Disclaimer
It is outside the scope of ValueBlue to provide documentation and guidance on how SCIM provisioning works in Azure Active Directory. We therefore advise you to refer to the official Microsoft documentation for in-depth concepts and technical information. Here we provide you with the guide on how to set up an Azure Active Directory (AD) enterprise app with System for Cross-domain Identity Management (SCIM) provisioning.
The customers who are using SSO within their organization will already have an app for BlueDolphin SSO created in Azure AD. However, there is a restriction with Azure in that a non-gallery application cannot be used for both SSO and SCIM. This means that you need to create a new non-gallery application which will be used only for SCIM user provisioning for BlueDolphin.
You can read more about the current limitations of SCIM 2.0 protocol compliance of the Azure AD user provisioning service and proposed workarounds here. The request to support this capability has been raised with Microsoft and more details can be found in their Q&A.
Create a non-gallery enterprise application
1. Log in to the Azure Active Directory portal.
2. To create a new enterprise application, go to Enterprise Applications in the left pane and click + New application
3. Click+ Create your own application.
4. Enter a name for your application, select Integrate any other application you don’t find in the gallery (Non-gallery), and then click Create to create an app object. The new app is now added to the list of enterprise applications.
The following screenshot shows the Azure AD application gallery:
Assign users and groups
After you have created an app, the screen for its management opens.
1. In the section Getting started, click 1. Assign users and groups.
You should have already created users or groups (with the roles assigned) that you now want to assign to app-roles for your new application. To create new roles for this app, go to the app roles section and follow the steps (see the screenshot below).
2. Click + Add user/group and under Users and groups click None assigned.
3. The list of available users and groups opens on the right-hand side. From there, select the users/groups that you want to assign, click Select and then Assign.
Note: Provisioning of nested groups via SCIM is not supported by Azure.
Set up provisioning
1. Go to the Provisioning section of your new app.
2. Click Get started.
3. Set Provisioning mode to Automatic.
4. Set Tenant URL to https://services.eu.bluedolphin.app/scim/v2/{tenantname}/ for EU and https://services.us.bluedolphin.app/scim/v2/{tenantname}/ for US. Provide your tenant's name in the {tenantname} parameter.
5. For Secret Token, use the API key secret that you have generated in the Admin module of BlueDolphin. The steps for creating API keys are described here. You will need a key with the scope User provisioning.
6. Click Test connection to test if the new app is connected to your SCIM API. If you receive the confirmation that the connection has been established, click Save in the top-left corner.
Mappings
In the Mappings section, there are two sets of attribute mappings: one for user objects and one for group objects. Select each to review the attributes that are synchronized from Azure AD to your app.
Both user and group mappings are enabled by default.
Group mappings
1. To customize mappings for groups, go to Mappings and click Provision Azure Active Directory Groups.
2. Leave group mapping enabled. Alternatively, if you want to disable this feature for groups and assign users directly, set Enabled to No.
3. In the section Target Object Actions, uncheck Create and Delete as these are not supported by the BlueDolphin SCIM API.
4. In the Attribute Mappings section, delete all attributes except: displayName and members (see the screenshot below).
If a group name in Azure AD identically matches a role name in BlueDolphin, complete the mappings by saving your settings.
Otherwise, follow the steps below for writing expressions for attribute mappings in Azure AD.
5. Click the attribute displayName and the new screen Edit Attribute opens.
6. Set Mapping type to Expression.
If you have a single group for which you need to configure mapping, in the expression box enter either of the following two expression formats. Replace 'GroupInAzureAD' with an actual group name in your organization's Azure AD and 'RoleInBD' with a role name in BlueDolphin.
Replace([displayName], "GroupInAzureAD", , , "RoleInBD", , )
Switch([displayName], , "GroupInAzureAD", "RoleInBD" )
For example, you have a group called 'AcmeCompany-SEC-All' in Azure AD.
If you want to provision users from this group to the 'Default users' role in BlueDolphin, the expressions should be either of the following:
Replace([displayName], "AcmeCompany-SEC-All", , , "Default users", , )
Switch([displayName], , "AcmeCompany-SEC-All", "Default users" )
If you have multiple groups assigned to your app, use the following expression format to customize the mapping. Replace every 'GroupInAzureAD' with an actual group name in your organization's Azure AD and every 'RoleInBD' with a role name in BlueDolphin.
Switch([displayName], , "GroupInAzureAD1", "RoleInBD1", "GroupInAzureAD2", "RoleInBD2", "GroupInAzureAD3", "RoleInBD3")
For example, you have groups called 'AcmeCompany-SEC-Admin' and 'AcmeCompany-SEC-All' in Azure AD.
If you want to provision users from these groups called to the 'Administrators' and 'Default users' roles in BlueDolphin respectively, the expressions should be:
Switch([displayName], , "AcmeCompany-SEC-Admin", "Administrators", "AcmeCompany-SEC-All", "Default users")
Make sure the expression is correctly parsed and click Ok.
7. Click Save to save any changes you have made.
Note: If the role(s) in BlueDolphin are renamed, make sure to update the mappings accordingly.
In the table below you can find required attributes and their matching values across different systems:
Group Attribute in Azure | Required | SCIM /Groups Attribute | Role Attribute in BlueDolphin |
displayName | Yes | displayName | Role name |
members | Yes | members | Users |
User mappings
1. To customize mappings for users, go to Mappings and click Provision Azure Active Directory Users.
2. User mapping is set to Enabled by default and disabling is not supported.
3. Leave all Target Object Actions checked.
4. In the Attribute Mappings section, delete all attributes except: userPrincipalName, mail, givenName, and surname (see the screenshot below).
5. Click Save in the top-left corner to save any changes.
In the table below you can find required attributes and their matching values across different systems:
User Attribute in Azure | Required | SCIM /Users Attribute | User Attribute in BlueDolphin |
userPrincipalName | Yes | userName | User name |
Yes | emails[type eq “work”].value | ||
givenName | Yes | name.givenName | First name |
surname | Yes | name.familyName | Last name |
Note: To prevent erroneous or incomplete data to flow over the interface, you may use a scoping filter to specify that each of these required attributes must exist on the user record. To configure a scoping filter, click All records under Source Object Scope.
For example, you can use the 'IS NOT NULL' clause to ensure that all the required attributes contain data:
Settings
In the Settings section, set Scope to Sync only assigned users and groups and click Save.
Finally, to initiate user provisioning set Provisioning status to On.
Delete users
When the API sends a DELETE request for a user, that user will be deleted from BlueDolphin. BlueDolphin does not support disabling of users.
For more details on user deprovisioning, please refer to the official Azure AD documentation.
Application provisioning in Azure AD
For in-depth concepts and technical information on how application provisioning works in Azure AD, please refer to the official Azure AD documentation.
Comments
0 comments
Please sign in to leave a comment.