Hi Team,
Is there a way in which we can configure LFDS with SAML and get the rules enabled to assign user license automatically (like how we can create an AD group and use LFDS rules to assign "User License" to the users in that AD group).
Thank you.
Hi Bipin,
If your SAML directory is backed by Active Directory, you can do this by using our Linked Identity Providers feature (formerly known as Proxied Providers). Your users will authenticate using SAML but will be managed in LFDS as Active Directory users (and therefore you can use AD sync rules as normal). We have documentation on this feature here.
If your SAML directory is not backed by Active Directory, you will have to use self-registration or SCIM (Okta only at this time) to assign licenses to SAML users without administrator intervention.
Chase, if using Okta with SCIM, I was reading that you set the license type that is assigned to all incoming accounts on the SCIM tab. How do you handle assigning out different license types for Okta users? Would you need to configure 2 different Okta providers in LFDS?
Hi Blake, LFDS cannot handle more than one license type for SCIM at this time but we are working on SCIM improvements that will allow for an experience similar to AD sync's rules feature.
Is there a timeframe for that? That's a deal breaker for us to move to Okta SCIM.
There is no solid timeline right now but a very rough estimate would be the first half of 2023.
This seems to be true for Cloud as well. There is no option to handle both Full and Participant users, so all license assignment is being done manually.
Some questions I have are:
Why does JIT support both Full and Participants?
What is the disadvantage of using JIT over SCIM and why are there 2 technologies to begin with?
Why are we able to enable BOTH JIT and SCIM if they conflict with each other?
They seem to conflict since if you enable SCIM, the JIT license assignments stop working no matter what you choose for license assignment on the SCIM side. Even if you choose None, the JIT license assignments stop working.
I am not sure why you would ever NOT want SCIM enabled as it is responsible for synchronizing your users, but you would also want JIT enabled as it is responsible for group based license assignment and first time creation of new users.
One thing I want to clarify is that JIT only triggers when users that do not exist in the system try to access the system. If a user already exists, JIT will not update their license (or be used at all) on the next login. Does that help explain?
(We do want to implement group based licensing for SCIM in the future though)
I believe the procedure that our clients use is the following.
Add a user to either the Laserfiche Full Users AD group or Laserfiche Participant Users AD group
Let the user know they can login
This means the account will not exist, but that it will be created automatically by JIT when they login
The problem is, they have no license assigned, so IT has to go back and manually assign a license.
If JIT is creating the users but not assigning them the license that it's configured to, I'd recommend opening a support case.
It is clearly a SCIM conflict. If you change SCIM to None all users are assigned None, if you change it to Full all users are assigned Full, and if you change it to Participant all users are assigned Participant.
Yes that is the case because SCIM and JIT both act on the same set of users (for now) and JIT is a one-time operation whereas SCIM operates periodically. Once group based licensing for SCIM is added, or support for several SAML providers is added in cloud, there will be more flexibility.
What happens if you don't have SCIM enabled and an account is removed from the Laserfiche Users group or disabled in AD. Does the account stay active and the license assigned in LF? That is the primary concern our customer had.
Yes, I don't think there's any way to propagate that update to Laserfiche (in cloud anyway) without SCIM enabled.
Got it, that seemed to be the general guidance found on Google too, almost as if JIT was meant for a simpler type of service where accounts are never removed or disabled.
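As an added illustration, not part of the thread above and not Laserfiche/LFDS code: a small Python model of the three behaviours the replies describe, namely JIT being a one-time operation at first login, single-license SCIM overwriting whatever JIT assigned, and nothing deactivating an account when the user is removed from AD unless SCIM is enabled. The group names, the rule table, the function names and the hypothetical group-based SCIM variant are assumptions made for the example; the real product's algorithm is not documented here.

```python
# Toy model of JIT vs SCIM license assignment as described in the thread.
# Constructed illustration only: the rules, group names and functions are
# assumptions, not Laserfiche/LFDS code or its actual algorithm.
from dataclasses import dataclass

FULL, PARTICIPANT, NONE = "Full", "Participant", "None"

# Assumed AD-sync-style rules, evaluated in order; first match wins.
GROUP_RULES = [
    ("Laserfiche Full Users", FULL),
    ("Laserfiche Participant Users", PARTICIPANT),
]


@dataclass
class Account:
    username: str
    license: str
    enabled: bool = True


def license_for_groups(groups):
    """Map a user's group memberships to a license via GROUP_RULES."""
    for group, lic in GROUP_RULES:
        if group in groups:
            return lic
    return NONE


def jit_login(accounts, username, groups):
    """JIT provisioning: only runs when the account does not exist yet.
    An existing account is returned untouched, whatever its groups are now."""
    if username not in accounts:
        accounts[username] = Account(username, license_for_groups(groups))
    return accounts[username]


def scim_sync(accounts, idp_users, scim_license):
    """SCIM push as the thread describes it: one license type for every
    synced user (overwriting JIT's choice), and accounts missing from the
    IdP are deactivated."""
    for username in idp_users:
        if username not in accounts:
            accounts[username] = Account(username, scim_license)
        else:
            accounts[username].license = scim_license
    for username, acct in accounts.items():
        acct.enabled = username in idp_users
    return accounts


def scim_sync_with_rules(accounts, idp_users):
    """Hypothetical group-based SCIM (the future feature mentioned in the
    thread): licenses follow GROUP_RULES on every sync, removed users are
    deactivated."""
    for username, groups in idp_users.items():
        lic = license_for_groups(groups)
        if username not in accounts:
            accounts[username] = Account(username, lic)
        else:
            accounts[username].license = lic
    for username, acct in accounts.items():
        acct.enabled = username in idp_users
    return accounts


def snapshot(accounts):
    return {u: (a.license, a.enabled) for u, a in accounts.items()}


def scenario_jit_only():
    """JIT alone: first login fixes the license; a later group removal or
    AD disable never reaches LFDS, so alice keeps Full and stays enabled."""
    accounts = {}
    jit_login(accounts, "alice", {"Laserfiche Full Users"})
    jit_login(accounts, "bob", {"Laserfiche Participant Users"})
    jit_login(accounts, "alice", set())  # alice dropped from the group in AD
    return snapshot(accounts)


def scenario_jit_plus_scim(scim_license=NONE):
    """Enabling SCIM with one license type overwrites JIT's assignments."""
    accounts = {}
    jit_login(accounts, "alice", {"Laserfiche Full Users"})
    jit_login(accounts, "bob", {"Laserfiche Participant Users"})
    scim_sync(accounts, {"alice", "bob"}, scim_license)
    return snapshot(accounts)


def scenario_scim_with_rules():
    """Group-based SCIM: bob moves to Full via his new group, alice (gone
    from the IdP) is deactivated while keeping her last license value."""
    accounts = {}
    jit_login(accounts, "alice", {"Laserfiche Full Users"})
    jit_login(accounts, "bob", {"Laserfiche Participant Users"})
    scim_sync_with_rules(accounts, {"bob": {"Laserfiche Full Users"}})
    return snapshot(accounts)


if __name__ == "__main__":
    print("JIT only:", scenario_jit_only())
    print("JIT + SCIM(None):", scenario_jit_plus_scim(NONE))
    print("Group-based SCIM:", scenario_scim_with_rules())
```

The first scenario is the deprovisioning gap raised at the end of the thread: with JIT alone nothing ever flips `enabled` to False, so an offboarded user keeps a working licensed account until someone removes it by hand. The second reproduces the "SCIM set to None wipes every JIT license" observation, and the third shows what a rules-driven SCIM sync would have to do to close both gaps.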