General information
SCIM - an alternative to Directory Sync
SCIM stands for System for Cross-Domain Identity Management, an open standard (RFC 7643 and RFC 7644) for automatically provisioning user information. In contrast to the previously used Directory Sync, with SCIM the information is no longer actively requested by empower®; instead, the directory service pushes the data to empower® whenever the information to be transferred changes.
Advantages of SCIM
- empower® does not require any access rights to the user directory.
- Filtering is configured in the directory service itself.
- The directory service is not regularly loaded as long as no changes are made.
How SCIM works
Unlike Directory Sync, SCIM works according to a push procedure.
The data is not actively queried by empower®. With SCIM, Microsoft Entra ID automatically forwards changes to users or user groups to the empower® SCIM endpoint.
Setting up the SCIM API
An app registration must first be created in the Azure portal. The creation of this app registration is described below. Please note: These steps must be carried out before using the empower® Installer.
- Search for “Microsoft Entra ID” in the Azure portal and select the service.
- Select the Enterprise applications tab in the bar on the left.
- Click on the New application button.
- Click on the Create your own application button.
- Enter a name for the application.
- Click on the Create button.
Editing the attribute mappings
To set up SCIM, it is also necessary to adjust the attribute mappings. This is not necessary for Directory Sync. There are two attribute mappings in the Mappings section: one for users and one for groups. The standard attribute mappings must be adapted for empower®. To do this, proceed as follows:
- In the application-specific overview, select Provisioning and, in the Manage Provisioning section, click Edit Mappings.
- Then click on the Provision Azure Directory Users link in the Mappings section.
- Change the mapping for externalId to objectId. By default, the mail nickname (mailNickname) is used here; the objectId is the stable identifier that empower® uses to match a pushed user.
- Click on Ok.
- When you have completed the configuration, set the Provisioning Status to On.
- To activate the Entra ID provisioning service, click Save.
Saving the values for the Enterprise Application
For the installation of the empower® backend, the values Application ID and Directory ID are required in the backend installer. It therefore makes sense to save these values when creating the Enterprise Application. To do this, proceed as follows:
- After creating the Enterprise Application, switch to the general overview of the Microsoft Entra ID directory.
- Then select the App registrations tab in the bar on the left. The newly created Enterprise Application is now displayed.
- Select the Enterprise Application you have just created. You will be redirected to the application-specific overview.
- Save the Application (client) ID (application ID) and the Directory (tenant) ID (directory ID).
Redirection URIs
Redirect URIs tell Microsoft Entra ID where the user's browser, together with the issued tokens, may be sent after successful authentication. Entra ID only redirects to URIs that have been registered beforehand and requires an exact match, so register exactly the URIs listed below (HTTPS, no wildcards, no trailing slash unless shown). To do this, proceed as follows:
- Select the Authentication tab in the bar on the left of the application-specific overview.
- Click on the Add a platform button.
- Under Web applications, select the Web option.
- On the Redirect URIs page, enter the first of the following three redirect URIs for your empower® environment:
  https://<DNS_NAME>/empower/identityservice/signin-oidc
  https://<DNS_NAME>/empower/identityservice/grants
  https://<DNS_NAME>/empower/identityservice
  “<DNS_NAME>” corresponds to the DNS name of your empower® environment. The remaining two URIs are added in the following steps.
- Click on the Configure button. Further redirection URIs can now be added under Web.
- To add the two missing URIs, click on Add URIs.
Activate Implicit Flow
Implicit Flow is used as the login method for empower® up to and including version 9.2, so it must be activated in the Azure portal for these versions. Because the implicit flow returns tokens in the browser URL fragment, only enable it if your empower® version requires it.
- In the Authentication tab, activate the Implicit Flow by enabling the Access tokens and ID tokens options.
- Click on the Save button.
Client Secret
empower® also requires a valid client secret to be able to perform the user login. Set up a client secret in the following steps.
- Select the Certificates and Secrets tab in the bar on the left of the application-specific overview.
- Click on the New client secret button.
- Enter a description for the new client secret.
- Set the expiry of the client secret according to the guidelines of the client company, and note the expiry date: once the secret expires, user login fails until a new secret has been created and configured.
- Click on the Add button.
- Copy the client secret value immediately and store it securely, for example in a secrets vault. The client secret is only visible once, and anyone who holds it can authenticate as this application.
Permissions for SCIM
Then adjust the API permissions for the application. With SCIM, empower® does not read the directory itself (the users and groups are pushed by Entra ID), but the user login still needs the delegated Microsoft Graph permission that lets empower® read the profile of the signed-in user. Without it, the login is not possible.
The following permission is always required for the user login:
- User.Read
- Select the API permissions tab in the bar on the left of the application-specific overview.
- Click on the Add a permission button.
- Select Microsoft Graph.
- Select Delegated permissions.
- In the following list, activate User.Read.
- Click on the Add permissions button. You will return to the overview page. User.Read normally does not require admin consent; if your tenant restricts user consent, grant admin consent for the tenant on this page.
Additional settings for SCIM
Additional settings must be made for SCIM as a provisioning method. Please note: These settings can only be made after the empower® Installer has been run and SCIM has been set up with it, because the Tenant URL and Secret Token it generates are required here. If you want to use SCIM as a provisioning method, proceed as follows:
- Switch to the application-specific overview.
- Select the Provisioning tab in the bar on the left of the application-specific overview.
- For Provisioning Mode, select Automatic from the drop-down menu.
- In the Tenant URL field, enter the URL of the SCIM endpoint which was generated by the empower® Installer for the application, in the following format:
  https://<DNS_NAME>/empower/scimapi/scim
- In the Secret Token field, enter the token that was generated by the empower® Installer. Entra ID sends this token as the bearer token with every SCIM request, so treat it like a password and store it only in the provisioning configuration and your secrets vault.
- To test the connection, click on Test Connection. If the test fails, an error message is displayed; check that the endpoint is reachable by the Entra provisioning service over HTTPS and that the token matches the one generated by the Installer.
- If the test is successful, click Save.