User Provisioning with SCIM 2.0

Peakon provides an API dedicated to automatic provisioning and de-provisioning of employees – keeping Peakon survey participation in sync with any system supporting the SCIM 2.0 protocol, including Microsoft Azure Active Directory, Okta, OneLogin and more. This method allows multiple systems to update and sync employee records.

About SCIM 2.0

SCIM 2.0 specifies a standardized REST protocol for unidirectional provisioning of users over HTTP. Your existing identity management system can be configured to automatically synchronize changes made to its database to a third party application like Peakon.
In the SCIM protocol, the central identity management system is called the /identity provider/ and the third party application is called a /service provider/. By configuring Peakon as a service provider with your existing identity management system, your organization will be able to take full advantage of automatic account provisioning.

Supported operations

Peakon supports the following set of operations in the SCIM 2.0 protocol:

• Creating users
• Updating users
• Deleting users
• Activating/deactivating users
• Bulk operations for users

📘

Group operations operations are not supported

Operations relating to the Group resource in the SCIM 2.0 protocol are currently not supported in Peakon.

Configuration

IT administrators can configure this by first clicking on Administration in the bottom left corner of the Peakon dashboard, choosing Integrations, and then selecting Employee Provisioning from the list of integrations. Click the yellow Enable button and you’ll be taken to the page you see in the screenshot below.

From this page use the SCIM URL and OAuth Bearer Token below to configure your SCIM 2.0 Identity Provider to automatically sync changes to Peakon.
For full documentation of our employee provisioning API, review the SCIM 2.0 API Reference.

On-premise vs. Azure Active Directory

User provisioning through SCIM 2.0 is only available through the hosted AD version called Azure Active Directory . If you are currently using an on-premise Active Directory solution it will need to first be configured to sync its data to Azure Active Directory using Azure AD Connect, as described in this article.

When configuring Azure AD for provisioning, it is important to only enable syncing of /Users/, but disable /Groups/. Peakon does not support SCIM groups at this time, so it will not reflect groups as defined in Azure AD.

Troubleshooting

I am using Azure AD and users are not being created/updated as expected? 
/Answer: Check that you have configured Azure AD to use the base SCIM URL without the//scim/v2/path at the end, as Azure appends this automatically./

External Documentation

The following sections of the SCIM 2.0 specification are relevant to the above operations for anyone looking to create a custom integration with the Peakon SCIM API.

• SCIM 2.0 API specification
• Retrieving a user
• Creating a user
• Updating a user
• Deleting a user
• Filtering users
• Resource pagination