Automatic user provisioning (SCIM) overview

Overview

Hoxhunt supports System for Cross-domain Identity Management (SCIM 2.0), which is an industry-standard protocol for automated exchange of user identity information between different domains or IT systems.

NOTE: This feature is currently only available for Azure AD, Okta and OneLogin. If you are using another Identity Provider, please contact Hoxhunt Support before setting up the user provisioning.

With SCIM, your Identity Provider (IdP) sends employee data (identity information) to Hoxhunt to keep user data up to date whenever the user-associated data is changed on your side. Changes made to the assignment group will automatically provision or de-provision on Hoxhunt side.

Depending on your Identity Provider (IdP), please select a suitable configuration guide:

Azure AD SSO and SCIM configuration

Okta SSO and SCIM configuration

OneLogin SSO and SCIM

 

SCIM_KB.png

Figure 1. Overview of Azure AD user provisioning to Hoxhunt.

Features

One-way synchronization

User provisioning with Hoxhunt works only one way - from your identity provider to Hoxhunt.

Automatic synchronization

How often provisioning is run depends on whether you are using Azure AD or Okta. For example for Azure AD, provisioning occurs every 40 minutes, and for Okta provisioning occurs immediately (JIT).

Easy migration from manual user management to SCIM

If you have started Hoxhunt service with manual user management, switching to SCIM provisioning will automatically link your existing Hoxhunt users with your Identity Provider's user directories.

Automatically provision new employees to Hoxhunt

Automatically create new accounts into Hoxhunt for new employees when they join your organization or a specific Hoxhunt user group.

Synchronize various user attributes to Hoxhunt

Ensure that the user details such as country and department information are kept up to date in Hoxhunt whenever there are respective changes in your user directory or HR system.

Govern access

Control, monitor and audit who has been provisioned into Hoxhunt.

Automatically remove employees from Hoxhunt who have left the company

Automatically deactivate accounts in Hoxhunt when people leave your organization or a specific Hoxhunt user group (see User soft deletion below).

User soft deletion

As a fail-safe mechanism, Hoxhunt supports a soft delete feature for automatically provisioned users. This ensures that if a user is accidentally unassigned from Hoxhunt SCIM application on your side, the user's Hoxhunt data is not immediately deleted.

    • User account is soft deleted if:
      • User is unassigned from the Hoxhunt SCIM application in your identity provider
      • Group that user belongs to is unassigned from the Hoxhunt SCIM application in your identity provider
      • User is deleted from your identity provider

When any of the above criteria is met, your Hoxhunt SCIM application will ask Hoxhunt system to deactivate the user in Hoxhunt. Hoxhunt will mark the User as soft-deleted and will eventually delete the user’s data after 90 days have passed. If the user is re-activated or re-assigned in Hoxhunt SCIM application before the 90 days have passed, the soft deletion is canceled.

 

Important notes

SCIM can only control users within the assignment scope

Existing Hoxhunt users who are not included in your provisioning scope are left untouched, and are not controlled by SCIM. If you wish to remove these users, please remove them via Admin portal or ask assistance from Hoxhunt Support.

Provisioning doesn't automatically invite or auto-start new users to Hoxhunt training

Simply provisioning a new user to Hoxhunt doesn't automatically trigger an invite or auto-start for Hoxhunt training. Please use Hoxhunt Admin portal to enrol the new users or contact Hoxhunt Support to arrange a periodic activation schedule.

 

Was this article helpful?

3 out of 4 found this helpful

Have more questions? Submit a request