The System for Cross-domain Identity Management (SCIM) API is a free Single Sign-On (SSO) add-on that enables automatic provisioning of User Profiles on an Identity Provider (IDP) into Vonage Business or other cloud-based applications.
For example, an IT department may want to use its IDP as a Single Source of Truth for user information, with the ability to sync users to Vonage Business, add existing users, and change users' names and email addresses.
Only Super Users and Administrators can set up SCIM. The SCIM API is disabled by default but is available for the account once SCIM is enabled.
NOTE: Only OneLogin, Okta, and Azure are supported at this time.
Set Up SCIM
Add SCIM Provisioning User
- Sign in to the Admin Portal.
- Add an Account Administrator to the account to use as the SCIM Provisioning User, or continue with the Super User on the account. See Manage Your Users for details.
NOTES:
- If you are using an Account Admin user type, automatic synchronization is prevented for other Account Admins or Super Users on the account.
- This user is used for synchronization so the username or password should not be changed. If changed, the IDP Admin must reconfigure and synchronize again.
- This user must have their SSO disabled.
Enable SCIM
When enabled, One Way Provisioning is active and user profiles can only be edited using the IDP, not the VBC Admin Portal. Users must be set up on the IDP in the SCIM application.
- Sign in to the Admin Portal.
- Click Account.
- Click User Provisioning and go to the Provisioning panel.
- Mark the option for Enable SCIM User Provisioning and then click Save.
- Check Users can only be added via SCIM, if applicable. Enabling this option removes the ability to add users through Admin Portal.
- Check Disable new user welcome emails, if applicable. Enabling this option disables New User Email for users generated via SCIM. Users created manually via Admin Portal will continue to receive welcome kit emails.
Set Up Okta
Add Vonage Application to Okta
- Verify that users are created and assigned to groups. See Single Sign-On for details.
- Go to the Okta Portal and click Applications.
- Click Add Application, then search for Vonage and then select the Vonage tile.
NOTE: Only add the Vonage App; do not add the Vonage Business App. If your account already uses SSO, use your existing SSO Vonage App.
- Click Add.
- Edit the Application Label, if desired, and document SCIM Setup to easily tell Vonage Applications apart when using SSO.
- Click Next and go to Single Sign-On Options.
- Click Done.
- Go to the Provisioning section and click Configure API Integration.
- Mark the checkbox for Enable API Integration and then click Authenticate with Vonage.
- Sign in to the Vonage Admin Portal with the SCIM Provisioning User Profile you created earlier.
NOTE: When you are redirected back to the Okta page, confirm that Vonage was verified successfully by reviewing the confirmation pop-up on the screen.
- Click Save.
Set Up Vonage Application
- Go to the Provisioning section in the Okta Portal and click To App.
- Click Edit and then mark the following options:
Options | Action |
Create Users | Adds the user as an End User in the Admin Portal but does not assign an extension. NOTES:
- Extensions must be assigned by the SU or AA using normal operating procedures.
- If the system finds a username match between IDP and VBC, instead of creating a new record, the records are linked. If the match is not found, a new user is created.
- Any change to First Name, Last Name, username, or email address in the IDP updates the VBC user record.
- Welcome Kit Email is sent at user creation.
- If SSO is enabled, the Password Reset link is not included.
- If SSO is not enabled, the Password Reset link is sent.
|
Update User Attributes | Updates the First and Last name, Email, and Username. Changes are reflected immediately in the customer's Vonage Business service. |
Deactivate Users | The user’s profile in the Admin Portal is unlinked from automatic provisioning. All user profile fields become editable in the Admin Portal. The user is not automatically deleted from VBC. |
- Click Save.
- Click Assignments.
- Click the Assign button and then add People/Groups to grant access to synchronize with VBC.
- Go to the User Profile page in the Vonage Admin Portal and verify the following:
- Hover over the User icon and confirm the message The user is managed by Company Directory.
- Synchronized users are unable to change their basic profile, except their password, unless SSO is enabled.
Set Up OneLogin
Set Up Azure
Add Vonage Application to Azure
- Verify that users are created and assigned to groups. See Single Sign-On for details.
- Go to the Azure Portal and go to the Menu (three lines at top-left).
- Click Azure Active Directory, then click Enterprise Application on the left-hand side of the page.
- Click New Application and then select the Vonage tile.
- Enter a name, if desired, and then click Create.
NOTE: If your account already uses SSO, use your existing SSO Vonage App.
Enable User Provisioning in Azure
- Ensure VBC usernames match the Active Directory usernames; this avoids the creation of duplicate users.
- Confirm the users have their email address profile field populated; provisioning cannot complete if missing.
- Select Provisioning, then click Get Started.
- Go to the Provisioning Mode dropdown and select Automatic.
- Click Admin Credentials and click Authorize; a Vonage sign-in page opens.
- Sign in with your SCIM Provisioning User credentials; you are returned to the Azure page.
- Confirm connection by selecting Test Connection.
NOTE: If properly connected, a pop-up displays in the right-hand corner of the page advising the connection was successful.
- Click Save.
- Select the X at the top right side of the page.
Set Up Vonage Application
- Go to Users and Groups on the left side of the page in the Azure Portal.
- Assign Users and Groups to the application that you would like to have provisioned.
NOTE: It takes about 40 minutes to sync changes with the Vonage Admin Portal.
Options | Action |
Create | Adds the user as an End User in the Admin Portal but does not assign an extension. NOTES:
- If the system finds a username match between IDP and VBC, instead of creating a new record, the records are linked. If the match is not found, a new user is created.
- Welcome Kit Email is sent at user creation; if SSO is enabled and the Single Sign-On Enforcement is enabled, the New User email does not include a Password Reset link.
|
Update | Any change to First Name, Last Name, Username, or Email address in the IDP automatically updates the VBC User profile. This also applies to existing IDP/VBC linked users. |
Delete | The user’s profile in the Admin Portal is unlinked from automatic provisioning. All user profile fields become editable in the Admin Portal. The user is not automatically deleted from VBC. NOTE: The user’s session is NOT revoked. The user can continue working with the application until the session expires. |
- Go to the User Profile page in the Vonage Admin Portal and verify the following:
- Hover over the User icon and confirm the message The user is managed by Company Directory.
- Synchronized users are unable to change their basic profile, except their password, unless SSO is enabled.
Troubleshoot Issues
General Issues | Confirm that SCIM is enabled in your VBC account. |
Error Messages Display | View the Audit Log on the SSO page in the VBC Admin Portal for additional information. |
Okta Errors |
- Sign in to Okta.
- Click on Dashboard (on top).
- Click Tasks to view failures.
|
Azure Errors |
- Sign in to Azure.
- Go to Vonage Application, then Provisioning.
- Click View Provisioning Logs.
|
Users/Changes Not Synchronizing | Verify the following:
- Usernames do not contain spaces and are no shorter than 6 characters and no longer than 50 characters.
- Usernames only contain letters, numbers, or the following characters:
- Colon
- Parentheses
- Underscore
- @ sign
- Dash
- Comma
- Period
- First/Last name does not contain spaces and is no shorter than 1 character and no longer than 45 characters.
- First/Last name only contains letters, numbers, or the following characters:
- Colon
- Parentheses
- Dash
- Comma
- Period
- Apostrophe
|
Changes are not synchronizing for AA or SU on the account | If SCIM Provisioning User is an Account Admin user type, synchronization for other Account Admins or Super Users is outside of the user's permissions. |
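The username, name, and email rules above can be checked against an IDP export before users are assigned to the Vonage application, together with whether each valid record would link to an existing VBC user or create a new one. This is an added example, not Vonage code; the flat record layout (userName, givenName, familyName, email), the reading of "letters" as ASCII letters, and exact case-sensitive username matching are assumptions.

```python
import re

# Allowed characters as listed in the troubleshooting table. Reading "letters"
# as ASCII letters is an assumption; the page does not specify.
USERNAME_RE = re.compile(r"[A-Za-z0-9:()_@,.\-]+")
NAME_RE = re.compile(r"[A-Za-z0-9:(),.'\-]+")


def check_user(user):
    """Return the reasons a record would fail to synchronize (empty if none)."""
    problems = []
    username = user.get("userName") or ""
    if not 6 <= len(username) <= 50:
        problems.append("userName: length must be 6-50")
    if " " in username:
        problems.append("userName: contains a space")
    elif username and not USERNAME_RE.fullmatch(username):
        problems.append("userName: disallowed character")
    for field in ("givenName", "familyName"):
        value = user.get(field) or ""
        if not 1 <= len(value) <= 45:
            problems.append(f"{field}: length must be 1-45")
        if " " in value:
            problems.append(f"{field}: contains a space")
        elif value and not NAME_RE.fullmatch(value):
            problems.append(f"{field}: disallowed character")
    if not (user.get("email") or "").strip():
        problems.append("email: empty, provisioning cannot complete")
    return problems


def plan(users, vbc_usernames):
    """Map each userName to 'link', 'create', or its list of problems."""
    result = {}
    for user in users:
        name = user.get("userName")
        # Exact, case-sensitive username matching is an assumption.
        result[name] = check_user(user) or ("link" if name in vbc_usernames else "create")
    return result


# Constructed sample data, not taken from any real directory.
SAMPLE = [
    {"userName": "j.doe@example.com", "givenName": "Jane", "familyName": "O'Neil", "email": "j.doe@example.com"},
    {"userName": "bob", "givenName": "Bob", "familyName": "Lee", "email": "bob@example.com"},
    {"userName": "mary_ann", "givenName": "Mary Ann", "familyName": "Kim", "email": ""},
    {"userName": "new.hire", "givenName": "Ravi", "familyName": "Patel", "email": "ravi@example.com"},
]
EXISTING_VBC = {"j.doe@example.com"}
print(plan(SAMPLE, EXISTING_VBC))
```

Review the records reported as "link" before assignment: those existing VBC profiles become managed by the IDP and can no longer be edited in the Admin Portal.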