Automatic User Provisioning via SCIM
For cloud customers who do not use Microsoft Entra ID or Okta as their identity provider, this guide provides instructions to test whether your custom SCIM implementation is compatible with iGrafx Process360 Live.
Requirements
Before you begin, ensure you have the following:
Administrator access to the iGrafx Process Design module in the iGrafx Cloud
A custom SCIM-compatible identity provider (requires SCIM 2.0 protocol)
Create your SCIM directory and Secret token in iGrafx Process Design
The Admin user performing these steps requires the Manage user directories server permission:
Log into iGrafx Process360 Live Process Design
Go to Administration → User Management → Directories
Click Add new directory
Enter a name for the directory
Select directory type: SCIM
Click Create directory
Write down your SCIM secret token and SCIM Tenant URL for later use
Note: To view your SCIM Tenant URL or generate a new token, click edit on the SCIM directory and then generate new token
Configure Your Identity Provider
Create or configure an application integration that will connect to iGrafx
Set the SCIM Connector Base URL to your SCIM tenant URL (see above)
Set Authentication Method to: HTTP Header with Bearer token
Use your SCIM secret token for the token value
Set Unique Identifier Field for users to: userName
Enable the following provisioning actions:
Create Users
Update Users
Deactivate Users
Optional: Provision Groups and Group Membership
Define the user attribute mappings as follows:
iGrafx Attribute | Mapping Type | Source Attribute (IDP) | Target Attribute |
---|---|---|---|
Username | Direct | | |
Enabled | Expression | | |
| Direct | | |
First Name | Direct | | |
Last Name | Direct | | |
Note: Delete any extra default mappings that your provider may create, because they are either ignored or could cause problems during user provisioning.
Optional - to provision groups and group memberships (requires Group creation, updates, and deletions):
Mapping Type | Source Attribute (IDP) | Target Attribute |
---|---|---|
Direct | | |
Direct | | |
Assign Users and Groups for Provisioning
Assign the users and groups you want to provision to the SSO/SCIM application in your identity provider.
Confirm that provisioning syncs users/groups to iGrafx. We recommend starting the test by pushing an empty group and/or a single user. Note: Usernames need to be unique in iGrafx. If a user with that name already exists, the user will be skipped during provisioning.
SCIM provisioning typically runs on a schedule (e.g. every 40 minutes for Azure). Check your provider’s logs for sync status.
✅ Provisioned users will be automatically created, updated, or disabled in iGrafx based on your identity provider’s settings. Disabled users do not consume a license.
The synchronization is a one-way street. If you make manual changes to the users in iGrafx, Process Design will not communicate these changes back to your identity provider (including disabling or deletion of the user).
Troubleshooting guide
User is skipped
Usernames need to be unique in iGrafx. If a user with that name already exists, the user will be skipped during provisioning. Delete the local user and start the provisioning again. The user will be recreated in the SCIM directory.
Error in Provisioning logs
StatusCode: BadRequest Message: Processing of the HTTP request resulted in an exception. Please see the HTTP response returned by the 'Response' property of this exception for details. Web Response: {"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":"400","scimType":"invalidSyntax","detail":"An error occurred during your editing session. Send a screenshot of this error to iGrafx Support for further help by going to Help > Contact Support."}
Contact our Support team and provide a screenshot of the Provisioning logs including the time stamp.
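The requests a custom SCIM 2.0 client sends for the Create Users and Deactivate Users actions configured above, together with a parser for the SCIM error body shown under Troubleshooting, as an added example (not iGrafx code). It assumes the standard RFC 7643/7644 core attributes (userName, active, name.givenName, name.familyName), the /Users path under the tenant URL, and deactivation via PATCH; the environment variable names, tenant URL, token and user values are placeholders.

```python
import json
import os
import urllib.request

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


def scim_request(base_url, token, method, path, body):
    """Build (without sending) a SCIM request carrying the bearer token header."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 data=json.dumps(body).encode("utf-8"), method=method)
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Content-Type", "application/scim+json")
    return req


def create_user(base_url, token, user_name, first, last):
    # userName is the unique identifier; it must not collide with a local user.
    body = {"schemas": [USER_SCHEMA], "userName": user_name, "active": True,
            "name": {"givenName": first, "familyName": last}}
    return scim_request(base_url, token, "POST", "/Users", body)


def deactivate_user(base_url, token, user_id):
    # Assumption: deactivation is sent as a PATCH that sets active to false.
    body = {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}
    return scim_request(base_url, token, "PATCH", "/Users/" + user_id, body)


def parse_scim_error(raw):
    """Return (status, scimType, detail) for a SCIM Error body, else None."""
    try:
        doc = json.loads(raw)
    except ValueError:
        return None
    if not isinstance(doc, dict) or ERROR_SCHEMA not in (doc.get("schemas") or []):
        return None
    return str(doc.get("status")), doc.get("scimType"), doc.get("detail")


if __name__ == "__main__":
    # Placeholders: take the secret from the environment, never from source code.
    base = os.environ.get("SCIM_TENANT_URL", "https://scim.example.invalid/scim/v2")
    token = os.environ.get("SCIM_TOKEN", "PLACEHOLDER-TOKEN")
    req = create_user(base, token, "test.user@example.invalid", "Test", "User")
    print(req.get_method(), req.full_url, req.data.decode())
```

Pass the returned request to `urllib.request.urlopen` to send it to your own tenant, and feed the body of any 4xx response to `parse_scim_error` before forwarding the log to support.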