Provision users and groups

In order to identify specific users and groups that are permitted to access your private applications, provision users to the service using a SCIM 2.0-compliant identity provider.

Tip: For initial testing purposes, you can skip this step. Private application traffic is authenticated by the endpoint client. To allow access for users who have not been provisioned, you can set the Users setting in your private application access rule to All users. Users who have not been provisioned to the service will appear in reports as "Unknown user".

Private application access control rules employ user identification and authentication to allow or block access to resources based on user identity or user group membership. Users can be identified to the service in the following ways:

  • Endpoint authentication: supported Windows endpoint clients identify users to the service using the user's UPN (UserPrincipalName).
  • SAML-based single sign-on: where required by a policy rule, a SAML authentication request is triggered to authenticate the user with a supported third-party identity provider.

In order to be identified and authenticated by your policy rules, users must exist in the Private Access user directory. Users and groups are provisioned to the directory by connecting a third-party SCIM-compliant identity management provider.

Provision users from your identity management provider using the details on the Administration > Authentication > SCIM settings page.
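The shape of what a SCIM 2.0 identity provider sends when it provisions a user and a group membership, as an added example that is not part of this documentation or the Private Access product. It uses the standard SCIM 2.0 schema URNs from RFC 7643/7644 and assumes that the SCIM userName must be the same UPN the Windows endpoint client reports (so that a provisioned user does not show up as "Unknown user"); the base URL and bearer token are placeholders for the values on the SCIM settings page.

```python
"""Build SCIM 2.0 provisioning payloads for a user and for group membership.

Added example (not the product's own code). Assumption: the SCIM userName is
the user's UPN, matching what the endpoint client sends for identification.
"""
import re
from typing import Dict, List, Tuple

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Placeholder values; the real ones come from Administration > Authentication > SCIM.
SCIM_BASE_URL = "https://<scim-base-url-from-settings-page>"

# A UPN has the form user@domain. A bare account name (e.g. "alice") would never
# match the identity the endpoint client reports, so it is rejected up front.
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def is_upn(value: str) -> bool:
    """True if value looks like a UPN (user@domain.tld)."""
    return bool(UPN_RE.match(value))


def build_user(upn: str, display_name: str, external_id: str) -> Dict:
    """SCIM User resource for POST {SCIM_BASE_URL}/Users; userName is the UPN."""
    if not is_upn(upn):
        raise ValueError(f"not a UPN: {upn!r}")
    return {
        "schemas": [SCIM_USER],
        "externalId": external_id,      # the IdP's stable id, used for later updates
        "userName": upn.lower(),        # UPN matching is case-insensitive; normalise
        "displayName": display_name,
        "active": True,
    }


def build_group_members_patch(member_ids: List[str]) -> Dict:
    """SCIM PatchOp for PATCH {SCIM_BASE_URL}/Groups/{id} adding members by SCIM id."""
    return {
        "schemas": [SCIM_PATCH],
        "Operations": [{"op": "add", "path": "members",
                        "value": [{"value": mid} for mid in member_ids]}],
    }


def plan_provisioning(records: List[Dict]) -> Tuple[List[Dict], List[str]]:
    """Split constructed IdP records into SCIM User payloads and rejected ids.

    Rejected records are those whose UPN is missing or malformed; provisioning
    them as-is would leave those users reported as "Unknown user".
    """
    payloads, rejected = [], []
    for rec in records:
        upn = rec.get("upn", "")
        if is_upn(upn):
            payloads.append(build_user(upn, rec["name"], rec["id"]))
        else:
            rejected.append(rec["id"])
    return payloads, rejected
```

The payloads are sent with the bearer token from the SCIM settings page; after they are accepted, allow for the directory cache delay noted below before testing access rules.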

Note: The user directory can be cached within the Private Access service. After adding users, or moving users between groups, allow up to 35 minutes before testing that the user can access private applications.