The system for cross-domain identity management (SCIM) is used to connect identified users in your company with all of your company's software tools using a single identity provider (IdP) as the centralized user management platform. Setting up SCIM in Pendo allows you to control access and user permissions for the groups configured in your IdP without having to add users individually.
Note: SCIM is available for Premium customers or as an add-on. Contact your Pendo representative for more information.
Your Pendo organization admin can connect your Pendo organization to your SCIM provider and enable SCIM user management for any Pendo subscriptions in that organization. Those users can then use Security Assertion Markup Language (SAML) single sign-on (SSO) to access Pendo.
SCIM provisioning can be used in combination with custom roles and permissions, if available, for granular control of the access granted to each group. Enable SCIM for specific subscriptions and the access granted to groups in those subscriptions to precisely control Pendo access across your company.
Glossary of acronyms and initialisms
| Term | Full name | Description |
| --- | --- | --- |
| IdP | Identity Provider | A service that manages end-user accounts analogous to user directories such as LDAP and Active Directory, and can send SAML responses to service providers to authenticate end users. Examples: Google, Azure, Okta. |
| SAML | Security Assertion Markup Language | An XML-based standard for exchanging authentication and authorization data between an Identity Provider (IdP) and service provider. The SAML standard addresses issues that are unique to the SSO solution. See the Wikipedia SAML article for a more detailed explanation. |
| SCIM | System for cross-domain identity management | An open standard for securely managing user identity information across multiple domains with application-level provisioning protocols. SCIM provides a defined schema for representing users and groups, and a way of running operations on those user and group resources. |
| SSO | Single Sign-On | A system in which the user signs in to the IdP once, and can then access multiple systems without being prompted to sign in for each one. Users can access all of their web applications, both behind the firewall and in the cloud, with a single sign-in. This centralizes access control to the SAML admin. |
SAML with SCIM for Pendo
IdPs have separate processes to configure SAML and SAML with SCIM. When the IdP doesn’t have Pendo SCIM as an integration in their marketplace, you must create a custom app integration on the IdP platform that uses SAML with SCIM. The new app integration replaces any existing SAML-only integration.
The process is led by Pendo, with direct support from your Pendo representative, rather than the Pendo Support team. We provide the necessary information to complete the app setup in the IdP and configure Pendo to work with the new IdP app integration and metadata file.
Once SCIM is enabled on your Pendo subscription, you can’t manually add or remove teammates from within Pendo.
Permissions
SCIM settings are accessed from Settings > Organization Settings. Organization settings are only accessible to organization (org) admins. Org Admin is a permissions level above the subscription admin level that controls settings and integrations that impact multiple subscriptions. SCIM setup is self-service and an org admin with access to your IdP can complete the entire configuration without assistance.
Prerequisites
To set up SCIM with Pendo, you must:
- Be a Pendo organization admin.
- Have an active subscription with Okta. For more information, see SAML configuration with Okta for Pendo. At this time, we only support Okta as your IdP.
- Have SAML enforced in your Pendo subscription. Contact Pendo Support to configure SAML for your subscription. For more information, see SAML Single Sign-On (SSO) overview.
We also recommend that you first download a CSV of Users and their roles so that you have a record of user permissions before your team makes changes from your identity provider. To do this, navigate to Settings > Users in Pendo, and select the download icon in the top right of the Users table.
Important: Enabling SCIM removes individual user access controls from the Pendo UI. Users cannot be invited or deleted in Pendo User settings. Access is controlled entirely in the identity provider.
Enable SCIM for the organization
The organization must be connected to your IdP with an integration key before any subscription can use SCIM. Enabling SCIM for the organization doesn't impact user access. Granting or restricting user access is controlled in subscription-level SCIM settings.
- In Pendo, go to Settings > Organization Settings.
- Open the SSO tab and turn on SCIM Provisioning using the toggle in SCIM Settings. Pendo then automatically provides the base URL and API key required to connect Pendo with your identity provider.
- Copy the Base URL and API Key and paste them somewhere to be used later.
- In your identity provider, use the base URL and API key to integrate with Pendo.
This configuration is unique for each provider. Okta provides detailed instructions for adding SCIM provisioning in their Add SCIM provisioning to app integrations article. For further instructions, see the Set up SAML with SCIM for Okta article.
Prepare user groups for SCIM provisioning
After the integration is connected, prepare your user groups for SCIM provisioning with Pendo in your identity provider:
- Add Pendo to your user groups. All users in a subscription can view data, but controls for sharing reports and managing guides are more granular.
- Verify that users should have access to your Pendo subscriptions, data, and guides.
- Push user groups to Pendo.
Push IdP Groups to Pendo
IdP groups are lists of users whose access can be managed collectively. IdP groups are managed in your IdP platform and pushed into Pendo from your IdP after the integration is established.
Add Pendo to the apps available to those groups, and then push groups and users into Pendo. After groups have been pushed into Pendo, you can refresh your IdP groups from the IdP Groups tab in Settings > Organization Settings > SSO.
Enable subscription-level access
Users can’t access a Pendo subscription until SCIM is enabled for the subscription and a role is assigned to their IdP group.
Enabling SCIM at the subscription level is optional. Some subscriptions can use SCIM provisioning while others continue to use manual access control.
Enabling SCIM for a subscription disables manual user controls, including invite, delete, and edit roles and permissions. All access is controlled in the IdP’s settings or subscription access in Pendo SCIM settings.
When you enable SCIM at the subscription level, all users in your IdP groups are granted access to the subscription according to the permissions you assign to members of your IdP groups. Any users who were added to Pendo manually and aren’t in your IdP groups immediately lose access to the Pendo subscription.
In Pendo, go to Settings > Organization Settings > SSO > Subscription Access, and then:
- Find your subscription and select Enable SCIM next to it.
- Select Next: Assign Permissions to choose which groups you want to grant subscription access to.
- Select a group and assign permissions. These are your IdP groups. Repeat until you’ve assigned permissions to each group.
- Select Enable SCIM to complete the SCIM setup.
- To confirm this selection, type “I understand” into the window that appears and then select Enable SCIM.
For more information about roles and permissions in a Pendo subscription, see Roles and permissions. Assigning permissions includes access to Pendo Feedback if your subscription has Feedback enabled.
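A pre-flight check for the access change described in this section, as an added example that is not Pendo's code: it compares the Users CSV downloaded before the change with IdP group membership to list who loses access, who gains it, and whose role changes once SCIM is enabled. The CSV column names, group names, role names, and sample data are constructed assumptions; adjust them to match your export.

```python
import csv
import io

# Constructed sample of the Users CSV export (column names are assumptions).
PENDO_USERS_CSV = """Email,Role
alice@example.com,Admin
Bob@Example.com,Admin
carol@example.com,Read-only
dave@contractor.example,User
"""

# Constructed IdP group membership, as exported from the IdP (hypothetical groups).
IDP_GROUPS = {
    "pendo-admins": ["alice@example.com"],
    "pendo-analysts": ["bob@example.com", "erin@example.com"],
    "pendo-viewers": ["carol@example.com"],  # no role planned yet
}

# Role you plan to assign to each group in Subscription Access (hypothetical).
GROUP_ROLE = {"pendo-admins": "Admin", "pendo-analysts": "User"}


def norm(email):
    return email.strip().lower()


def load_pendo_users(csv_text, email_col="Email", role_col="Role"):
    """Map each exported user's email to their current role."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {norm(r[email_col]): r[role_col].strip() for r in rows if r.get(email_col)}


def preflight(pendo_users, idp_groups, group_role):
    """Classify users by the effect of enabling SCIM for the subscription."""
    planned = {}  # email -> roles granted through IdP groups
    for group, members in idp_groups.items():
        if group not in group_role:  # a group with no role grants no access
            continue
        for member in members:
            planned.setdefault(norm(member), set()).add(group_role[group])
    return {
        "lose_access": sorted(e for e in pendo_users if e not in planned),
        "new_access": sorted(e for e in planned if e not in pendo_users),
        "role_change": {e: (pendo_users[e], sorted(planned[e]))
                        for e in pendo_users
                        if e in planned and pendo_users[e] not in planned[e]},
    }


if __name__ == "__main__":
    report = preflight(load_pendo_users(PENDO_USERS_CSV), IDP_GROUPS, GROUP_ROLE)
    for category, users in report.items():
        print(category, users)
```

Review the `lose_access` list in particular: it includes manually added users and members of any group that has no role assigned yet.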
Manage SCIM at the subscription level
After SCIM is enabled for a subscription, you can edit your groups and permissions:
- Change permissions associated with groups.
- Configure permissions for additional groups.
- Remove permissions for one or more groups.
Access and permissions for your IdP groups are controlled in Subscription Access. In Pendo, go to Settings > Organization Settings > SSO > SCIM Settings > Subscription Access, and then select Manage Access next to the subscription. This relaunches the subscription access workflow, where you can make changes to groups and permissions.
Regenerate an API Key
You might want to regenerate your API key if you periodically cycle through API keys as a security precaution, or get a new IdP and need to build a new integration.
You can deactivate your current API key and create a new key using the Regenerate API Key link under your API key in Pendo, which you can find by navigating to Organization Settings > SSO > SCIM Settings. In the confirmation window that appears, select Yes, Regenerate Key.
Regenerating the API key breaks the integration with your IdP until a new key is configured in the IdP and the connection is re-established. Users still have access to Pendo based on the last push from your IdP.
Manual control remains unavailable and you can’t add or remove users until the connection with your IdP is re-established or SCIM is disabled.
Disable SCIM at the subscription level
Disabling SCIM for a subscription removes access for every IdP group in Settings > Organization Settings > SSO > SCIM Settings > Subscription Access. This restores manual control of user access and permissions in Settings > Users for that subscription.
Manual control of users in a subscription is managed by a subscription admin. Users who currently have access keep their access, and subscription admins can modify individual user access as needed.
To disable SCIM at the subscription level:
- In Pendo, go to Settings > Organization Settings > SSO > SCIM Settings > Subscription Access, and then select Manage Access next to the subscription. This relaunches the subscription access workflow.
- Select Disable SCIM for […]. This launches a confirmation window.
- Select Disable SCIM in the confirmation window.
SCIM provisioning is now removed from the subscription and manual control is restored. You can re-enable SCIM by following the instructions under Enable subscription-level access.
Delete SCIM configuration for the organization
In Pendo, go to Settings > Organization Settings > SSO > SCIM Settings, and turn off SCIM Provisioning using the toggle. This:
- Deletes the entire SCIM configuration.
- Turns off the API key.
- Turns off the integration with your IdP.
- Turns off SCIM for all subscriptions.
- Reactivates manual user controls.
Any users who can currently access the subscription retain their access unless they’re manually deleted.
This can't be undone. Reactivating SCIM after deleting the organization configuration is a fresh start. The integration with your IdP must be set up again with a new API key, all subscriptions must be enabled, and any user groups must be connected to the appropriate roles and permissions.
Reactivate SCIM for the organization
Reactivating SCIM for the organization after deleting your organization configuration involves starting from the beginning. You must:
- Set up the integration with your IdP, including a new API key.
- Enable all subscriptions.
- Assign the appropriate roles and permissions to user groups.