Pigment offers various options to control which Members you want to add when preparing to invite them to your Workspace. This article explains how to use and configure identity and provisioning settings for System for Cross-domain Identity Management (SCIM), and email domain restriction settings.
What identity and provisioning settings are available?
Three different options are available to you:
- Restricting domains. This allows Security Admins to control which email domains can be invited into a Workspace.
- Single Sign-on (SSO). This lets Members sign in through their own identity provider. For more information, see Configure Single Sign-On (SSO) with Pigment.
- SCIM provisioning. This is used to systematically manage Members through an identity provider’s directory.
Set up domain restrictions
To configure email domain restriction, you need a Security Admin account type.
This setting only impacts new invitations to the Workspace, and doesn’t impact existing Workspace Members.
To set up domain restrictions, and to authorize specific domains in your Workspace, do the following:
- In the Workspace Settings, click Members management.
- Click More options and then Identity & provisioning settings.
- Toggle on Restrict domains.
- Click + Add domain to add each new domain you want to authorize.
This opens the Add a new email domain pane. The Pigment Support email account, support@gopigment.com, bypasses the authorized domains list.
- Enter the domain name and click Add domain.
The format you enter is the domain name. For example, if you want to add a Member whose email is joe@gopigment.com, you enter the domain gopigment.com.
- (Optional) To remove an authorized domain, click the Delete icon listed beside it.
- When you’ve entered the required domain names, click Done.
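The following Python sketch is an added example, not Pigment's code, of the invitation check that the Restrict domains setting implies: the invitee's domain must be on the authorized list, with the stated support@gopigment.com bypass. Case-insensitive, exact-domain matching (no subdomain inheritance) is an assumption the article does not state.

```python
from __future__ import annotations

# Constructed example of the "Restrict domains" check described above (not Pigment's code).
# Assumptions not stated in the article: matching is case-insensitive and exact, so an
# entry for gopigment.com does not cover a subdomain such as eu.gopigment.com.

# The article states this account bypasses the authorized domains list.
SUPPORT_BYPASS = "support@gopigment.com"


def email_domain(email: str) -> str | None:
    """Return the normalized domain of an address, or None if it is not a plausible email."""
    local, sep, domain = email.strip().partition("@")
    if not sep or not local or "@" in domain or "." not in domain:
        return None
    return domain.lower().rstrip(".")


def is_invite_allowed(email: str, authorized_domains: set[str], restrict_domains: bool = True) -> bool:
    """Decide whether an invitation to `email` may be sent from this Workspace."""
    if not restrict_domains:
        return True  # setting toggled off: no domain check applies
    if email.strip().lower() == SUPPORT_BYPASS:
        return True  # documented bypass for the Pigment Support account
    domain = email_domain(email)
    if domain is None:
        return False  # malformed address: never let it through
    allowed = {d.lower().rstrip(".") for d in authorized_domains}
    return domain in allowed
```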
What is SCIM?
SCIM is an industry standard to provide cross-provider identity management. It defines a standard schema of user attributes, ensuring all services processing a SCIM request can consistently interpret the data and understand how to use the provided values.
How does SCIM integrate with Pigment?
Pigment leverages SCIM to enable our customers' IT teams to manage Member access directly through their identity provider solution:
- Create or invite new Members in Pigment
- Update a Member’s name
- Deactivate a Member
- Reactivate a deactivated Member
- Find and list Members in Pigment using their email address
We do not support Group provisioning, nor any specific Role attribution for users yet.
When SCIM is enabled, Member management moves entirely to your identity provider. This means you can no longer manually invite or deactivate Members directly within Pigment. Instead, all Member provisioning, updates, and deactivations need to be handled through your identity provider.
Set up SCIM provisioning in Pigment
Before you begin
To set up SCIM for your Pigment Workspace, check the following:
- You have already configured SAML SSO with your identity provider for Pigment.
- Your identity provider must support SAML 2.0 with a Core User Schema.
- You must have Security Admin access to Pigment.
Supported Identity Providers
Pigment’s automatic provisioning can be used with any identity provider which supports SCIM for user management. We provide guidelines for setting up SCIM with these identity providers:
- Okta
- OneLogin
- Microsoft Entra ID
If your identity provider supports SCIM provisioning but is not listed above, reach out to the Pigment Support team for assistance.
Enable SCIM and generate an API Token
The first step in setting up SCIM with Pigment is to enable the SCIM setting and generate an API token within Pigment's Identity & Provisioning settings.
- In the Workspace Settings, click Members management.
- Click More options and then Identity & provisioning settings.
- Review the Single Sign-On status.
If this is not activated, contact Pigment Support.
- Toggle on SCIM Provisioning.
- Click + Add token to generate a new API token.
- Choose an expiration based on your security policies.
- Make a note of the generated URL and API token.
These are both required by your identity provider.
About API tokens
Tokens are private to the Workspace rather than the Member who created them. This means that even if the Member who generated the token is deactivated, the token remains valid until its designated expiration date.
Multiple tokens can be created and active at the same time, for rotation purposes.
Tokens can be revoked at any time using the Delete button. However, before revoking a token, ensure it’s no longer used by your identity provider.
Set up SCIM in the Identity Provider
The next step in setting up SCIM with Pigment is to set up your identity provider with the generated URL and API token.
Okta
There is no preconfigured Pigment integration in the Okta Integration Network at the moment. If Okta is your identity provider and you need help setting up SCIM, contact Pigment Support.
Here’s how to manually set up SCIM in Okta with your generated API token and URL:
- Log in to the Admin panel in Okta.
- Open the Applications menu and review the details for your Pigment SAML 2.0 Application.
- In the General tab, select the Enable SCIM Provisioning check box.
- In the Provisioning tab, click Integration, and then SCIM Connection.
- Click Edit and update the following fields:
  - SCIM connector base URL. Enter the API URL you generated in Pigment.
  - Unique identifier. Enter the user name.
  - Supported provisioning actions. Select the Push New Users and Push Profile Updates options.
  - Authentication. Select HTTP Header.
  - HTTP Header Authorization. Enter the API token you generated in Pigment.
- Click Test Connector Configuration to confirm that the connection works.
- Click Save.
- Go to the Provisioning tab located in the To App Settings panel, and click Edit.
- Select the following:
  - Create Users
  - Update User Attributes
  - Deactivate Users
- Click Save.
The SCIM integration is now complete. Any Members assigned to the Okta application are now created in Pigment.
OneLogin
Here’s how to manually set up SCIM in OneLogin with your generated API token and URL:
- Log in to the OneLogin Admin panel and open the applications list.
- If you already have a SAML application for Pigment, ensure it can support a SCIM v2 Core configuration.
Otherwise, click Add App and select SCIM Provisioner with SAML (SCIM v2 Core) to create a new one.
- In the Application Configuration section:
  - SCIM Base URL. Enter the API URL you generated in Pigment.
  - Custom Headers. These fields should remain empty.
  - SCIM Bearer Token. Enter the API token you generated in Pigment.
  - SCIM JSON Template. Use the following code:
    {
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "id": "{$user.email}",
      "userName": "{$user.email}",
      "displayName": "{$user.display_name}",
      "name": {
        "givenName": "{$user.firstname}",
        "familyName": "{$user.lastname}"
      },
      "emails": [
        {
          "value": "{$user.email}",
          "primary": true,
          "type": "work"
        }
      ]
    }
- Click Enable.
- In the Provisioning menu:
  - You can now enable provisioning and select which operations require an approval.
  - When users are deleted or suspended in OneLogin, you can choose to delete or suspend them. The operations are identical in Pigment; deleted Members are not suspended, for historical purposes.
- Click Save.
Microsoft Entra ID
Here’s how to manually set up SCIM in Microsoft Entra ID with your generated API token and URL:
- Log in to the Azure Portal and open your Microsoft Entra Directory.
- Select Enterprise applications.
If you already have a SAML Application set up for Pigment, select it and go to the application overview in step 5.
- Click New Application and select Create your own application.
- In the Application creation sidebar, enter Pigment as the name, then select Create.
- In the Application overview screen, go to Provisioning, then click Get started.
- Complete the following fields:
  - Provisioning mode. Select Automatic from the menu.
  - Tenant URL. Enter the API URL you generated in Pigment.
  - Secret Token. Enter the API token you generated in Pigment.
- Test the connection.
- If the connection is successful, click Save.
Mapping Attributes
You may need to change the default mappings between the Entra ID attributes and Pigment on the provisioning page. To adjust this, open the Mappings section and modify how the values in Microsoft Entra ID correspond to the attributes in Pigment. For more information, see User Attributes Mapping.
How to enable Microsoft Entra ID provisioning
If Microsoft Entra ID provisioning is unavailable initially, here’s how you enable it:
- Go to the Enterprise Application's Provisioning Overview page.
Provisioning displays a status of unavailable.
- Click Start Provisioning, or alternatively select Provision on Demand to sync a specific user or group immediately.
This is useful if you need to perform a test in advance of a full sync.
- Go to the Provisioning section and set the Provisioning Status to On.
This enables automatic user management for this enterprise application.
The SCIM integration is now complete. Entra ID will manage user creation, updates, and deactivations within Pigment based on changes in the app assignment scope within Entra ID.
User Attributes Mapping
Pigment requires and maps the following SCIM User Attributes:
- userName. The Member’s login email, for example: john.doe@example.com
- displayName. The full display name for the user, for example: John Doe
The SCIM standard holds attributes for many more fields, such as job title, phone numbers, and so on. However, these are not part of Pigment’s user profile. Any extra data sent in addition to the required fields noted above is ignored and is not stored.
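As an added example (not Pigment's or OneLogin's code), the Python below renders the SCIM v2 User payload that the OneLogin JSON template above produces from a constructed IdP record, then checks such a payload against the two attributes this article says Pigment requires, reporting every extra attribute as ignored. The record field names mirror the template variables; the rejection rules (schema URN present, userName shaped like an email) are assumptions.

```python
from __future__ import annotations

import re

# SCIM core User schema URN, the schema the OneLogin template declares.
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
# The only attributes Pigment requires and maps, per this article.
REQUIRED_ATTRIBUTES = ("userName", "displayName")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample IdP record; keys mirror the template variables ({$user.email}, ...).
SAMPLE_IDP_USER = {
    "email": "john.doe@example.com",
    "display_name": "John Doe",
    "firstname": "John",
    "lastname": "Doe",
}


def build_scim_user(idp_user: dict) -> dict:
    """Render the SCIM v2 User payload the OneLogin JSON template produces."""
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "id": idp_user["email"],
        "userName": idp_user["email"],
        "displayName": idp_user["display_name"],
        "name": {"givenName": idp_user["firstname"], "familyName": idp_user["lastname"]},
        "emails": [{"value": idp_user["email"], "primary": True, "type": "work"}],
    }


def validate_scim_user(payload: dict) -> tuple[dict, list[str]]:
    """Return (profile, ignored): the two stored attributes and the dropped extras.

    Raises ValueError for a payload that cannot be provisioned (assumed rules:
    schema URN present, both required attributes non-empty, userName is an email).
    """
    if SCIM_USER_SCHEMA not in payload.get("schemas", []):
        raise ValueError(f"missing schema {SCIM_USER_SCHEMA}")
    missing = [a for a in REQUIRED_ATTRIBUTES if not payload.get(a)]
    if missing:
        raise ValueError(f"missing required attributes: {missing}")
    if not EMAIL_RE.match(payload["userName"]):
        raise ValueError("userName must be the Member's login email")
    profile = {a: payload[a] for a in REQUIRED_ATTRIBUTES}
    # Everything else (title, phoneNumbers, name, emails, ...) is ignored, not stored.
    ignored = sorted(k for k in payload if k not in REQUIRED_ATTRIBUTES and k != "schemas")
    return profile, ignored
```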