DOCS-693 - SCIM provisioning (#5174)

* Stub out articles

* Start Okta draft

* Continue

* Continue Okta

* Finish Okta draft

* Start Entra ID draft

* Draft for Microsoft Entra ID

* Add release note

* OneLogin draft

* Add roles doc for Microsoft Entra ID

* Add process to 'About SCIM provisioning'

* Fix typos

* Updates from Kevin Keech review

* Remove RSS logo

* Updates from review by Gahana Jain

* Update scim API URL

* Change release note date to May 9 2025

* Change release note date to May 8 2025

Author: jpipkin1

blog-service/2025-05-08-manage.md

@@ -0,0 +1,14 @@
+---
+title: SCIM Provisioning (Manage)
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - manage
+  - saml
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+We're excited to announce provisioning for Sumo Logic using SCIM (System for Cross-domain Identity Management). Now you can automatically provision and deprovision users in Sumo Logic with an identity provider like Microsoft Entra ID, Okta, or OneLogin.
+
+[Learn more](/docs/manage/security/scim/).

docs/api/index.md

@@ -196,14 +196,19 @@ Use the Sumo Logic Application Programming Interfaces (APIs) to interact with ou
 </div>
 <div className="box smallbox card">
   <div className="container">
-  <a href="/docs/api/scan-budget"><img src={useBaseUrl('img/icons/general/calendar.png')} alt="Thumbnail icon" width="50"/><h4>Scan Budget</h4></a>
+  <a href="/docs/api/scan-budget"><img src={useBaseUrl('img/icons/operations/data-volume.png')} alt="Thumbnail icon" width="50"/><h4>Scan Budget</h4></a>
   </div>
 </div>
 <div className="box smallbox card">
   <div className="container">
   <a href="/docs/api/scheduled-views"><img src={useBaseUrl('img/icons/general/calendar.png')} alt="Thumbnail icon" width="50"/><h4>Scheduled Views</h4></a>
   </div>
 </div>
+<div className="box smallbox card">
+  <div className="container">
+  <a href="/docs/api/scim-user"><img src={useBaseUrl('img/icons/general/session.png')} alt="Thumbnail icon" width="50"/><h4>SCIM User</h4></a>
+  </div>
+</div>
 <div className="box smallbox card">
   <div className="container">  
   <a href="/docs/api/search-job"><img src={useBaseUrl('img/icons/search.png')} alt="Thumbnail icon" width="50"/><h4>Search Job</h4></a>

docs/api/scim-user.md

@@ -0,0 +1,40 @@
+---
+id: scim-user
+title: SCIM User Management APIs
+sidebar_label: SCIM User
+description: Use HTTP endpoints to manage your SCIM configuration.
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+import ApiIntro from '../reuse/api-intro.md';
+import ApiRoles from '../reuse/api-roles.md';
+
+<img src={useBaseUrl('img/icons/general/session.png')} alt="Thumbnail icon" width="50"/>
+
+The SCIM User Management API allows you to provision users to Sumo Logic from [SCIM provisioning providers](/docs/manage/security/scim/).
+
+## Documentation
+
+<ApiIntro/>
+
+| Deployment | Documentation URL                                                   |
+|:------------|:---------------------------------------------------------------------|
+| AU         | https://api.au.sumologic.com/docs/#tag/scimUserManagement  |
+| CA         | https://api.ca.sumologic.com/docs/#tag/scimUserManagement  |
+| DE         | https://api.de.sumologic.com/docs/#tag/scimUserManagement  |
+| EU         | https://api.eu.sumologic.com/docs/#tag/scimUserManagement  |
+| FED        | https://api.fed.sumologic.com/docs/#tag/scimUserManagement |
+| IN         | https://api.in.sumologic.com/docs/#tag/scimUserManagement  |
+| JP         | https://api.jp.sumologic.com/docs/#tag/scimUserManagement  |
+| KR         | https://api.kr.sumologic.com/docs/#tag/scimUserManagement  |
+| US1        | https://api.sumologic.com/docs/#tag/scimUserManagement     |
+| US2        | https://api.us2.sumologic.com/docs/#tag/scimUserManagement |
+
+## Required role capabilities
+
+<ApiRoles/>
+
+* Security
+    * Manage SAML
+* User Management (all role capabilities)
+

docs/manage/security/saml/set-up-saml.md

@@ -36,15 +36,15 @@ The provisioning process works as follows:
 
 This section has key information about SAML in Sumo.
 
