Getting Started
NOTE: Limited Availability. To access SCIM Provisioning, contact Skyhigh Support.
Identity Providers
An Identity Provider (IdP) is a corporate organization's central user management system that controls all employee credentials and group memberships. When a user joins the organization, the IdP creates and manages their user details, with access permissions, and typically assigns them to a group. Similarly, when a user leaves the organization, their user details are updated in the IdP accordingly. Modern IdPs, such as Okta, Microsoft Entra ID, and Ping Identity, support Single Sign-On (SSO) authentication. This SSO integration allows customer identity administrators to control authentication access to contracted services, eliminating the need to manage user authentication separately inside individual applications. For example, when administrators integrate Skyhigh Security with an IdP via SSO, users authenticate once through the central IdP and securely access the Skyhigh Security console without entering separate credentials.
While SSO integration controls login access to Skyhigh Security, it does not manage user permissions or roles within the application. To address this user management gap, Skyhigh Security utilizes the System for Cross-domain Identity Management (SCIM). SCIM is an open standard designed specifically to automate user provisioning and identity lifecycle management. SCIM does not replace your existing SAML configurations for SSO. Instead, the two protocols work together: SAML handles user authentication (login), while the SCIM facility in your IdP automatically creates user accounts, updates group memberships, and synchronizes users and groups directly into Skyhigh Security.
Current Problem Statement in User Management Within Skyhigh
Historically, managing roles and permissions in Skyhigh Security required application administrators to manually create users and manage their access directly within the tenant. Manually adding users in Skyhigh Security increases the risk of entering incorrect information. This manual process is time-consuming and inefficient for administrators, especially when managing large numbers of users.
When a role is updated, it is difficult to track and manually apply these changes in the application. Similarly, when an employee leaves the organization, administrators may forget or delay deactivating the user's access. This delay poses a security risk by leaving active user credentials in the application.
To address challenges in both manual user creation and role assignment, Skyhigh Security integrates SCIM with its overhauled Role-Based Access Control (RBAC) framework. This automated approach shifts user lifecycle and group management to the IdP. As the IdP synchronizes user and group data into the application, Skyhigh Security uses its RBAC framework to assign and enforce specific roles and permissions for those synchronized groups.
What is SCIM Integration?
Effective user lifecycle management is critical for maintaining robust security and organizational compliance. Skyhigh Security leverages SCIM (System for Cross-domain Identity Management) to centralize user administration and access control through your designated IdP.
As a cross-platform identity management protocol, SCIM facilitates seamless communication between the IdP and the Service Provider (Skyhigh Security). SCIM automatically provisions and updates users in Skyhigh, ensuring that any changes made at the source are synchronized in real-time.
To adopt SCIM, follow this sequential workflow to automate user management:
- Enable provisioning. Create the Skyhigh application within your IdP and enable SCIM provisioning.
- Define IdP groups. Organize users into specific groups within the IdP based on their required access levels.
- Initial synchronization. Once groups are pushed from the IdP to Skyhigh, members are initially granted zero access to maintain a Zero Trust security posture.
- Role mapping. A SOC Admin or User Manager must manually map specific Skyhigh roles to these imported IdP groups within Skyhigh SSE.
- Automated lifecycle management. Once the mapping is complete, any new users added to these groups in the IdP automatically inherit the correct roles in Skyhigh, eliminating the need for manual intervention.
NOTES:
- Role assignment within the Skyhigh tenant is restricted to the Tenant Admin or users with explicit User Manager permissions.
- A user with admin privileges must configure the API credentials and add the Skyhigh application to the IdP.
- The integration utilizes OAuth 2.0 Bearer tokens to ensure secure, authorized communication between systems.
- Currently, Skyhigh supports Okta and Microsoft Entra ID for SCIM integration.
Why do we need SCIM?
Skyhigh Security leverages SCIM to centralize identity management and enforce automated access controls. Implementing SCIM provides the following key benefits:
- Enhanced Security Management. Streamlines user lifecycles to eliminate orphaned accounts, a significant security vulnerability, by ensuring access is revoked the moment a user leaves the organization.
- Strengthened Compliance and Auditability. The system automatically tracks exactly who has access to what. Proving your security to auditors is now effortless and error-free.
- Operational Efficiency. Automates onboarding and offboarding across multiple applications. This drastically reduces administrative overhead and minimizes the risk of human error in manual configuration.
