This guide details how you can use SCIM provisioning on Dutchie POS using your own internally managed enterprise Azure or Okta.

Things to consider

  • Certain features need to be enabled in the Backoffice to set up SCIM. Contact your Dutchie Administrator to ensure these features are enabled.
  • For SCIM provisioning, the Location that you generate the token in is where the users will be created. Please ensure you are generating the token for the right location. 

Important

When provisioning in Azure and creating groups in Okta, it's best to use a UAT environment and work in preview mode. We recommend using a test enterprise app and assigning only a few employees while testing so that impact is kept to a minimum. Not following these best practices could result in misconfiguring your production environment and disrupting operations.

Generate bearer token in the Backoffice for SCIM Provisioning

  1. Go to Settings > Integrations.
  2. Click the SSO card. 
  3. Select the SCIM Provisioning tab. 
  4. Click the Bearer tab and Generate Token.

Configure Dutchie POS Azure Active Directory

Once you generate a token, you can configure the SCIM endpoint and auth token within your directory service. The steps below apply to Microsoft Azure AD configuration.

Create new application

  1. Go to the Default Directory Overview.
  2. Click Enterprise applications and select New applications. 
  3. Select + Create your own application. 
  4. Name the application. Ex. Dutchie POS SSO. 

Existing applications

  1. Go to the Default Directory Overview.
  2. Click Enterprise applications and select All Applications 
  3. Enter SCIM in the search. 
  4. Select the existing SCIM application you want to use. 

Configure provisioning credentials

  1. Click Provisioning on the left side panel.
  2. From the Provisioning page, select Provisioning under Manage on the side panel.
  3. In Tenant URL, enter the Public API URL you want to point to. In this case, https://api.pos.dutchie.com/scim/v2
  4. Click the Test Connection button to confirm your credentials can be used for provisioning. 
  5. If your connection is approved, click Save.

Provision Azure active directory users and groups

Once your connection is approved, you can start provisioning users and groups for your location. Please note: If you use attributes, you are not using groups to provision, and if you use group endpoints, you should not send attributes.

Attributes for user endpoints:

urn:ietf:params:scim:schemas:extension:leaflogix:2.0:User:Lsps

urn:ietf:params:scim:schemas:extension:leaflogix:2.0:User:Locations

urn:ietf:params:scim:schemas:extension:leaflogix:2.0:User:Groups

Provision users

  1. Go to Users and groups on the side panel. 
  2. Under Mappings, click Provision Azure Active Directory Users.
  3. Check the Show advanced options box.
  4. Click the Edit Attribute list for customappsso link. 
  5. Add the attributes and click Save.
  6. After selecting Attributes, click Add New Mapping to map the attributes to your Azure AD field.
  7. Fill out the Edit Attribute fields. 
    Mapping type: Expressions
    Target attributes:
    urn:ietf:params:scim:schemas:extension:leaflogix:2.0:User:Lsps
    urn:ietf:params:scim:schemas:extension:leaflogix:2.0:User:Locations
    urn:ietf:params:scim:schemas:extension:leaflogix:2.0:User:Groups
  8. Click Ok

Provision groups in Azure

When provisioning a group, the group needs to be created in the LSP/Location in Dutchie and linked to the SCIM Group Name. The steps below detail how to create a SCIM group in Azure and link the SCIM Group in Dutchie:

Create SCIM group

  1. Go to Groups > All groups in Microsoft Azure.
  2. Select New group.
  3. Enter a Group name and Group description.
    Structure: urn:LSP_Name:Location_Name:GroupName
    Example:
    urn:LL Training Co.:LL Dispensary:Budtenders
    In this example LL Training Co. is the LSP/Location, LL Dispensary is the Location and Budtenders is the GroupName.
  4. Click Create.
  5. Click Refresh on the All groups page to see the newly created group.

Add members

  1. Select the newly created group. 
  2. Select Members on the side navigation. 
  3. Click Add members
  4. Enter any members you want to add in the search and check the box next to their name.
  5. Click Select to add members to the group.  

Provisioning

  1. In your SCIM environment, go to Provision on Demand.
  2. Enter the group in the search and select designated users.
  3. Click Provision. 
  4. Once the group has been provisioned in Azure, you can check Dutchie Backoffice to see that the newly created group and users are now linked.

View permission groups  

  1. Go to Settings > Users.
  2. Click the Permissions groups tab to see a list of all linked groups.
  3. Click the Users tab to see a list of all linked users.
     

SCIM Preview for Groups

Create a SCIM Preview group in Okta

SCIM Preview groups have to be created in Okta before linking them in Dutchie Backoffice. To create a group:

  1. Go to Directory > Groups in your Okta environment.
  2. Click the Add group button and enter a group name and description.
    Note: Your group name has to follow the urn:LL Training Co.:LL* format
  3. Click Save. 
  4. Select Application from the side Navigation. 
  5. Click app3.
  6. Under the Assignments tab, click Group and select Assign to Groups from the Assign dropdown.
  7. Select Assign next to the group name. 
  8. Click the Save and Go Back button then click Done. 

Once you have assigned to groups, you are ready to push the group, which will allow you to link it to Dutchie.

  1. Under the Push Groups tab, select Find groups by name from the Push Groups dropdown.
  2. Enter the group name and click Save. 
  3. You will get an error in Okta letting you know that the SCIM is in preview mode. The SCIM Preview Groups tab is now available in the Dutchie Backoffice. 
     
  4. To make this group active and available in the Dutchie Permission groups, you’ll need to disable SCIM Preview mode:
      1. In Dutchie go to the IDP 1 tab under the SSO integration. 
      2. Uncheck the Use SCIM Preview Mode box and click Update. 
      3. Return to your Okta push environment.
      4. Click the Error dropdown and select Activate group push to make the group Active.
          
      5. In Dutchie, go to Users > Permission groups and find the created Group in the Permission groups list.

Configure IDP

A group in the Identity Provider (IP) represents a single group inside an LSP. Multiple IP groups will be needed in the IP to map each group in every LSP. However, it is possible to map a single IP group to multiple locations using the URN format. You can also use a single API Key to create and update groups in multiple Locations. There are 2 restrictions on doing this:

  1. Use a urn structure like the following:
    urn:LSP_Name:Location_Name:GroupName
    Example:
    urn:LL Training Co.:LL Dispensary:Budtenders
    In this example LL Training Co. is the LSP/Location, LL Dispensary is the Location and Budtenders is the GroupName.
    You can also create the group in multiple locations by using a wildcard (*). In this case the group Budtenders will be updated in all locations in the LL Training Co. LSP.
    urn:LL Training Co.:*:Budtenders
  2. All LSPs must have the same Entity ID on their SSO configuration. This means those LSPs are managed by the same IP.
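
Because a wildcard group name applies a permission group to every location in an LSP, it helps to check which locations a name will touch before pushing it from Azure or Okta. The following is an added example, not Dutchie code: the function names and the inventory are hypothetical, and it assumes `:` is the only separator and that `*` is accepted only as the whole Location segment, the one wildcard form shown above.

```python
# Added example: pre-flight check for SCIM group names (not Dutchie code).
# Assumptions: the separator is ':', and '*' is accepted only as the whole
# Location segment, which is the one wildcard form the guide shows.

# Constructed inventory of LSPs and their locations, for illustration only.
INVENTORY = {
    "LL Training Co.": ["LL Dispensary", "LL Delivery"],
}


def parse_group_urn(name):
    """Split urn:LSP_Name:Location_Name:GroupName into its three parts."""
    parts = name.split(":")
    if len(parts) != 4 or parts[0] != "urn":
        raise ValueError(f"expected urn:LSP:Location:Group, got {name!r}")
    lsp, location, group = parts[1:]
    for label, value in (("LSP", lsp), ("Location", location), ("Group", group)):
        # Empty or space-padded segments will not match the Backoffice names.
        if not value or value != value.strip():
            raise ValueError(f"{label} segment is empty or padded in {name!r}")
    if "*" in lsp or "*" in group or ("*" in location and location != "*"):
        raise ValueError(f"'*' is only allowed as the whole Location in {name!r}")
    return lsp, location, group


def resolve_targets(name, inventory=INVENTORY):
    """Return the (LSP, Location, Group) tuples a group name would touch."""
    lsp, location, group = parse_group_urn(name)
    if lsp not in inventory:
        raise ValueError(f"unknown LSP {lsp!r}")
    if location == "*":
        # Wildcard: the group is created or updated in every location.
        return [(lsp, loc, group) for loc in inventory[lsp]]
    if location not in inventory[lsp]:
        raise ValueError(f"unknown Location {location!r} in LSP {lsp!r}")
    return [(lsp, location, group)]


if __name__ == "__main__":
    for candidate in ("urn:LL Training Co.:LL Dispensary:Budtenders",
                      "urn:LL Training Co.:*:Budtenders"):
        print(candidate, "->", resolve_targets(candidate))
```

A group name that contains a colon of its own splits into more than four segments and is rejected, which catches the most common naming mistake before it reaches the identity provider.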