How to set up SCIM with Azure AD for Templafy Hive?

About this article

This article is about how to set up SCIM (automatic user provisioning) within the Azure AD SAML2 and OpenID Connect single sign-on applications.

1. Configure SCIM in Azure AD
2. Assign User or User Groups to the SCIM application
3. Verify the attribute mappings within the SCIM configuration
4. Mapping of custom claims
5. Test SCIM using Provision on-demand
6. Enable SCIM
7. Known Limitations of Microsoft Entra ID

Prerequisites

OpenID Connect or SAML2 application configured Owner access to Templafy tenant Global Admin rights to Azure AD tenant Public API module(s) enabled

 

It is important to remember to edit the SCIM attribute mappings to send the e-mail attribute instead of the UPN if they are different Only the Active Directory groups that are assigned to the SCIM application will be sent to Templafy Existing users on your Templafy tenant that are deleted from your Identity Provider (in this case Azure AD) prior to configuration, will not get deleted from your Templafy tenant after the configuration Deactivating users in AzureAD will de-provision (delete) them in Templafy, activating them will provision (create) them

 

1. Configure SCIM in Azure AD

1. Open the Templafy OpenID Connect or SAML2 enterprise application in Azure AD
2. Navigate to the Provisioning tab
3. Select Automatic in the Provisioning Mode dropdown
4. Under the Admin Credentials section, fill in the Tenant URL and Secret token
   • Tenant URL format is - https://[templafytenantid].api.templafy.com/v1/scim/
   • The Secret token is available when creating the SCIM API key in the Templafy tenant (support article about how to create the SCIM API key)
5. Click Test connection
6. Once the connection has been established, Save the configuration
7. Return to the main application screen

 

2. Assign User or User Groups to the SCIM application

1. Open the Templafy OpenID Connect or SAML2 enterprise application in Azure AD
2. Navigate to the Users and groups tab
3. Click Add user/group on the top ribbon
4. Under Users and groups, click None selected 
5. Search for the user or group
6. Click the user or group and then click the blue Select button
7. Click Assign

 

3. Verify the attribute mappings within the SCIM configuration

*Note: If using SAML2 SSO, the attribute mappings in SCIM should be the same as the attributes mapped in normal single sign-on. 

This is particularly important when the UPN (User Principle Name) and E-mail address are different. It is best practice to create users in Templafy with the e-mail as opposed to the UPN. This is the example I show in the video below. 

1. Open the Templafy OpenID Connect or SAML2 enterprise application in Azure AD
2. Navigate to the Provisioning tab
3. Click Edit attribute mappings
4. Scroll down to the Mappings section
5. Click on Provision Azure Active Directory Users
6. Scroll down to the attribute mappings
7. Click on the attribute you want to re-map 
   • In this case, I want to update the UPN to e-mail
8. Under Source attribute, find the mail attribute and click Ok at the bottom
9. Save the change 

 

4. Mapping of custom claims

Note: Custom claims are currently only supported with the SAML2 and not with the OpenID Connect protocol. OpenID Connect does not provide custom claims attributes and will therefore overwrite the ones received via SCIM 2.0.

1. Open the Templafy SAML2 enterprise application in Azure AD
2. Navigate to the Provisioning tab
3. Click Edit attribute mappings
4. Scroll down to the Mappings section
5. Select Provision Azure Active Directory Users
6. Click Add New Mapping
7. Within the Target attribute choose a Templafy custom claim and select the attribute that should be send with it in the Source attribute.
   
   

 

5. Test SCIM using Provision on-demand

*Note: SCIM has not been enabled yet. It is important to test SCIM with a user prior to running the initial synchronization to ensure the user is successfully created in Templafy with accurate AD claim data

In order to use the Provision on demand feature, the user must already be assigned to the application. This feature does not support provisioning of groups, only users

1. Open the Templafy OpenID Connect or SAML2 enterprise application in Azure AD
2. Navigate to the Provisioning tab
3. Click Provision on demand on the top ribbon
4. Search for the user you want to provision on-demand
5. Select the user
6. Click Provision

After the user is provisioned, export details are shown along with other useful information about the provision including scoping, matching, and action details

 

6. Enable SCIM

Before enabling SCIM, make sure that the appropriate users or groups are assigned to the application. It is these users or groups that will then be added to your Templafy tenant.

1. Open the Templafy OpenID Connect or SAML2 enterprise application in Azure AD

2. Navigate to the Provisioning tab

3. Click Start provisioning on the top bar

When you start provisioning, all users or groups who are assigned to the application will then be synched into your Templafy tenant. Once The initial sync is finished, you are able to check the Provisioning logs to check the status of the synch (who was synched and who was not synched). 

 

7. Known Limitations of Microsoft Entra ID

"Microsofts Entra ID currently can't provision null attributes. If an attribute is null on the user object, it will be skipped." 

In practical terms, this means that if a particular Azure AD user attribute is set to null or has no value when provisioning a new user account or updating an existing one, Azure will not handle it as expected; instead, it will ignore that attribute. For more information, please refer to the Microsoft documentation.

Please note that this limitation is specific to Azure AD SCIM and does not affect the authentication flow.

 

 

Related articles

How to generate the token for SCIM in Templafy Hive What is SCIM and how does it work?