Skip to content

SCIM provisioning using Ping Identity

Permissions

The Lightrun SCIM feature is only available to users on our Enterprise plan; please contact our Support team for more information.

Starting from version 1.43, Lightrun supports using the open standard System for Cross-domain Identity Management (SCIM 2.0) to:

  • Grant users in your company seamless access to the Lightrun Application using their credentials.
  • Add, remove, and assign your users in your organization.
  • Starting with version 1.52, you can provision Lightrun groups through SCIM in addition to managing Lightrun users. This functionality enables you to delegate the management of Lightrun groups to a supported identity provider (IdP). Before migrating group management to SCIM, ensure that the relevant Lightrun groups are preconfigured within the identity provider.

For more information, see SCIM provisioning Overview.

Lightrun supports SCIM provisioning using both HTTP Header authentication and OAuth 2.0 authentication, allowing flexibility based on your security and identity provider requirements.

Prerequisites

  • Enable SSO in the Identity Configuration page located under the Identity and Access Management tab. For more information, see Configure SAML SSO with Ping Identity for your organization.
  • To provision SCIM groups, you need to have RBAC enabled. Supported from version 1.50 and higher.
  • Ensure that the email attribute is mapped to the userName in Ping Identity, or use the userName if it is already in email format.

Configure SCIM using HTTP Header authentication

Prerequisite

Generate a dedicated API Key for your integration with SCIM. For more information, see Lightrun System API Keys.

Set up SCIM in Lightrun

  1. Log in to your Lightrun account.
  2. Navigate to Identity and Access Management > Identity Configuration > Provisioning.
  3. Select Use Identity Provider.
  4. Enable SCIM by selecting SCIM - System for Cross-Domain Identity Management.

  5. Select HTTP Header as your authentication method.

    scim http header ---half

    The required fields are automatically populated for copying into Ping Identity.

  6. In the URL from the SCIM API endpoint field, click Copy to paste into the SCIM BASE URL field in the Provisioning settings in Ping Identity.

  7. Select the Provision existing users to transfer user management to your identity provider. Ensure that these users have been pre-managed through SCIM before proceeding. For more information, see Provisioning Existing Users with SCIM.

  8. Select Sync SCIM groups to enable group synchronization. For more information, see Provisioning Lightrun Groups using SCIM.

    The Enable groups sync dialog opens.

    Enable Sync Group --third

  9. Click Enable.

  10. Click Save.

Proceed to set up Provisioning Lightrun in Ping Identity.

Configure the Lightrun-Ping integration using HTTP in Ping Identity

  1. Sign in to Ping Identity.
  2. In the Administration console, Select Environments.

  3. Under Environments, select the application you created for the SSO integration.

    SCIM Ping environment --half

  4. Navigate to the Integrations section and select Provisioning.

  5. Click + (Plus symbol) next to Provisioning, then select New Connection.

    SCIM Ping New Connection --half

    The Create a New connection page opens.

    SCIM Ping choose new connection --half

  6. In the Identity Store, click Select.

    The Create a New Connection wizard opens.

    SCIM Ping SCIM outbound --half

  7. Scroll down to SCIM Outbound and click Select.

  8. Click Next.

    SCIM Ping create a new connect name --half

  9. Provide a name and description, then click Next.

    The Configure Authentication page opens.

    SCIM Ping SCIM authentication http --half

  10. Paste the SCIM API endpoint URL in the SCIM BASE URL field.

  11. From the Authentication Method list, select OAuth 2 Bearer Token.
  12. In the Oauth Access Request field, paste the API key generated in the Lightrun Management Portal.
  13. From the OAuth Type Header list, select Bearer.
  14. Ensure that the Users Resource value is set to /Users and Groups Resource is set to /Groups.
  15. Click Test Connection.

  16. Click Next.

    scim ping configure preference --half 17. Click Save.

    In the Activation and Summary page, turn on the connection.

  17. Click Save.

Configure SCIM using OAuth authentication

Set up SCIM with Lightrun

  1. Log in to your Lightrun account.
  2. Navigate to Identity and Access Management > Identity Configuration > Provisioning.
  3. Select Use Identity Provider.
  4. Enable SCIM by selecting SCIM - System for Cross-Domain Identity Management.

  5. Select OAuth2 as your authentication method.

    SCIM Ping SCIM authentication OAuth --half

    The required fields are automatically populated for copying into Ping Identity.

  6. Click Copy for each of the following fields to be pasted in the Provisioning settings in Ping Identity.

    • Access token endpoint to Oauth Token Request.
    • Authorization endpoint to Authorization Endpoint.
    • ClientId to Oauth Client ID.
    • ClientSecret to Oauth Client Secret.
    • URL from the SCIM API endpoint to SCIM BASE URL.

  7. Select Provision existing users to transfer user management to an identity provider. Ensure that these users have been pre-managed through SCIM before proceeding. For more information, see Provisioning Lightrun Groups using SCIM.

  8. Select Sync SCIM groups to enable group synchronization. For more information, see Provisioning Lightrun Groups using SCIM.

    The Enable groups sync dialog opens.

    Enable Sync Group --third

  9. Click Enable.

  10. Click Save.

Proceed to set up Provisioning Lightrun in Ping Identity.

Configure the Lightrun-Ping integration Using OAuth2 in Ping Identity

Sign in to Ping Identity. 2. In the Administration console, Select Environments. 3. Under Environments, select the application you created for the SSO integration.

SCIM Ping environment --half

  1. Navigate to the Integrations section and select Provisioning.

  2. Click + (Plus symbol) next to Provisioning, then select New Connection.

    SCIM Ping New Connection --half

    The Create a New connection page opens.

    SCIM Ping choose new connection --half

  3. In the Identity Store, click Select.

    The Create a New Connection wizard opens.

    SCIM Ping SCIM outbound --half

  4. Scroll down to SCIM Outbound and click Select.

  5. Click Next.

    SCIM Ping create a new connect name --half

  6. Provide a name and descripton, then click Next.

    The Configure Authentication page opens.

    scim ping configure OAuth authenication --half

  7. Paste the URL from the SCIM API endpoint into the SCIM BASE URL field.

  8. Ensure that the Users Resource value is set to /Users and Groups Resource is set to /Groups.
  9. Set Authentication Method to OAuth2 Client Credentials.
  10. In the Oauth Token Request field, paste the Access token endpoint URL.
  11. In the Oauth Client ID field, paste the ClientId value.
  12. In the Oauth Client Secret field, paste the ClientSecret value.
  13. From the Auth Type Header list, select Bearer.
  14. Click Test Connection.

  15. Click Next.

    The Configure Preferences dialog opens.

    scim ping configure preference --half

  16. Click Save.

    In the Activation and Summary page, turn on the connection.

  17. Click Save.

Last update: February 20, 2025