BlueDolphin supports automatic user provisioning. When automatic user provisioning is enabled, you can use the public API to manage BlueDolphin users and their role assignments, so you no longer need to do this manually in the BlueDolphin UI. With automatic user provisioning, whenever a user logs in, they have the role(s) that correspond to their user groups in your organization's Identity and Access Management (IAM) tool. BlueDolphin user authentication is still done through your IdP.
In BlueDolphin, automatic user provisioning is done using public REST API calls that follow the SCIM 2.0 protocol. If your organization uses an IAM tool that supports SCIM 2.0, that tool can issue public API calls to BlueDolphin to read, create, update and delete users and role assignments in BlueDolphin for all users that belong to certain user groups in your organization's IAM tool.
Note: BlueDolphin automatic user provisioning is currently supported with the following IAM tools: SailPoint, Okta, and Azure. Any other IAM tool that supports SCIM 2.0 may also work, but is not explicitly supported.
For more information on the SCIM 2.0 protocol, see http://www.simplecloud.info/
For integration with Azure, a new 'Non-gallery' application should be created. Please refer to the Azure AD documentation: Tutorial - Develop a SCIM endpoint for user provisioning to apps from Azure Active Directory - Microsoft Entra | Microsoft Docs
Please also refer to the documentation of your IAM tool.
The public REST API for automatic user provisioning has two endpoints, /Users and /Groups.
For more detailed documentation on the BlueDolphin public REST API,
How to start using automatic user provisioning
Enable the feature
BlueDolphin automatic user provisioning is disabled by default. To request the feature to be enabled, raise a Zendesk support ticket with BlueDolphin. BlueDolphin support will inform you when the feature is enabled.
Please be aware that when automatic user provisioning is enabled:
- You can still manually manage users and their role assignments in the BlueDolphin UI. There can be a mix of manually managed and provisioned users, and each user can have a mix of manual and provisioned role assignments.
- You can't tell a manually managed user or role assignment apart from an automatically provisioned one, neither in the UI nor through public API call responses.
Create an API key
To successfully issue public API calls for a certain feature, calls must use a valid API key with that feature as the scope of the API key. The public API calls for the feature 'automatic user provisioning' need to make use of an API key with the scope 'user provisioning'.
In Admin > Public API keys, create an API key and store the key secret.
For more information on this, see Working with the public API.
Map IAM user groups to BlueDolphin roles
Before starting with automatic user provisioning, you must decide, for each BlueDolphin role, which IAM user groups correspond to that role. In general, you only want to provision users in BlueDolphin for a subset of your IAM user groups. This mapping can be many-to-many.
Assuming you have used BlueDolphin without automatic user provisioning, your BlueDolphin tenant will contain users that have been manually created. Before you can use user provisioning on a day-to-day basis, you need to match (aka 'correlate') those pre-existing BlueDolphin users with IAM users.
Also whenever you change the mapping of IAM user groups to BlueDolphin roles, perform a full 'initial matching' before going to day-to-day user provisioning.
For a high level description of this initial matching process, please see User tips & tricks: Initial matching as part of Automatic User Provisioning.
Day-to-day automatic user provisioning
At regular intervals, the relevant changes to the users in IAM need to be propagated to BlueDolphin, so that the users and role assignments are in sync.
A relevant change in IAM can be one of the following types:
- a new user
- a deleted user
- a change in relevant user details
- a change in IAM user group membership (for one of the relevant IAM user groups)
For each type of change, configure IAM to do the corresponding public API call to BlueDolphin.
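As an added illustration (not BlueDolphin's or any IAM vendor's code), the following Python translates each of the four change types above into the SCIM 2.0 call an IAM tool would issue against the /Users and /Groups endpoints, and uses the group-to-role mapping to drop membership changes in groups that are not relevant. The group ids, user ids and the API-key header format are constructed assumptions; the schema URNs and PatchOp shapes are standard SCIM 2.0.

```python
# Constructed example values: BlueDolphin's real group ids and API-key header
# format are not stated on the page, so these are assumptions for illustration.
API_KEY_HEADERS = {"Authorization": "Bearer <api-key-secret>",
                   "Content-Type": "application/scim+json"}

# Many-to-many mapping of IAM user groups to BlueDolphin roles (SCIM /Groups ids).
# Only groups listed here are "relevant"; membership changes elsewhere are ignored.
GROUP_TO_ROLES = {
    "iam-architects": ["bd-group-architect", "bd-group-viewer"],
    "iam-viewers": ["bd-group-viewer"],
}

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def scim_requests(change):
    """Translate one IAM change event into the SCIM 2.0 call(s) to send to BlueDolphin.
    Returns a list of (HTTP method, path, JSON body) tuples; nothing is sent."""
    kind = change["type"]
    if kind == "new_user":
        body = {"schemas": [SCIM_USER], "userName": change["email"], "active": True,
                "name": {"givenName": change["first"], "familyName": change["last"]}}
        return [("POST", "/Users", body)]
    if kind == "deleted_user":
        return [("DELETE", f"/Users/{change['user_id']}", None)]
    if kind == "user_details":
        # One replace operation per changed attribute, e.g. "name.familyName".
        ops = [{"op": "replace", "path": attr, "value": val}
               for attr, val in change["updates"].items()]
        return [("PATCH", f"/Users/{change['user_id']}",
                 {"schemas": [SCIM_PATCH], "Operations": ops})]
    if kind == "group_membership":
        roles = GROUP_TO_ROLES.get(change["group"])
        if not roles:
            return []  # not a relevant IAM group: no call to BlueDolphin
        user_id = change["user_id"]
        reqs = []
        for role_group in roles:  # many-to-many: one PATCH per mapped role
            if change["added"]:
                op = {"op": "add", "path": "members", "value": [{"value": user_id}]}
            else:
                op = {"op": "remove", "path": f'members[value eq "{user_id}"]'}
            reqs.append(("PATCH", f"/Groups/{role_group}",
                         {"schemas": [SCIM_PATCH], "Operations": [op]}))
        return reqs
    raise ValueError(f"unknown change type: {kind}")
```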