SCIM: Important information and recommendations
SCIM (System for Cross-domain Identity Management) is a protocol that enables integration of externally managed user data with a system. By implementing this standard in the SoSafe Manager, you can automate the creation and ongoing update of user data, including first name, last name, email address, gender, and user group. This automation ensures that changes such as new hires, name changes, or departures, when updated in Azure Entra ID, are also reflected in the SoSafe database.
To make things short: SCIM eliminates the need for manual user data management.
Requirements and limitations
The SCIM integration with the SoSafe Manager is limited to data from Microsoft Azure Entra ID. On-premises Active Directory is not supported.
It only allows for the connection of a single Azure tenant. All user data must be managed within one Azure tenant, as connections to multiple tenants are not supported.
Once a SCIM connection is established with the SoSafe Manager, user administration on your end must be done solely through Azure Entra ID. Importing users into the SoSafe database through Excel or CSV files is no longer an option.
The system supports individual email addresses only. Group or shared email addresses are not supported.
To provision Azure security groups, an “Azure Entra ID/Active Directory Premium P1” license or higher is required. Without this license, users must be added to the SoSafe application individually.
Technical recommendations:
Plan user group assignments early. Create your own Azure security groups that will be dynamically populated with the right people. Keep in mind that Azure does not support nested groups, and no individual should belong to multiple groups.
For multilingual setups, assign the "preferredLanguage" attribute to each user with their respective language, using ISO 639-1 codes (such as "de" or "en"). You can also use combinations such as de-DE and en-US (ISO 639-1 language code plus ISO 3166-1 country code). Additionally, you can set a default language for users who don't have a language assigned.
Ensure all domains used in the email addresses are administered by your organization. If you’re using multiple domains, reach out to your SoSafe contact person and provide a list of these domains.
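The checks in the recommendations above (a single individual email address, an email domain your organization administers, at most one group per user, and a well-formed "preferredLanguage" with a default fallback) can be run over a SCIM User resource before it is provisioned. The following is an added example, not SoSafe's or Microsoft's code; the allowed domain list, the sample user records and the default language are constructed assumptions.

```python
import re

# Constructed: the domains the organization administers (the list SoSafe asks for).
ALLOWED_DOMAINS = {"example.com", "example.org"}
DEFAULT_LANGUAGE = "en"  # constructed default for users without preferredLanguage
# ISO 639-1 language code, optionally followed by an ISO 3166-1 country code (de, de-DE).
LANG_RE = re.compile(r"^[a-z]{2}(-[A-Z]{2})?$")

# Constructed SCIM User resource in the shape Entra ID provisioning sends.
SAMPLE_USER = {
    "userName": "erika.muster@example.com",
    "name": {"givenName": "Erika", "familyName": "Muster"},
    "emails": [{"value": "erika.muster@example.com", "primary": True}],
    "preferredLanguage": "de-DE",
    "groups": [{"display": "Awareness-Group-Finance"}],
    "active": True,
}

def resolve_language(user, default=DEFAULT_LANGUAGE):
    """Return preferredLanguage when it is well-formed, otherwise the default."""
    lang = user.get("preferredLanguage")
    return lang if lang and LANG_RE.match(lang) else default

def check_user(user, allowed_domains=ALLOWED_DOMAINS):
    """Return the list of problems that would make this user unsuitable for provisioning."""
    problems = []
    emails = [e.get("value", "") for e in user.get("emails", [])]
    if len(emails) != 1:
        problems.append("exactly one individual email address expected")
    for addr in emails:
        domain = addr.rpartition("@")[2].lower()
        if domain not in allowed_domains:
            problems.append(f"email domain not administered by the organization: {domain}")
    if len(user.get("groups", [])) > 1:
        problems.append("user belongs to more than one group")
    lang = user.get("preferredLanguage")
    if lang is not None and not LANG_RE.match(lang):
        problems.append(f"malformed preferredLanguage: {lang!r}")
    return problems

if __name__ == "__main__":
    print(check_user(SAMPLE_USER), resolve_language(SAMPLE_USER))
```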
Further recommendations:
To enhance phishing simulation quality, consider including gender and academic degree in the data transfer. These are not default Azure Entra ID data, but can be added via an extension attribute. Let us know the values you choose for gender (such as "m, w, x" or "man, woman, neither"). Do note that the simulation also works without this data. Our use of various data categories is outlined in our Data Processing Agreement.
Currently, we support SCIM connections through Azure Entra ID and Okta AD only. Shibboleth, ADFS, and setups with multiple ADs are not supported.
How to remove users:
To remove an employee from the awareness training, delete them from the SoSafe application in Azure Entra ID.
They will be automatically deactivated in the SoSafe user list within the next synchronization cycle (around 40 minutes) and permanently deleted after 90 days.
To reverse a deletion, add the person back within 90 days. They will be able to pick up where they left off.
After 90 days, the individual will be completely removed from SoSafe’s system. If they are re-added, they will have to start the training from scratch.