- Cross-Platform Consistency. Ensures that user identities and permissions remain consistent across all cloud and SaaS platforms, maintaining a synchronized, well-organized access structure.
- Seamless Scalability. Designed to handle high user volumes and frequent organizational shifts, allowing your identity management to keep pace with business growth without compromising security.
- Identity-First Architecture. Position your Identity Provider as the central control plane. This transition simplifies access management across diverse environments and reinforces a modern security perimeter.
User Lifecycle Automation in Skyhigh Using SCIM
By leveraging SCIM, user onboarding, role updates, and deactivations are managed directly through your Identity Provider rather than through manual configuration within Skyhigh. This shift to an identity-first model creates a reliable, near-real-time access framework that scales with organizational changes.
The following sections detail how Skyhigh Security handles the automated lifecycle of provisioning, deprovisioning, and role synchronization:
Provisioning
When a user is created in the Identity Provider, the SCIM integration automatically provisions a corresponding user account in Skyhigh. The following actions are performed:
- User creation. A new user account is created in Skyhigh.
- Zero trust. The user will not be assigned any roles or permissions in Skyhigh.
- Role assignment. The Skyhigh admin maps roles to groups in Skyhigh.
- Access. Once users in IdP groups are pushed to Skyhigh, they have no access until the role mapping is completed in Skyhigh. The user is active and able to log in to Skyhigh, but sees only a blank dashboard with no tiles.
Role/Group Change
Any changes in a user's group membership within the IdP are synced to Skyhigh as follows:
- Role synchronization. User role assignments in Skyhigh are updated to reflect the latest group memberships from the IdP.
- Permissions management. This ensures that user permissions in Skyhigh are always up to date and reflect the user’s active group associations.
NOTES:
- Administrators can map SCIM-provisioned groups from the IdP to custom Skyhigh roles directly via the user interface, ensuring granular access controls are maintained across the organization.
- For SCIM-provisioned users, role assignments are managed exclusively at the group level. Individual roles cannot be modified manually at the user level, as group-based permissions from the IdP serve as the single source of truth.
Deprovisioning
When a user account or group is deleted in the IdP, the following steps are taken to deprovision their Skyhigh account:
- User Account Deletion
  - Inactivation. The user's account in Skyhigh is marked as inactive. All access to Skyhigh systems, including reports and processing capabilities, is revoked immediately to mitigate any potential security risks.
- User Group Deletion
  - The user is a part of a single group. If the only group a user belongs to is deleted from the IdP, the user is marked as inactive in Skyhigh. The user still appears in the Skyhigh UI, but without any roles, groups, or permissions assigned.
  - The user is a part of multiple groups. If the user is part of multiple groups and one of those groups is deleted from the IdP, the user's effective roles and permissions are recomputed from the remaining groups. For example, consider a user belonging to both Group A (Admin role) and Group B (Analyst role). If Group A is deleted in the IdP, the user's Admin permissions are revoked, and they automatically fall back to the Analyst role from Group B. If the user is also a member of a third group (Group C), those additional roles are combined with their Group B permissions.
This ensures that user role assignments within Skyhigh are always updated based on the IdP's current group memberships, maintaining a real-time, accurate reflection of their access level without manual intervention.
This automated process is engineered for minimal latency, so that security gaps are closed in near real time. To maintain transparency and compliance, every SCIM operation is recorded in an audit log. By leveraging these automated workflows, organizations can significantly strengthen their security posture and simplify user lifecycle management within Skyhigh Security.
How does Jurisdiction work with SCIM Integration?
Data jurisdictions are managed directly in the Skyhigh console and remain independent of the SCIM integration. While your Identity Provider controls roles and group memberships, jurisdiction settings are configured and maintained locally within Skyhigh.
Key Features
- Editable Settings. You can assign or modify jurisdictions for both manual and SCIM-provisioned users, including performing bulk edits.
- Role Eligibility. You can assign any combination of manual and SCIM users to a jurisdiction, provided they do not have administrative roles (such as Administrator or Compliance Manager).
- Local Management. Jurisdiction configurations are not synchronized via SCIM. This ensures that your localized data visibility rules remain unchanged during IdP synchronization.
NOTE: Data jurisdictions act as a visibility filter for dashboards and reports without affecting the user's functional permissions assigned by the IdP.
