What's New in API7 Enterprise 3.2.11: Supporting SCIM and SSO Role Mapping

Zhihuang Lin

Zhihuang Lin

May 17, 2024


User identity management and access control have become increasingly important with the advancement of digitalization. API7 Enterprise 3.2.11 version provides users with a more efficient and convenient identity management and Single Sign-On (SSO) login experience by supporting SCIM (System for Cross-domain Identity Management) and SSO role mapping.

Supporting SCIM: Cross-domain Identity Management and Synchronization

As a standardized user identity management protocol, SCIM greatly simplifies the exchange of user identity information between different systems. API7 Enterprise 3.2.11 version now supports the SCIM standard, making operations such as creating, updating, deleting, and querying user identity information more convenient.

With SCIM, enterprises can directly manage user information on the Identity Provider (IdP), whether it is creating accounts for new employees or disabling accounts for departing employees, all can be done on a single platform and automatically synchronized. This cross-domain management approach not only improves management efficiency but also ensures the accuracy and integrity of user data.

On the Organization Settings page, a new configuration option related to SCIM has been added, which is initially set to the closed state. Click the Enable button in the upper right corner to activate SCIM.

SCIM Provisioning

Once enabled, the system will display the URL of the SCIM endpoint and a copy box for the SCIM Token. This SCIM endpoint provides a set of RESTful APIs that allow identity providers (IdPs) to exchange user identity information, supporting operations such as adding, deleting, and updating user information for various IdPs.

  • The SCIM token is an essential credential used for authentication at the SCIM endpoint. Please note that the token will be displayed once after enabling SCIM for the first time and will not be shown again if you leave the current page. Therefore, be sure to copy and save the token promptly to ensure smooth operations in subsequent steps.

  • The API7 SCIM endpoint URL is the access point for our SCIM standardized API.

SCIM Provisioning

To ensure the singularity of user data sources, users synchronized to the platform through SCIM will be marked with an SCIM label.

Users with SCIM labels

Users with the SCIM label are not supported for deletion within the platform. Such users cannot be directly deleted within API7 Enterprise and must be deleted through the IdP and synchronized to API7 Enterprise. Similarly, when a user is disabled in the IdP, they will not be able to log in to API7 Enterprise.

Login Page of Users with SCIM labels unenabled

Supporting SSO Role Mapping: Enhancing the SSO login experience

In the API7 Enterprise 3.2.11 version, the introduction of SSO role mapping further enhances the convenience of SSO login. By introducing role mapping, the system can automatically assign corresponding application access permissions based on the user's identity and permissions in the IdP. As a result, users do not need to set permissions separately in API7 Enterprise, thus improving work efficiency and user experience.

On the Organization Settings page, when adding a new login option, regardless of the selected provider, a Role Mapping switch has been added at the bottom of the configuration form. After enabling this switch, the form for configuring role mapping will be displayed.

Role Mapping in API7 Enterprise

  • Internal Role: These are built-in roles within the API7 Enterprise and are used to control user access permissions and operational scope. In role mapping, we can map roles from external IdPs to these internal roles to assign corresponding permissions to users during login.

  • Mapped Role Attribute: The identifier of the user role information returned by the IdP, used to locate the role data of the user in the IdP's response. Assuming a specified attribute name, such as "role" or "groups", the system will extract role data from the IdP's response based on this attribute name.

  • Operation: Used to determine how to match the IdP's role data with the API7 built-in roles. It supports various methods such as exact match, fuzzy match, and array match. For example, if the role value returned by the IdP is a string array, we can choose "Exact Match in Array" to find a matching item.

  • Mapped Role Value: The specific value in the IdP that represents the user's role, which needs to be specified here. These values will be matched with the built-in roles in API7 Enterprise. For example, if the IdP has a role value called "Idp Super Admin", you can map it to the built-in role "Super Admin" in API7 Enterprise.

The role mapping feature supports adding multiple mapping configurations, and the built-in roles can be selected repeatedly to meet various complex mapping requirements. Once role mapping is enabled, if there are changes in the user's role information in the IdP, these changes will be updated according to the new mapping rules the next time the user logs in. Users will be promptly notified if their roles change due to mapping.

Notification of Role Mapping

The role mapping configurations are displayed on the details page of the login options. Users can view detailed configurations and perform corresponding operations on this page.

Role Mapping Configurations

What's Next?

We will continue to optimize identity management and access control features and explore more integration solutions to meet the ever-growing security needs of enterprises. We also look forward to your feedback to further enhance our product. If you have any questions or suggestions, please feel free to contact us through our support channels. Thank you for your continuous support and attention to API7 Enterprise.

API7 Enterprise