Setup - Auto User Provisioning via SCIM

Auto User Provisioning Overview

Auto User Provisioning enables your company to integrate an external user directory with your Safari account.  You can connect your identity provider with Safari to automatically provision and de-provision users in your account, as well as update key user information such as name, email and role.  Safari supports auto user provisioning with the System for Cross-domain Identity Management (SCIM) standard. SCIM is an open-standard protocol that simplifies how you manage identities in cloud-based applications.  It enables your organization to create, update, or deactivate a wide variety of user accounts with minimal effort. 

Your IT group can configure Safari roles and permissions with your connected identity provider (IdP) from one place, giving your employees and outside partners access to the systems they need without multiple sign-ons.  You can ensure that users can access only resources they’re authorized to use, which protects your systems and applications.  Auto User Provisioning via SCIM is an add-on feature.  Please contact your Customer Success Manager for pricing details when you're ready to implement this important security feature. 

Safari will partner with your IT department to enable this feature.  Please reach out to your Customer Success Manager at customer-engagement@safarilaw.com to start the conversation.

Creating External Users When SCIM is Enabled 

Sometimes companies will want to temporarily assign work on Safari to outside counsel.  In this instance, you'll need to have your IT department create a guest account for outside users and assign them to the appropriate group to gain access to Safari.  When inviting external users, you can take two general approaches as described below: 
  1. Safari Authentication: Guest users are added in the IdP and assigned to groups using their actual email addresses. With this approach, your company maintains control over authorization (via SCIM), but Safari controls the authentication of the user account. The user will log into Safari using Safari-managed credentials and select the company with which they want to work from the list of companies that have given them access. When a company deactivates a user, that user no longer has access to that company within Safari.
  2. Client Domain: Guest users are added in the IdP and assigned to groups using a new email address that is provisioned with your company domain or a subdomain (top-level domain must match). With this approach, your company controls both authentication (via Single Sign-On, SSO) and authorization (via SCIM). The user will log into Safari using company-managed credentials and only have access to your company within Safari. The disadvantage of this approach is that the external user will need to maintain this separate set of credentials that are specific to your company.
NOTE: Why does Safari generally retain control over external party authentication? 
Since external users could be invited to work with multiple companies within the Safari platform, it would not be secure to allow a single company to control their authentication.  Instead, Safari maintains control of the secure authentication directly with the external user and each company can invite or remove that user from their company instance as needed.  

Information for IT Departments

SCIM is a common industry approach to auto-provision users in a SaaS software solution.  It supplies a secure, standardized way to automate provisioning across domains without the need for expensive custom integrations and management of proprietary APIs.
  1. Safari supports the following Identity Providers: Okta, Azure AD, SailPoint, and other IdPs that support SCIM v2.0 or later.
  2. If User Provisioning via SCIM is enabled, only the IT department can enter or adjust the First Name, Last Name, Email, Active, and Permissions fields—all outside of Safari. 
  3. If User Provisioning via SCIM is disabled, the following fields are locked—Email, First Name, Last Name, Role, IsActive—and new users cannot be manually created.  
Need detailed information? Please contact your Customer Success Manager at customer-engagement@safarilaw.com to get started and receive our Safari SOP Auto User Provisioning (SCIM) Setup Guide. 
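The following is an added example, not code from Safari or its setup guide. It shows how an IT team might pre-check which of the two guest approaches an address falls under before provisioning, and what the IdP-managed fields look like as a standard SCIM 2.0 User resource and deactivation request (RFC 7643/7644). Assumptions: the function names, the sample domain `example.com`, and the reading of "company domain or a subdomain" as an exact match or a match on a dot boundary.

```python
# Added illustration; not Safari's code. Attribute names follow the SCIM 2.0
# core User schema (RFC 7643); the company domain below is a constructed sample.
import json

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def guest_approach(email: str, company_domain: str) -> str:
    """Classify a guest address as 'client-domain' or 'safari-authentication'."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    domain = domain.lower().rstrip(".")
    company = company_domain.lower().rstrip(".")
    # Compare on a label boundary so "notexample.com" never matches "example.com".
    if domain == company or domain.endswith("." + company):
        return "client-domain"
    return "safari-authentication"


def scim_user(first: str, last: str, email: str, active: bool = True) -> dict:
    """SCIM 2.0 User resource carrying the IdP-managed fields named above."""
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": email,
        "name": {"givenName": first, "familyName": last},
        "emails": [{"value": email, "primary": True}],
        "active": active,
    }


def scim_deactivate() -> dict:
    """SCIM 2.0 PATCH body an IdP sends to deactivate (de-provision) a user."""
    return {
        "schemas": [SCIM_PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }


if __name__ == "__main__":
    for addr in ("j.doe@outsidefirm.example", "j.doe@guests.example.com"):
        print(addr, "->", guest_approach(addr, "example.com"))
    print(json.dumps(scim_user("Jane", "Doe", "j.doe@guests.example.com"), indent=2))
    print(json.dumps(scim_deactivate(), indent=2))
```

Role and permission assignment is not modelled here because the page states only that it is driven by IdP group membership.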



