SCIM: User provisioning with Azure AD
SCIM, or System for Cross-domain Identity Management, is an open standard for automating user provisioning. It makes it easy to add, update or remove users across different applications at the same time. The Scoro solution is built on the SCIM 2.0 specification.
To set up user provisioning with Azure AD, it has to be configured both in Scoro and in Azure AD.
Setting up SCIM
Scoro SCIM setup
- SCIM settings can be found under Settings → Integrations → SCIM
- Admin users can set the default values for new users created via SCIM:
  - Default company account (only available in case of multiple company accounts)
  - Default role
  - Email notification with account data
- To enable the SCIM API, you must generate an OAuth bearer token
- After SCIM is enabled, these API credentials allow you to set up SCIM from Azure AD
Azure AD Enterprise Application
- If you are planning to use both User Provisioning and Single Sign-On, please check the manual for connecting Scoro and SSO and complete it before continuing with the SCIM configuration.
- If you don’t have SSO and are not planning to add it, please make sure that you have an Enterprise Application before continuing:
- In the Azure Portal, select Enterprise Applications and click New application.
- Click Create your own application.
- Give your application a Name, choose “Integrate any other application you don't find in the gallery (Non-gallery)” and click Create.
Configuring Azure AD Provisioning
Note! Azure AD has known issues with SCIM 2.0 protocol compliance and requires some extra configuration, which is explained in detail below. You can read more about the situation here.
- In the Manage tab of the new application, choose Provisioning.
- Choose the Automatic provisioning mode.
- Enter the Admin Credentials, which you will find on the Scoro SCIM setup page:
  - Tenant URL = Company base URL + “/?aadOptscim062020” (special flag for the Azure AD compliance fix)
  - Secret token = Bearer token
- Click Test Connection.
- If the credentials are correct, you will see a success message in the top right corner and you will be able to Save the settings.
Mapping user attributes
After you have successfully saved the credentials, you will need to configure the Mappings and Settings sections.
- Open Mappings to configure the mapping between Scoro and Azure AD
  - Disable Groups provisioning, since it is not supported by Scoro SCIM
  - Open Users provisioning to map the correct fields between Scoro and Azure AD.
  - Keep only the fields that can be synced with Scoro SCIM:
    - userType * (doesn’t exist by default)
    - Other listed attributes can be deleted because they can’t be updated in Scoro.
  - Configure/check the following fields:
    - Activate/deactivate users
      - Keep the Azure attribute Switch([IsSoftDeleted], , "False", "True", "True", "False") active
      - Keep the first letters of the values “True” and “False” capitalized
      - You can read more about application provisioning here
    - Update userType
      - Add a new mapping for userType
      - You can use the roles that are defined for your application or define new roles
      - The values that Scoro can use are “user” and “admin”
      - If the role names don’t match the roles in Scoro, the expression builder can be used to switch the values:
        - Example with Role: Switch([Role], , "Member", "user", "Admin", "admin")
      - Alternatively, you can remove the mapping and manage roles in Scoro only
    - Update emails and phoneNumbers
      - emails and phoneNumbers support only filtering by type (emails[type eq "work"].value and phoneNumbers[type eq "work"].value)
      - All other filter mappings are not supported
  - The complete list of mapped values
- Configure Settings
  - We recommend choosing Scope → “Sync only assigned users and groups”
  - You can also choose whether or not you want to receive email notifications
- Save the changes after you have added all the mappings
- You can enable/disable provisioning by choosing Start/Stop provisioning, or edit the details by choosing Edit provisioning
- User provisioning between Scoro and Azure AD is now configured.
Note! Active values have to be “True” and “False” with the first letter capitalized, otherwise on-demand provisioning can’t be enabled.
Note! Scoro SCIM supports only the “work” type filter for phoneNumbers and emails (emails[type eq "work"].value).
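The mapping rules above (the “/?aadOptscim062020” tenant URL flag, the capitalized “True”/“False” active values, the “user”/“admin” userType values and the work-type-only filter on emails and phoneNumbers) are easiest to sanity-check against a concrete SCIM User payload. The following is an added example written for this article, not Scoro's SCIM implementation or Azure AD's code: it shows how a receiving side would resolve a filtered path such as emails[type eq "work"].value, reject any other filter, and validate the active and userType values exactly as this page requires. The payload SAMPLE_USER and the function names (resolve_type_path, parse_active, parse_user_type, normalize_user, tenant_url) are constructed for the example.

```python
import re
from typing import Any, Dict, Optional

# Constructed sample of a SCIM 2.0 User in the shape Azure AD's provisioning
# service sends after the mappings in this article are applied. All values
# are made up for this example.
SAMPLE_USER: Dict[str, Any] = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "jane.doe@example.com",
    "active": "True",      # Switch([IsSoftDeleted], , "False", "True", "True", "False")
    "userType": "admin",   # Switch([Role], , "Member", "user", "Admin", "admin")
    "emails": [
        {"type": "home", "value": "jane@example.net"},
        {"type": "work", "value": "jane.doe@example.com", "primary": True},
    ],
    "phoneNumbers": [
        {"type": "mobile", "value": "+1-555-0100"},
        {"type": "work", "value": "+1-555-0101"},
    ],
}

# Only paths of the form attr[type eq "X"].value are accepted; any other filter
# (for example primary eq true) is rejected, matching the page's restriction.
_TYPE_FILTER_PATH = re.compile(
    r'^(?P<attr>[A-Za-z][A-Za-z0-9]*)\[type eq "(?P<type>[^"]+)"\]\.value$'
)

ALLOWED_USER_TYPES = {"user", "admin"}   # the two values Scoro accepts
AAD_COMPLIANCE_FLAG = "aadOptscim062020"  # query flag from the Tenant URL step


def resolve_type_path(user: Dict[str, Any], path: str) -> Optional[str]:
    """Return the .value of the first sub-attribute whose type matches, else None."""
    m = _TYPE_FILTER_PATH.match(path)
    if m is None:
        raise ValueError(f"unsupported SCIM path (only type filters are accepted): {path}")
    for entry in user.get(m["attr"]) or []:
        if isinstance(entry, dict) and entry.get("type") == m["type"]:
            return entry.get("value")
    return None


def parse_active(value: Any) -> bool:
    """Accept a JSON boolean or exactly the strings "True"/"False".

    Lower-case "true", numbers or empty values are rejected rather than guessed,
    which is what the capitalization requirement on this page implies.
    """
    if isinstance(value, bool):
        return value
    if value == "True":
        return True
    if value == "False":
        return False
    raise ValueError(f'active must be a boolean or "True"/"False", got {value!r}')


def parse_user_type(value: Any) -> str:
    """Allow only the userType values Scoro can use."""
    if value not in ALLOWED_USER_TYPES:
        raise ValueError(f"userType must be one of {sorted(ALLOWED_USER_TYPES)}, got {value!r}")
    return value


def normalize_user(user: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce an inbound SCIM User to the fields this article says are synced."""
    return {
        "userName": user["userName"],
        "active": parse_active(user.get("active")),
        "userType": parse_user_type(user.get("userType")),
        "email": resolve_type_path(user, 'emails[type eq "work"].value'),
        "phone": resolve_type_path(user, 'phoneNumbers[type eq "work"].value'),
    }


def tenant_url(company_base_url: str) -> str:
    """Build the Tenant URL for the Azure form: base URL + "/?aadOptscim062020"."""
    return company_base_url.rstrip("/") + "/?" + AAD_COMPLIANCE_FLAG


if __name__ == "__main__":
    print(tenant_url("https://example.scoro.com"))
    print(normalize_user(SAMPLE_USER))
```

Running the block prints the tenant URL with the compliance flag and the reduced user record; feeding it a payload with active set to "true" or a userType such as "Member" raises a ValueError, which is the failure you would otherwise only see as a provisioning error in the Azure portal.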