Disclaimer
It is outside the scope of ValueBlue to provide documentation and guidance on how SCIM provisioning works in Microsoft Entra ID (formerly Azure Active Directory). We therefore advise you to refer to the official Microsoft documentation for in-depth concepts and technical information. Here we provide you with the guide on how to set up an Microsoft Entra enterprise app with System for Cross-domain Identity Management (SCIM) provisioning.
The customers who are using SSO within their organization will already have an app for BlueDolphin SSO created in Microsoft Entra. However, there is a restriction with Microsoft Entra in that a non-gallery application cannot be used for both SSO and SCIM. This means that you need to create a new non-gallery application which will be used only for SCIM user provisioning for BlueDolphin.
You can read more about the current limitations of SCIM 2.0 protocol compliance of the Microsoft Entra user provisioning service and proposed workarounds here. The request to support this capability has been raised with Microsoft and more details can be found in their Q&A.
Create a non-gallery enterprise application
1. Log in to the Microsoft Entra ID portal.
2. To create a new enterprise application, go to Enterprise Applications in the left pane and click + New application
3. Click+ Create your own application.
4. Enter a name for your application, select Integrate any other application you don’t find in the gallery (Non-gallery), and then click Create to create an app object. The new app is now added to the list of enterprise applications.
The following screenshot shows the Microsoft Entra ID application gallery:
Assign users and groups
After you have created an app, the screen for its management opens.
1. In the section Getting started, click 1. Assign users and groups.
You should have already created users or groups (with the roles assigned) that you now want to assign to app-roles for your new application. To create new roles for this app, go to the app roles section and follow the steps (see the screenshot below).
2. Click + Add user/group and under Users and groups click None assigned.
3. The list of available users and groups opens on the right-hand side. From there, select the users/groups that you want to assign, click Select and then Assign.
Note: Provisioning of nested groups via SCIM is not supported by Microsoft Entra ID.
Set up provisioning
1. Go to the Provisioning section of your new app.
2. Click Get started.
3. Set Provisioning mode to Automatic.
4. Set Tenant URL to https://services.eu.bluedolphin.app/scim/v2/{tenantname}/ for EU and https://services.us.bluedolphin.app/scim/v2/{tenantname}/ for US. Provide your tenant's name in the {tenantname} parameter.
5. For Secret Token, use the API key secret that you have generated in the Admin module of BlueDolphin. The steps for creating API keys are described here. You will need a key with the scope User provisioning.
6. Click Test connection to test if the new app is connected to your SCIM API. If you receive the confirmation that the connection has been established, click Save in the top-left corner.
Mappings
In the Mappings section, there are two sets of attribute mappings: one for user objects and one for group objects. Select each to review the attributes that are synchronized from Microsoft Entra ID to your app.
Both user and group mappings are enabled by default.
Group mappings
1. To customize mappings for groups, go to Mappings and click Provision Azure Active Directory Groups.
2. Leave group mapping enabled. Alternatively, if you want to disable this feature for groups and assign users directly, set Enabled to No.
3. In the section Target Object Actions, uncheck Create and Delete as these are not supported by the BlueDolphin SCIM API.
4. In the Attribute Mappings section, delete all attributes except: displayName and members (see the screenshot below).
If a group name in Microsoft Entra ID identically matches a role name in BlueDolphin, complete the mappings by saving your settings.
Otherwise, follow the steps below for writing expressions for attribute mappings in Microsoft Entra ID.
5. Click the attribute displayName and the new screen Edit Attribute opens.
6. Set Mapping type to Expression.
If you have a single group for which you need to configure mapping, in the expression box enter either of the following two expression formats. Replace 'GroupInAzureAD' with an actual group name in your organization's Microsoft Entra ID and 'RoleInBD' with a role name in BlueDolphin.
Replace([displayName], "GroupInAzureAD", , , "RoleInBD", , )
Switch([displayName], , "GroupInAzureAD", "RoleInBD" )
For example, you have a group called 'AcmeCompany-SEC-All' in Microsoft Entra ID.
If you want to provision users from this group to the 'Default users' role in BlueDolphin, the expressions should be either of the following:
Replace([displayName], "AcmeCompany-SEC-All", , , "Default users", , )
Switch([displayName], , "AcmeCompany-SEC-All", "Default users" )
If you have multiple groups assigned to your app, use the following expression format to customize the mapping. Replace every 'GroupInAzureAD' with an actual group name in your organization's Microsoft Entra ID and every 'RoleInBD' with a role name in BlueDolphin.
Switch([displayName], , "GroupInAzureAD1", "RoleInBD1", "GroupInAzureAD2", "RoleInBD2", "GroupInAzureAD3", "RoleInBD3")
For example, you have groups called 'AcmeCompany-SEC-Admin' and 'AcmeCompany-SEC-All' in Microsoft Entra ID.
If you want to provision users from these groups called to the 'Administrators' and 'Default users' roles in BlueDolphin respectively, the expressions should be:
Switch([displayName], , "AcmeCompany-SEC-Admin", "Administrators", "AcmeCompany-SEC-All", "Default users")
Make sure the expression is correctly parsed and click Ok.
7. Click Save to save any changes you have made.
Note: If the role(s) in BlueDolphin are renamed, make sure to update the mappings accordingly.
In the table below you can find required attributes and their matching values across different systems:
Group Attribute in Microsoft Entra ID | Required | SCIM /Groups Attribute | Role Attribute in BlueDolphin |
displayName | Yes | displayName | Role name |
members | Yes | members | Users |
User mappings
1. To customize mappings for users, go to Mappings and click Provision Azure Active Directory Users.
2. User mapping is set to Enabled by default and disabling is not supported.
3. Leave all Target Object Actions checked.
4. In the Attribute Mappings section, delete all attributes except: userPrincipalName, mail, givenName, and surname (see the screenshot below).
5. Click Save in the top-left corner to save any changes.
In the table below you can find required attributes and their matching values across different systems:
User Attribute in Microsoft Entra ID | Required | SCIM /Users Attribute | User Attribute in BlueDolphin |
userPrincipalName | Yes | userName | |
Yes | emails[type eq “work”].value | ||
givenName | Yes | name.givenName | First name |
surname | Yes | name.familyName | Last name |
Note: To prevent erroneous or incomplete data to flow over the interface, you may use a scoping filter to specify that each of these required attributes must exist on the user record. To configure a scoping filter, click All records under Source Object Scope.
For example, you can use the 'IS NOT NULL' clause to ensure that all the required attributes contain data:
Settings
In the Settings section, set Scope to Sync only assigned users and groups and click Save.
Finally, to initiate user provisioning set Provisioning status to On.
Delete users
When the API sends a DELETE request for a user, that user will be deleted from BlueDolphin. BlueDolphin does not support disabling users.
For more details on user deprovisioning, please refer to the official Microsoft Entra ID documentation.
Application provisioning in Microsoft Entra ID
For in-depth concepts and technical information on how application provisioning works in Microsoft Entra ID, please refer to the official Microsoft Entra ID documentation.
Comments
0 comments
Please sign in to leave a comment.