-## Access keys are not controlled by SAML
+### Access keys are not controlled by SAML
 
 This means that if a user has been turned off on the SSO side, their access keys would still be valid. For this reason, administrators should audit users regularly and disable access keys when necessary.
 
-## SAML does not provide a deprovisioning mechanism 
+### SAML does not provide a deprovisioning mechanism 
 
 This means that if a user is deleted or disabled in the SSO database, it will not be reflected in Sumo Logic. However, these users would no longer be able to login to Sumo Logic via SSO. Administrators can delete these users from the **Administration > Users and Roles > Users** page in Sumo Logic. For information about what happens when a user is deleted, and transferring a deleted user's content to another user, see [Delete a User](../../users-roles/users/delete-user.md).
 
-## Only one certificate for each SAML configuration is currently supported
+### Only one certificate for each SAML configuration is currently supported
 
 Only one token-signing ADFS X.509 for each SAML configuration is currently supported. When you need to do a certificate refresh on the ADFS server, you must update the Sumo certificate afterwards.
 

docs/manage/security/scim/about-scim-provisioning.md

@@ -0,0 +1,69 @@
+---
+id: about-scim-provisioning 
+title: About SCIM Provisioning
+sidebar_label: About
+description: Learn about provisioning users into Sumo Logic using SCIM. 
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+You can utilize Sumo Logic [SCIM User Management APIs](/docs/api/scim-user/) to automatically provision and deprovision users in Sumo Logic when users are created or removed within your identity provider. Sumo Logic can be integrated with any identity provider that is [SCIM 2](https://scim.cloud/) compliant.
+
+## Directions for specific providers
+
+This article contains general guidance on setting up identity providers to provision with Sumo Logic.
+
+See the following articles for directions to configure specific providers:
+* [Provision with Microsoft Entra ID](/docs/manage/security/scim/provision-with-microsoft-entra-id/)
+* [Provision with Okta](/docs/manage/security/scim/provision-with-okta/)
+* [Provision with OneLogin](/docs/manage/security/scim/provision-with-onelogin/)
+
+## General process to configure provisioning for Sumo Logic
+
+Although the process will differ depending on your provider, following are the general steps to configure your provider to provision with Sumo Logic. 
+
+### Prerequisites
+
+#### Create an access key
+
+Before configuring a provider, create an [access key](/docs/manage/security/access-keys/). (We recommend using a service account to create the access key.) This access key will provide authorization to provision users from the provider into Sumo Logic.
+
+When you create the access key, copy its access ID and access key values. You will enter these when you set up provisioning to use one of the following authorization methods:
+* Basic authentication
+   * Username: Access ID
+   * Password: Access key
+* Bearer token<br/>Use [Base64 encoding](https://www.base64encode.org/) to Base64 encode `<access ID>:<access key>`.
+
+#### Set up SAML
+
+[Set up SAML for single sign-on](/docs/manage/security/saml/set-up-saml/) in the Sumo Logic instance where you will provision users. This will allow connection to Sumo Logic for provisioning. Copy the single sign-on URL (Assertion Consumer URL) and entity ID from your Sumo Logic SAML configuration to set up single sign-on in your provider.
+
+<img src={useBaseUrl('img/security/provision-sumo-logic-saml-settings.png')} alt="ACS and entity ID from Sumo Logic" style={{border: '1px solid gray'}} width="800" />
+
+### Step 1: Create an app
+
+Create an application in your provider. You will configure this app in the following steps.
+
+### Step 2: Set up single sign-on
+
+Set up single sign-on for the app to connect to Sumo Logic. Copy the Assertion Consumer URL and entity ID from the SAML configuration in Sumo Logic to use in the configuration. (See [Set up SAML](#set-up-saml) above.)
+
+### Step 3: Set up roles
+
+Set up roles in your app to match roles in Sumo Logic (for example, Administrator and Analyst). When users assigned these roles in your app are provisioned, the roles are automatically assigned to the provisioned users in Sumo Logic.
+
+### Step 4: Assign users to your app
+
+Assign users to your app. All users assigned to the app will be provisioned.
+
+### Step 5: Set up provisioning
+
+When you set up provisioning for the app, provide a Sumo Logic access key to authorize access to Sumo Logic. (See [Create an access key](#create-an-access-key) above.) 
+
+For the SCIM base URL, provide the Sumo Logic [API endpoint for your deployment](/docs/api/getting-started/#sumo-logic-endpoints-by-deployment-and-firewall-security) for the [SCIM User Management APIs](/docs/api/scim-user/) using the format `<api-endpoint>/v1/scim/`. For example, `https://api.sumologic.com/api/v1/scim/`. 
+
+### Step 6: Verify provisioning
+
+Test provisioning to ensure that users assigned to the app are provisioned correctly into Sumo Logic. Verify in your provider's logs and in the Sumo Logic UI. 
+
+

