Enabling SCIM (Active Directory) for Astrato

Astrato Guide: Learn to integrate Azure for SSO and SCIM provisioning, manage users and groups, and configure enterprise applications.

Written by Piers Batchelor
Updated over a week ago

Definitions

SCIM: SCIM stands for System for Cross-domain Identity Management. It is a standardized protocol that automates user provisioning and deprovisioning across different systems and applications. SCIM provides a common framework for identity management, making it easier to manage user accounts and access rights centrally. It defines a set of RESTful APIs for creating, updating, and deleting user accounts, as well as querying user information. SCIM is widely used in enterprise environments to streamline user provisioning and ensure consistency across systems.

Active Directory: Active Directory (AD) is a directory service developed by Microsoft. It is used to manage and organize resources in a network environment, such as users, computers, and other network devices. Active Directory provides a centralized database that stores information about network resources and enables administrators to control access to these resources. It offers features such as user authentication, authorization, and policy enforcement. Active Directory is commonly used in Windows-based environments and is a key component of Microsoft's identity and access management solutions.

Important Information

User Management

  • We identify users by their email address.

  • A SCIM user can only have access to a single Astrato tenant.

  • After user control is handed over to SCIM, the origin will be changed from INTERNAL to SCIM.

  • If a user already exists in a SCIM-enabled tenant, the account will be converted to SCIM, and user control will be handed over to SCIM. Astrato will not allow that user to be disabled or deleted from the tenant.

  • When a user is imported from SCIM, they are automatically assigned the default role of "Viewer" in Astrato.

Group Management

  • We identify groups by name.

  • If a group with the same name already exists in a tenant, it will be converted to SCIM, and group control will be handed over to SCIM.

  • If a group has internal members, they will stay in that group marked with origin: INTERNAL.

  • All group members in a group synchronized by SCIM will be marked as SCIM.

  • If a user is already a member of the group, their membership will be converted to SCIM.

  • SCIM group members can only be managed by SCIM.

  • You can still add internal members to, and remove them from, a SCIM group.


How to configure Astrato SSO for Azure?

ℹ Important

  • Astrato SSO requires an existing Azure Enterprise application. To create it, see: How to create an Enterprise Application in Azure for SCIM Provisioning

  • Astrato requires the email address to be used as the user identifier and login credential. Make sure that your Azure users have the email field filled in. (Screenshot A)

Steps

  1. Administration → Enterprise Connection → View (Screenshot B)

  2. Login connection → New Connection

  3. Open ID Connect

  4. Go to the Setup tab and fill in the required fields → Create

  5. After the connection is created, a new section → Verification should be visible in the Setup tab

  6. Verify connection → you are redirected to the SSO provider login page

  7. You are redirected back to Astrato

Required Fields

  • Connection name: custom value to identify your connection

  • Issuer URL: https://login.microsoftonline.com/<tenantID>/v2.0, where <tenantID> is from Microsoft Entra ID → Overview

  • Client ID: from Microsoft Entra ID → Enterprise applications → Application ID

  • Client secret: see Generate client secret

  • Identity provider domain: unique identifier used on the "Sign in with SSO" login page

Screenshot A

Screenshot B

How to enable SCIM provisioning in Astrato?

Important

  • To enable SCIM provisioning in Astrato, Astrato SSO must be configured first; see: How to configure Astrato SSO for Azure

Steps

1. Navigate to Administration -> System Settings

2. Click Enable under the SCIM Provisioning section.

If the button is disabled and you see a warning, SSO is not enabled for your tenant. See the Important section above.

A popup shows the Base URL and the JWT Token. Save both values: they will not be shown again.

SCIM provisioning credentials

| Astrato → SCIM Details | Azure → Provisioning |
|------------------------|----------------------|
| Base URL               | Tenant URL           |
| JWT Token              | Secret Token         |


How to create an Enterprise Application in Azure for SCIM Provisioning?

1. Login to https://portal.azure.com/ with your personal account

2. Go to Microsoft Entra ID

3. Select from the left panel Enterprise applications

4. Add a new application

5. As Astrato's application is not yet in the gallery, integrate it manually with the Create your own application button

Select Integrate any other application you don't find in the gallery (Non-gallery) and click Create

6. Go back to Microsoft Entra ID and select from the left panel App registrations

7. Generate client secret

Save the secret value, as it is needed to create Astrato's SSO login connection

8. Select from the left panel Token configuration

9. Select from the left panel Authentication and add a platform with Redirect URIs →

10. Select from the left panel API permissions and Grant admin consent for Astrato

How do you configure provisioning for Astrato’s application in Azure?

ℹ Important

  • You need to create and verify a Login connection in Astrato (see How to configure Astrato SSO for Azure)

  • You need to enable SCIM provisioning for your Astrato tenant to obtain the JWT Token and Base URL (see How to enable SCIM provisioning in Astrato)

  • You need to create an Enterprise Application in Azure. If it is created as an App registration, an enterprise app with the same name will also appear, but it will say that provisioning is not supported (Screenshot C). To create an Enterprise Application in Azure, see How to create an Enterprise Application in Azure for SCIM Provisioning

  • When you re-enable the JWT Token, remember to update it in the Azure provisioning settings

  • Azure AD will provision only the users and groups that are assigned to the application in Azure. You can find them under Azure Entra ID -> Enterprise Applications -> Astrato Demo app -> Users and groups (Screenshot D)

Screenshot C

Screenshot D

Steps

  1. Go into: Azure Entra ID -> Enterprise Applications -> Astrato Demo app

  2. From the left panel, under Manage -> Provisioning, set Provisioning Mode to Automatic and expand the Admin Credentials section. Fill in Tenant URL with Astrato's Base URL and Secret Token with Astrato's JWT Token (see SCIM provisioning credentials in this document).

3. Click Test Connection and, if it succeeds, Save.

4. Saving displays the Mappings section on the same view; expand it.

5. Configure the mappings for provisioning

Provision Azure Active Directory Users

Astrato does not use most of the default attribute mappings. Delete the unnecessary mappings and update the remaining ones using the values from the table below.

| Mapping type | Source attribute (Azure Active Directory Attribute) | Target attribute (customappsso Attribute)                               |
|--------------|-----------------------------------------------------|-------------------------------------------------------------------------|
| Direct       | mail                                                | userName                                                                |
| Expression   | Not([IsSoftDeleted])                                | active                                                                  |
| Direct       | displayName                                         | displayName                                                             |
| Direct       | givenName                                           | name.givenName                                                          |
| Direct       | surname                                             | name.familyName                                                         |
| Direct       | objectId                                            | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber |

When this is done, the User Attribute mapping should look as below:

Provision Azure Active Directory Groups

As the next step, go back to the Provisioning setup and edit the attributes for Groups. Configure the group attribute mapping to contain only the attributes from the table and delete all other attributes, as Astrato will not recognize them.

ℹ Note

An attribute named urn:ietf:params:scim:schemas:extension:enterprise:2.0:Group:description does not exist by default. To create it, tick the Show advanced options checkbox and then click Edit attribute list for customappsso.

| Mapping type | Source attribute (Azure Active Directory Attribute) | Target attribute (customappsso Attribute)                             |
|--------------|-----------------------------------------------------|-----------------------------------------------------------------------|
| Direct       | displayName                                         | displayName                                                           |
| Direct       | objectId                                            | externalId                                                            |
| Direct       | members                                             | members                                                               |
| Direct       | description                                         | urn:ietf:params:scim:schemas:extension:enterprise:2.0:Group:description |

When the group mapping is done, it should look like the screenshot below:
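To make the two mapping tables concrete, here is an added example (not Astrato's or Microsoft's code) that applies the user and group mappings to constructed Entra records and produces the SCIM 2.0 payloads Azure would send to the Astrato Base URL; the Entra records, the hypothetical field names on them (mail, IsSoftDeleted, members as already-provisioned SCIM user ids) and the hard failure on a missing mail attribute are assumptions made for the example.

```python
"""Added example: apply the Azure -> customappsso attribute mappings above to
constructed Entra user/group records and build the resulting SCIM 2.0 payloads."""
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"
ENT_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
ENT_GROUP = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:Group"


def map_user(entra_user: dict) -> dict:
    """User mapping table: mail->userName, Not([IsSoftDeleted])->active, ..."""
    mail = entra_user.get("mail")
    if not mail:
        # Astrato identifies users and logs them in by email, so an Entra user
        # with an empty mail field cannot be provisioned: fail before sending.
        raise ValueError(f"user {entra_user.get('objectId')} has no mail attribute")
    return {
        "schemas": [SCIM_USER, ENT_USER],
        "userName": mail,
        "active": not entra_user.get("IsSoftDeleted", False),  # Expression mapping
        "displayName": entra_user.get("displayName"),
        "name": {"givenName": entra_user.get("givenName"),
                 "familyName": entra_user.get("surname")},
        ENT_USER: {"employeeNumber": entra_user["objectId"]},
    }


def map_group(entra_group: dict) -> dict:
    """Group mapping table, including the custom enterprise description attribute."""
    return {
        "schemas": [SCIM_GROUP, ENT_GROUP],
        "displayName": entra_group["displayName"],
        "externalId": entra_group["objectId"],
        # assumption: members already hold the SCIM ids of provisioned users
        "members": [{"value": m} for m in entra_group.get("members", [])],
        ENT_GROUP: {"description": entra_group.get("description", "")},
    }


# Constructed sample records (not real tenant data).
SAMPLE_USER = {"objectId": "11111111-2222-3333-4444-555555555555",
               "mail": "ada@example.com", "displayName": "Ada Lovelace",
               "givenName": "Ada", "surname": "Lovelace", "IsSoftDeleted": False}
SAMPLE_GROUP = {"objectId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
                "displayName": "Analysts", "description": "BI analysts",
                "members": ["scim-user-1", "scim-user-2"]}

if __name__ == "__main__":
    import json
    print(json.dumps(map_user(SAMPLE_USER), indent=2))
    print(json.dumps(map_group(SAMPLE_GROUP), indent=2))
```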

Automatic provisioning of users and groups in Azure can take about 40 minutes to start. If you want to test your configuration sooner, you can also use Provision on demand from the left menu and manually provision data to Astrato.

When users are provisioned to Astrato, you will notice that their Origin changed from Internal to SCIM.

After the SCIM mapping is configured, enable SCIM either by changing Provisioning Status to On under Provisioning -> Manage -> Provisioning or by clicking Start provisioning on the Provisioning Overview. Once started, you can see the status either there or by visiting Provisioning logs.

You can then watch the Provisioning logs to see how the process works.

Astrato may return a failure for several reasons:

  • The user already exists in a different tenant that SCIM does not control. To fix it, see How can I add an existing Astrato user to the SCIM tenant?

  • The JWT Token used by Azure is invalid. To fix it, see the section How do you configure provisioning for Astrato’s application in Azure and update the Admin credentials.


How can I add an existing Astrato user to the SCIM tenant?

If a SCIM user already exists in a different tenant, their tenant membership can be transferred manually by using the login URL of the tenant they want to join. Copy the login URL from the login connection as described below and provide it to the user.

  1. You need a Login URL to the SSO tenant:

    1. Administration → Enterprise Connection → View

    2. Login connection → Edit

    3. Setup tab → Login URL
