Available for: Enterprise plan
Set up by: Company-level admin
SCIM (System for Cross-domain Identity Management) provides automated provisioning, user management, and group management for Mural Enterprise plan customers. This allows IT admins to automatically create, update, and deprovision member accounts based on actions performed within the company’s IdP (identity provider).
For more on identity and access management, see our identity and access management overview.
About Mural’s SCIM API
With Mural’s SCIM API, you can:
Provision (create) user accounts.
Deprovision (deactivate) user accounts.
Manage and update user account attributes (like email or name).
Manage group-based workspace and permissions assignments. (Currently in Beta. Please contact your Mural Customer Success representative to learn more.)
So, if you’re ready to streamline your user management workflows, follow the instructions below.
Note: SAML-based SSO (single sign-on) must be set up and working in your Enterprise account before you can configure automated provisioning. For help setting up SSO, see our SSO configuration guide.
Configure automatic provisioning with Azure AD
To configure automated provisioning in Azure AD, first make sure that you have SSO configured using the Azure AD Mural Identity app. Then, follow Microsoft’s guide to configure automatic provisioning using the app.
If you previously configured SSO as a custom app in Azure AD, please follow our SSO configuration guide to reestablish SSO before configuring automated SCIM provisioning.
SCIM attribute mapping
If you used the Azure AD Mural Identity app to implement SSO with the default SAML claim mappings, you don’t need to modify your SCIM attribute mappings. Otherwise, update your SCIM attribute mappings to match the SSO SAML claim mappings.
Once automatic provisioning has been implemented, JIT (Just-in-Time) provisioning must be disabled to ensure a smooth experience for your members. Reach out to your Mural Customer Success Representative for assistance. They can also set up a custom landing page for unprovisioned users. Please specify the message and link to display on the custom page when submitting your request.
Configure automatic provisioning with Okta
To configure automated provisioning in Okta, first make sure that you have SSO configured using the Mural Okta integration. Then, follow our provisioning guide to configure automatic provisioning using the integration.
If you previously configured SSO as a custom connection, please follow our SSO configuration guide to reestablish SSO before configuring automated SCIM provisioning.
SCIM attribute mapping
If you used the Okta integration to implement SSO with the default SAML claim mappings, you don’t need to modify your SCIM attribute mappings. Otherwise, update your SCIM attribute mappings to match the SSO SAML claim mappings.
Once automatic provisioning has been implemented, JIT (Just-in-Time) provisioning must be disabled to ensure a smooth experience for your members. Reach out to your Mural Customer Success Representative for assistance. They can also set up a custom landing page for unprovisioned users. Please specify the message and link to display on the custom page when submitting your request.
Configure custom automatic provisioning
If you’re not using Azure AD or Okta as your IdP, you can still configure automatic provisioning using a custom SCIM API connection. SCIM is a common standard, and supported IdPs require configurations similar to those for Azure AD and Okta for automated provisioning to occur. We recommend contacting your IdP’s support team if you require further assistance.
Here are some resources to help:
SCIM connection configuration details:
Tenant/SCIM base URL:
https://api.mural.co/enterprise/v1/scim
Secret token/API key/Token: Create a Mural API Key with the SCIM scope selected.
SCIM attribute mapping:
SCIM provisioning can only be configured after SSO for Mural is enabled. Ensure that your SCIM attribute mappings match the SSO SAML claim mappings.
Technical documentation:
Once automatic provisioning has been implemented, JIT (Just-in-Time) provisioning must be disabled to ensure a smooth experience for your members. Reach out to your Mural Customer Success Representative for assistance. They can also set up a custom landing page for unprovisioned users. Please specify the message and link to display on the custom page when submitting your request.
Recommended steps for automation
We recommend manually syncing SCIM provisioning events from your IdP before turning on automated provisioning:
Manually provision a small group of new test users and confirm their ability to sign in to Mural.
Update a test user’s first name, last name, and/or email address. Then, manually sync their provisioning records and confirm that the changes are reflected in Mural.
Manually deprovision a test user and confirm that they are blocked from signing in to Mural again.
If necessary, we provide access to a non-production sandbox environment where you may test your provisioning configurations before deploying them to your primary Mural instances.
Note: Users with numbers or the following characters in their name fields are unable to be provisioned via SCIM: _“!¡?÷?¿/\+=@#$%ˆ&*(){}|~<>;:[]
Keep this in mind when testing and validating the SCIM functionality.
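One way to find affected accounts before a test sync is to scan an export of your directory for name fields that contain digits or any character from the note above. This is an added example, not Mural's own code. The record layout (userName, name.givenName, name.familyName) follows the SCIM core schema and is an assumption about your IdP export, and the sample users are constructed.

```python
"""Pre-flight check for the name-field restriction noted above (added example)."""

# Characters copied verbatim from the note on this page.
BLOCKED_CHARS = set('_“!¡?÷?¿/\\+=@#$%ˆ&*(){}|~<>;:[]')

# Field names follow the SCIM core schema (RFC 7643); whether your IdP
# export uses the same keys is an assumption.
NAME_FIELDS = ("givenName", "familyName")


def name_problems(value):
    """Return the sorted characters in `value` that would block provisioning."""
    return sorted({ch for ch in value if ch.isdigit() or ch in BLOCKED_CHARS})


def preflight(users):
    """Map userName -> {field: [offending chars]} for users that would fail."""
    report = {}
    for user in users:
        name = user.get("name", {})
        bad = {}
        for field in NAME_FIELDS:
            problems = name_problems(name.get(field, ""))
            if problems:
                bad[field] = problems
        if bad:
            report[user["userName"]] = bad
    return report


# Constructed sample records, not real accounts.
SAMPLE_USERS = [
    {"userName": "ana@example.com",
     "name": {"givenName": "Ana", "familyName": "Núñez-O'Brien"}},
    {"userName": "svc@example.com",
     "name": {"givenName": "Build", "familyName": "Agent_02"}},
    {"userName": "test1@example.com",
     "name": {"givenName": "Test (QA)", "familyName": "User"}},
]

if __name__ == "__main__":
    for user_name, fields in preflight(SAMPLE_USERS).items():
        print(user_name, fields)
```

Hyphens, apostrophes, spaces, and accented letters are not in the listed set, so the first sample user passes the check.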
FAQ (frequently asked questions)
If you have any questions on SCIM, look for answers on our SCIM FAQ page.
If at any time you require further support configuring automatic provisioning in your IdP, please contact Mural Support.