SSO and SCIM require a Kisi Organization license. Please contact Kisi Support to learn more.
Kisi Organizations can configure Microsoft Azure to enable System for Cross-domain Identity Management (SCIM) provisioning and deprovisioning for their Kisi members. Before you start, please check that you have set up SSO for your Organization, generated a SCIM token, enabled SCIM for your Organization and added the Kisi Physical Security app in Azure.
SCIM with Azure allows you to:
- Create Users
- Update User Attributes (via PUT and PATCH)
- Deprovision Users
- Create Groups
- Update Group Attributes
- Assign users to groups and remove them from groups
Generating SCIM Token in Kisi
To generate your SCIM Token in Kisi:
- Sign in to your Kisi Organization account
- Under Organization Setup, click on SSO & SCIM
- Toggle On Enable SCIM and click on Generate Token
- Copy the Token (this Token is only shown once)
Setting up SCIM with Azure
To configure SCIM with Azure for your Kisi Organization:
- Sign in to the Azure Portal
- On the left navigation pane, select the Azure Active Directory service
- Click on Enterprise applications
- Under All Applications, click on your Kisi Physical Security application
- Click Get Started in the Provision User Accounts card
- Change provisioning mode from Manual to Automatic
- Add https://api.kisi.io/scim/v2 as the Tenant URL and enter your SCIM token in Secret Token
- Click Test Connection and verify that the test succeeds before clicking Save
- The default mappings and settings should work, but you can now change whether both groups and users should be synchronized. It can also be helpful to add a notification email address that will receive an email if the synchronization fails (this option can be found in Settings)
- Go back to the Enterprise applications, choose the Kisi Physical Security app and click on Users and groups
- Add any groups and users you want to sync with Kisi
- Go back to Provisioning and click on Start provisioning (if it's greyed out, provisioning is already running)
Good to know
Azure syncs on a fixed schedule of around 40 minutes. This means that any update in Azure, including deprovisioning a user, might take up to 40 minutes to propagate to Kisi.
It is possible to sync single users on demand by going to Provisioning > Provision on demand. Groups cannot be synced on demand.