Skip to main content
All CollectionsAdministrationEnterprise Authentication
Enabling SCIM (Active Directory) for Astrato
Enabling SCIM (Active Directory) for Astrato

Astrato Guide: Learn to integrate Azure for SSO and SCIM provisioning, manage users and groups, and configure enterprise applications.

Piers Batchelor avatar
Written by Piers Batchelor
Updated over a year ago

Contents


Definitions

SCIM: SCIM stands for System for Cross-domain Identity Management. It is a standardized protocol that allows for the automation of user provisioning and deprovisioning across different systems and applications. SCIM provides a common framework for identity management, making it easier to manage user accounts and access rights in a centralized manner. It defines a set of RESTful APIs for creating, updating, and deleting user accounts, as well as querying user information. SCIM is widely used in enterprise environments to streamline user provisioning processes and ensure consistency across different systems .

Active Directory: Active Directory (AD) is a directory service developed by Microsoft. It is used to manage and organize resources in a network environment, such as users, computers, and other network devices. Active Directory provides a centralized database that stores information about network resources and enables administrators to control access to these resources. It offers features such as user authentication, authorization, and policy enforcement. Active Directory is commonly used in Windows-based environments and is a key component of Microsoft's identity and access management solutions.

Important Information

User Management

  • We identify users by their email address.

  • A SCIM user can only have access to a single Astrato tenant.

  • After user control is handed over to SCIM, the origin will be changed from INTERNAL to SCIM.

  • If a user already exists as a SCIM tenant, the account will be converted to SCIM, and user control will be handed over to SCIM. Astrato will not allow for disabling/deleting that user from the tenant.

  • When a user is imported from SCIM, they are automatically assigned the default role of "Viewer" in Astrato.

Group Management

  • We identify groups by name

  • If a group with the same name exists in a tenant, it will be converted to a SCIM, and the group control will be handed over to SCIM.

  • If a group has internal members, they will stay in that group marked with origin: INTERNAL.

  • All group members in a group synchronized by SCIM will be marked as SCIM.

  • If a user exists as a group member already, his membership will be converted to SCIM.

  • SCIM group members can only be managed by SCIM.

  • You have the ability to add/delete internal group members to the SCIM group.


How to configure Astrato SSO for Azure?

ℹ Important

  • Astrato SSO requires existing Azure’s Enterprise application. To create it see: How to create an Enterprise Application in Azure for SCIM Provisioning

  • Astrato requires email to be used as user identifier and a login credential. Please make sure that your azure users have an email field filled. (Screenshot A)

Steps

  1. Administration → Enterprise Connection → View (Screenshot B)

  2. Login connection → New Connection

  3. Open ID Connect

  4. Go to the Setup tab and fill in the required fields → Create

  5. After the creation of the connection, in the Setup tab should be visible a new section → Verification

  6. Verify connection → redirection to SSO provider login page

  7. Back to Astrato

Required Fields

  • Connection name: custom value to identify your connection

  • Issuer URL: https://login.microsoftonline.com/<tenantID>/v2.0, where <tenantID> is from Microsoft Entra ID → Overview

  • Client ID is from Microsoft Entra ID → Enterprise applications → Application ID

  • Client secret → see: Generate client secret

  • Identity provider domain: unique identifier to use on Sign with sso login page

Screenshot A

Screenshot B

How to enable SCIM provisioning in Astrato?

Important

  • To enable SCIM provisioning in Astrato it’s required to create Astrato SSO see: How to configure Astrato SSO for Azure

Steps

1. Navigate to Administration -> System Settings

2. Click enable under SCIM Provisioning section.

If the button is disabled and you see a warning, that means SSO is not enabled for your tenant. See Important section.

It should show a popup with Base Url and JWT Token. Save those values as they won't be visible anymore.

SCIM provisioning credentials

Astrato → SCIM Details

Azure → Provisioning

Base URL

Tenant URL

JWT Token

Secret Token


How to create an Enterprise Application in Azure for SCIM Provisioning?

