TerraTrue offers seamless user group management by integrating with your Identity Provider (IdP) using SCIM (System for Cross-domain Identity Management). This integration allows for centralized management of user permissions, access groups, and review teams, streamlining the process and enhancing security. This guide will help you configure and manage user groups in TerraTrue using SCIM Sync.
Prerequisites
- Ensure you have administrative access to both TerraTrue and your Identity Provider.
- Verify that your Identity Provider (IdP) supports the SCIM v2 protocol.
- SCIM must already be configured for user provisioning.
SCIM Configuration
- If you haven’t enabled SCIM in your org, the following help center articles and references can help you configure SCIM for user provisioning:
- Make sure that your SCIM integration with your IdP is working properly for user provisioning, de-provisioning and updates.
Mapping User Groups via SCIM Identity Provider
In order to map Permissions, Access Groups, and Review Teams to your Identity Provider (IdP), you must first configure the TerraTrue groups (Permissions, Review Teams, and Access Groups) that will map to groups in your IdP.
TerraTrue Groups Configuration
Permissions
- TerraTrue roles and their permissions are predefined by TerraTrue. With SCIM, you can assign users to roles, and therefore to their permissions, directly in your IdP. Setup instructions and details of the permissions available in each role can be found in Configuring Permissions and Roles.
- User permissions that are already configured in TerraTrue will not be carried over to your IdP and will need to be set up in your IdP.
- To keep the current assignments in TerraTrue, you will need to reflect them in IdP groups. Otherwise, the assignments will be removed when the users sign in with SSO.
- When Group Sync with SCIM is enabled, permissions cannot be assigned directly in TerraTrue.
- However, the Everyone permission in Identity and Access Management, which grants permissions to every existing user in your org, can still be configured directly in TerraTrue.
Review Team
- Ensure that your Review Teams are configured in TerraTrue by going to Org Settings > Review Teams, so that the groups are available to map. Setup instructions for creating and editing Review Teams are available for your reference.
- Note: Review Team memberships that are already configured in TerraTrue will not be carried over to your IdP and will need to be set up in your IdP.
Access Groups
- Ensure that your Access Groups are configured in TerraTrue by going to Org Settings > Access Groups, so that the groups are available to map. Setup instructions for creating and editing Access Groups are available for your reference.
- Note: Access Group memberships that are already configured in TerraTrue will not be carried over to your IdP and will need to be set up in your IdP.
TerraTrue Group Mapping
After ensuring the groups in your IdP match the TerraTrue groups, you’ll need to map your IdP groups to TerraTrue groups.
- Go to Org Settings > Authentication > User Group Mappings.
- Switch on “Enable Group Sync with Identity Provider”, then select SCIM as your provisioning method.
- Sort or filter by the group type (Permissions, Review Teams, Access Groups).
- Go to your IdP and create a corresponding group for each Permission, Access Group and Review Team whose memberships will be managed from it.
- Note: Reflect the current memberships set in TerraTrue in each corresponding IdP group; otherwise you could lock yourself out of TerraTrue.
- Enter the IdP group name next to the corresponding TerraTrue group.
- Click “Save & Apply Changes” to persist the configuration.
Identity Provider Configuration
Microsoft Entra
This feature is coming soon with the new version of the TerraTrue application in MS Entra Gallery. Please contact TerraTrue support to be an early adopter.
Okta
- In Okta Administrator UI, go to the TerraTrue application.
- Go to the Push Groups tab and click on the Refresh App Groups button. A successful message is displayed.
- Click on the Push Group button and then choose the Find Groups by Name option.
- Note: Before proceeding, please ensure that all current memberships in TerraTrue are accurately reflected in the corresponding groups in Okta. Otherwise, members may be inadvertently removed, which could potentially lock you out of TerraTrue.
- Enter the name of one TerraTrue group and click on the name when it is displayed.
- Note: Our SCIM implementation does not support pushing new groups or deleting existing groups from Okta to TerraTrue. Any attempts to perform these operations will fail. Groups must be created in TerraTrue and then linked to Okta groups.
- Click on the Save & Add Another button and repeat this process for all groups. For more information, please refer to Configure Group Linking.
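Both the group mapping note above and the Okta note in this section warn that memberships not mirrored in the IdP are removed once sync is enabled, up to and including your own admin role. The script below is an added example, not TerraTrue or Okta code: it takes the memberships TerraTrue currently holds per group, the memberships of the IdP groups you are about to map, and the name mapping you will enter under User Group Mappings, and reports who would lose or gain a group, which mapped groups have no IdP counterpart yet, and whether the admin group would be left empty. All user names, group names and mappings are constructed for illustration.

```python
"""Pre-flight check before switching on "Enable Group Sync with Identity Provider".

Added example, not TerraTrue code: compares the memberships TerraTrue holds today
for each group against the memberships of the IdP groups you are about to map and
reports who would lose access once the IdP becomes authoritative. All names,
groups and mappings below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


def _norm(user: str) -> str:
    # Compare identities case-insensitively so "Alice@Example.com" in the IdP
    # is not reported as a dropped member of "alice@example.com".
    return user.strip().lower()


@dataclass
class PreflightReport:
    missing_idp_groups: list[str] = field(default_factory=list)       # TerraTrue groups with no IdP group
    unknown_terratrue_groups: list[str] = field(default_factory=list) # mapped, but not created in TerraTrue
    dropped: dict[str, set[str]] = field(default_factory=dict)        # group -> members who would lose it
    added: dict[str, set[str]] = field(default_factory=dict)          # group -> members who would gain it
    lockout_risk: bool = False                                        # admin group would be empty after sync


def preflight(terratrue_groups: dict[str, list[str]],
              idp_groups: dict[str, list[str]],
              mapping: dict[str, str],
              admin_group: str) -> PreflightReport:
    report = PreflightReport()

    # Groups must exist in TerraTrue before they can be linked; sync cannot create them.
    for tt_group in mapping:
        if tt_group not in terratrue_groups:
            report.unknown_terratrue_groups.append(tt_group)

    for tt_group, members in terratrue_groups.items():
        current = {_norm(u) for u in members}
        idp_name = mapping.get(tt_group)
        if idp_name is None or idp_name not in idp_groups:
            # No IdP group to take over: every current member is effectively removed.
            report.missing_idp_groups.append(tt_group)
            if current:
                report.dropped[tt_group] = current
            continue
        future = {_norm(u) for u in idp_groups[idp_name]}
        if current - future:
            report.dropped[tt_group] = current - future
        if future - current:
            report.added[tt_group] = future - current

    # Lockout risk: nobody would hold the admin role once the IdP is authoritative.
    admin_idp = mapping.get(admin_group)
    remaining = idp_groups.get(admin_idp, []) if admin_idp else []
    report.lockout_risk = len(remaining) == 0
    return report


def format_report(report: PreflightReport) -> list[str]:
    lines = []
    for g in report.unknown_terratrue_groups:
        lines.append(f"NOT IN TERRATRUE  {g}: create it in TerraTrue before linking")
    for g in report.missing_idp_groups:
        lines.append(f"NO IDP GROUP      {g}: create and populate it in the IdP first")
    for g, users in sorted(report.dropped.items()):
        lines.append(f"WOULD LOSE        {g}: {', '.join(sorted(users))}")
    for g, users in sorted(report.added.items()):
        lines.append(f"WOULD GAIN        {g}: {', '.join(sorted(users))}")
    if report.lockout_risk:
        lines.append("LOCKOUT RISK      admin group would have no members after sync")
    return lines or ["OK: IdP memberships match TerraTrue"]


# Constructed sample data (hypothetical org; not real TerraTrue or IdP exports).
TERRATRUE_GROUPS = {
    "Permission: Org Admin": ["alice@example.com", "bob@example.com"],
    "Review Team: Privacy": ["carol@example.com", "dave@example.com"],
    "Access Group: Legal": ["erin@example.com"],
}
IDP_GROUPS = {
    "tt-org-admin": ["Alice@Example.com"],
    "tt-review-privacy": ["carol@example.com", "dave@example.com", "frank@example.com"],
}
MAPPING = {
    "Permission: Org Admin": "tt-org-admin",
    "Review Team: Privacy": "tt-review-privacy",
    "Access Group: Legal": "tt-access-legal",  # not created in the IdP yet
}

if __name__ == "__main__":
    for line in format_report(preflight(TERRATRUE_GROUPS, IDP_GROUPS, MAPPING, "Permission: Org Admin")):
        print(line)
```

Run it with the real exports substituted for the constructed dictionaries before clicking “Save & Apply Changes”; a non-empty WOULD LOSE list for a Permission group, or a LOCKOUT RISK line, means the IdP groups still need to be populated. The same comparison, run after the initial sync with TerraTrue's post-sync memberships as the first argument, doubles as the verification step.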
OneLogin
This feature is coming soon with the new version of the TerraTrue application in the OneLogin App Catalog.
JumpCloud
This feature is not currently compatible with JumpCloud.
Test SCIM Sync
Next, you’ll need to ensure that groups are correctly configured in your Identity Provider (IdP).
- Initial Sync
  - Trigger an initial sync from your IdP to ensure user groups are correctly mapped and synchronized with TerraTrue.
- Verify Sync
  - Check TerraTrue to verify that the user groups and memberships are accurately reflected.
  - Ensure permissions and access are correctly assigned based on the synced groups.
Managing SCIM Sync
Once groups are mapped, TerraTrue automatically synchronizes memberships based on your IdP settings: changes to group memberships in your IdP sync to TerraTrue without further action. Test the sync with SCIM to ensure group memberships are synced correctly. If you encounter any issues, check the logs in your IdP for error messages and review the TerraTrue Org History. You may also reach out to TerraTrue support for assistance with troubleshooting and resolving sync issues.