SCIM - Administrator Setup Guide

Note: This document is targeted at IT Administrators.


System for Cross-domain Identity Management

Qudini supports member provisioning with the System for Cross-domain Identity Management (SCIM) standard. To use provisioning, you'll need (SSO/SAML integration) enabled for the merchant. See https://support.qudini.com/en/support/solutions/articles/4000164867-sso-saml-authentication-administrator-setup-guide before proceeding further with this guide.


Administrator Setup

SCIM is a premium feature, so please first speak to your account manager if you would like to set up.


Note that the following guide requires a technical understanding of SCIM/SSO. It is recommended to be read by an IT Administrator.


Once you have access you can manage the setup process by accessing the 'Authentication' section within your Merchant Admin settings. This is only accessible to Merchant Admin users:

Navigate to 'Authentication' 
Create a new token with the choice of Unlimited, 1, 2 or 5 year life time
Copy this token by clicking on the token field. You will need to provide this for your identify provider

Your SCIM provisioning setup will vary depending on the identity provider that you use. The ones we support are Azure AD, PingFederate, Google Workspace, Okta, Bitium, OneLogin.
You will need to provide the token copied earlier and the SCIM v2 endpoint into the identity provider. If a test connection option is available, it is highly recommended to use this feature

Azure AD example:



Groups Information

We use SCIM groups to assign roles to users, such as venue admin, concierge and server. At the moment, these are the only roles available.


The group names have a clear and specific naming convention to identify each one possible in an specific merchant. These group names are already defined by Qudini and can be seen using the /Groups API from SCIM.


As a SCIM manager, these groups must be created in the system to be able to assign them to the its users.


For example, the group urn:qudini:venue-group:m:80384:v:244528:venue-admin belongs to merchant ID 80384 and venue ID 244528, this is a venue level group. In this case the user will have access to the whole venue.


Another example, the group urn:qudini:queue-group:m:80384:v:245233:q:203552:concierge belongs to merchant ID 80384, venue ID 245233 and queue ID 203522, which will give the user concierge permissions to that specific queue.


This is an example of the /api/v3/merchants/80384/scim/Groups API response. Note that all groups belong to m:80384 in this example:


{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:ListResponse"
    ],
    "totalResults": 6,
    "Resources": [
        {
            "schemas": [
                "urn:ietf:params:scim:schemas:core:2.0:Group"
            ],
            "id": "urn:qudini:venue-group:m:80384:v:244528:venue-admin",
            "displayName": "urn:qudini:venue-group:m:80384:v:244528:venue-admin"
        },
        {
            "schemas": [
                "urn:ietf:params:scim:schemas:core:2.0:Group"
            ],
            "id": "urn:qudini:queue-group:m:80384:v:244528:q:202905:concierge",
            "displayName": "urn:qudini:queue-group:m:80384:v:244528:q:202905:concierge"
        },
        {
            "schemas": [
                "urn:ietf:params:scim:schemas:core:2.0:Group"
            ],
            "id": "urn:qudini:queue-group:m:80384:v:244528:q:202905:server",
            "displayName": "urn:qudini:queue-group:m:80384:v:244528:q:202905:server"
        },
        {
            "schemas": [
                "urn:ietf:params:scim:schemas:core:2.0:Group"
            ],
            "id": "urn:qudini:venue-group:m:80384:v:245233:venue-admin",
            "displayName": "urn:qudini:venue-group:m:80384:v:245233:venue-admin"
        },
        {
            "schemas": [
                "urn:ietf:params:scim:schemas:core:2.0:Group"
            ],
            "id": "urn:qudini:queue-group:m:80384:v:245233:q:203552:concierge",
            "displayName": "urn:qudini:queue-group:m:80384:v:245233:q:203552:concierge"
        },
        {
            "schemas": [
                "urn:ietf:params:scim:schemas:core:2.0:Group"
            ],
            "id": "urn:qudini:queue-group:m:80384:v:245233:q:203552:server",
            "displayName": "urn:qudini:queue-group:m:80384:v:245233:q:203552:server"
        }
    ]
}

You can find our API documentation on https://qudini.stoplight.io/docs/api-docs/i3c4xi8xd8c9d-scim


Multi-Venue Advisor

One new feature that SCIM groups provide for SSO is to allow multi-venue advisors.


Adding a user to several groups in different venues is possible. This allows to give a user different permissions on for each venue, i.e. User A is a concierge in Venue A and a server in Venue B. Or User B can be venue admin of Venues A, B, C.

When the user logs into the application, they will be prompted which store want to operate, and there is a “Switch Store” option in the right user menu.

Did you find it helpful? Yes No