Managing user licenses via SCIM
With the SCIM integration, Zefort administrators can maintain Zefort users and user groups in the identity provider (“IdP”) used in your organization, such as Azure AD or Okta.
Map the IdP user groups with licenses and SCIM will automatically create and maintain the users and their licenses in Zefort. If you make changes (e.g. name changes) in your IdP, they will automatically be reflected in Zefort.
Mapping IdP groups with Zefort licenses
- Go to Account settings and open Integrations.
- Activate new or configure existing SCIM integration. See more detailed instructions here.
- Select the desired license and map it with group from your IdP.
Let’s assume that you have a group in IdP named “Paralegals” which you want to be automatically created in Zefort as well. With Zefort’s SCIM integration, you can map the “Paralegals” group to a specific license, such as Editors, for example. When you add new people to the “Paralegals” group in your IdP, SCIM will automatically add the new user with an editor license in Zefort.
Further, let’s assume that you also have a “Managers” group which is mapped to the “Admin” license. In this case users in that group will get the admin license in Zefort. If a user is in both “Paralegals” and “Managers” groups, they will get the highest license level among the groups, which in this case is admin license.
If a user is in both groups and then removed from the “Managers” group, their license level will be automatically adjusted to the highest available license level, which would be “Editors” in our example above, since the user is still a member of the group “Paralegals”.
You can also set a default license for the users that don’t belong to any of the group mappings. In our example, group “Auditors” doesn’t have any mapping in SCIM integration. Group members will get the license that has been set as default, which is “Viewer” in this case. Note that the default user group is only used when the user is first provisioned, so changing the default license group will not impact existing users.
Note: If you remove an IdP group or remove the license mapping, you might end up in a situation where some users don’t belong to any group. In this case, users will keep the same user license that they had before removing the group or mapping.
About floating vs non-floating licenses
There might be cases where the user that gets added through SCIM gets assigned to two groups, each with the same license level, say Editor, but one of the groups uses floating licenses and one of the groups uses non-floating licenses. In these cases, the user will always be assigned a non-floating license, no matter the number of licenses left in your plan.
This means that the number of licenses for a particular level can, and will, go into the negative. Don’t worry however, the licenses are soft limited, meaning that there will be no effect on how and who can use Zefort if you have negative licenses: no one will get locked out and all features of the service will still work as expected.
In case where license numbers go negative, you can either contact our sales department in order to get more licenses or wait for sales to be in contact
with you. Removing existing users with the same license will of course also free up new license spots.
See an example on the video below!
Company ACME Oy has 2 administrator licenses and 1 floating administrator license. All users get provisioned by SCIM.
- Two groups are created, say “Admins” and “Floating admins”
- In the SCIM integration settings, the “Admins” group gets assigned the “Administrator” license and the “Floating admins” gets assigned to the “Floating administrator” license.
- User A is added to both groups → Licenses left: 1 administrator license, 1 floating administrator license
- User B is added to both groups → Licenses left: 0 administrator license, 1 floating administrator license
- User C is added to both groups → Licenses left: -1 administrator license, 1 floating administrator license
- User D is added to the “Floating admins” group→ Licenses left: -1 administrator license, 0 floating administrator license