SCIM Kno2fy Configuration - Network Admin Guide

Steps for network admins completing SCIM Kno2fy Configuration

Written by Stacy Lane
Updated over a week ago

If SCIM is enabled for you and the configuration for SSO is complete, network admins will have access to the User Provisioning tab in the Identity Provider (IdP) configuration page.

Supported SCIM IdPs are Microsoft Entra ID and Okta. Only one Identity Provider can be configured per network.

Prerequisites for User Provisioning Sync

  • All your organizations will be associated with your network. When User Provisioning (SCIM) is managed through the IdP, every user who needs access to the network of organizations must be synced to Kno2 using SCIM. Users created and/or managed directly in Kno2 may encounter discrepancies in application behavior.

  • All users synced through SCIM should be incorporated into groups. The groups should align to the organizations they will need access to. It is common practice to have a group for all the admins if they have the same access.

  • Groups will be mapped to the organizations to grant access.

  • User group management should be done in the IdP only, e.g. group name updates and membership.

Additional notes regarding User management

  1. All user management (create and update) should be done in the IdP only, e.g. username updates, name and contact updates, status updates.

    1. Deleting a user from the IdP is treated as a soft delete in Kno2 - access is no longer available and the username is released for future use.

    2. Removing a user from a group is equivalent to disabling that user in the mapped organization; Send Permissions and Intake Rules remain intact and are available again if the user is re-added.

    3. Disabling a user in the IdP is equivalent to disabling that user in all organizations; Send Permissions and Intake Rules remain intact and are available again if the user is re-enabled.

Consider removing routing rules and send permissions before doing any of the items above if appropriate.
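The lifecycle rules above (groups mapped to organizations, group removal as a per-organization disable, IdP disable as a network-wide disable, IdP delete as a soft delete that releases the username, and permissions surviving disable/re-enable) can be checked against a small model. The following is an added illustration, not Kno2's code: the Network, User and Membership classes, the in-memory state and the constructed group-to-organization mapping are all assumptions; only the rules they encode come from this guide.

```python
"""Model of the SCIM-driven user lifecycle described in this guide.

Added illustration, not Kno2's code. The class names, the in-memory
state and the sample groups/organizations are assumptions; the behaviour
encoded follows the guide: groups map to organizations, removing a user
from a group disables them in the mapped organization, an IdP disable
disables them everywhere, an IdP delete is a soft delete that releases
the username, and Send Permissions / Intake Rules persist across
disable and re-enable.
"""
from dataclasses import dataclass, field


@dataclass
class Membership:
    """A user's standing in one organization; permissions persist while disabled."""
    enabled: bool = True
    send_permissions: set = field(default_factory=set)
    intake_rules: set = field(default_factory=set)


@dataclass
class User:
    user_name: str
    active: bool = True        # mirrors the SCIM `active` attribute
    deleted: bool = False      # soft delete: access gone, username released
    orgs: dict = field(default_factory=dict)   # organization name -> Membership


class Network:
    """Kno2-side state that changes only in response to IdP pushes (one-way sync)."""

    def __init__(self, group_to_org):
        self.group_to_org = group_to_org   # IdP group name -> organization name
        self.users = {}                    # user_name -> User

    def push_user(self, user_name, active=True):
        """Create-or-update push from the IdP; a released username may be reused."""
        existing = self.users.get(user_name)
        if existing is not None and not existing.deleted:
            existing.active = active
            return existing
        user = User(user_name=user_name, active=active)
        self.users[user_name] = user       # replaces a soft-deleted record, if any
        return user

    def add_to_group(self, user_name, group):
        org = self.group_to_org[group]
        membership = self.users[user_name].orgs.setdefault(org, Membership())
        membership.enabled = True          # re-adding re-enables with prior permissions

    def remove_from_group(self, user_name, group):
        org = self.group_to_org[group]
        self.users[user_name].orgs[org].enabled = False   # permissions kept

    def delete_user(self, user_name):
        user = self.users[user_name]
        user.deleted = True
        user.active = False

    def can_access(self, user_name, org):
        user = self.users.get(user_name)
        if user is None or user.deleted or not user.active:
            return False
        membership = user.orgs.get(org)
        return membership is not None and membership.enabled

    def username_available(self, user_name):
        user = self.users.get(user_name)
        return user is None or user.deleted


def walkthrough():
    """Replay the guide's scenarios and return what each one yields (constructed data)."""
    net = Network({"Clinic-A-Users": "Clinic A", "Clinic-B-Users": "Clinic B"})
    net.push_user("jdoe")
    net.add_to_group("jdoe", "Clinic-A-Users")
    net.add_to_group("jdoe", "Clinic-B-Users")
    # Send Permissions are configured in Kno2 and must survive disables.
    net.users["jdoe"].orgs["Clinic A"].send_permissions.add("Direct Messaging")
    out = {}
    net.remove_from_group("jdoe", "Clinic-A-Users")
    out["removed_from_group"] = (net.can_access("jdoe", "Clinic A"),
                                 net.can_access("jdoe", "Clinic B"))
    net.add_to_group("jdoe", "Clinic-A-Users")
    out["re_added"] = net.can_access("jdoe", "Clinic A")
    out["perms_after_re_add"] = sorted(net.users["jdoe"].orgs["Clinic A"].send_permissions)
    net.push_user("jdoe", active=False)
    out["idp_disabled"] = (net.can_access("jdoe", "Clinic A"),
                           net.can_access("jdoe", "Clinic B"))
    net.push_user("jdoe", active=True)
    out["idp_re_enabled"] = net.can_access("jdoe", "Clinic A")
    net.delete_user("jdoe")
    out["deleted"] = (net.can_access("jdoe", "Clinic A"), net.username_available("jdoe"))
    net.push_user("jdoe")                  # username reused: a fresh record, no orgs
    out["recreated_org_count"] = len(net.users["jdoe"].orgs)
    return out


if __name__ == "__main__":
    for step, result in walkthrough().items():
        print(f"{step}: {result}")
```

The last step is the reason the guide suggests removing routing rules and send permissions first: a soft-deleted user's organization memberships are not carried over when the released username is provisioned again.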


Configure Identity Provider

Once network features are enabled, log into Kno2 as a Network Administrator and navigate to Settings > Identity Provider.

(Screenshot: ID Provider Setting)

  1. Select the User Provisioning tab.

  2. Copy the URL into your IdP's provisioning setup.

  3. Select Generate to generate a Secret Token.

  4. Copy the Secret Token into your IdP's provisioning setup.

    1. In Okta, this is referred to as a Bearer Token.

    2. Okta also asks for a unique identifier field = userName.

  5. Test the connection.

  6. Once confirmed, complete your user provisioning setup in your IdP and allow the users and user groups to sync.

(Screenshot: Generate Token)

Tip: Test the connection without any users to sync. Follow up by testing one group + one user in the group to verify how the groups and users sync over.

A note on Tokens, Syncing

Tokens

In the event that a new token is needed, first Revoke the existing token and then generate a new one. Update your IdP settings accordingly.

The Network Admin has the ability to revoke the token. There is a caching expiration of one minute for the token. Once the minute has passed, the revoked token will no longer be usable and the IdP will receive a 401 error if a sync is requested with it.
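The one-minute window matters when rotating: a revoked token keeps working until the cache expires, and an IdP still configured with it only starts failing with 401 after that. The following is an added illustration, not Kno2's code: the TokenStore and IdP classes, the injectable clock, and the order of operations in rotate_token are assumptions; the 60-second cache and the 401 result are the behaviour this guide states.

```python
"""Model of the secret-token lifecycle described under "Tokens".

Added illustration, not Kno2's code. TokenStore, IdP, the clock injection
and rotate_token are assumptions; the 60-second cache window and the 401
returned to the IdP after it are taken from the guide.
"""
import secrets
import time

CACHE_TTL_SECONDS = 60   # guide: "caching expiration of one minute"


class TokenStore:
    """Service-side view: one active token plus a short-lived cache of revoked ones."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._active = None          # the token currently accepted
        self._revoked_at = {}        # token -> time it was revoked

    def generate(self):
        self._active = secrets.token_urlsafe(32)   # 256 bits of randomness
        return self._active

    def revoke(self):
        if self._active is not None:
            self._revoked_at[self._active] = self._clock()
            self._active = None

    def authorize(self, presented):
        """HTTP status a SCIM request carrying this bearer token would receive."""
        if self._active is not None and secrets.compare_digest(presented, self._active):
            return 200
        revoked_at = self._revoked_at.get(presented)
        if revoked_at is not None and self._clock() - revoked_at < CACHE_TTL_SECONDS:
            return 200               # still honoured from cache
        return 401


class IdP:
    """Stand-in for the IdP side: remembers the token it was configured with."""

    def __init__(self):
        self.token = ""

    def sync(self, store):
        return store.authorize(self.token)


def rotate_token(store, idp):
    """The guide's order: revoke the old token, generate a new one, update the IdP."""
    store.revoke()
    new_token = store.generate()
    idp.token = new_token
    return new_token


class FakeClock:
    """Constructed clock so the timeline runs instantly and deterministically."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def timeline():
    """Return the status the IdP sees at each point of a revoke-then-rotate sequence."""
    clock = FakeClock()
    store = TokenStore(clock)
    idp = IdP()
    out = {}
    idp.token = store.generate()
    out["fresh"] = idp.sync(store)
    store.revoke()                               # admin revokes, IdP not yet updated
    clock.now += 30
    out["revoked_within_ttl"] = idp.sync(store)  # cache still honours it
    clock.now += 31
    out["revoked_after_ttl"] = idp.sync(store)   # guide: 401 once the minute passes
    old_token = idp.token
    rotate_token(store, idp)
    out["after_rotation"] = idp.sync(store)
    out["old_token_after_rotation"] = store.authorize(old_token)
    return out


if __name__ == "__main__":
    for step, status in timeline().items():
        print(f"{step}: {status}")
```

In practice the gap between "revoked_within_ttl" and "revoked_after_ttl" is why a rotation should be followed immediately by updating the IdP and re-running the connection test, rather than relying on the first sync after revocation to confirm the change.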

Syncing

Syncing is a one-way transaction, e.g., the IdP updates Kno2 with a push and user accounts and groups are brought into Kno2. Kno2 does not update the IdP. All user accounts should be managed in the IdP.
