To set up Azure SCIM, you need to create a Service Provider (SP) entity in the Azure portal. This entity will be used to connect your organization's identity provider to Azure.
Azure SCIM supports two protocols: SCIM 1.1 and SCIM 2.0. You'll need to choose the protocol that's compatible with your identity provider.
First, create a new Azure AD application to act as the Service Provider. This application will be used to authenticate and authorize requests between your organization's identity provider and Azure.
To enable SCIM, you'll need to register the application with the Azure AD application registration API. This will provide the necessary permissions for the application to act as the Service Provider.
Prerequisites
To set up Azure SCIM, you'll need to have an Azure AD tenant. You'll also need a SCIM tenant URL, which you can find in the directory sync set up in Autodesk Account.
Before you start, complete the steps outlined in the SCIM Directory Integration support article to set up a new SCIM user directory in your Kandji tenant. This will give you the SCIM access token and API URL that you'll need.
Copy and store the token provided in the SCIM Directory Integration article. Once you click Done, the token is no longer visible, and it is required in a later step.
Here are the prerequisites you'll need to have:
- An Azure AD tenant
- SCIM tenant URL
- Secret token (or SCIM access token)
Be sure to review the supported user and group attributes listed in the SCIM Directory Integration article to ensure you're meeting all the necessary requirements.
Configuring Azure SCIM
Configuring Azure SCIM is a crucial step in integrating Azure Active Directory with your Harmony SASE Management Platform. To get started, log in to your Harmony SASE Management Platform and navigate to Settings, then Identity Providers.
Select the + Add Provider button to begin the configuration process. Choose Microsoft Azure AD as the provider you want to connect.
You'll need to fill in your Microsoft Azure AD Domain, which is your domain name (e.g., harmonysase.com). You may also need to enter Domain Aliases if they are required. For the Client ID, use the Application ID stored in Azure AD.
Make sure to use the Client Secret value shown when you created it in Azure AD. Under Domain, enter the name of your Microsoft Azure AD Domain, and under Domain Aliases, add any email domains corresponding to the connection.
After completing these steps, select Done to finish the configuration process. If you encounter access errors after configuration, check the troubleshooting steps to resolve the issue.
Microsoft Entra ID Integration
To integrate Microsoft Entra ID with Harmony SASE, you'll need to log in to Microsoft Azure and choose Azure Active Directory from the sidebar.
This integration ensures continuous synchronization of users between Azure AD and Harmony SASE, facilitating seamless user management and authentication.
First, log in to your Harmony SASE Management Platform and navigate to Settings, then Identity Providers. From there, select + Add Provider.
Choose Microsoft Azure AD as the provider, and fill in your Microsoft Azure AD Domain, Domain Aliases (optional), Client ID, and Client Secret. For the Client ID, this value is stored as the Application ID in Azure AD.
To set up the integration, you'll need to create a SCIM Integration in Microsoft Entra ID, assign users and groups, and consider any necessary configurations.
Here are the steps to configure a SCIM user directory integration with Microsoft Entra ID:
- Prerequisites: Ensure you have the necessary permissions and configurations in place.
- Create the SCIM Integration in Microsoft Entra ID.
- Assign Users and Groups.
- Considerations: Review any specific requirements or configurations for your organization.
Application Setup
To set up your Azure SCIM application, start by configuring the SCIM application in Azure. This involves navigating to Azure Active Directory, creating a new enterprise application, and setting up provisioning. You can do this by following the steps outlined in the Azure portal, which include setting the provisioning mode to automatic and configuring attribute mappings.
To create the SCIM application, you'll need to create a new enterprise application in Azure and set up its provisioning. This can be done by selecting the "New application" option in the Azure portal and choosing to create a non-gallery application. You'll then need to enter an input name for your app and select the "Create" option.
Once you've created the SCIM application, you can obtain the necessary credentials from the Autodesk User Management Portal. This involves logging in to Autodesk, accessing the team settings, and copying the Tenant URL and Secret token. These values will be used to set up the provisioning tab in your Azure portal.
Obtain Autodesk Credentials
To obtain Autodesk credentials, you'll need to log in to the Autodesk User Management Portal. This is where you'll access the necessary settings to connect your Azure AD SCIM directory.
First, go to the left navigation bar and select the User management tab. From there, you can access the team settings by clicking on By User or By Group.
Next, click the Set up directory sync button and select Azure AD SCIM as the directory environment. This will allow you to link your Azure AD directory to Autodesk.
You'll then be prompted to enter Azure admin credentials. This is where you'll find the Tenant URL and the Secret token, which are essential for completing the setup process.
Here's a quick rundown of the steps:
- Login to Autodesk and select the User management tab on the left navigation bar.
- Go to By User or By Group to access the team settings.
- Click the Set up directory sync button and select Azure AD SCIM as the directory environment.
- Click Next to access the Azure admin credentials.
- Copy the Tenant URL and the Secret token.
Remember to copy the Tenant URL and the Secret token, as these values will be used in the Provisioning tab of your Autodesk application in the Azure portal.
Create Authentication Domain
To create an authentication domain, click + Add new. This will allow you to set up a new authentication domain for your SCIM-provisioned users.
For the new authentication domain, you'll need to select SCIM as the Source of users. This is a crucial step in the process.
Make sure to copy and save the API token, as it will only be shown once. You'll need this token for later use.
Create Application
To create an application in Azure, you'll need to navigate to the Enterprise applications page. Select New application and choose Create your own application. This will take you to a pop-up window where you can enter an Input name for your app. Make sure to select Integrate any other application you don't find in the gallery (Non-gallery).
You'll need to click on Create to proceed. Alternatively, you can also configure a SCIM application by logging in to your Azure tenant and navigating to Azure Active Directory. From there, you can create a new enterprise application named Harmony SASE SCIM.
To configure the SCIM application, you'll need to set Provisioning Mode to automatic on the Provisioning screen. You'll also need to expand Admin Credentials and Mappings to configure the attribute mappings. The attribute mappings should match the below configuration:
Remember to delete all the irrelevant fields and change 'userPrincipalName' as necessary.
ObjectGUID Attribute Mapping
ObjectGUID Attribute Mapping is a crucial step in setting up your application. User attribute mappings are pre-configured and don't require further action, but if you want to view or customize the ObjectGUID attribute, you'll need to follow a specific procedure.
To access this feature, you'll need to check the Show advanced options box in the provisioning screen. This will allow you to add the objectGUID to the attribute list.
To do this, you'll need to add objectGUID to the attribute list with the details of mapping type as 'ObjectGUID' and source as 'Directory'. This will enable you to customize the ObjectGUID attribute.
Once you've added objectGUID to the attribute list, you'll need to click Save, then add a new mapping for objectGUID with the same details. After that, click Save to go back to the provisioning screen.
Here's a summary of the steps:
- Check the Show advanced options box.
- Add objectGUID to the attribute list with mapping type as 'ObjectGUID' and source as 'Directory'.
- Click Save, then add a new mapping for objectGUID.
- Click Save to go back to the provisioning screen.
Frequently Asked Questions
What is the difference between SCIM and SAML?
SCIM automates user provisioning and deprovisioning, while SAML handles authentication and authorization. While related, these protocols serve distinct purposes in identity and access management.
What is the difference between JIT and SCIM?
JIT (Just-In-Time) and SCIM (System for Cross-domain Identity Management) provisioning differ in their automation capabilities, with JIT focusing on account creation and SCIM handling account management, deprovisioning, and more. While both protocols automate user access, SCIM offers more comprehensive management, but requires more app support.
Is SCIM still used?
SCIM 1.1 is still used in some organizations, particularly those with legacy identity management systems. Many companies, like Okta and PingIdentity, support both versions for compatibility.
What is SCIM in Azure AD?
SCIM is a standardized protocol that enables the creation, update, and deletion of user and group objects in Azure AD using common REST verbs and a pre-defined schema. It simplifies user management and synchronization across multiple systems and applications.
What is SCIM provisioning in Azure AD?
SCIM provisioning in Azure AD is a feature that simplifies user account management by automating the creation, maintenance, and permission updates for cloud-based applications. It helps IT admins efficiently manage user access and permissions across multiple applications.
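The following added example (not code from Microsoft or from any vendor named on this page) models the receiving side of the provisioning flow described in this FAQ: an in-memory SCIM 2.0 /Users endpoint that checks the secret token as a bearer credential, then handles create, deactivate and delete requests. The class name ScimUsers, the status-code choices and the sample token used to exercise it are assumptions made for illustration.

```python
import hmac
import uuid

# Added illustration: ScimUsers is a hypothetical stand-in, not a vendor API.
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

class ScimUsers:
    """In-memory stand-in for the /Users endpoint behind a SCIM tenant URL."""

    def __init__(self, secret_token):
        self._token = secret_token
        self.users = {}

    def _authorized(self, headers):
        # Compare the bearer token in constant time to avoid a timing oracle.
        sent = headers.get("Authorization", "")
        return hmac.compare_digest(sent.encode(), f"Bearer {self._token}".encode())

    def handle(self, method, path, headers, body=None):
        """Return (status, response_body) for one provisioning request."""
        if not self._authorized(headers):
            return 401, None
        body = body or {}
        user_id = path[len("/Users/"):] if path.startswith("/Users/") else None
        if method == "POST" and path == "/Users":
            if USER_SCHEMA not in body.get("schemas", []) or not body.get("userName"):
                return 400, None
            if any(u["userName"] == body["userName"] for u in self.users.values()):
                return 409, None  # userName must be unique
            user = dict(body, id=str(uuid.uuid4()))
            user.setdefault("active", True)
            self.users[user["id"]] = user
            return 201, user
        if user_id not in self.users:
            return 404, None
        if method == "PATCH":
            if PATCH_SCHEMA not in body.get("schemas", []):
                return 400, None
            for op in body.get("Operations", []):
                # Tolerate capitalised op names and string booleans from clients.
                if op.get("op", "").lower() == "replace" and op.get("path") == "active":
                    self.users[user_id]["active"] = op["value"] in (True, "True", "true")
            return 200, self.users[user_id]
        if method == "DELETE":
            del self.users[user_id]
            return 204, None
        return 405, None
```

Deprovisioning normally arrives as the PATCH that sets active to false rather than as a DELETE, so an endpoint that ignores that operation leaves disabled directory users with live accounts.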
Sources
- https://docs.newrelic.com/docs/accounts/accounts/automated-user-management/azure-ad-scimsso-application-configuration/
- https://support.perimeter81.com/docs/azure-active-directory
- https://help.autodesk.com/cloudhelp/ENU/SSOGUIDE-Okta-Guide/files/About-Directory-Sync/SSOGUIDE_Okta_Guide_About_Directory_Sync_Azure_SCIM_html.html
- https://docs.dynatrace.com/docs/manage/identity-access-management/user-and-group-management/access-scim/scim-azure
- https://support.kandji.io/support/solutions/articles/72000560496-scim-directory-integration-with-microsoft-entra-id-formerly-azure-ad-