SCIM provisioning with Azure Active Directory

Learn to provision users and groups from Azure using SCIM.

The System for Cross-domain Identity Management (SCIM) specification is an open API designed to make managing user identities in cloud-based applications and services easier and faster. EAA supports SCIM provisioning with Azure Active Directory, allowing it to obtain user and group information quickly, sync between identity stores in near real time, and apply enforcement policies.

To configure SCIM provisioning with the EAA SCIM directory as the SCIM target and Microsoft Azure Active Directory as the SCIM source, follow STEP 1 through STEP 5. This minimal configuration supports the following mapping of SCIM attributes between Azure Active Directory and the EAA SCIM directory:

However, if you wish to map other SCIM attributes as specified by RFC 7643 between Azure Active Directory and EAA, see the optional STEP 6 and STEP 7 for more details. After completing STEP 7, you can associate the Azure SCIM directory with a Microsoft Azure AD IdP and assign the IdP to the application so that users authenticate through it to access the application.

Prerequisites: Sign up for a Microsoft Azure admin account.

Note: If a user in a SCIM directory does not belong to any group, the user is considered invalid for access authorization and receives a 403 Forbidden error.

STEP 1: Create a new SCIM directory of type Azure in EAA

Configure a SCIM directory of type Azure in EAA and note down the SCIM base URL and Provisioning key.

How to

  1. In the EAA Management portal, go to Identity > Directory.
  2. Click Add Directory.
  3. Provide a name and description for the directory.
  4. Select the Directory Type as SCIM and the SCIM Schema as Azure.
  5. Click Create Directory and Configure.
  6. The SCIM base URL is populated with a value. Copy this value and save it. You will need it for Azure SCIM provisioning in STEP 4.
  7. In the SCIM provisioning section, click Generate new Provisioning key.
  8. In the new dialog Generate provisioning key, provide a name and description, and click Create Provisioning key.
  9. Copy the Provisioning key by clicking on the copy to clipboard icon. If you don’t copy it, you will lose it and you’ll have to generate a new key. You will need this for the Azure SCIM provisioning in STEP 4.
  10. Under Login preference Attributes, select either User principal name (default) or Email as the attribute users log in with.
  11. Click Save Directory. The newly created SCIM directory should appear as a directory card in DIRECTORIES.

STEP 2: Create an EAA Enterprise App in Azure Active Directory

Configure an Enterprise Application in Azure Active Directory (AD) for EAA.

How to

  1. Log in as administrator to your account in the Azure Active Directory portal.
  2. Go to your tenant inside Azure Active Directory. Create users and groups, and add members to your groups under the Manage section in the Microsoft Azure portal. See Manage users and groups in Azure Active Directory.
  3. In the navigation menu, select Enterprise applications.
  4. The All applications page displays the enterprise applications created in your Azure AD tenant.
  5. In All applications, click New application (+). You are redirected to the Azure AD gallery, which displays the available application templates.
  6. In Browse Azure AD Gallery (Preview), click Create your own application (+).
  7. Select Integrate any other application you don't find in the gallery, enter a unique name for your EAA application, say demo-app, and click Create.

STEP 3: Assign Users and Groups to EAA Enterprise App in Azure Active Directory

Add the users and groups to the new EAA app you created in STEP 2.

How to

  1. Log in as administrator to your account in the Azure Active Directory portal.
  2. Go to your tenant inside Azure Active Directory.
  3. In the navigation menu, select Enterprise Applications and navigate to the demo-app you created in STEP 2.
  4. In the navigation menu, select Users and groups, then click + Add user/group.
  5. In the Add Assignment page, click Users and groups to open the list of available users.
  6. In the Users and groups section, select the users and groups you want to assign to the demo-app you created earlier, and click Select.

    For example, we have added two users belonging to no groups and two additional groups to the demo-app.

  7. The Users and groups page gets updated with the selected list.

    For example, if you added two groups and two users belonging to no groups to the demo-app successfully, you should see:

STEP 4: Configure SCIM provisioning in Azure Active Directory

You can configure automatic provisioning of users and groups in Microsoft Azure Active Directory. This enables the EAA SCIM directory to automatically import all identities, both users and groups, and keep them synchronized with the Azure identity store.

How to

  1. Log in as administrator to your account in the Azure Active Directory portal.
  2. Go to your tenant inside Azure Active Directory.
  3. In the navigation menu, select Enterprise Applications and navigate to the demo-app you created in STEP 2.
  4. Select Provisioning and click Get Started.
  5. On the Provisioning page, select Provisioning mode as Automatic.
  6. Update the Admin Credentials section:
    1. Paste the SCIM base URL for the Tenant URL.
    2. Paste the Provisioning key from EAA in the Secret Token field.
    3. Click Test Connection to verify that Azure Active Directory can communicate with the SCIM endpoint in EAA.
  7. Click Save.

STEP 5: Map SCIM attributes to Azure attributes and start provisioning

Map the SCIM attributes to the Azure attributes for your EAA enterprise app in Microsoft Azure Active Directory.

How to

  1. Log in as administrator to your account in the Azure Active Directory portal.
  2. Go to your tenant inside Azure Active Directory.
  3. In the navigation menu, select Enterprise Applications and navigate to the demo-app you created in STEP 2.
  4. Select Provisioning. Under Manage provisioning, click Edit attribute mappings.
  5. Expand the Mappings tab. Make sure Provision Azure Active Directory Groups and Provision Azure Active Directory Users are enabled.
  6. Click Provision Azure Active Directory Users. In the Attribute Mapping screen, map these customappsso Attributes (the SCIM attributes) to the corresponding Azure Active Directory Attributes, remove all other mappings by clicking Delete, and Save your attribute mappings.

    The default user attribute mappings supported by EAA are:

    Note: No changes are needed for Provision Azure Active Directory Groups unless you wish to map additional SCIM attributes to Azure attributes. The default group attribute mappings supported by EAA are:
  7. Navigate back to Provisioning. Click Start provisioning. Alternatively, you can Provision on demand, if you wish to explicitly push some users from Azure to EAA immediately. See On-demand provisioning in Azure Active Directory.
    If you go to the EAA management portal and check the SCIM directory you created in STEP 1, you should see the users and groups imported from Azure Active Directory.

STEP 6: (optional) Map additional SCIM attributes to Azure attributes

You may want to map additional SCIM attributes, such as the department an employee belongs to, from the SCIM source (Azure Active Directory) to the SCIM target (the EAA SCIM directory). You can do this by adding a new mapping for the SCIM attribute in Azure Active Directory, and then adding a custom attribute in EAA as described in STEP 7.

For more information, see the Microsoft documentation: Customize user provisioning attribute-mappings for SaaS applications in Azure Active Directory.

How to

  1. Log in as administrator to your account in the Azure Active Directory portal.
  2. Go to your tenant inside Azure Active Directory.
  3. In the navigation menu, select Enterprise Applications and navigate to the demo-app you created in STEP 2.
  4. Select Provisioning. Under Manage provisioning, click Edit attribute mappings.
  5. Expand the Mappings tab.
  6. To add a new SCIM attribute, click Provision Azure Directory Users.
  7. Click Add New Mapping.
  8. In the Edit Attribute dialog box, choose the following settings:
    Note: EAA only supports these extensions: Users schema, Enterprise Users schema, Enterprise Users extension, and group.

    The new custom attribute, department, is added to the Azure AD attribute mapping for users:

STEP 7: (optional) Add a custom attribute in EAA and map it to the SCIM attribute in your EAA SCIM directory

Add any custom attributes in EAA and map them to the SCIM attributes in your SCIM directory.

How to

  1. Add a new custom attribute in EAA by navigating to System > Settings.
  2. Go to the User attributes section and click Add more. For example, to map the attribute name Department as a string to the user.department field in EAA, add this configuration:
  3. Go to the SCIM directory you created in EAA in STEP 1 and click Configure Directory (gear icon).
  4. Go to the Attribute mapping section and click Add more. Select the EAA attribute and scroll down; you should see the new custom attribute you added (in this example, Department). Map it to the SCIM attribute department.

    For this example, after attribute mapping the result should look like this:

    Custom SCIM attributes like department can then be pushed from the SCIM source, Azure Active Directory, to the SCIM target, the EAA SCIM directory, for the users. After completing STEP 7, you can associate the Azure SCIM directory with a Microsoft Azure AD IdP and assign the IdP to the application so that users authenticate through it to access the application.
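As an added illustration, not EAA's or Microsoft's code, of what the STEP 1 Provisioning key, the STEP 5 and STEP 7 attribute mappings and the no-group note above mean on the SCIM target side, this Python sketch checks the Secret Token Azure sends, resolves the mapped attributes from a SCIM User resource (department coming from the SCIM enterprise extension, as in STEP 6) and applies the no-group rule. The key, the sample user and the group membership set are constructed values.

```python
import hmac

ENTERPRISE_EXT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Constructed stand-in for the Provisioning key generated in STEP 1 (Azure sends it as the Secret Token).
PROVISIONING_KEY = "constructed-provisioning-key"

# EAA attribute -> SCIM attribute path: the STEP 5 user mappings plus the custom department mapping of STEP 7.
ATTRIBUTE_MAP = {
    "user.userName": "userName",
    "user.email": "emails[primary].value",
    "user.department": ENTERPRISE_EXT + ".department",
}

def check_secret_token(auth_header, expected=PROVISIONING_KEY):
    """Verify the Bearer token Azure presents; compare in constant time so timing does not leak the key."""
    scheme, _, token = auth_header.partition(" ")
    return scheme == "Bearer" and hmac.compare_digest(token, expected)

def scim_get(resource, path):
    """Resolve a SCIM attribute path: plain, enterprise-extension qualified, or the primary e-mail filter."""
    if path.startswith(ENTERPRISE_EXT + "."):
        return resource.get(ENTERPRISE_EXT, {}).get(path[len(ENTERPRISE_EXT) + 1:])
    if path == "emails[primary].value":
        return next((e.get("value") for e in resource.get("emails", []) if e.get("primary")), None)
    return resource.get(path)

def map_user(resource, login_preference="user.userName"):
    """Build the EAA user record; login_preference mirrors the STEP 1 choice (User principal name or Email)."""
    user = {eaa: scim_get(resource, scim) for eaa, scim in ATTRIBUTE_MAP.items()}
    user["login"] = user[login_preference]
    return user

def authorize(login, group_members):
    """Access check per the note above: a provisioned user who is in no group is invalid and gets 403."""
    return 200 if any(login in members for members in group_members.values()) else 403

# Constructed SCIM User as Azure would POST it to the SCIM base URL; department sits in the enterprise extension.
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE_EXT],
    "externalId": "3f2a-constructed", "userName": "alice@example.com", "active": True,
    "emails": [{"primary": True, "type": "work", "value": "alice.smith@example.com"}],
    ENTERPRISE_EXT: {"department": "Finance"},
}
SAMPLE_GROUPS = {"finance-team": {"alice@example.com"}}  # constructed; any other login is in no group
```

Switching `login_preference` to `"user.email"` shows why the STEP 1 choice matters: the login value used for group membership changes from the UPN to the primary e-mail, so the group membership data must use the same attribute.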