System for Cross-Domain Identity Management (SCIM)

System for Cross-Domain Identity Management (SCIM) is a standard protocol designed to facilitate the automation of user provisioning and management across various applications and services. SCIM allows organizations to manage user identities in a centralized manner, enabling seamless integration with identity providers and other systems.

With SCIM, organizations can automate the process of creating, updating, and deleting user accounts across multiple platforms, reducing the administrative burden associated with manual user management. This is particularly beneficial for businesses that utilize a variety of applications and need to ensure that user access is consistent and secure.

Benefits

Key benefits of SCIM User Provisioning include:

Centralized User Management: Manage user identities from a single source, ensuring consistency across all applications.
Automated Provisioning: Automatically create, update, or deactivate user accounts based on organizational changes, such as new hires or role changes.
Enhanced Security: Reduce the risk of unauthorized access by ensuring that user accounts are promptly updated or removed as needed.
Improved Efficiency: Streamline the onboarding and offboarding processes, allowing IT teams to focus on more strategic initiatives.

Configure SCIM in Chargebee

This guide provides the steps required to how to obtain or configure the SCIM Provisioning on Chargebee, and includes the following topics:

Prerequisites

SAML must be enabled before configuring Provisioning for Chargebee.
After enabling SAML, you must reach out to Chargebee support to enable Provisioning on your site.

Provisioning Features

The following Provisioning features are supported:

Push New Users
Push Profile Updates
Push User Deactivation
Reactivate Users
Push Groups
Unlink Groups
Push Groups or Push Group Updates

Import of Users or Groups from Chargebee to Okta is not supported.

Configuration Steps

Setup in Chargebee

To obtain the API Token value for configuring Provisioning in Chargebee, follow these steps:

Login to your Chargebee account using SAML.
Navigate to Settings > Team Members.
Click Get Started under User Identity Management.
Follow the steps below
1. Select SCIM and click Next.
2. Select OKTA and Bearer as authentication type and click Next.
Under Chargebee Credentials, copy the values of the Chargebee Site URL and Bearer Token. Use these values to add SCIM connection at the Provisioning tab of the Chargebee Okta Application.

Setup in Okta

To configure your provisioning settings in the Okta Application, follow these steps:

Login to your Okta account and navigate to Okta admin console.
Select Applications from the left nav.
Select the Chargebee Okta application instance that is configured with SAML for the respective site. This is the instance created while enabling SAML for the site, as mentioned here.
Navigate to Provisioning tab and click Configure API Integration.
Complete the following steps:
1. Select the Enable API Integration checkbox. Enter your Chargebee API Token from step 5 as mentioned above.
2. Click Test API Credentials for testing your credentials. This step is optional.
3. Click Save to apply the changes.
In Provisioning tab, select To App and click Edit to update the Provisioning to App section.
Select and save the following options:
1. Create Users
2. Update User Attributes
3. Deactivate Users
Navigate to the Sign on tab and click Edit to update the Settings section.
Save the application by setting the Application username format to Email under Credential Details.

Chargebee's Group Name Format

Chargebee requires the okta group name to be in the following format:

CB/<domain>/ROLE/<role_name>
- CB is a standard prefix that will not change.
- domain is your domain name.
- ROLE is the standard prefix that will not change.
- role_name is the access role name. For example, Admin, Analyst, and more. Learn more about the access roles preasent in Chargebee.
Currently, we do not support the creation of the Owner group, as we have restricted the transfer of owners through SCIM.

System for Cross-Domain Identity Management (SCIM)

Benefits

Key benefits of SCIM User Provisioning include:

Centralized User Management: Manage user identities from a single source, ensuring consistency across all applications.
Automated Provisioning: Automatically create, update, or deactivate user accounts based on organizational changes, such as new hires or role changes.
Enhanced Security: Reduce the risk of unauthorized access by ensuring that user accounts are promptly updated or removed as needed.
Improved Efficiency: Streamline the onboarding and offboarding processes, allowing IT teams to focus on more strategic initiatives.

Configure SCIM in Chargebee

This guide provides the steps required to how to obtain or configure the SCIM Provisioning on Chargebee, and includes the following topics:

Prerequisites

SAML must be enabled before configuring Provisioning for Chargebee.
After enabling SAML, you must reach out to Chargebee support to enable Provisioning on your site.

Provisioning Features

The following Provisioning features are supported:

Push New Users
Push Profile Updates
Push User Deactivation
Reactivate Users
Push Groups
Unlink Groups
Push Groups or Push Group Updates

Import of Users or Groups from Chargebee to Okta is not supported.

Configuration Steps

Setup in Chargebee

To obtain the API Token value for configuring Provisioning in Chargebee, follow these steps:

Login to your Chargebee account using SAML.
Navigate to Settings > Team Members.
Click Get Started under User Identity Management.
Follow the steps below
1. Select SCIM and click Next.
2. Select OKTA and Bearer as authentication type and click Next.
Under Chargebee Credentials, copy the values of the Chargebee Site URL and Bearer Token. Use these values to add SCIM connection at the Provisioning tab of the Chargebee Okta Application.

Setup in Okta

To configure your provisioning settings in the Okta Application, follow these steps:

Login to your Okta account and navigate to Okta admin console.
Select Applications from the left nav.
Select the Chargebee Okta application instance that is configured with SAML for the respective site. This is the instance created while enabling SAML for the site, as mentioned here.
Navigate to Provisioning tab and click Configure API Integration.
Complete the following steps:
1. Select the Enable API Integration checkbox. Enter your Chargebee API Token from step 5 as mentioned above.
2. Click Test API Credentials for testing your credentials. This step is optional.
3. Click Save to apply the changes.
In Provisioning tab, select To App and click Edit to update the Provisioning to App section.
Select and save the following options:
1. Create Users
2. Update User Attributes
3. Deactivate Users
Navigate to the Sign on tab and click Edit to update the Settings section.
Save the application by setting the Application username format to Email under Credential Details.

Chargebee's Group Name Format

Chargebee requires the okta group name to be in the following format:

CB/<domain>/ROLE/<role_name>
- CB is a standard prefix that will not change.
- domain is your domain name.
- ROLE is the standard prefix that will not change.
- role_name is the access role name. For example, Admin, Analyst, and more. Learn more about the access roles preasent in Chargebee.
Currently, we do not support the creation of the Owner group, as we have restricted the transfer of owners through SCIM.

Product Updates

Getting Started

Implementing Chargebee

AI in Chargebee

Product Catalog

Subscriptions

Customers

Invoices, Credit Notes and Quotes

Taxes

Hosted Capabilities

Site Configuration

Reports and Analytics

Integrations

Data Privacy & Security

Data Operations

System for Cross-Domain Identity Management (SCIM)

Benefits

Configure SCIM in Chargebee

Prerequisites

Provisioning Features

Configuration Steps

Setup in Chargebee

Setup in Okta

Chargebee's Group Name Format

Product Updates

Getting Started

Implementing Chargebee

AI in Chargebee

Product Catalog

Subscriptions

Customers

Invoices, Credit Notes and Quotes

Taxes

Hosted Capabilities

Site Configuration

Reports and Analytics

Integrations

Data Privacy & Security

Data Operations

System for Cross-Domain Identity Management (SCIM)

Benefits

Configure SCIM in Chargebee

Prerequisites

Provisioning Features

Configuration Steps

Setup in Chargebee

Setup in Okta

Chargebee's Group Name Format