Vault SCIM Server configuration

This topic describes how to configure an OAuth2 Client app to access the SCIM server using appropriate administrative rights and scopes. Reasons to send requests to the SCIM server include managing users and groups (inbound provisioning) and creating PAM objects in CyberArk Privilege Cloud.

SCIM Server Overview

To send requests to the CyberArk Identity SCIM server, you need a user with access to an OAuth2 Client app. Once this is established, the authenticated user can use the OAuth2 Client app to retrieve a Bearer Token. This Bearer Token validates the user to the SCIM server when it's included in the REST request.

This allows third-party applications to manage objects through the SCIM server using HTTP requests such as GET, POST, and PUT. Supported requests depend on the object. Supported objects are:

  • Users
  • Groups
  • PAM objects

Creating a SCIM User

Create a user that is an OAuth confidential client to access the OAuth2 Client app.

  1. Log in to the Admin Portal with an administrative account.
  2. Click Core Services > Users > Add User.
  3. Give your user a login name, display name, and password.
  4. In the Status section in the account information page, select Is OAuth confidential client in order to change your user's permission settings, then click Create User.

Create a role for the SCIM user

Create a new role for the previously created SCIM user. You will later deploy the OAuth2 Client app to this role.

  1. Click Core Services > Roles > Add Role.
  2. Enter a suitable name for the SCIM role (e.g. SCIM Client) and save the role. Remember the name of the role as you will need it later.
  3. On the Administrative Rights page, add the appropriate administrative rights, depending on what you plan to use the client app for.

    Add the Vault Management right to allow users in this role to read and manage PAM objects in CyberArk Privilege Cloud. Adding any other management right together with the Vault Management right will override the Vault component and you will not be able to view any Vault objects.

  4. Navigate to the Members page, then click Add to add a new member to the role, then type the username created previously to find your user.
  5. Click Save after adding your user.

Add and configure the OAuth2 Client Application

  1. Log in to the Admin Portal with administrative credentials.

  2. Click Web Apps > Add Web Apps > Custom, then click Add next to OAuth2 Client.

  3. Add a distinctive name to your Application ID and personalize it by including a description and optionally a logo.

  4. On the General Usage page, make sure that the Client ID Type is Confidential, Must be OAuth Client (users with the OAuth role can access the application).

  5. On the Tokens page, select Client Creds.

  6. On the Scope page, add a new scope by clicking Add and enter a name for the scope.

  7. Under Allowed Rest APIs, click Add and then enter scim* in the REST Regex Box.

  8. Navigate to the Permissions page, then add the role you created previously and click Save.

    The application is now deployed.

Create a Bearer Token

Copy the bearer token so you can authenticate with the app when you test the endpoints.

  1. On the OAuth2 Client app, select Actions > Create Bearer Token and enter the OAuth 2.0 Client user information.
    This is the username and password for the SCIM user you configured previously.
  2. Copy the Bearer Token listed.
    If you lose the token, you will need to recreate it. Include the Bearer Token in REST requests to authenticate your access to the SCIM endpoints.
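The following is an added example, not code from this page or from CyberArk, that shows what the configuration above is for: a small client that obtains a bearer token with the client-credentials grant selected on the Tokens page, sends it in the Authorization header of a SCIM request, and re-obtains a token once if the server rejects the current one. It assumes, because the page does not state them, that the token endpoint is https://<tenant>/oauth2/token/<application ID> and that SCIM resources live under /scim/v2/ (which the scim* REST regex permits); the tenant URL, application ID, scope name and the FakeIdentityTenant stand-in are constructed for offline demonstration.

```python
"""SCIM client for a CyberArk Identity OAuth2 Client app (added example, not CyberArk's code).

Assumptions not stated on the page: token endpoint https://<tenant>/oauth2/token/<app id>
accepting grant_type=client_credentials with the SCIM user's login name/password as
client id/secret; SCIM resources under https://<tenant>/scim/v2/.
"""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request


class ScimClient:
    def __init__(self, tenant_url, app_id, client_id, client_secret, scope, opener=None):
        self.tenant_url = tenant_url.rstrip("/")
        self.app_id = app_id
        self.client_id = client_id
        self.client_secret = client_secret
        self.scope = scope  # the scope name created on the app's Scope page
        # Injectable transport so the client can be exercised without network access.
        self.opener = opener or urllib.request.urlopen
        self._token = None
        self._expires_at = 0.0

    def _send(self, req):
        with self.opener(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read().decode() or "null")

    def get_token(self):
        """Fetch a bearer token via client credentials; reuse it until shortly before expiry."""
        if self._token and time.time() < self._expires_at - 60:
            return self._token
        body = urllib.parse.urlencode(
            {"grant_type": "client_credentials", "scope": self.scope}).encode()
        basic = base64.b64encode(f"{self.client_id}:{self.client_secret}".encode()).decode()
        req = urllib.request.Request(
            f"{self.tenant_url}/oauth2/token/{self.app_id}", data=body, method="POST",
            headers={"Authorization": f"Basic {basic}",
                     "Content-Type": "application/x-www-form-urlencoded"})
        status, payload = self._send(req)
        if status != 200 or "access_token" not in payload:
            raise RuntimeError(f"token request failed: HTTP {status} {payload}")
        self._token = payload["access_token"]
        self._expires_at = time.time() + int(payload.get("expires_in", 3600))
        return self._token

    def request(self, method, path, body=None):
        """Send a SCIM request with the bearer token; if it is rejected, recreate it and retry once."""
        for attempt in (1, 2):
            req = urllib.request.Request(
                f"{self.tenant_url}/{path.lstrip('/')}", method=method,
                data=json.dumps(body).encode() if body is not None else None,
                headers={"Authorization": f"Bearer {self.get_token()}",
                         "Accept": "application/scim+json",
                         "Content-Type": "application/scim+json"})
            try:
                return self._send(req)
            except urllib.error.HTTPError as exc:
                if exc.code == 401 and attempt == 1:
                    self._token = None  # token no longer accepted: force a fresh one
                    continue
                raise

    def list_users(self):
        _status, payload = self.request("GET", "scim/v2/Users")
        return payload.get("Resources", [])


class _FakeResponse:
    def __init__(self, status, payload):
        self.status = status
        self._body = json.dumps(payload).encode()

    def read(self):
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


class FakeIdentityTenant:
    """Constructed offline stand-in for the tenant: issues tokens and serves one SCIM user."""
    def __init__(self):
        self.token_requests = 0
        self.valid_tokens = set()

    def revoke_all(self):
        self.valid_tokens.clear()

    def __call__(self, req, timeout=None):
        path = urllib.parse.urlparse(req.full_url).path
        if path.startswith("/oauth2/token/"):
            self.token_requests += 1
            token = f"tok-{self.token_requests}"
            self.valid_tokens.add(token)
            return _FakeResponse(200, {"access_token": token, "expires_in": 3600})
        auth = req.get_header("Authorization", "")
        presented = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if presented not in self.valid_tokens:
            raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, None)
        if path == "/scim/v2/Users" and req.get_method() == "GET":
            return _FakeResponse(200, {"totalResults": 1,
                                       "Resources": [{"userName": "alice@example.com"}]})
        raise urllib.error.HTTPError(req.full_url, 404, "Not Found", {}, None)


def demo():
    """List users, invalidate the token, list again; the client recreates the token once."""
    tenant = FakeIdentityTenant()
    client = ScimClient("https://tenant.example", "scim-app", "scim-svc", "secret",
                        "scim.rw", opener=tenant)
    first = client.list_users()
    tenant.revoke_all()            # simulate the token being lost or invalidated
    second = client.list_users()   # transparent token refresh and one retry
    return first, second, tenant.token_requests


if __name__ == "__main__":
    print(demo())
```

To run against a real tenant, drop the `opener` argument so `urllib.request.urlopen` is used, and supply the SCIM user's login name and password as `client_id` and `client_secret`; the scope passed must be the one whose Allowed Rest APIs regex admits the SCIM paths, otherwise the token is valid but the SCIM request is refused.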