SCIM Connector Installation
The Delinea SCIM Connector uses Windows Installer to install and configure the SCIM Connector website. There are 3 main paths that the installer leverages to set up the website.
After the SCIMConnector 4.3.0 installation is complete, replace SCIM All Users, SCIM All Groups, and SCIM All User Groups Secret Server SQL reports. See the Data Acquisition section for detailed information on how to replace the SQL reports. If you are configuring SCIMConnector with Secret Server for the first time, you don’t have to replace the reports in SQL.
Currently, only local administrator or non-administrator user accounts associated with Secret Server can be used to log in to SCIMConnector. Approval from an administrator is required for non-administrator accounts.
SCIM Connector Installer Download
Click here to download the latest version of the SCIM Connector installer.
Basic Installation
- Run SCIMConnector.msi as administrator on the server where IIS is available. If the Run As Administrator option is unavailable when you right-click the installer file, open a command prompt as administrator and run the installer from there. The installation performs basic readiness checks and guides you through the website setup.
- After the initial welcome dialog, select the mode of installation to perform.
  - If you want to set up SCIMConnector with high availability and a load balancer, select Multiple Instance installation mode. Otherwise, select Single Instance mode.
  - If you select Multiple Instance mode, select Next. A new window opens where you enter the following details:
    - Passphrase: Enter any string you want; it is used to generate an encryption key. This value must be the same on all instances.
    - Shared Folder Path: For this mode, create a shared folder that all SCIMConnector instances can access in read/write mode; it stores configuration files and logs. Enter the shared folder path here. You can make this folder accessible to everyone or to domain users. If using a domain, ensure all machines are logged in using the same domain user and set the same user as the identity for the SCIMConnector application pool in IIS. Otherwise, keep the identity as LocalSystem.
    - Load Balancer Machine Host Name: In the existing functionality, all secrets related to SCIMConnector are stored in a folder in Secret Server, and this folder is named after the host name of the machine on which SCIMConnector is installed, in the form SCIM <Machine Host Name>. Because multiple instance mode has several instances, the folder is instead named after the host name of the machine running the load balancer. Enter the load balancer machine host name here.
  - Once all required values are entered, select Next.
- After configuring the instance mode, select the type of installation to perform.
Standard Installation
The standard installation process installs the SCIM Connector into a new website in IIS. This may require a custom port. If port 443 and port 80 (the standard HTTPS/HTTP ports) are not bound to any site, the SCIM Connector site is bound to them by default. If port 443 or 80 is already bound to a website on the IIS server, a new port is selected for the SCIM Connector site. Port selection for HTTPS starts from 8443 and increments by one (for example, 8444) until an available port is found. For HTTP, port selection starts at 8080 and increments by one. Use the Advanced option if you want to pick the ports that SCIM Connector will use.
- Select the Standard option to create a new website in IIS and click Next.
- Review the End-User License Agreement. Once satisfied, check the I accept the terms and the License Agreement checkbox and click Next.
- Provide the path where the application files will be installed. A subdirectory (SCIMConnector) will be created in the specified path (for example, C:\inetpub\wwwroot\SCIMConnector). Click Next.
- The SCIM Connector installation is now ready to create the website. Click Install and follow the installation prompts.
- After the installation is complete, the default browser launches and SCIM Connector is ready to be configured. See the Configuration section for additional details.
- The installation creates a subdirectory called SCIMConnector; the application files can be seen in that folder.
- A new website has been created and can be seen in the IIS Manager.
- A SCIMConnectorAppPool application pool has been created and can be viewed in the IIS Manager.
- Review the Basic Settings of the SCIMConnector website. The site is associated with the application pool that was created.
- The site bindings (HTTP and HTTPS) have been created for the website.
The ports may differ from the standard HTTP/HTTPS ports. This is because another website in IIS has already taken the standard ports for HTTP and HTTPS (80/443).
The installation will search for a certificate with the hostname and use this for configuring HTTPS. This can be changed after the installation to any certificate that is desired and available. If no certificate is found, the installation will create one that is self-signed.
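To see which ports the installer chose and whether it fell back to a self-signed certificate, the bindings can be read back from IIS. The following PowerShell is an added example, not part of the Delinea installer or documentation; it assumes the site is named SCIMConnector and uses the standard WebAdministration module.

```powershell
# Added example, not vendor code. Lists the bindings of the connector's IIS
# site and flags an HTTPS binding whose certificate is self-signed.
# Assumption: the site is named "SCIMConnector"; for a virtual-directory
# install pass -SiteName 'Default Web Site'.
function Get-ScimBindingReport {
    param([string]$SiteName = 'SCIMConnector')

    Import-Module WebAdministration -ErrorAction Stop
    foreach ($b in Get-WebBinding -Name $SiteName) {
        # bindingInformation looks like "*:8443:" (IP:port:host header).
        $port = $null
        if ($b.bindingInformation -match ':(\d+):[^:]*$') { $port = [int]$Matches[1] }

        # Look up the certificate bound to an HTTPS binding by its thumbprint.
        $cert = $null
        if ($b.protocol -eq 'https' -and $b.certificateHash) {
            $store = if ($b.certificateStoreName) { $b.certificateStoreName } else { 'My' }
            $cert = Get-Item -Path "Cert:\LocalMachine\$store\$($b.certificateHash)" -ErrorAction SilentlyContinue
        }

        [pscustomobject]@{
            Protocol     = $b.protocol
            Port         = $port
            StandardPort = $port -in @(80, 443)
            Thumbprint   = $b.certificateHash
            Subject      = if ($cert) { $cert.Subject } else { $null }
            # A certificate whose subject equals its issuer is self-signed.
            SelfSigned   = if ($cert) { $cert.Subject -eq $cert.Issuer } else { $null }
            NotAfter     = if ($cert) { $cert.NotAfter } else { $null }
        }
    }
}

Get-ScimBindingReport | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the IIS server. A row with SelfSigned set to True marks a binding to rebind to a certificate that clients trust.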
Advanced Installation
The advanced installation process uses the default website.
The Advanced option allows the SCIM Connector to be installed either as a virtual directory under the default website or as a new website with binding ports that you define. The advanced installation process is the same as the standard installation process.
- To install the SCIM Connector as a virtual directory under the default website, select the Advanced option and click Next.
- Select Use Default Web Site and click Next.
- Review the End-User License Agreement. Once satisfied, check the I accept the terms and the License Agreement checkbox and click Next.
- Provide the path where the application files will be installed. A subdirectory (SCIMConnector) will be created in the specified path (for example, C:\inetpub\wwwroot\SCIMConnector). Click Next.
- For Virtual Directory installations, it’s recommended to change the path or the IIS Manager will show both the folder and the virtual directory.
- Select Install to start the SCIM Connector installation to create the website.
- When the installation is complete, the default browser is launched and SCIMConnector is ready to be configured. See the Configuration section for additional details.
Instead of creating a new website, the installation has created a virtual directory under the default website. The bindings or ports associated with the virtual directory are the same as the default website.
The URL to access the SCIM Connector is different. To access the SCIM Connector when it is a Virtual Directory, use the hostname or IP address and append /SCIMConnector.
Creating a New Website
The Create New Website with port options installation process is the same as the standard process but will have the ability to predefine the ports that are used.
- Select Create new website and click Next.
  There may already be a default website in IIS. If there is a port conflict, the following dialog will display. You can choose a custom port to enter in the HTTPS Port field.
- By default, HTTPS communication is recommended. However, in cases where SCIM endpoints don’t work with HTTPS, select the Enable http checkbox to enable HTTP.
- Provide the custom available port for HTTP and select Next.
Once the installation is complete, the Login page for SCIM Connector should be displayed in the default browser. If the browser does not launch, you can access the SCIM Connector by the website or virtual application. The Login page requires the URL to the Secret Server and either a local or domain Secret Server Administrator account.
The status will appear as “Multiple Instance Setup: true, Shared Path: \\10.60.12.149\SCIM_Config” at the bottom for multiple instance mode. If it shows false, check whether the shared folder is accessible and verify the permissions.
The status will appear as “Multiple Instance Setup: false” for single instance mode.
Connecting SCIM with the Delinea Platform
If Secret Server is configured on the platform, users can access it through their platform account, which makes logging in to SCIMConnector through the platform useful. For details, see Setup.
Log into SCIMConnector through the Delinea Platform
Prerequisites
To access Secret Server using platform identities, ensure the following accounts are configured:
- Platform Administrator Account: This account must have full Secret Server administrator permissions.
- Platform Service Account: Required for service-level access.
Make sure you have the domain name from your Secret Server instance.
Log into SCIMConnector through Secret Server
To log in to the SCIMConnector through Secret Server, you need to pass the Secret Server instance URL as a BaseUrl, along with the Secret Server administrator username and password.
To sign in with the domain account:
- Select the Is it domain account? checkbox and enter the domain name into the text box. For local accounts, ignore the Domain field.
- Select Sign In.
The images below display a login form that allows using either a domain account or a local account.
Using Domain Account
Using Local Account
To log in to the SCIMConnector through the platform, you need to provide the platform instance URL as a BaseUrl, along with the platform administrator's username and password.
Repairing SCIM Installation
The repair installation process is used to restore lost files and repair the installation if it has been damaged. Right-click the installer and run it as administrator.
Verifying SSL Certificate
A valid SSL certificate is required on the Secret Server side by default. You can bypass this verification by setting the SkipSSLCheck flag to True in the appsettings.json file, located at C:\inetpub\wwwroot\SCIMConnector. However, bypassing this verification poses a security risk.
To bypass SSL certificate verification:
- Open Internet Information Services (IIS) on your computer and stop the SCIMConnector application.
- Go to C:\inetpub\wwwroot\SCIMConnector and open the appsettings.json file.
- Set the SkipSSLCheck value as follows:
  SkipSSLCheck = true
- Start the SCIMConnector application in Internet Information Services (IIS).
If a valid SSL certificate is unavailable on the Secret Server side and you attempt to use the SCIMConnector without bypassing verification, the SCIMConnector throws a "Secret Server Service Unavailable" error.
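Because the bypass is a single setting in a file, it is easy to leave enabled after troubleshooting. The following PowerShell is an added example, not Delinea code, that reports every SkipSSLCheck key in an appsettings.json document. It assumes nothing about where the key sits in the file, so it searches recursively, and the sample JSON is constructed for illustration.

```powershell
# Added example, not vendor code. Finds every "SkipSSLCheck" key in an
# appsettings.json document, wherever it sits, and reports whether it is on.
function Find-JsonSetting {
    param($Node, [string]$Name, [string]$Path = '$')
    if ($Node -is [System.Management.Automation.PSCustomObject]) {
        foreach ($prop in $Node.PSObject.Properties) {
            $childPath = "$Path.$($prop.Name)"
            if ($prop.Name -ieq $Name) {
                [pscustomobject]@{ Path = $childPath; Value = $prop.Value }
            }
            # Descend into nested objects and arrays; scalars end the recursion.
            Find-JsonSetting -Node $prop.Value -Name $Name -Path $childPath
        }
    }
    elseif ($Node -is [System.Array]) {
        for ($i = 0; $i -lt $Node.Count; $i++) {
            Find-JsonSetting -Node $Node[$i] -Name $Name -Path "${Path}[$i]"
        }
    }
}

function Get-SkipSslCheckFinding {
    param([string]$JsonText)
    $root = $JsonText | ConvertFrom-Json
    foreach ($hit in Find-JsonSetting -Node $root -Name 'SkipSSLCheck') {
        # The value may be a JSON boolean or a string such as "True".
        $bypassed = "$($hit.Value)".Trim() -ieq 'true'
        [pscustomobject]@{
            Path                 = $hit.Path
            Value                = $hit.Value
            VerificationBypassed = $bypassed
        }
    }
}

# Constructed sample input; key names other than SkipSSLCheck are hypothetical.
$sample = @'
{
  "ExampleSection": { "ExampleKey": "value" },
  "SkipSSLCheck": "True"
}
'@
Get-SkipSslCheckFinding -JsonText $sample

# On the server (path taken from this page):
# Get-SkipSslCheckFinding -JsonText (Get-Content -Raw 'C:\inetpub\wwwroot\SCIMConnector\appsettings.json')
```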
Configuring Proxy Server to redirect network traffic to Secret Server
Secret Server can receive network traffic through the user's configured local proxy server.
To configure network traffic redirection:
- On your computer, open the Start menu.
- Right-click This PC and select Settings.
- In the right pane of the Settings dialog, click Advanced system settings.
- In the System Properties dialog, go to Advanced > Environment Variables.
- In the User variables for... section, select New.
- In the Variable Name field, specify https_proxy.
- In the Variable value field, specify your proxy server information.
- Select OK.