User Provisioning Overview and Options
User Provisioning is an identity management process that ensures user accounts are created, given proper permissions, changed, disabled, and deleted. This can be completed via:
- SCIM (System for Cross-domain Identity Management) is an open standard that allows user management to be automated. Note that SCIM provisioning requires SAML SSO.
- SSO (Single Sign-On) allows a user to log in once to their network and thereby gain access to several network-connected programs, eliminating the need to log into each system individually.
SCIM Overview
Part of hiring new employees is provisioning the applications they need to do their jobs and then, for as long as they work at your company, keeping their user accounts and access up to date. When they leave your company, their access needs to be revoked quickly from those applications. Using SCIM instead of managing this process manually is less time-consuming and more accurate, as a manual process is more error-prone.
SCIM provides a defined schema for representing users and a RESTful API to update the database for those users. Also, you can set up the SSO Identity Provider (IdP) to synchronize passwords to ensure that a user’s IdP password and the User Provisioning password match.
Additionally, user profile attributes can be mapped between the User Provisioning Service user profile and the SpaceIQ employee profile. The SCIM integrations listed below have been enhanced to support user-defined custom attributes, which enables the User Provisioning Service to import those attributes into SpaceIQ.
To find more about the SCIM defined schema, see System for Cross-domain Identity Management: Core Schema.
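As an added illustration (not SpaceIQ's or any IdP's code), the following Python maps a SCIM 2.0 User resource, including an enterprise extension attribute and a hypothetical custom extension, onto an employee record and carries the `active` flag through so deprovisioning is honoured. The custom extension URN, the sample user and the employee field names are constructed assumptions.

```python
import json
SCIM_CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
# Hypothetical custom extension; the real URN comes from the IdP's custom attribute mapping.
CUSTOM_EXT = "urn:ietf:params:scim:schemas:extension:example:2.0:User"
# Constructed SCIM 2.0 User resource, shaped like what an IdP would PUT to a SCIM endpoint.
SAMPLE_USER = json.dumps({
    "schemas": [SCIM_CORE, SCIM_ENTERPRISE, CUSTOM_EXT],
    "externalId": "emp-00042",
    "userName": "ada@example.com",
    "active": True,
    "name": {"givenName": "Ada", "familyName": "Lovelace"},
    "emails": [{"value": "ada@example.com", "primary": True}],
    SCIM_ENTERPRISE: {"department": "Engineering", "manager": {"value": "emp-00007"}},
    CUSTOM_EXT: {"building": "HQ-2"},
})

# SCIM attribute path -> employee field (illustrative names; the SpaceIQ-side
# names are whatever the integration's mapping screen exposes).
ATTRIBUTE_MAP = {
    ("userName",): "email",
    ("name", "givenName"): "first_name",
    ("name", "familyName"): "last_name",
    (SCIM_ENTERPRISE, "department"): "department",
    (SCIM_ENTERPRISE, "manager", "value"): "manager_external_id",
    (CUSTOM_EXT, "building"): "building",
}

def _lookup(resource, path):
    """Follow a path of keys through nested dicts; None when any step is missing."""
    for key in path:
        if not isinstance(resource, dict) or key not in resource:
            return None
        resource = resource[key]
    return resource

def scim_user_to_employee(payload):
    """Map a SCIM User (JSON text or dict) to an employee record; `active` is kept so a deprovisioned user is disabled."""
    user = json.loads(payload) if isinstance(payload, str) else payload
    if SCIM_CORE not in user.get("schemas", []):
        raise ValueError("not a SCIM 2.0 User resource")
    employee = {"external_id": user.get("externalId"), "active": bool(user.get("active", True))}
    for path, field in ATTRIBUTE_MAP.items():
        value = _lookup(user, path)
        if value is not None:
            employee[field] = value
    # userName is the login identity and the primary email keys the employee record; if they diverge, SSO logins match no employee.
    primary = [e["value"] for e in user.get("emails", []) if e.get("primary")]
    if primary and primary[0].lower() != str(employee.get("email", "")).lower():
        raise ValueError("userName and primary email disagree")
    return employee
```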
SpaceIQ User Provisioning Options
We recommend the following options for user provisioning:
Option | Employee Data | User Data | SpaceIQ Login |
---|---|---|---|
Option 1 – SCIM Integration and User access via SSO | Takes the User data and populates the Employee data. | Takes the User data from the SSO Identity Provider. | User logs in via SSO. |
Option 2 – Multiple SCIM Integrations and User access via SSO | Takes the Employee data from the HR system. | Combination of User data from different User Provisioning Services. | User logs in via SSO. |
Option 3 – Custom SCIM Integration and SSO | Takes the Employee data from a third-party HR system. | Takes the User data from the SSO Identity Provider. | User logs in via SSO. |
Option 4 – SCIM Integration and User access via Manual Login | Takes the Employee data via SCIM Integration. | The employee's email address is part of the user's credentials. | User logs in manually. |
Option 5 – Employee data transfer via SFTP and User access via SSO | Takes the Employee data via SFTP. | Takes the User data from the SSO Identity Provider. | User logs in via SSO. |
Option 6 – Employee data manually imported and User access via SSO | Takes the Employee data from a manual upload. | Takes the User data from the SSO Identity Provider. | User logs in via SSO. |
Option 7 – Employee data manually imported and User access via Manual Login | Takes the Employee data from a manual upload. | The employee's email address is used as part of the user's credentials. | User logs in manually. |
Option 1 – SCIM Integration and User access via SSO
User Data and Employee Data
User data is transferred via SCIM synchronization, and SpaceIQ uses it to populate the Employee data. Your employees log in to SpaceIQ via SSO.
SpaceIQ has the following SCIM integrations available, or you can use the Custom SAML & SCIM Integration (see Option 3).
- Microsoft Azure and Azure Custom Attributes Mapping
- Okta and Okta Custom Attributes Mapping
- OneLogin
User Access
For the SSO overview and setup, see SSO Overview.
For how your employees will use SSO to access SpaceIQ, see SSO (Single Sign On) and SiQ.
Option 2 – Multiple SCIM Integrations and User access via SSO
User Data and Employee Data
Employee data and User data are taken from a combination of integrations such as:
- Two or more SCIM Integrations
- HR System and an SSO Integration
- SCIM Integration and an SFTP data transfer
Also, your employees will log into SpaceIQ via SSO.
User Access
For the SSO overview and setup, see SSO Overview.
For how your employees will use SSO to access SpaceIQ, see SSO (Single Sign On) and SiQ.
Option 3 – Custom SCIM Integration and SSO
User Data and Employee Data
SpaceIQ offers a number of pre-integrated third-party applications that allow customers to integrate employee provisioning and authentication seamlessly. Other vendors' platforms are not yet formally integrated.
The Custom SAML and SCIM integration allows providers without a pre-built integration to connect to SpaceIQ through SAML and SCIM, as long as the vendor's platform supports a common "custom integration" feature.
For more details, see Custom SAML & SCIM Integration.
User Access
For the SSO overview and setup, see SSO Overview.
For how your employees will use SSO to access SpaceIQ, see SSO (Single Sign On) and SiQ.
Option 4 – SCIM Integration and User access via Manual Login
User Data and Employee Data
With this option, your IT team will need to:
- Set up the SCIM User Provisioning.
Then your SpaceIQ Admin will need to:
- Notify the employee that they will log in to SpaceIQ manually and inform them their email address is used to reset their password.
User Access
For how your employees will log in to SpaceIQ manually, see Manual Login and SiQ.
Option 5 – Employee data transfer via SFTP and User access via SSO
Employee Data and User Data
With this option, your IT team will need to set up a process that:
- Extracts the Employee data from the ERP system to a flat file such as a .CSV file. A script can be used to automate the extraction, for example daily.
- Transfers the file using SFTP.
- SpaceIQ then imports the Employee data automatically.
For how to set up SFTP, see SFTP Employee Import.
User Access
For the SSO overview and setup, see SSO Overview.
For how your employees will use SSO to access SpaceIQ, see SSO (Single Sign On) and SiQ.
Troubleshooting
If your employees cannot log in to SpaceIQ, see User Can't log in to SiQ.
Option 6 – Employee data manually imported and User access via SSO
User Data and Employee Data
With this option, your IT team will need to set up a process that:
- Extracts the Employee data from the ERP system to a flat file such as a .CSV file.
Then your SpaceIQ Admin will need to:
- Manually import the employees; see Add or Remove Employees via an Employee Import.
- Notify the employee that they will log in to SpaceIQ manually and inform them their email address is used to reset their password.
User Access
For the SSO overview and setup, see SSO Overview.
For how your employees will use SSO to access SpaceIQ, see SSO (Single Sign On) and SiQ.
Option 7 – Employee data manually imported and User access via Manual Login
Employee Data and User Data
With this option, your IT team will need to set up a process that:
- Extracts the Employee data from the ERP system to a flat file such as a .CSV file. A script can be used to automate the extraction, for example daily.
Then your SpaceIQ Admin will need to:
- Manually import the employees; see Add or Remove Employees via an Employee Import.
- Notify the employee that they will log in to SpaceIQ manually and inform them their email address is used to reset their password.
User Access
For how your employees will log in to SpaceIQ manually, see Manual Login and SiQ.
SSO Overview
SSO is the most popular method for SpaceIQ's customers. It allows a user to log in once to their network and thereby gain access to several network-connected programs, eliminating the need to sign in to each system individually.
SpaceIQ supports single sign-on (SSO) logins through SAML 2.0. A SAML 2.0 identity provider can take many forms, such as ADFS or Okta.
Security Assertion Markup Language (SAML) is an XML-based open standard data format used to exchange authentication and authorization data between Identity Providers (IDP) and Service Providers (SP).
SpaceIQ utilizes the SAML 2.0 standard as defined by the OASIS Technical Security Committee via a third-party library called Component Space.
The SAML standard defines the following roles and facilitates communication between them to create the Single Sign On process:
- User is the person logging into SpaceIQ
- Identity Provider (IDP) is the business
- Service Provider (SP) is SpaceIQ
The SAML 2.0 Single Sign On process can be either IDP initiated or SP initiated.
When the process is IDP initiated, then the user is taken to the IDP web login.
When the process is SP initiated, the following exchange of data takes place:
- User browses to the Service Provider’s URL.
- Then the user clicks the SSO button.
- The Service Provider communicates with the Identity Provider to authenticate the user’s credentials.
- When access is granted by the Identity Provider, the user is automatically logged into the SpaceIQ product.
Where access is not granted by the Identity Provider, e.g. due to timeout, the user will either:
- Receive a notification from the Identity Provider and will be unable to access the SpaceIQ application.
- Receive a notification from the Identity Provider and be requested to verify their login details.
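The SP-initiated exchange above ends with the Service Provider deciding whether the Identity Provider granted access. The following added example (not SpaceIQ's or ComponentSpace's code) shows the checks an SP applies to a SAML 2.0 Response once the library has verified its XML signature: the status code, InResponseTo, Destination, the NotBefore/NotOnOrAfter validity window (the timeout case described above) and the audience. The SP entity ID, ACS URL and the Response itself are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"   # hypothetical SP entityID
SP_ACS = "https://sp.example.com/saml/acs"               # hypothetical Assertion Consumer Service URL
EXAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

# Constructed, unsigned Response; not captured from any IdP. Timestamps are filled in by
# make_response() so the same template can yield a fresh or an expired assertion.
RESPONSE_TEMPLATE = """<samlp:Response xmlns:samlp="{samlp}" xmlns:saml="{saml}" ID="_r1"
    InResponseTo="{in_response_to}" Destination="{acs}" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>ada@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
def _ts(dt): return dt.strftime("%Y-%m-%dT%H:%M:%SZ")
def _parse_ts(s): return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def make_response(now, valid_for_s, request_id="_req42", status=SUCCESS):
    """Render the template; a negative valid_for_s produces an already-expired assertion."""
    return RESPONSE_TEMPLATE.format(samlp=NS["samlp"], saml=NS["saml"], in_response_to=request_id,
                                    acs=SP_ACS, status=status, audience=SP_ENTITY_ID,
                                    nb=_ts(now - timedelta(seconds=60)), noa=_ts(now + timedelta(seconds=valid_for_s)))

def check_response(xml_text, expected_request_id, now, skew_s=120):
    """Return (subject, None) if the assertion may be consumed, else (None, reason).
    Assumes the XML signature has already been verified by the SAML library."""
    root = ET.fromstring(xml_text)
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        return None, "IdP did not grant access"
    if root.get("InResponseTo") != expected_request_id:   # only accept replies to our own AuthnRequest
        return None, "response does not match an outstanding AuthnRequest"
    if root.get("Destination") != SP_ACS:
        return None, "response addressed to a different ACS URL"
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    skew = timedelta(seconds=skew_s)
    if now + skew < _parse_ts(cond.get("NotBefore")):
        return None, "assertion not yet valid"
    if now - skew >= _parse_ts(cond.get("NotOnOrAfter")):   # the "timeout" case from the text
        return None, "assertion expired (timeout)"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return None, "assertion issued for a different service provider"
    return assertion.find("saml:Subject/saml:NameID", NS).text, None
```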
Work with your SAML 2.0 Identity Provider
You will need to check with your IT team to find out whether or not your business has SSO already set up for other applications.
Either your IT team will use the existing Identity Provider, or they will need to choose a vendor to engage with and then work with the Identity Provider to gather information.
Then your IT team will need to complete the following:
- Install and configure the SSO Identity Provider.
- Activate the SpaceIQ Integration and configure the settings.
SpaceIQ has the following integrations available, or you can use the Custom SAML & SCIM Integration (see Option 3).
SSO (Single Sign On) and SpaceIQ
Depending on how your company has set up the SSO you will complete the SSO via your primary application or directly from the SiQ login screen.
For more details, see How do I Log in to SiQ?
Option 1
Your employee will log in from the User Provisioning Service Portal. The employee will complete the following:
- Receive an email notifying them that your SpaceIQ environment is using SSO.
- Log in to the primary application first and locate the SpaceIQ Web App.
- Click the SpaceIQ Web App and you will be automatically authenticated and logged in to SpaceIQ.
Integration Notes:
When your IT team sets up the integration the following fields are used to set up this option:
- {User Provisioning} Portal URL field contains the URL where the employee will find the SpaceIQ Web App.
- SSO Redirect URL field - this field is optional and it contains the URL the employee will be redirected to after they log out.
If your company wants to use Two-Factor Authentication, then refer to Two Factor Authentication Settings.
Option 2
Your employee will log in from the SpaceIQ Web App. The employee will complete the following:
- Receive an email notifying them that your SpaceIQ environment is using SSO.
- In the browser's URL field, enter https://main.spaceiq.com/
- Click the Login with SSO button; they will be automatically logged in to SiQ.
Manual Login and SpaceIQ
For your employees to manually log into SpaceIQ, your SpaceIQ Admin will need to complete the following:
- Add the Employee into SpaceIQ manually.
- Optional – The Employee will have a default role called Viewer; if they need a different role, then this can be assigned. See Update Employee(s) Manually.
- Send an email to the employee to notify them of their SpaceIQ username.
Then your employee will log in from the SpaceIQ Web App. The employee will complete the following:
- Receive an email notifying them that they must log in manually and reset their password.
- Reset their password.
- Log into SpaceIQ manually.
For more details, see How do I Log in to SiQ?