docs/manage/security/scim/index.md

@@ -0,0 +1,38 @@
+---
+slug: /manage/security/scim
+title: SCIM Provisioning
+description: Learn how to provision users in Sumo Logic using SCIM. 
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+Learn how to provision and deprovision users in Sumo Logic using SCIM (System for Cross-domain Identity Management).
+
+This section contains the following articles:
+
+<div className="box-wrapper" >
+<div className="box smallbox card">
+  <div className="container">
+  <a href="/docs/manage/security/scim/about-scim-provisioning"><img src={useBaseUrl('img/icons/general/session.png')} alt="icon" width="40"/><h4>About SCIM Provisioning</h4></a>
+  <p>Learn about provisioning users in Sumo Logic using SCIM.</p>
+  </div>
+</div>
+<div className="box smallbox card">
+  <div className="container">
+  <a href="/docs/manage/security/scim/provision-with-microsoft-entra-id"><img src={useBaseUrl('img/icons/general/session.png')} alt="icon" width="40"/><h4>Provision with Microsoft Entra ID</h4></a>
+  <p>Learn how to provision users in Sumo Logic with Microsoft Entra ID (formerly Azure Active Directory).</p>
+  </div>
+</div>
+<div className="box smallbox card">
+  <div className="container">
+  <a href="/docs/manage/security/scim/provision-with-okta"><img src={useBaseUrl('img/icons/general/session.png')} alt="icon" width="40"/><h4>Provision with Okta</h4></a>
+  <p>Learn how to provision users in Sumo Logic with Okta</p>
+  </div>
+</div>
+<div className="box smallbox card">
+  <div className="container">
+  <a href="/docs/manage/security/scim/provision-with-onelogin"><img src={useBaseUrl('img/icons/general/session.png')} alt="icon" width="40"/><h4>Provision with OneLogin</h4></a>
+  <p>Learn how to provision users in Sumo Logic with OneLogin</p>
+  </div>
+</div>
+</div>

