# SCIM SailPoint Integration SailPoint provides a SCIM identity management connector that allows you to manage Teleport Access List membership through SailPoint IdentityNow or SailPoint IdentityIQ. ## Prerequisites - Teleport SCIM plugin setup: [SCIM Plugin Installation](https://goteleport.com/docs/identity-governance/integrations/scim.md) ## Step 1/2: Configure a SCIM 2.0 Teleport connector in SailPoint To integrate Teleport with SailPoint using SCIM, you need to configure a SCIM connector in SailPoint IdentityNow or SailPoint IdentityIQ. The exact configuration steps may vary slightly depending on your version of SailPoint, but the general process is as follows. ### Configure SCIM in SailPoint Create a new SCIM connector in SailPoint at: Applications > Application Definition > Add New Application. Select **SCIM 2.0** as the application type and provide the required configuration details: ![SailPoint Connector Details](/docs/assets/images/sailpoint-1-783ccc31a3cdbef2c801c911965be44c.png) Navigate to the Teleport SCIM Integration page and copy the OAuth 2.0 details and the SCIM base URL. --- INFO If the Teleport SCIM integration has not been set up, follow the [SCIM Plugin Installation](https://goteleport.com/docs/identity-governance/integrations/scim.md) guide before proceeding. --- In the SailPoint SCIM application configuration view, populate the configuration settings using the values obtained from the Teleport SCIM integration: - SCIM Base URL: Paste the SCIM Base URL copied from SCIM Teleport Integration page - Authentication Type: Pick "OAuth 2.0" - Token URL: Paste the Token UR copied from SCIM Teleport Integration page - Grant Type: Pick "Client Credentials" - Client ID: The Client ID copied from SCIM Teleport Integration page Click **Test Connection** to verify that the connection is successful: ![SailPoint SCIM Oauth](/docs/assets/images/sailspoint-scim-config-d668d44127d7403139e77931088391d3.png) ### Configure SCIM schema discovery Under **Configuration -> Schema**, click **Discover Schema Attributes** on both the **Accounts** and **Groups** tabs to retrieve the schema attributes: ![Account Schema Discovery](/docs/assets/images/sailpoint-3-c3295857ed6c5ac1576ab5ee4a745ab0.png) ![Group Schema Discovery](/docs/assets/images/sailpoint-4-f630db071517c7d64691453e03bf0d12.png) Go to the **Provisioning Policy** section, and create a **Create Policy** that maps the `userName` SCIM attribute to the user’s email address: ![User Provisioning settings](/docs/assets/images/sailpoint-5-b430fa34b7f43c4fcaf9661f8b58c47d.png) Save all changes. #### Configure SCIM group aggregation in SailPoint SailPoint group aggregation enables the retrieval of SCIM-type Access Lists into SailPoint as Application Group Entitlements. This allows you to import Teleport Access Lists into SailPoint and manage membership directly through SailPoint with the changes being reflected in Teleport Access Lists. Navigate to **Setup > Tasks -> New Task -> Group Aggregation** in SailPoint. ![Select Aggregation](/docs/assets/images/sailpoint-6-d718b8e4a6f5d128ed51b163468b6e57.png) Select the **Teleport SCIM Connector**, then click **Save and Execute** to run the aggregation task. ![Configure Aggregation](/docs/assets/images/sailpoint-7-4122572e1e57f92e5fc04e40b18d778b.png) If the aggregation completes successfully, you should see the imported Access Lists `type: "scim"` from Teleport in SailPoint under: **Applications > Entitlement Catalog** ![Aggregation Result](/docs/assets/images/sailpoint-8-c61fb532aaa0dd9f882eb3dbb939a6ba.png) ## Step 2/2: Submit Access Requests to SailPoint Group Entitlement (Optional) Go to **Manage > Manage User Access > Manage User Access** in SailPoint. Submit an Access Request for a mapped Access List (as represented by a group entitlement in SailPoint). ![Access request](/docs/assets/images/sailpoint-9-fe4d0be8315556de4998a2d668e46505.png) Once the request is approved, the user will be added to the appropriate Access List in Teleport.