This article walks you through the steps required to enable and configure SCIM provisioning for your Entra/Azure environment:
- Enable SCIM
- Remove unsupported attributes
- Secure Code Warrior Custom Attributes (Teams, Roles, and Tags)
Enable SCIM
Before you start, generate a SCIM API key using the instructions in this article: Automated User Provisioning with SCIM.
Step 1
Click "Enterprise apps" in the side navigation bar and select your Secure Code Warrior application.
Step 2
Next, click "Provisioning" in the side bar and select "New configuration".
Step 3
This opens the provisioning configuration. Enter the Tenant URL and the Secret token (the SCIM API key).
| Field | Value |
| Tenant URL | |
| Secret Token | Enter the SCIM API Key |
Click the "Test connection" button, then click "Create".
Step 4
Navigate to "Attribute mapping" and select "Provision Microsoft Entra ID Users"
Ensure that "Create" and "Update" are selected.
Note: "Delete" can also be enabled; however, this means that users will be deleted from the platform. If you would rather have users disabled instead, keep it unticked.
Remove unsupported attributes
- Navigate to "Provisioning" > "Attribute mapping"
- Select "Provision Microsoft Entra ID Users"
- Scroll down to the "Attribute Mappings" section, remove all unsupported attributes, and keep the standard attributes that are currently supported.
All supported attributes are listed in this article: Automated User Provisioning with SCIM.
At this point, your Entra/Azure application has been configured for basic user provisioning and de-provisioning.
In this basic setup:
- Newly provisioned users will be created with the developer role in the Default Team.
- User updates will only update the user's email address, first name, and last name.
- When users are removed from the SCW application in Entra/Azure, they are de-provisioned from SCW by setting their account status to disabled (this applies when "Delete" is unticked; if it is ticked, the user's account is deleted instead).
- If a de-provisioned user is given access again, their existing account is re-enabled (only if the account has not been deleted).
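To make the three behaviours above concrete, here is an added example (not SCW's or Microsoft's code) of a minimal in-memory SCIM service provider that models the basic setup: new users get the developer role in the Default Team, updates only touch email and name, and removal either disables or deletes the account depending on the "Delete" setting. The `Account` fields, the payload and the e-mail addresses are constructed for illustration; the real SCW endpoint and its storage are not shown, and the PATCH body is simplified to a dict of changed attributes rather than a SCIM PatchOp.

```python
# Added example (not SCW's or Microsoft's code): a minimal in-memory SCIM
# service provider that models the basic-setup behaviour described above.
# Account fields, the "Default Team" name and the payload are constructed.
from __future__ import annotations

from dataclasses import dataclass

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed sample of what an IdP sends on POST /Users for a new user.
CREATE_PAYLOAD = {
    "schemas": [SCIM_USER_SCHEMA],
    "userName": "alice@example.com",
    "name": {"givenName": "Alice", "familyName": "Smith"},
    "emails": [{"value": "alice@example.com", "primary": True}],
    "active": True,
}


@dataclass
class Account:
    email: str
    first_name: str
    last_name: str
    role: str = "developer"      # basic setup: every new user is a developer
    team: str = "Default Team"   # basic setup: every new user lands in the Default Team
    active: bool = True


class ScimServiceProvider:
    """Service-provider side of the operations Entra performs."""

    def __init__(self, delete_on_deprovision: bool = False) -> None:
        # Mirrors the "Delete" tick box under the target object actions.
        self.delete_on_deprovision = delete_on_deprovision
        self.accounts: dict[str, Account] = {}

    def create_user(self, payload: dict) -> Account:
        """POST /Users. Re-granting access to a disabled account re-enables it."""
        email = payload["userName"]
        existing = self.accounts.get(email)
        if existing is not None:
            existing.active = True
            return existing
        account = Account(
            email=email,
            first_name=payload["name"]["givenName"],
            last_name=payload["name"]["familyName"],
        )
        self.accounts[email] = account
        return account

    def update_user(self, email: str, changes: dict) -> Account:
        """PATCH /Users/{id}, simplified to a dict of changed attributes.
        Only email, first name and last name are applied; anything else
        in the request is ignored in the basic setup."""
        account = self.accounts[email]
        name = changes.get("name", {})
        account.first_name = name.get("givenName", account.first_name)
        account.last_name = name.get("familyName", account.last_name)
        new_email = changes.get("userName")
        if new_email and new_email != email:
            account.email = new_email
            self.accounts[new_email] = self.accounts.pop(email)
        return account

    def deprovision_user(self, email: str) -> Account | None:
        """Called when the user is removed from the app in Entra."""
        if self.delete_on_deprovision:
            return self.accounts.pop(email, None)  # DELETE /Users/{id}: account is gone
        account = self.accounts[email]
        account.active = False                    # PATCH active=false: kept but disabled
        return account


def lifecycle(delete_on_deprovision: bool) -> tuple[bool, bool, str]:
    """Provision, remove, then re-grant access; report whether the account
    survived removal, whether it is active afterwards, and its role."""
    sp = ScimServiceProvider(delete_on_deprovision)
    sp.create_user(CREATE_PAYLOAD)
    sp.deprovision_user(CREATE_PAYLOAD["userName"])
    survived = CREATE_PAYLOAD["userName"] in sp.accounts
    account = sp.create_user(CREATE_PAYLOAD)  # access granted again
    return survived, account.active, account.role


if __name__ == "__main__":
    print("disable mode:", lifecycle(False))  # (True, True, 'developer')
    print("delete mode: ", lifecycle(True))   # (False, True, 'developer')
```

Run `lifecycle(False)` and `lifecycle(True)` side by side: with "Delete" unticked the original account survives removal and is simply re-enabled, whereas with "Delete" ticked a fresh account is created on re-grant, which is why the note above recommends leaving it unticked if you want to preserve user history.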
Secure Code Warrior Custom Attributes (Teams, Roles, and Tags)
You can use SCIM to manage Teams, Roles, and Tags (optional) in Secure Code Warrior.
Note: Entra/Azure offers several ways to set up attributes to send the relevant information. In this article, we'll show how to send the Role using app roles and expressions, and how to send the Team as the "department" field in the attributes.
Step 1
Start by creating app roles within the application.
- Click "App registrations" on the left-hand side
- Select the app that was created, in this case "Secure Code Warrior"
- Click "App roles" and "Create App role"
- Create a role for each of the available roles: Company Admin, Team Manager, and Developer.
Note: A role value cannot contain spaces, so the three roles will have the following properties.
| Display name | Allowed Member types | Value | Description |
| Company Admin | Users/Groups | CompanyAdmin | Company admin access to SCW |
| Team Manager | Users/Groups | TeamManager | Team Manager access to SCW |
| Developer | Users/Groups | Developer | Developer access to SCW |
Step 2
Next, you will need to create a corresponding group for each app role and assign it to the application.
- Navigate to Enterprise apps > select the application > Users and groups
- Click Add Group
- Add a group for each role:
  - Company Admin
  - Team Manager
  - Developer
- Make sure each group is assigned to the application
Once the groups are added to the application, assign the appropriate app role to each group.
- Select the check box for the group you want to assign a role to
- Click "Edit assignment"
- A new window will open where you can click "Select a role"
- Choose the appropriate app role to assign to that group.
- Repeat the process for all remaining roles
Note: If you would like to see how groups can be created and added, please have a look at our SSO setup guide for Entra/Azure, specifically the Create groups section.
Example screenshot that shows a group for each Role and the app role assigned under "Role assigned."
Note: Depending on which role a user should have, they must be added to the group that was just configured for that role.
Step 3
Now, let's add role and team to the list of attributes.
- Navigate back to the attribute mapping for the application ( "Enterprise Apps" > select the SCW App you created > Provisioning > Attribute mapping > Provision Microsoft Entra ID Users).
- Click "Show advanced options", then select "Edit attribute list for customappsso".
- This opens the attribute list, where you can add the SCIM schema names described in this article.
- Create an attribute with the type "String" for each of the following schema names:
  - urn:ietf:params:scim:schemas:extension:scw:2.0:User:role
  - urn:ietf:params:scim:schemas:extension:scw:2.0:User:teamName
When you're finished, click Save at the top.
Step 4
Now you are ready to create the mappings for Role and Team. Click "Add New Mapping" on the Attribute Mapping page. This opens a new page where the attribute is configured.
Role Attribute
Below is a screenshot of how the Role attribute should be set up. Because we use app roles to send the role attribute, we use an expression that sends the relevant value based on which app role is assigned to the user.
The expression adjusts the value sent by the app roles to match the format SCW expects. Entra's Switch function takes the default value as its second argument, before the key/value pairs, and the keys are the app role values from the table above (Developer, TeamManager, CompanyAdmin).
To set the default role value to developer (used when the user has no matching app role):
Switch(SingleAppRoleAssignment([appRoleAssignments]), "developer", "Developer", "developer", "TeamManager", "team manager", "CompanyAdmin", "company admin")
To set the default role value to null, in which case the request fails if no role is passed in the request:
Switch(SingleAppRoleAssignment([appRoleAssignments]), "null", "Developer", "developer", "TeamManager", "team manager", "CompanyAdmin", "company admin")
Team Attribute
In this example, we use the "department" field to carry the team name, so the setup for this attribute is as follows.
| Mapping Type | Direct |
| Source Attribute | Department |
| Target Attribute | urn:ietf:params:scim:schemas:extension:scw:2.0:User:teamName |
| Apply this mapping | Always |
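The following is an added example (not SCW's or Microsoft's code) that emulates how the Role and Team mappings above turn an Entra user's app role assignment and department into the SCW extension attributes. Entra's `SingleAppRoleAssignment` and `Switch` are re-implemented here with their documented shape (default value second, then key/value pairs); raising on a user with several app roles is this example's choice, the sample users are constructed, and nesting the extension attributes under their schema URN follows SCIM 2.0 rather than any SCW-specific wire format.

```python
# Added example (not SCW's or Microsoft's code): emulates the Role (expression)
# and Team (direct: department) attribute mappings and assembles the SCIM body.
# Sample users and the JSON shape of the extension object are constructed.
from __future__ import annotations

SCW_EXT = "urn:ietf:params:scim:schemas:extension:scw:2.0:User"
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"

# The key/value pairs from the Switch expression: app role value -> SCW role.
ROLE_PAIRS = (
    "Developer", "developer",
    "TeamManager", "team manager",
    "CompanyAdmin", "company admin",
)

# Constructed Entra users; appRoleAssignments holds the app role *values*.
ENTRA_USERS = {
    "alice@example.com": {"givenName": "Alice", "surname": "Smith",
                          "department": "Payments", "appRoleAssignments": ["TeamManager"]},
    "bob@example.com": {"givenName": "Bob", "surname": "Jones",
                        "department": "Platform", "appRoleAssignments": []},
}


def single_app_role_assignment(assignments: list[str]) -> str | None:
    """Like Entra's SingleAppRoleAssignment: the one assigned role value, or
    None when the user has no app role. Several roles are treated as an
    error here (assumption); Entra expects exactly one assignment."""
    if len(assignments) > 1:
        raise ValueError("user has more than one app role assignment")
    return assignments[0] if assignments else None


def switch(source, default_value, *pairs):
    """Switch(source, defaultValue, key1, value1, ...): the default comes
    second, then key/value pairs; an unmatched source yields the default."""
    if len(pairs) % 2:
        raise ValueError("Switch keys and values must come in pairs")
    lookup = dict(zip(pairs[0::2], pairs[1::2]))
    return lookup.get(source, default_value)


def map_role(assignments: list[str], default_role: str = "developer") -> str:
    """Evaluate the Role attribute expression for one user."""
    return switch(single_app_role_assignment(assignments), default_role, *ROLE_PAIRS)


def build_scim_user(upn: str, entra_user: dict, default_role: str = "developer") -> dict:
    """Apply both mappings and assemble the SCIM body. With default "null" and
    no app role, refuse to send: that is what the failing request amounts to."""
    role = map_role(entra_user["appRoleAssignments"], default_role)
    if role == "null":
        raise ValueError(f"{upn}: no app role assigned and default role is null")
    return {
        "schemas": [CORE_USER, SCW_EXT],
        "userName": upn,
        "name": {"givenName": entra_user["givenName"], "familyName": entra_user["surname"]},
        "emails": [{"value": upn, "primary": True}],
        "active": True,
        # Extension attributes are nested under their schema URN in SCIM 2.0.
        SCW_EXT: {"role": role, "teamName": entra_user["department"]},
    }


if __name__ == "__main__":
    for upn, user in ENTRA_USERS.items():
        print(upn, build_scim_user(upn, user)[SCW_EXT])
```

Running it shows the two outcomes the expressions differ on: Bob, who holds no app role, is sent as "developer" under the first expression, while the "null" default turns him into a failed request instead of a silently defaulted developer, which is the safer choice when every user is expected to be in exactly one role group.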
Once done, the Attribute mapping page in Azure/Entra should look like the screenshot below.