docs/manage/security/scim/provision-with-microsoft-entra-id.md

@@ -0,0 +1,118 @@
+---
+id: provision-with-microsoft-entra-id 
+title: Provision with Microsoft Entra ID
+sidebar_label: Provision with Microsoft Entra ID
+description: Learn how to provision users in Sumo Logic with Microsoft Entra ID (formerly Azure Active Directory). 
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+This article describes how to provision users in Sumo Logic with Microsoft Entra ID (formerly Azure Active Directory).
+
+## Prerequisites
+
+### Create an access key
+
+Create an [access key](/docs/manage/security/access-keys/). (We recommend using a service account to create the access key.) This access key will provide authorization to provision users from Microsoft Entra ID into Sumo Logic.
+
+When you create the access key, copy its access ID and access key values. You will enter these when you use [Base64 encoding](https://www.base64encode.org/) to Base64 encode `<access ID>:<access key>` to generate a token.
+
+## Configure provisioning with Microsoft Entra ID
+
+### Step 1: Create the app
+
+1. Log in to [Microsoft Azure](http://portal.azure.com/) as an administrator.
+1. Navigate to Microsoft Entra ID. (You can use the search bar to locate it.)
+1. Navigate to **Manage > Enterprise Applications**.
+1. Click **New application**.<br/><img src={useBaseUrl('img/security/provision-azure-new-app.png')} alt="Create new application" style={{border: '1px solid gray'}} width="800" />
+1. Click **Create your own application**.<br/><img src={useBaseUrl('img/security/provision-azure-create-your-own-app.png')} alt="Create your own application" style={{border: '1px solid gray'}} width="400" />
+1. Enter a name for the app, select **Integrate any other application you don't find in the gallery (Non-gallery)**. <br/><img src={useBaseUrl('img/security/provision-azure-name-app.png')} alt="Name your application" style={{border: '1px solid gray'}} width="400" />
+1. Click **Create**. The app displays in Entra ID.<br/><img src={useBaseUrl('img/security/provision-azure-app.png')} alt="App in Entra ID" style={{border: '1px solid gray'}} width="600" />
+
+### Step 2: Set up single sign-on
+
+Follow the directions in [Configure Sumo as an Enterprise App in Azure AD](/docs/manage/security/saml/integrate-sumo-with-azure-ad/#configure-saml-in-sumo-logic) beginning with the step where you select **Set up single sign on**. 
+
+<img src={useBaseUrl('img/security/provision-azure-set-up-sso.png')} alt="Set up single sign on" style={{border: '1px solid gray'}} width="600" />
+
+When you [configure SAML in Sumo Logic](/docs/manage/security/saml/integrate-sumo-with-azure-ad/#configure-saml-in-sumo-logic):
+* Select **Disable Requested Authentication Context**.
+* Do not select the **On Demand Provisioning** checkbox. You will set up provisioning later.
+
+### Step 3: Add roles
+
+Create roles that the users will have in Sumo Logic (for example, `Analyst` and `Administrator`).
+
+1. In the app, select **Manage > Users and groups**.
+1. Select **application registration**.<br/><img src={useBaseUrl('img/security/provision-azure-app-registration.png')} alt="Add users" style={{border: '1px solid gray'}} width="700" />
+1. Click **Create app role**.<br/><img src={useBaseUrl('img/security/provision-azure-create-app-role.png')} alt="Create app role" style={{border: '1px solid gray'}} width="700" />
+1. Create the role:
+   1. In **Display name**, enter the name to be displayed in the UI (for example, `Analyst`).
+   1. For **Allowed member types** select **Both**.
+   1. For **Value** enter the value of the role in Sumo Logic (for example, `Analyst`).
+   1. For **Description** enter a description of the role.
+   1. Click **Apply**.<br/><img src={useBaseUrl('img/security/provision-azure-create-app-role-dialog.png')} alt="Create app role dialog" style={{border: '1px solid gray'}} width="400" />
+
+### Step 4: Assign users to the app
+
+1. In the app, select **Manage > Users and groups**. 
+1. Select **Add user/group**.<br/><img src={useBaseUrl('img/security/provision-azure-add-users.png')} alt="Add users" style={{border: '1px solid gray'}} width="600" />
+1. Under **Users**, click **None Selected**.<br/><img src={useBaseUrl('img/security/provision-azure-add-assignment.png')} alt="Add Assignment" style={{border: '1px solid gray'}} width="400" />
+1. From the list of available users, select users to add to the app and click **Select**.
+1. Under **Select a role** click **None Selected**.
+1. From the list of available roles, select a role (for example, **Analyst**).
+1. Click **Assign**.
+
