SCIM
To enable SCIM support, you first need to generate an API key for a Superuser. As a superuser, go to the user menu near the upper-right, and choose "Manage API keys." Click "Create New Token." Copy the token and paste that in as a "Bearer Token" on your SCIM client's configuration pages. Sometimes this means you may have to add the word "Bearer" with a space and then your API token. The full authorization header should look something like:
Authorization: Bearer abcdefghijklmnopqrstuvwxyz1234567890
The SCIM client will be able to create users from your directory, and Snipe-IT will try to map every field it can to the appropriate field within Snipe-IT.
The Snipe-IT SCIM URL’s will start with https://your_servername/scim/v2/ - in most SCIM providers, you need to just place that prefix of https://your_servername/scim/v2 and the SCIM protocol will handle the rest for you.
Snipe-IT can only sync Users, not Groups
Snipe-IT only has built-in mappings for Users, but not yet for the Groups section. Snipe-IT cannot sync Groups via SCIM at this time.
Fields that Snipe-IT Cannot Handle (yet)
- displayName
- Mobile Phone Number
- Manager
Unsupported HTTP Verbs
DELETE is not supported by the underlying library yet
Azure SCIM and User Databases
If you restore from a backup, or regenerate your Users table somehow, you may need to delete your provisioning profile and re-create it. This is because Azure will "remember" your old user ID's and will refuse to "learn" the new ones. The only way to make it "forget" is to delete your provisioning profile and re-create it.
All supported mappings into Snipe-IT
| SCIM Name | Snipe-IT Users field | Data Type | Required? |
|---|---|---|---|
| userName | username | string | YES |
| givenName | First Name | string | YES |
| familyName | Last Name | string | |
| emails.work.value | string | ||
| active | Activated | boolean | |
| phoneNumbers.work.value | Phone | string | |
| addresses.work.streetAddress | Address | string | |
| addresses.work.locality | City | string | |
| addresses.work.region | State | string | |
| addresses.work.postalCode | ZIP | string | |
| addresses.work.country | Country | string | |
| title | jobtitle | string | |
| preferredLanguage | locale | string | |
| (Enterprise Namespace):employeeNumber | employee_num | string | |
| department | (Lookup by name to set department_id) | string |
Environment Variables
In your .env file, you can specify two new environment values that modify how Snipe-IT's SCIM server works.
| Name | Description | Default value |
|---|---|---|
SCIM_TRACE | When set to true, all SCIM requests and responses will be logged to a scim.log file in the storage/logs directory | false |
SCIM_STANDARDS_COMPLIANCE | When set to true, Snipe-IT tries to more closely follow the SCIM specifications. Definitely needed for OneLogin. When set to false, Snipe-IT maintains its original behavior. (This seems to rarely need to be changed) | true |
SCIM support did not previously support changing email addresses via Azure and some other SCIM clients. Since v6.2, that has been fixed, but if you were depending on the previous behavior, you may get unexpected results.
Okta Notes
If you get an error message of "User Account is Inactive" when trying to synchronize the 'login enabled' checkbox, make sure to enable "Deactivate Users" in the "Provisioning Settings" within the App settings on Okta. Read more in their support document here: https://support.okta.com/help/s/article/Smartsheet-provisioning-error-Automatic-provisioning-of-user-to-app-Smartsheet-failed-User-account-is-inactive?language=en_US
Updated 5 months ago