make sure that you provide the correct mappings for the following attributes as iLMS application allows only preconfigured values for those attributes while syncing users. 

Go to the Register User page in iLMS & expand the dropdowns of Region, Division & Department fields to check the allowed values for these fields.

• urn:ietf:params:scim:schemas:extension:ilms:2.0:User:region 
• urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:division 
• urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department 

Step 6: Map Attributes in Okta

1. Go to Applications → Select your iLMS app → Provisioning.
2. Scroll to the bottom and click Show Unmapped Attributes.
3. For each of the following attributes, click the pencil icon to edit and configure the mapping:
   1. ilms_region: Select Same value for all users from the dropdown to assign a constant value, provide value in the text box, and click Save
   2. division: Select Same value for all users from the dropdown to assign a constant value, provide value in the text box, and click Save
   3. department: Select Same value for all users from the dropdown to assign a constant value, provide value in the text box, and click Save
   4. ilms_manager_displayName: Select Map from Okta Profile from the dropdown for dynamic values, select manager | string from the next dropdown, select Create and Update option for Apply On, and slick Save
   5. ilms_manager_email: Select Map from Okta Profile from the dropdown for dynamic values, select manager | string from the next dropdown, select Create and Update option for Apply On, and slick Save
4. You can also provide mappings for hireDate & customfield attributes; you can either select Same value for all users or Map from Okta Profile as per you organization's requirement.

This process ensures seamless integration of SCIM with Okta to manage your ILMS users and groups effectively.