SCIM provisioning with Azure

Provision users from Azure Active Directory using SCIM

You can use SCIM protocol to import user's digital identities from Azure (the source system) to Enterprise Application Access.

You can use EAA SCIM directory as the SCIM target and Microsoft Azure Active Directory as the SCIM source.

This minimal configuration supports the following mapping of SCIM attributes between Azure Active Directory SCIM source and EAA SCIM directory:

  • userName
  • active
  • displayName
  • emails[type eq "work"].value
  • name.givenName
  • name.familyName
  • phoneNumbers[type eq "mobile"].value
  • externalid

Prerequisite:
Sign in to your Microsoft Azure admin account.

STEP 1: Create a new SCIM directory of type Azure in Enterprise Center

Configure a SCIM directory of type Azure in Enterprise Center and save the SCIM base URL and the Provisioning key.

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Identity & Users > Directories.

  3. Select Add New Directory (+).

  4. Enter a name and description for directory.

  5. In Directory Type select SCIM, and in SCIM Schema select Azure.

  6. Select Add New Directory.

  7. Open your new directory Settings > General and copy SCIM base URL. Save it for Azure SCIM provisioning in STEP 4.

  8. In Settings > General select Create Provisioning Key.

  9. Enter a name and description for the key.

  10. Copy Provisioning key by clicking on the copy to clipboard icon. Save it for Azure SCIM provisioning in STEP 4.

  11. In Login preference Attributes select either User principal name (default) or Email to choose for a user a way to log in.

  12. Select Save.
    The new SCIM directory appears in the directories list in Identity & Users > Directories.

STEP 2: Create an EAA enterprise app in Azure Active Directory

Configure an enterprise application in Azure Active Directory (AD) for Enterprise Application Access.

  1. Log in as administrator to your account in Azure Active Directory portal.

  2. Go to your tenant inside the Azure Active Directory. Create users and groups, add members to your groups under the Manage section in the Microsoft Azure portal. See Manage users and groups in Azure Active Directory.

  3. In the navigation menu, select Enterprise applications.

  4. All applications displays enterprise applications created in your Azure AD tenant.

  5. In All applications, select New application (+). You are redirected to the Azure AD gallery that displays the available application templates.

  6. In Browse Azure AD Gallery (Preview), select Create your own application (+).

  7. Select Integrate any other application you don't find in the gallery, enter a unique name for your application, for example, demo-app and select Create.

STEP 3: Assign Users and Groups to EAA enterprise app in Azure Active Directory

Add the users and groups to the new EAA Enterprise application you created in STEP 2.

  1. Log in as administrator to your account in Azure Active Directory portal.

  2. Go to your tenant inside the Azure Active Directory.

  3. In the navigation menu, select Enterprise Applications and go to the demo-app you created in STEP 2.

  4. In the navigation menu, select Users and groups, select Add user/group (+).

  5. In Add Assignment select Users and groups to open the list of available users.

  6. In Users and groups select the users and groups you want to assign to the demo-app you created earlier, and click Select.

In Users and groups you can search for users and groups by name and select them.

The Users and groups page gets updated with the selected list.

Users and groups belonging to an app, are displayed together in one list with Display Name, object type and role assigned visible.

STEP 4: Configure SCIM provisioning in Azure Active Directory

Configure automatic provisioning of users and groups in Microsoft Azure Active Directory. This enables Enterprise Application Access SCIM directory to automatically import all resources, including users and groups, and synchronize with Azure Active Directory.

  1. Log in as administrator to your account in Azure Active Directory portal.

  2. Go to your tenant inside the Azure Active Directory.

  3. In the navigation menu, select Enterprise Applications and go to the demo-app you created in STEP 2.

  4. Go to Manage > Provisioning and select Get Started.

  5. On the Provisioning page, select Provisioning mode as Automatic.

  6. Update the Admin Credentials section:

    1. Paste the SCIM base URL for Tenant URL.

    2. Paste the Provisioning key from Enterprise Center in Secret Token.

    3. Select Test Connection, to verify that Azure Active Directory can communicate to the SCIM endpoint in Enterprise Application Access.

