How to set up System for Cross-Domain Identity Management (SCIM) user provisioning in Mews

Setting up SCIM in your Mews account means you can automatically synchronize your user information across multiple platforms and manage your users from a single location, your Identity Provider (IdP), for example, Microsoft Entra ID. This guide explains how to set up SCIM user provisioning in Mews, after you have contacted your Customer Support agent to purchase it. You can learn more about how to purchase SCIM here.

 

SCIM user provisioning in Mews automates:  

  • The process of setting up and managing user accounts and access to Mews. 
  • Adding and removing users, for example, employee onboarding and offboarding. 
  • Assigning properties, roles, permissions, cashiers, learning paths and guest messages. 

 

This is useful for your system administrators to reduce manual user management processes and allows you to manage users via your Identity Provider (IdP). You can instantly add or remove users to maintain security and access permissions at any time.

 


 

To set up SCIM for your Mews account, you first need to purchase SCIM by contacting your Customer Success agent. You can learn more about how to purchase SCIM here.

 

Before setting up SCIM, you need to: 

  • Ensure you have purchased SCIM provisioning and that your subscription is active. 
  • Ensure you have administrative access to both Mews and your identity provider (IdP). 

 

To set up SCIM provisioning: 

  1. Log into the Microsoft Entra ID Portal.
  2. Go to 'Enterprise Applications'.
  3. Select New Application > Create your own application > Integrate any other application you don’t find in the gallery (Non-gallery). 

how to set up scim - 1.png  

  4. Select Provisioning on the left panel, then click the Provisioning Mode drop-down to change the mode to Automatic.

how to set up scim - 2.png  

  5. Provide the Admin Credentials, Tenant URL* and Secret Token from the 'SCIM Provisioning' screen in your Mews settings.

 

To do so in Mews Operations:

    1. Log into your Mews account.
    2. Go to the main menu > Security > SCIM Provisioning.
    3. Follow the steps below for Mews Multi-Property accounts. 

 

To do so in Mews Multi-Property:

    1. Log into your Mews account.
    2. Go to the main menu > Settings > Security > SCIM Provisioning.

how to set up scim - 2-23.png  

  6. Copy the Tenant URL in Mews and paste it in the Tenant URL* field on the Entra ID console seen in step 4.

how to set up scim - copy tenant url .png  

How to set up scim - Tenant url - 4.1.png  

  7. Generate the Secret Token by clicking Generate secret token in the SCIM Provisioning section under Security in Mews, as below. Then copy and paste it into the Entra ID Secret Token field.

Important: When you click Regenerate, the system generates a new token, rendering the previous token invalid. You need to use the most recent token for the connection. 

how to set up scim - Generate secret token.png How to set up scim -paste token test connection.png  

  8. On the Entra ID console, click Test Connection.
  9. If the connection is successful, you get the following notification:

how to set up scim - test notification .png  

  10. If you do not receive a confirmation notification, check the Tenant URL to ensure it is not blocked by firewalls or any other traffic interceptors inside your network. You can also check that the Secret Token is correct.
  11. Click Save to save the configuration.

how to set up scim - test notification save.png  

 

You can now link, or map, your users from your Identity Provider (IdP) account to Mews.

 

This section explains the necessary mappings between the Mews SCIM API and Microsoft Entra ID attributes.  

 

Note: If you already have users in Mews before setting up SCIM, you need to transfer ownership of those users to your Identity Provider (IdP). In some cases, if the user data in Mews and your IdP is identical, the IdP may skip the sync and the transfer will fail. To prevent this, create a mapping that connects the user's mailNickname attribute in the IdP to the externalId attribute in Mews. 

 

  1. To link or map your users, go to the Provisioning tab in Microsoft Entra ID, then click Provision Entra ID Users: 


  2. The default configuration should be correct for your system; however, you need to check that:
    1. Under Enabled, you select Yes. This enables mapping for your users.
    2. Under Target Object Actions, you select the checkboxes for Create, Update and Delete.

how to set up scim - attribute mapping - enabled.png  

  3. Mews SCIM API only supports a subset of Microsoft Entra ID attributes, or details, and disregards the rest. The attributes that Mews SCIM API supports are:

| Mews Attribute | SCIM Attribute Name | Required | Description |
|---|---|---|---|
| Email | userName | Yes | Mews uses user emails as the primary identifier; they are unique within the system and read-only. You need to map the SCIM userName attribute to the user email. If there are users that already exist in Mews and you want to match them with a user you have set up in Microsoft Entra ID, then their emails need to match. |
| Status | active | Yes | true or false: When set to false, the user is disabled, resulting in the system blocking their access to the Mews application until you reactivate the user. However, the system retains the user accounts linked to that user. |
| FirstName | name.givenName | Yes | Any given string. It maps to the First Name value of the user in Mews. |
| LastName | name.familyName | Yes | Any given string. It maps to the Last Name value of the user in Mews. |

  4. You need to remove any attribute mappings that are not necessary for Mews SCIM API. The final Attribute Mappings configuration and format should appear as shown below:

how to set up scim - attribute mapping final appearance.png  

  5. Click Save.
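
The checks in the mapping steps above can be run against a planned configuration before it is saved. This is an added example, not Mews or Microsoft code: the config dictionary shape and the sample values are constructed for illustration, the target attribute names come from the table above, and the externalId/mailNickname pairing comes from the note on ownership transfer.

```python
# Added example: audit a planned Entra ID -> Mews SCIM attribute mapping.
# The config shape below is hypothetical; it is not an Entra export format.

REQUIRED = {"userName", "active", "name.givenName", "name.familyName"}
# externalId is not in the table; the page's note maps mailNickname to it.
ALLOWED_EXTRA = {"externalId"}
REQUIRED_ACTIONS = {"Create", "Update", "Delete"}


def audit(config):
    """Return a list of findings for one mapping configuration."""
    findings = []
    if not config.get("enabled"):
        findings.append("Enabled is not set to Yes")
    for action in sorted(REQUIRED_ACTIONS - set(config.get("actions", []))):
        findings.append(f"Target Object Action not selected: {action}")

    by_target = {}
    for source, target in config.get("mappings", []):
        by_target.setdefault(target, []).append(source)
    targets = set(by_target)

    for target in sorted(REQUIRED - targets):
        findings.append(f"required attribute not mapped: {target}")
    for target in sorted(targets - REQUIRED - ALLOWED_EXTRA):
        findings.append(f"remove unsupported mapping: {target}")
    for target in sorted(targets):
        if len(by_target[target]) > 1:
            findings.append(f"more than one source mapped to {target}")
    if by_target.get("externalId") != ["mailNickname"]:
        findings.append("externalId not mapped from mailNickname "
                        "(needed to transfer existing Mews users)")
    return findings


# Constructed sample: Delete unchecked, active unmapped, two extra mappings.
SAMPLE = {
    "enabled": True,
    "actions": ["Create", "Update"],
    "mappings": [
        ("userPrincipalName", "userName"),
        ("givenName", "name.givenName"),
        ("surname", "name.familyName"),
        ("displayName", "displayName"),
        ("mail", 'emails[type eq "work"].value'),
        ("mailNickname", "externalId"),
    ],
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "mapping matches the guide")
```

The active mapping and the Delete action are what carry offboarding from the IdP to Mews, so findings on those two deserve attention first.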

 

You have now set up SCIM provisioning in Mews via your Microsoft Entra ID account and mapped your user information into Mews. You can now set up user groups to complete your SCIM set up.  

 

You can learn more about how to set up user groups for System for Cross-Domain Identity Management (SCIM) here. 

 

You may encounter issues during set up. The following section details common issues and how to resolve them:

  • Users not receiving emails: When you provision a user for the first time in Mews, it is necessary that they set up their password to log in. Note: Even if your property is Single Sign-On (SSO) enforced, users still need to set up a password to log in. The system uses this password on the account page for updating the account's security configuration. Users you provision through SCIM receive their sign-up email after you assign them to a user group set up with one or more properties. To resolve this issue:
    • Check if the user is part of a user group.
      • If not, assign them to the group linked to the appropriate property.
      • If yes, check you have correctly set up the group with a property assigned.  
  • “Operation not permitted” error: Check and confirm the SCIM configuration is enabled within Mews on the Security screen.

how to set up scim - troubleshooting.png  

    • If you receive this error only when provisioning some users, these users might have accounts outside of the tenant. In this case, you cannot provision the user with SCIM and you can only update them manually in Mews.
  • Issues with provisioning users who I already manage through Mews: You cannot manage users who use their own account to log into multiple Mews subscriptions through SCIM. If you attempt to add a user of this description through the process described above, you receive an error message. To resolve this, you can:
    • Choose a new email address for the user you are managing. This ensures you own this email address and the associated user, and no other portfolio can manage this account.
    • You can manage the user using the existing user management functionality in Mews.
  • Issues with provisioning new users who I do not yet manage through Mews: When provisioning a new user through SCIM, you may receive an error stating that the user already exists in Mews. This means the user account exists already and is managed by either the user or another portfolio. You cannot manage these users using SCIM. To resolve this issue:
    • Choose a new email address for the user you are managing. This ensures you own this email address and the associated user, and no other portfolio can manage this account.
    • Invite the user to Mews using the existing user management features in Mews.
  • All my users are still linked to my old Mews subscription: You can synchronize your users with a single Mews subscription. If you need to synchronize your users with a new Mews subscription, contact Mews support.
  • Issues with transferring ownership of existing Mews users to your IdP: When a customer already has users in Mews and they want to start using SCIM, it is necessary to transfer ownership of those users from Mews to their Identity Provider (IdP). In some cases, this transfer fails because the user data in Mews and the IdP are identical, and the IdP then skips the sync for those users. This results in the ownership transfer not being completed. To resolve this issue:
    • You need to create a mapping that maps the user's mailNickname attribute in the IdP to the externalId attribute in Mews. This ensures the system can correctly match the users, and the ownership transfer completes successfully.
  • Changes in IdP not reflected in Mews: Microsoft Entra ID synchronizes data in regular cycles. Synchronization occurs approximately every 20-40 minutes. You can learn more here. If you need to enforce synchronization manually, for example, to reflect changes related to user status, you can do so by clicking Provision on demand. You can access this option from the menu on the left, as below:

managing user groups scim -provision on demand click.png  

  • SCIM configuration token compromised: If the token you use for connecting your IdP with Mews is compromised, you need to generate a new token. To do so:  
    1. Log into your Mews account > main menu > Security > SCIM Provisioning.
    2. Click Regenerate. This generates a new token and invalidates the previous one: 

how to set up scim - generate regen secret token - 5.png  

    3. Go to the IdP. Under the section Enterprise Applications, search for the application created for user provisioning with Mews.
    4. Go to the Provisioning screen.
    5. Under the Admin Credentials section, navigate to the Secret Token field:

How to set up scim -troubleshooting - token.png  

    6. Paste the token you generate in Step 2 into the field and click Test Connection.
    7. If the status is successful, click Save changes. If the status fails, repeat the process from Step 1.

 

Important notes:  

  • Currently it is not possible to provision Central users. You can only provision users for your properties.
  • You cannot change a user email address. Mews SCIM API does not support changing a given user email, as Mews itself does not yet support this feature. If you attempt to update a user email mapped to the userName SCIM attribute, you receive an error. Any user that already exists in Mews and your IdP needs to share the same Email address for the system to consider them as the same user.  
  • Mews users that do not have an account within your portfolio cannot be managed through SCIM. They can however be managed using the existing Mews user management features by inviting them into your organization.
  • The Secret Token does not have an expiration time. For security reasons, it is essential to regularly regenerate the token. 

 

  

You can learn more about how to set up user groups in SCIM with Mews here. 
