Provision users with SCIM
The System for Cross-domain Identity Management (SCIM) specification is an open API designed to make managing user identities in cloud-based applications and services easier and faster. Enterprise Application Access (EAA) supports SCIM provisioning with Azure Active Directory and with Okta. It allows you to obtain user and group information quickly, sync between identity stores in near real time, and apply enforcement policies.
It is possible to extend mapping to other SCIM attributes as specified by RFC 7643 between Azure Active Directory or Okta and Enterprise Application Access.
If a user existing in a SCIM directory does not belong to any group, the user is considered an invalid user for access authorization and receives a 403 forbidden error.
Provision users from Azure Active Directory using SCIM
Configure SCIM provisioning with the EAA SCIM directory as the SCIM target and Microsoft Azure Active Directory as the SCIM source.
This minimal configuration supports the following mapping of SCIM attributes between the Azure Active Directory SCIM source and the EAA SCIM directory:
- userName
- active
- displayName
- emails[type eq "work"].value
- name.givenName
- name.familyName
- phoneNumbers[type eq "mobile"].value
- externalid
Prerequisite:
Sign in to your Microsoft Azure admin account.
STEP 1: Create a new SCIM directory of type Azure in EAA
Configure a SCIM directory of type Azure in EAA and save the SCIM base URL and the Provisioning key.
- In the EAA Management Portal navigation menu, select Identity > Directories. The Directory cards appear.
- Select Add Directory.
- Enter a name and description for the directory.
- In Directory Type select SCIM, and in SCIM Schema select Azure.
- Click Create Directory and Configure.
- The SCIM base URL is populated with a value. Copy this value and save it. You will need it for Azure SCIM provisioning in STEP 4.
- In the SCIM provisioning section, click Generate new Provisioning key.
- In Generate provisioning key, enter a name and description, and select Create Provisioning key.
- Copy the Provisioning key by clicking the copy to clipboard icon. Save it for Azure SCIM provisioning in STEP 4.
- In Login preference Attributes, select either User principal name (default) or Email as the way users log in.
- Click Save Directory.
The new SCIM directory card appears in Identity > Directories.
STEP 2: Create an EAA enterprise app in Azure Active Directory
Configure an enterprise application in Azure Active Directory (AD) for EAA.
- Log in as administrator to your account in the Azure Active Directory portal.
- Go to your tenant inside Azure Active Directory. Create users and groups, and add members to your groups under the Manage section in the Microsoft Azure portal. See Manage users and groups in Azure Active Directory.
- In the navigation menu, select Enterprise applications.
- All applications displays the enterprise applications created in your Azure AD tenant.
- In All applications, select New application (+). You are redirected to the Azure AD gallery, which displays the available application templates.
- In Browse Azure AD Gallery (Preview), select Create your own application (+).
- Select Integrate any other application you don't find in the gallery, enter a unique name for your application, for example demo-app, and select Create.
STEP 3: Assign Users and Groups to EAA enterprise app in Azure Active Directory
Add the users and groups to the new EAA Enterprise application you created in STEP 2.
- Log in as an administrator to your account in the Azure Active Directory portal.
- Go to your tenant inside Azure Active Directory.
- In the navigation menu, select Enterprise Applications and go to the demo-app you created in STEP 2.
- In the navigation menu, select Users and groups, then select Add user/group (+).
- In Add Assignment, select Users and groups to open the list of available users.
- In Users and groups, select the users and groups you want to assign to the demo-app you created earlier, and click Select. In Users and groups you can search for users and groups by name and select them.
The Users and groups page is updated with the selected list. Users and groups belonging to an app are displayed together in one list, with Display Name, object type, and assigned role visible.
STEP 4: Configure SCIM provisioning in Azure Active Directory
Configure automatic provisioning of users and groups in Microsoft Azure Active Directory. This enables Enterprise Application Access SCIM directory to automatically import all resources, including users and groups, and synchronize with Azure Active Directory.
- Log in as administrator to your account in the Azure Active Directory portal.
- Go to your tenant inside Azure Active Directory.
- In the navigation menu, select Enterprise Applications and go to the demo-app you created in STEP 2.
- Go to Manage > Provisioning and select Get Started.
- On the Provisioning page, set Provisioning mode to Automatic.
- Update the Admin Credentials section:
  - Paste the SCIM base URL into Tenant URL.
  - Paste the Provisioning key from the EAA Management Portal into Secret Token.
  - Select Test Connection to verify that Azure Active Directory can communicate with the SCIM endpoint in Enterprise Application Access.
- Select Save.
STEP 5: Map SCIM attributes to Azure attributes and start provisioning
Map the SCIM attributes to the Azure attributes for your EAA enterprise application in Microsoft Azure Active Directory.
- Log in as an administrator to your account in the Azure Active Directory portal.
- Go to your tenant inside Azure Active Directory.
- In the navigation menu, select Enterprise Applications and go to the demo-app you created in STEP 2.
- Select Provisioning. Under Manage provisioning, select Edit attribute mappings.
- Expand Mappings and check that Provision Azure Active Directory Groups and Provision Azure Active Directory Users are enabled.
- Select Provision Azure Active Directory Users to map Azure attributes. In Attribute Mapping, map each customappsso Attribute (the SCIM attribute) to the corresponding Azure Active Directory Attribute. To remove other attributes, select Delete, then Save your attribute mappings.
The default user attribute mappings supported by Enterprise Application Access are listed in the table below.
| Azure Active Directory Attribute | Customappsso Attribute |
|---|---|
| userPrincipalName | userName |
| Switch([IsSoftDeleted], , "False", "True", "True", "False") | active |
| displayName | displayName |
| mail | emails[type eq "work"].value |
| givenName | name.givenName |
| surname | name.familyName |
| mobile | phoneNumbers[type eq "mobile"].value |
| mailNickname | externalid |
No changes are needed for Provision Azure Active Directory Groups, unless you wish to map additional SCIM attributes to Azure attributes. The default group attribute mappings supported by Enterprise Application Access are:
| Azure Active Directory Attribute | Customappsso Attribute |
|---|---|
| displayName | displayName |
| objectId | externalId |
| members | members |
- Return to Provisioning and click Start provisioning. Alternatively, select Provision on demand if you wish to push some users from Azure to Enterprise Application Access immediately. See On-demand provisioning in Azure Active Directory.
In EAA check the SCIM directory you created in STEP 1. You should see the users and groups imported from Azure Active Directory.
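As a worked illustration of the mapping tables above (an added example, not code from EAA, Azure or Okta), the Python below resolves the customappsso SCIM paths, including the enterprise extension department attribute configured in STEP 6 and STEP 7, against a constructed SCIM User and applies the rule stated at the top of the page that a user without any group is rejected with 403. The EAA-side names on the left of MAPPING are assumed labels; the same resolver also covers the Okta table later on the page, whose "work emails.value" is the emails[type eq "work"].value path.

```python
import re

# Constructed sample (not a captured EAA payload): a SCIM 2.0 User shaped the way the
# customappsso mapping above would send it, plus the enterprise extension from STEP 6.
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User",
                "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
    "userName": "jdoe@example.com", "active": True, "displayName": "Jane Doe",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"type": "home", "value": "jane@example.net"},
               {"type": "work", "value": "jdoe@example.com", "primary": True}],
    "phoneNumbers": [{"type": "mobile", "value": "+1 555 0100"}],
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {"department": "Security"},
}
# EAA-side name (assumed labels) -> SCIM path (taken from the tables above and STEP 7).
MAPPING = {
    "userName": "userName", "active": "active", "displayName": "displayName",
    "mail": 'emails[type eq "work"].value',
    "firstName": "name.givenName", "lastName": "name.familyName",
    "mobile": 'phoneNumbers[type eq "mobile"].value',
    "user.department": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department",
}
FILTER = re.compile(r'^(\w+)\[(\w+) eq "([^"]*)"\]$')  # e.g. emails[type eq "work"]

def resolve(resource, path):
    """Resolve one SCIM attribute path against a resource dict; None if absent."""
    # Extension attributes are written <schema URN>:<attr>; the URN itself contains
    # ':' and '.', so strip it before splitting the rest of the path on '.'.
    for schema in resource.get("schemas", []):
        if path.startswith(schema + ":"):
            resource, path = resource.get(schema, {}), path[len(schema) + 1:]
            break
    node = resource
    for step in path.split("."):
        m = FILTER.match(step)
        if m:  # multi-valued attribute: pick the element whose sub-attribute matches
            attr, key, want = m.groups()
            node = next((e for e in node.get(attr, []) if e.get(key) == want), None)
        else:
            node = node.get(step) if isinstance(node, dict) else None
        if node is None:
            return None
    return node

def authorize(resource, groups):
    """Page rule: a provisioned user with no group is invalid and gets 403;
    otherwise return (200, EAA attributes) built from MAPPING."""
    if not groups:
        return 403, None
    return 200, {eaa: resolve(resource, scim) for eaa, scim in MAPPING.items()}
```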
STEP 6: (optional) Map additional SCIM attributes to Azure attributes
To map additional SCIM attributes (for example, the department an employee belongs to) from the SCIM source, Azure Active Directory, to the SCIM target, the EAA SCIM directory, add a new mapping for the SCIM attribute in Azure Active Directory, and then add a custom attribute in EAA as described in STEP 7.
For more information refer to Microsoft documentation, Customize user provisioning attribute-mappings for SaaS applications in Azure Active Directory.
- Log in as administrator to your account in the Azure Active Directory portal.
- Go to your tenant inside Azure Active Directory.
- In the navigation menu, select Enterprise Applications and go to the demo-app you created in STEP 2.
- Select Provisioning. Under Manage provisioning, select Edit attribute mappings.
- Expand Mappings and select Provision Azure Active Directory Users to add a new SCIM attribute.
- Select Add New Mapping.
- In Edit Attribute, configure the following settings:
  - In Mapping type select direct, and in Source attribute select the department Azure AD database attribute.
  - In Target attribute select the urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department SCIM attribute for the department.
Enterprise Application Access only supports these extensions: User's schema, Enterprise User's schema, and Enterprise User and group.
The new custom attribute is added in the Azure AD attribute list.
STEP 7: (optional) Add a custom attribute in EAA and map it to the SCIM attribute in your EAA SCIM directory
Add any custom attributes in EAA and map them to the SCIM attributes in your SCIM directory.
- Add a new custom attribute in System > Settings.
- Go to User Attributes and select Add more. For example, to map the Department attribute name as a string variable to user.department, add the following configuration:
| Name | Type | Variable Name |
|---|---|---|
| Department | String | user.department |
- Go to the SCIM directory you created in Enterprise Application Access in STEP 1 and click Configure Directory.
- Go to the Attribute mapping section and select Add more. Select EAA attributes and scroll down; you should see the new custom attribute you added (in this example, Department). Map it to the Department SCIM attribute.
Custom SCIM attributes like department can be pushed for users from the SCIM source, Azure Active Directory, to the SCIM target, the EAA SCIM directory. After completing STEP 7, you can associate the Azure SCIM directory with a Microsoft Azure AD IdP and assign the IdP to the application to authenticate users who access the application.
Provision users from Okta using SCIM
Use SCIM protocol to import users' digital identities from Okta (the source system) to Enterprise Application Access.
Prerequisite:
Sign in to your Okta account.
This integration supports endpoints compatible with the SCIM 2.0 specification.
STEP 1: Create a new SCIM directory of type Okta in EAA
- In the EAA Management Portal navigation menu, select Identity > Directories. The Directory cards appear.
- Select Add Directory.
- Enter the name and description for the directory.
- In Directory Type select SCIM, and in SCIM Schema select Okta.
- Select Create Directory and Configure.
- Open your new directory's Settings > General and copy the SCIM base URL. Save it for Okta SCIM provisioning in STEP 4.
- In General > Attribute Mapping, set the following default User and Group mapping attributes:
| EAA Attributes | SCIM Attributes |
|---|---|
| User Principal Name | userName |
| displayName | displayName |
| firstName | name.givenName |
| lastName | name.familyName |
| mail | work emails.value |
| phoneNumber | primary phoneNumbers.value |
| status | active |
Make sure that your Okta SCIM application contains the same set of attributes. See the Attribute mapping in STEP 4.
- In General select Create Provisioning Key.
- Enter a name and description for the key and select confirm (✓).
- Copy the Provisioning key by clicking the copy to clipboard icon. Save it for Okta SCIM provisioning in STEP 4.
- In General > Login preference Attributes, select either User principal name or Email as the way users log in.
- Select Save.
The newly created SCIM directory appears in the Directories list in Identity & Users > Directories.
STEP 2: Add user and group accounts in Okta
- Sign in to your Okta account at https://<your tenant name>.okta.com. Select Admin to open your administrator console.
- To add an individual user account, go to Directory > People.
- Select Add Person and enter this data in the Add Person dialog:
  - In User type, select User.
  - Enter the user's data.
  - Select Add User.
- To add a group account, go to Directory > Groups.
- Click Add Group and enter this data in the Add Group dialog:
  - Enter the group's name and description.
  - Select Add Group.
STEP 3: Create SCIM application in Okta
- Sign in to your Okta account at https://<your tenant name>.okta.com. Select Admin to open your administrator console.
- In Applications > Applications select Browse App Catalog.
- In Browse App Integration Catalog, search for SCIM and from the list of results select SCIM 2.0 Test App (Header Auth).
- To create a SCIM-type app, in SCIM 2.0 Test App (Header Auth) select Add.
- In Add SCIM 2.0 Test App (Header Auth) > General Settings, define the name and the accessibility of your SCIM application:
  - In Application label, enter the application name.
  - Accept the default settings by clicking Next.
- In Sign-On Options you can define the way users log in to your integration. Select Secure Web Authentication, and then select Done to accept the default settings.
Your SCIM application created in the Okta Admin portal is now ready.
STEP 4: Configure provisioning in Okta
Follow these steps to enable the communication between Enterprise Application Access and Okta by providing your authentication properties.
- Sign in to your Okta account at https://<your tenant name>.okta.com. Select Admin to open your administrator console.
- Go to Applications > Applications.
- In Applications search for SCIM, and from the list of results select SCIM 2.0 Test App (Header Auth).
- In Provisioning select Configure API Integration.
- In Provisioning select Enable API Integration.
- Use the values you saved in STEP 1:
  - Paste your SCIM base URL into Base URL.
  - Paste your Provisioning key into API Token.
- Select Test API Credentials to verify your credentials.
- When you receive a confirmation, select Save.
Your Enterprise Application Access and Okta are now connected via the SCIM protocol. In Provisioning you can configure the following settings:
- To App. Here you configure data that flows from Okta user profiles to the EAA service through the integration.
- To Okta. Here you configure data that flows from the EAA service to Okta.
- API Integration. Here you can modify your API authentication credentials.
- In To App select Edit to enable operations for your group's endpoint.
- Enable Create, Update and Deactivate Users, and select Save.
- Configure the Attribute mapping so that it is consistent with the default settings in Enterprise Application Access. Check that your SCIM app contains the same attributes as your SCIM directory in Enterprise Application Access. For the default attributes, see the Attribute Mapping table in STEP 1.
Your provisioning settings for your SCIM application are now configured. Next, you can optionally set up alias provisioning in the Okta Admin portal.
STEP 5: Assign groups to your SCIM application in Okta
Follow these steps to assign users to your SCIM application.
- Log in to your Okta account at https://<your tenant name>.okta.com. Select Admin to open your administrator console.
- Go to Applications > Applications.
- Select Assignments to assign individual users or groups. To assign a group, select Groups.
- In Assign SCIM app to Groups select Assign > Assign to Groups.
- In Assign SCIM app to Groups, search for a group you want to provision and select Assign. In Assign SCIM app to Groups you can enter additional information for the selected group. To continue, select Save and Go Back.
- Select Done. In SCIM Assignment you can see the newly assigned group or groups.
- Go to Push Groups to push groups to Enterprise Application Access and enable group-based management.
- In Push Groups > Find groups by name, enter and select the name of your assigned group. The name of the selected group appears below.
- To add more groups, select Save & Add Another and repeat the previous step.
- To accept the default settings and confirm your groups, select Save.
- For each of the selected groups, open the Push Status and select Push now to override the users and their privileges in Enterprise Application Access via an immediate transfer from Okta.
If you get the error BadRequest - invalidSyntax: 'password' is not a valid SCIM attribute or has no mapping configured, contact support.