  7. Select Save.

STEP 5: Map SCIM attributes to Azure attributes and start provisioning

Map the SCIM attributes to the Azure attributes for your EAA enterprise application in Microsoft Azure Active Directory.

  1. Log in as administrator to your account in Azure Active Directory portal.

  2. Go to your tenant inside the Azure Active Directory.

  3. In the navigation menu, select Enterprise Applications and go to the demo-app you created in STEP 2.

  4. Select Provisioning. Under Manage provisioning select Edit attribute mappings.

  5. Expand Mappings and check if Provision Azure Active Directory Groups and Provision Azure Active Directory Users are enabled.

  6. Select Provision Azure Directory Users to map Azure attributes. In Attribute Mapping, map customappsso Attribute (same as SCIM attributes) to the corresponding Azure Active Directory database Attribute. To remove other attributes, select Delete and Save your attribute mappings.

Default user attributes mapping supported by Enterprise Application Access are listed in the below table.

Azure Active Directory AttributeCustomappsso Attribute
userPrincipalNameuserName
Switch([IsSoftDeleted], , "False", "True", "True", "False")active
displayNamedisplayName
mailemails[type eq "work"].value
givenNamename.givenName
surnamename.familyName
mobilephoneNumbers[type eq "mobile"].value
mailNicknameexternalid

No changes are needed for the Provision Azure Directory Groups, unless you wish to map additional SCIM attributes to Azure attributes. The default group attributes mapping supported by Enterprise Application Access are:

Azure Active Directory AttributeCustomappsso Attribute
displayNamedisplayName
objectIdexternalId
membersmembers
  1. Return to Provisioning. Select Start provisioning.
    Alternatively, select Provision on demand, if you wish to explicitly push some users from Azure to Enterprise Application Access immediately. See On-demand provisioning in Azure Active Directory.

  2. In Enterprise Center check the SCIM directory you created in STEP 1. You should see the users and groups imported from Azure Active Directory.

STEP 6: (optional) Map additional SCIM attributes to Azure attributes

To map additional SCIM attributes (like a department the employee belongs to from the SCIM source, Azure Active Directory, to the SCIM target, EAA SCIM directory) add a new mapping for the SCIM attribute in Azure Active Directory, and next add a custom attribute in EAA as described in STEP 7.

For more information refer to Microsoft documentation, Customize user provisioning attribute-mappings for SaaS applications in Azure Active Directory.

  1. Log in as administrator to your account in Azure Active Directory portal.

  2. Go to your tenant inside the Azure Active Directory.

  3. In the navigation menu, select Enterprise Applications and go to the demo-app you created in STEP 2.

  4. Select Provisioning. Under Manage provisioning, select Edit attribute mappings.

  5. Expand Mappings and select Provision Azure Directory Users to add a new SCIM attribute.

  6. Select Add New Mapping.

  7. In Edit Attribute configure the following settings:

    • In Mapping type select direct and in Source attribute select department Azure AD database attribute.
    • In Target attribute select urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department SCIM attribute for the department.

πŸ“˜

Enterprise Application Access only supports these extensions: User's schema, Enterprise User's schema, Enterprise User and group.

The new custom attribute is added in Azure AD attribute list.

STEP 7: (optional) Add a custom attribute in Enterprise Center and map it to the SCIM attribute in your Enterprise Center SCIM directory

Add any custom attributes in Enterprise Center and map them to the SCIM attributes in your SCIM directory.

  1. Add a new custom attribute in General Settings > Settings.

  2. Select User Attributes and select Add Attribute. For example, to map the Department attribute name as a string variable to user.department, add the following configuration:

NameTypeVariable Name
DepartmentStringuser.department
  1. Select Save Attribute Changes βœ“.

  2. Go to the directory list page and click on the directory you created in Enterprise Center in STEP 1.

  3. Go to the Attribute mapping section and select Add more. Go to EAA Attributes and select the new custom attribute you added. In this example, Department and map it to department in the SCIM Attributes.

Custom SCIM attributes like department can be pushed from the SCIM source, Azure Active Directory to the SCIM target, EC SCIM directory for the users. After completing STEP 7, you can associate the Azure SCIM directory to a Microsoft Azure AD IdP, assign the IdP to the application to authenticate users to access the application.


Did this page help you?