1. Login to https://portal.azure.com/ with your personal account

2. Go to Microsoft Enter ID

3. Select from the left panel Enterprise applications

4. Add a new application

5. As Astrato's application has not yet been integrated into the gallery, integrate it manually by Create your own application button

Select Integrate any other application you don't find in the gallery (Non-gallery) and click Create

6. Go back to Microsoft Entra ID and select from the left panel App registrations

7. Generate client secret

Save the secret value as it will be needed to create Astrato's SSO login connection

8. Select from the left panel Token configuration

9. Select from the left panel Authentication and add platform with Redirect URIs →

10. Select from the left panel API permissions and Grant admin consent for Astrato

How do you configure provisioning for Astrato’s application in Azure?

ℹ Important

  • You need to create and verify Login connection in Astrato (see How to configure Astrato SSO for Azure)

  • You need to enable SCIM provisioning for your Astrato Tenant to obtain JWT Token and Base Url (see How to enable SCIM provisioning in Astrato)

  • You need to create an Enterprise Application in Azure. If it’s created as App registration, an enterprise app with the same name will also appear, however it will say that provisioning is not supported. (Screenshot C). To create Enterprise Application in Azure see (How to create an Enterprise Application in Azure for SCIM Provisioning)

  • When you re-enable JWT Token remember to change it in Azure provisioning

  • Azure AD will provision only those users and groups that are assigned into Azure. You can find it under Azure Entra ID -> Enterprise Applications -> Astrato Demo app -> Users and groups (Screenshot D)

Screenshot C

Screenshot D

Steps

  1. Go into: Azure Entra ID -> Enterprise Applications -> Astrato Demo app

  2. From the left panel under Manage -> Provisioning select Provisioning Mode Automatic and expand the Admin Credentials section where you need to fill a Tenant URL and a Secret Token from Astrato Base URL and JWT Token. Look for Scim provisioning credentials in this document to get more insights.

3. Test Connection, and if it works, Save.

4. Saving should result in displaying the Mapping section, which needs to be expanded on the same view.

5. Mapping for provisioning

Provision Azure Active Directory Users

Astrato doesn’t use most of the default parameters mapping. Please delete unnecessary mappings and update existing ones using values from the table below.

Mapping type

Source attribute

(Azure Active Directory Attribute)

Target attribute

(customappsso Attribute)

Direct

mail

userName

Expression

Not([IsSoftDeleted])

active

Direct

displayName

displayName

Direct

givenName

name.givenName

Direct

surname

name.familyName

Direct

objectId

urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber

When it’s done. User Attribute mapping should look as below:

Provision Azure Active Directory Groups

As a next step, come back to the Provisioning setup and edit attributes for Groups. Please configure group attribute mapping to contain only the attributes from the table and delete all unnecessary attributes as Astrato won’t recognize them.

ℹ Note

An attribute named urn:ietf:params:scim:schemas:extension:enterprise:2.0:Group:description doesn’t exist by default. To create it click on a checkbox Show advanced options and then click Edit attribute list for customappsso

Mapping type

Source attribute

(Azure Active Directory Attribute)

Target attribute

(customappsso Attribute)

Direct

displayName

displayName

Direct

objectId

externalId

Direct

members

members

Direct

description

urn:ietf:params:scim:schemas:extension:enterprise:2.0:Group:description

When groups mapping is done it should look the same as on a screenshot below:

Automatic provisioning of users and groups in Azure can take about 40 minutes to start. If you want to test your configs can also use Provision on demand from the left menu and manually provision data to Astrato.

When users get provisioned to Astrato you will notice that they Origin changed from Internal to SCIM

After SCIM mapping is configured there is a need to enable SCIM either by changing Provisioning Status to On under Provisioning -> Manage-> Provisioning or by clicking Start provisioning on a Provisioning Overview. When it’s started, you will be able to see the status either here or by visiting Provisioning logs.

You can watch then Provision Logs and see how the process works

Astrato may return failure due to several reasons:

  • Failure is caused by a user already existing in a different tenant where SCIM has no control. To fix it see How can I add an existing Astrato user to the SCIM tenant?

  • JWT Token used by Azure is invalid. To fix it see section: How do you configure provisioning for Astrato’s application in Azure and update Admin credentials.


How can I add an existing Astrato user to the SCIM tenant?

If a SCIM user already exists in a different tenant, it’s allowed to transfer his tenant membership manually by using login URL to the tenant he wants to join. Copy login URL from a login connection as below and provide it to the user.

  1. You need a Login URL to the SSO tenant:

    1. Administration → Enterprise Connection → View

    2. Login connection → Edit

    3. Setup tab → Login URL

Did this answer your question?