
How to set up SCIM with Microsoft Entra ID

About this article

This article provides instructions on how to set up SCIM within the Microsoft Entra ID SAML2 and OpenID Connect single sign-on applications.

 

Prerequisites

 
  • OpenID Connect or SAML2 application configured
  • Owner access to Templafy tenant
  • Global Admin rights to the Azure tenant
  • Public API module enabled

 

1. Generate the SCIM (Secret) Token

  1. Ensure the Public API module has been enabled in the Templafy Admin Center
  2. Navigate to the Account section
  3. In the API Keys tab, click Create key
  4. Provide a name for the key
  5. Click Next
  6. Click Add scope and select scim
  7. Click Create
  8. Click Copy key for use in step 2 below


 
  • Keys are unique and non-recoverable. If you lose a key, you will have to generate a new one.
  • The name of a key cannot be edited after its creation.

 

 

 

2. Configure SCIM in Microsoft Entra ID

  1. Open the Templafy OpenID Connect or SAML2 enterprise application in Microsoft Entra ID
  2. Navigate to the Provisioning tab
  3. Select Automatic in the Provisioning Mode dropdown
  4. Under the Admin Credentials section, fill in the Tenant URL and Secret token
  5. Click Test connection
  6. Once the connection has been established, Save the configuration
  7. Return to the main application screen


 

3. Assign User or User Groups to the SCIM application

  1. Open the Templafy OpenID Connect or SAML2 enterprise application in Microsoft Entra ID
  2. Navigate to the Users and groups tab
  3. Click Add user/group on the top ribbon
  4. Under Users and groups, click None selected 
  5. Search for the user or group
  6. Click the user or group and then click the blue Select button
  7. Click Assign


 

4. (SAML2 Only) Verify the Attribute Mappings within the SCIM Configuration

 
  • If using SAML2 SSO, the attribute mappings in SCIM should be the same as the attributes mapped in single sign-on.
  • If a user's e-mail address differs from their UPN, edit the SCIM attribute mappings to send the e-mail attribute instead of the UPN.
  1. Open the Templafy SAML2 enterprise application in Microsoft Entra ID
  2. Navigate to the Provisioning tab
  3. Click Edit attribute mappings
  4. Scroll down to the Mappings section
  5. Click on Provision Microsoft Entra ID Users
  6. Click on the attribute to re-map 
    • For example, to change the mapping from UPN to e-mail:
      • Under Source attribute, find the mail attribute and click Ok at the bottom
  7. Save the changes 
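
Before changing the mapping in step 4, it helps to know which users have a UPN that differs from their e-mail address. The following Python script is an added example, not part of Templafy's or Microsoft's documentation; the CSV column names (`userPrincipalName`, `mail`) and the sample rows are constructed assumptions standing in for a user export from your directory.

```python
import csv
import io

# Constructed sample export. Column names are assumptions; adjust to your export.
SAMPLE_EXPORT = """userPrincipalName,mail
anna.berg@contoso.example,anna.berg@contoso.example
Bo.Chen@contoso.example,bo.chen@contoso.example
carla@corp.contoso.example,carla.diaz@contoso.example
dev-svc@contoso.example,
"""


def classify(upn, mail):
    """Compare the two candidate source attributes for one user."""
    upn, mail = upn.strip(), mail.strip()
    if not mail:
        return "no_mail"    # mail is empty, so a mail-based mapping has nothing to send
    if upn == mail:
        return "match"      # either attribute yields the same identifier
    if upn.casefold() == mail.casefold():
        return "case_only"  # same address, different casing: review manually
    return "differs"        # SCIM has to send the same attribute as single sign-on


def audit(csv_text):
    """Return {status: [upn, ...]} for every row in the export."""
    report = {"match": [], "case_only": [], "differs": [], "no_mail": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        upn = row.get("userPrincipalName") or ""
        report[classify(upn, row.get("mail") or "")].append(upn)
    return report


if __name__ == "__main__":
    for status, users in audit(SAMPLE_EXPORT).items():
        print(f"{status}: {len(users)}")
        for upn in users:
            print(f"  {upn}")
```

Users reported under `differs` or `no_mail` are the ones to check with Provision on demand (step 6) before starting the initial synchronization.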


 

5. (SAML2 Only) Mapping of Custom Claims

 
  • Custom claims are only supported with SAML2 and not with OpenID Connect.
  • OpenID Connect does not provide custom claim attributes and will therefore overwrite the ones received via SCIM 2.0.
  1. Open the Templafy SAML2 enterprise application in Microsoft Entra ID
  2. Navigate to the Provisioning tab
  3. Click Edit attribute mappings
  4. Scroll down to the Mappings section
  5. Select Provision Microsoft Entra ID Users
  6. Click Add New Mapping
  7. In the Target attribute field, choose a Templafy custom claim, and in the Source attribute field, select the attribute that should be sent with it.

 

6. Test SCIM using Provision on demand

It is important to test SCIM with a user prior to running the initial synchronization to ensure the user is successfully created in Templafy with accurate AD claim data.

In order to use the Provision on demand feature, the user must already be assigned to the application. This feature does not support provisioning of groups, only users.

  1. Open the Templafy OpenID Connect or SAML2 enterprise application in Microsoft Entra ID
  2. Navigate to the Provisioning tab
  3. Click Provision on demand on the top ribbon
  4. Search for the user you want to provision on-demand
  5. Select the user
  6. Click Provision

After the user is provisioned, export details are shown along with other useful information about the provision including scoping, matching, and action details.


 

7. Enable SCIM

  1. Open the Templafy OpenID Connect or SAML2 enterprise application in Microsoft Entra ID

  2. Navigate to the Provisioning tab

  3. Click Start provisioning on the top bar

When you start provisioning, all users or groups who are assigned to the application are synced into your Templafy tenant. Once the initial sync is finished, you can review the Provisioning logs to check the status of the sync (who was synced and who was not synced).


 

 
