SCIM integration guide for Dutchie POS
This guide details how you can use SCIM provisioning on Dutchie POS using your own internally managed enterprise Azure or Okta.
Here you’ll find steps for:
- Generating a SCIM token and endpoint
- Configuring Dutchie POS Azure Active Directory
- Provisioning Azure Active Directory users and groups
- Creating and pushing SCIM groups in Okta
- Configuring IDP
Things to consider
- Certain features need to be enabled in the Backoffice to set up SCIM. Contact your Dutchie Administrator to ensure these features are enabled.
- For SCIM provisioning, the Location that you generate the token in is where the users will be created. Please ensure you are generating the token for the right location.
Important
When provisioning in Azure and creating groups in Okta, it's best to use a UAT environment and work in preview mode. We recommend using a test enterprise app and assigning only a few employees while testing so that impact is kept to a minimum. Not following these best practices could result in misconfiguring your production environment and disrupting operations.
Generate bearer token in the Backoffice for SCIM Provisioning
- Go to Settings > Integrations.
- Click the SSO card.
- Select the SCIM Provisioning tab.
- Click the Bearer tab and Generate Token.
Configure Dutchie POS Azure Active Directory
Once you generate a token, you can configure the SCIM endpoint and auth token within your directory service. The steps below apply to Microsoft Azure AD configuration.
Create new application
- Go to the Default Directory Overview.
- Click Enterprise applications and select New applications.
- Select + Create your own application.
- Name the application. Ex. Dutchie POS SSO.
Existing applications
- Go to the Default Directory Overview.
- Click Enterprise applications and select All Applications.
- Enter SCIM in the search.
- Select the existing SCIM application you want to use.
Configure provisioning credentials
- Click Provisioning on the left side panel.
- From the Provisioning page, select Provisioning under Manage on the side panel.
- In Tenant URL, enter the Public API URL you want to point to. In this case, https://api.pos.dutchie.com/scim/v2
- Click the Test Connection button to confirm your credentials can be used for provisioning.
- If your connection is approved, click Save.
Provision Azure Active Directory users and groups
Once your connection is approved, you can start provisioning users and groups for your location. Please note: attributes and groups are alternative ways to provision. If you use attributes, you are not using groups to provision, and if you use group endpoints, you should not send attributes.
Attributes for user endpoints:
urn:ietf:params:scim:schemas:extension:leaflogix:2.0:User:Lsps
urn:ietf:params:scim:schemas:extension:leaflogix:2.0:User:Locations
urn:ietf:params:scim:schemas:extension:leaflogix:2.0:User:Groups
Provision users
- Go to Users and groups on the side panel.
- Under Mappings, click Provision Azure Active Directory Users.
- Check the Show advanced options box.
- Click the Edit Attribute list for customappsso link.
- Add the attributes and click Save.
- After selecting Attributes, click Add New Mapping to map the attributes to your Azure AD field.
- Fill out the Edit Attribute fields.
Mapping type: Expressions
Target attributes:
urn:ietf:params:scim:schemas:extension:leaflogix:2.0:User:Lsps
urn:ietf:params:scim:schemas:extension:leaflogix:2.0:User:Locations
urn:ietf:params:scim:schemas:extension:leaflogix:2.0:User:Groups
- Click Ok.
Provision groups in Azure
When provisioning a group, the group needs to be created in the LSP/Location in Dutchie and linked to the SCIM Group Name. The steps below detail how to create a SCIM group in Azure and link the SCIM Group in Dutchie:
Create SCIM group
- Go to Groups > All groups in Microsoft Azure.
- Select New group.
- Enter a Group name and Group description.
Structure: urn:LSP_Name:Location_Name:GroupName
Example:
urn:LL Training Co.:LL Dispensary:Budtenders
In this example LL Training Co. is the LSP/Location, LL Dispensary is the Location and Budtenders is the GroupName.
- Click Create.
- Click Refresh on the All groups page to see the newly created group.
Add members
- Select the newly created group.
- Select Members on the side navigation.
- Click Add members.
- Enter any members you want to add in the search and check the box next to their name.
- Click Select to add members to the group.
Provisioning
- In your SCIM environment, go to Provision on Demand.
- Enter the group in the search and select designated users.
- Click Provision.
- Once the group has been provisioned in Azure, you can check Dutchie Backoffice to see that the newly created group and users are now linked.
View permission groups
- Go to Settings > Users.
- Click the Permissions groups tab to see a list of all linked groups.
- Click the Users tab to see a list of all linked users.
SCIM Preview for Groups
Create a SCIM Preview group in Okta
SCIM Preview groups have to be created in Okta before linking them in Dutchie Backoffice. To create a group:
- Go to Directory > Groups in your Okta environment.
- Click the Add group button and enter a group name and description.
Note: Your group name has to follow the urn:LL Training Co.:LL* format
- Click Save.
- Select Application from the side Navigation.
- Click app3.
- Under the Assignments tab, click Group and select Assign to Groups from the Assign dropdown.
- Select Assign next to the group name.
- Click the Save and Go Back button then click Done.
Once you have assigned to groups, you are ready to push the group, which will allow you to link it to Dutchie.
- Under the Push Groups tab, select Find groups by name from the Push Groups dropdown.
- Enter the group name and click Save.
- You will get an error in Okta letting you know that SCIM is in preview mode. The SCIM Preview Groups tab is now available in the Dutchie Backoffice.
- To make this group active and available in the Dutchie Permission groups, you'll need to disable SCIM Preview mode:
- In Dutchie go to the IDP 1 tab under the SSO integration.
- Uncheck the Use SCIM Preview Mode box and click Update.
- Return to your Okta push environment.
- Click the Error dropdown and select Activate group push to make the group Active.
- In Dutchie, go to Users > Permission groups and find the created Group in the Permission groups list.
Configure IDP
A group in the Identity Provider (IP) represents a single group inside an LSP. Multiple IP groups will be needed in the IP to map each group in every LSP. However, it is possible to map a single IP group to multiple locations using the URN format. You can also use a single API Key to create and update groups in multiple Locations. There are 2 restrictions for doing this:
- Use a urn structure like the following:
urn:LSP_Name:Location_Name:GroupName
Example:
urn:LL Training Co.:LL Dispensary:Budtenders
In this example LL Training Co. is the LSP/Location, LL Dispensary is the Location and Budtenders is the GroupName.
You can also create the group in multiple locations by using a wildcard (*):
urn:LL Training Co.:*:Budtenders
In this case the group Budtenders will be updated in all locations in the LL Training Co. LSP.
- All LSPs must have the same Entity ID on their SSO configuration. This means those LSPs are managed by the same IP.
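A pre-flight check for the group names described above, as an added example that is not Dutchie's code: it parses the urn:LSP_Name:Location_Name:GroupName structure and lists the locations each name would touch, so a wildcard's reach and any misspelled segment are visible before the group is pushed. The inventory, the second location name and the rule that * is accepted only as the whole Location segment are assumptions made for illustration.

```python
from collections import namedtuple

# location == "*" means every location in the LSP
GroupUrn = namedtuple("GroupUrn", "lsp location group")

def parse_group_urn(name):
    """Parse urn:LSP_Name:Location_Name:GroupName; raise ValueError if malformed."""
    parts = name.split(":")
    if len(parts) != 4 or parts[0] != "urn":
        raise ValueError(f"expected urn:LSP:Location:Group, got {name!r}")
    lsp, location, group = parts[1:]
    for label, value in (("LSP", lsp), ("Location", location), ("GroupName", group)):
        if not value or value != value.strip():
            raise ValueError(f"{label} segment is empty or padded in {name!r}")
    # Assumption: "*" is honoured only as the whole Location segment, as in the guide.
    if "*" in lsp or "*" in group or ("*" in location and location != "*"):
        raise ValueError(f"wildcard only allowed as the Location segment in {name!r}")
    return GroupUrn(lsp, location, group)

def target_locations(urn, inventory):
    """Locations the group would be created or updated in, per the inventory."""
    known = inventory.get(urn.lsp)
    if known is None:
        raise ValueError(f"unknown LSP {urn.lsp!r}")
    if urn.location == "*":
        return sorted(known)
    if urn.location not in known:
        raise ValueError(f"unknown location {urn.location!r} in LSP {urn.lsp!r}")
    return [urn.location]

def audit(names, inventory):
    """Map each group name to its target locations, or to the rejection reason."""
    report = {}
    for name in names:
        try:
            report[name] = target_locations(parse_group_urn(name), inventory)
        except ValueError as exc:
            report[name] = f"REJECT: {exc}"
    return report

# Constructed sample data; "LL Dispensary North" is made up for illustration.
INVENTORY = {"LL Training Co.": ["LL Dispensary", "LL Dispensary North"]}
NAMES = [
    "urn:LL Training Co.:LL Dispensary:Budtenders",
    "urn:LL Training Co.:*:Budtenders",
    "urn:LL Training Co.:LL Dispensry:Budtenders",  # misspelled location
]

if __name__ == "__main__":
    for name, result in audit(NAMES, INVENTORY).items():
        print(f"{name} -> {result}")
```

Feed it the group names exported from your IdP and a list of your real LSPs and locations; any wildcard entry that resolves to more locations than intended should be replaced with explicit per-location names.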