+### Step 5: Set up provisioning
+
+1. In the app select **Manage > Provisioning**.<br/><img src={useBaseUrl('img/security/provision-azure-provisioning.png')} alt="Connect your application" style={{border: '1px solid gray'}} width="600" />
+1. For **Provisioning Mode**, select **Automatic**.
+1. Enter **Admin Credentials**:
+   1. In **Tenant URL**, enter the [API endpoint for your deployment](/docs/api/getting-started/#sumo-logic-endpoints-by-deployment-and-firewall-security) for the [SCIM User Management APIs](/docs/api/scim-user/) using the format `<api-endpoint>/v1/scim/`. For example, `https://api.sumologic.com/api/v1/scim/`.
+   1. For **Secret Token**, use [Base64 encoding](https://www.base64encode.org/) to encode `<access ID>:<access key>` (see [Prerequisites](#prerequisites)). Enter the resulting value into the **Secret Token** field.
+   1. Click **Test Connection**. If successful, a message like this appears: **Testing connection to `<app name>`. The supplied credentials are authorized to enable provisioning**.
+1. Set up mappings:
+   1. Select **Mappings** and **Provision Microsoft Entra Users**.<br/><img src={useBaseUrl('img/security/provision-azure-mappings.png')} alt="Provision mappings" style={{border: '1px solid gray'}} width="600" />
+   1. At the bottom of the **Attribute Mapping** dialog, select **Add New Mapping**.
+   1. Fill out the **Edit Attribute** dialog:
+      1. For **Mapping type** select **Expression**.
+      1. For **Expression** enter `AppRoleAssignments([appRoleAssignments])`.
+      1. For **Target attribute** select `roles[primary eq "True"].value`.
+      1. Click **OK**.<br/><img src={useBaseUrl('img/security/provision-azure-role-attribute.png')} alt="Edit attribute" style={{border: '1px solid gray'}} width="600" />
+   1. On the **Attribute Mapping** dialog, delete all the attributes except:
+      * userName
+      * active
+      * emails[type eq "work"].value
+      * name.givenName
+      * name.familyName
+      * roles[primary eq "True"].value
+   1. Click **Save**.<br/><img src={useBaseUrl('img/security/provision-azure-attribute-mappings.png')} alt="Attribute mappings" style={{border: '1px solid gray'}} width="600" />
+1. Click the **Home > `<app name>` | Provisioning** link in the top left corner of the screen. This returns you to the **Provisioning** tab.
+1. Test provisioning:
+   1. In the app, select **Manage > Provisioning**.
+   1. For **Provisioning Status** select **On** to enable provisioning.
+   1. Click **Save**.<br/><img src={useBaseUrl('img/security/provision-azure-provisioning-status.png')} alt="Provisioning status" style={{border: '1px solid gray'}} width="600" />
+   1. Select **Overview**.
+   1. Select **Provision on demand**.<br/><img src={useBaseUrl('img/security/provision-azure-provision-on-demand.png')} alt="Provision on demand" style={{border: '1px solid gray'}} width="600" />
+   1. Users assigned the app will be provisioned into Sumo Logic. 
+
+As long as the app's provisioning status is on, the app runs auto provisioning every 40 minutes.
+
+### Step 6: Verify provisioning
+
+Users assigned to the app are provisioned into Sumo Logic. 
+
+1. Verify in Microsoft Entra ID:
+   1. In the app, select **Provisioning** and then select the **Monitoring** tab.
+   1. The tab should show provisioning status. Click **View Provisioning Logs** for details.
+1. Verify in Sumo Logic:
+   1. Log in to the Sumo Logic instance that you linked to the provisioning app in Step 2 when you provided the Assertion Consumer URL and entity ID.
+   1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Administration > Users and Roles > Users**. <br/>[**New UI**](/docs/get-started/sumo-logic-ui). In the top menu select **Administration**, and then under **Users and Roles** select **Users**. You can also click the **Go To...** menu at the top of the screen and select **Users**. 
+   1. Search for the users provisioned from Microsoft Entra ID. 
+   1. You should see the users listed, and with the role given to them when you assigned them to the app in Microsoft Entra ID.
+
+## Syncing between Microsoft Entra ID and Sumo Logic
+
+When you modify the name, email, or role of a user assigned the app in Microsoft Entra ID, the changes will be synced to the corresponding user in Sumo Logic.
+
+If you unassign a user from the app in Microsoft Entra ID, the corresponding user is deactivated in Sumo Logic. (If you later try to reassign that same user to the app, it will result in an error in Sumo Logic. You must delete the old user from Sumo Logic first so that the user can be provisioned once again from Microsoft Entra ID.)