SCIM Provisioning with Azure AD

This article describes how to provision users with an Azure Active Directory (AAD) custom System for Cross-domain Identity Management (SCIM), an open standard that allows for automated user provisioning.

Prerequisites

Before you begin, you must create an Azure IdP SSO Integration.

Step 1: Generating an Endpoint and SCIM Token

To synchronize users and groups provisioned for the Axis Security application, Azure requires two pieces of information:

  • An Endpoint to which AAD makes requests.
  • A Bearer token for AAD to authenticate its endpoint requests.

To Generate an Endpoint and a SCIM Bearer Token:

  1. In the Management Console, go to the Settings-> Identity Providers  screen.
  2. Hover over the Azure Identity Provider and select edit
  3. Navigate to Advanced Settings.
  1. Go to User Auto-Provisioning (SCIM).
  2. Click Generate new token.
  1. Copy the SCIM Service Provider Endpoint and SCIM Provisioning Token and paste them into a text editor. You will need them for Step 3: Configuring the Integration.
  1. Click on Ok, and then click on Submit.
  2. Click on Commit Changes.

Step 2: Configuring the Integration

📘

Since you have an existing SSO application, you can use it to configure the SCIM provisioning (Instead of "SCIM Test" in the screenshots).

  1. In Azure, go to the navigation menu.  
  2. In the Manage section, select Provisioning.

  1. Click the Get Started button.

  1. Under Provisioning Mode, select Automatic.
  2. Under Admin Credentials enter the Tenant URL and Secret Token obtained from the Axis SCIM configuration (step 1):
    • Paste the SCIM Service Provider Endpoint in the Tenant URL field. 
    • Paste the SCIM Provisioning Token in the Secret Token field. 

  1. Click Save.
  2. Click Test Connection to confirm that the connection is set up correctly.

Step 3: Setting and Enabling Attribute Mappings

To set and enable attribute mappings in Azure:

  1. Expand the Mappings section.

  1. In the Attribute Mappings section, enable group and user attribute mappings. 

To allow external users to use the Original UPN:

📘

Adjusting the UPN mapping to the original UPN resolves the mismatch by using the invited tenant's UPN instead of the home tenant's. This change does not impact native users of the tenant.

  1. Click on: userPrincipalName.
  1. Click on the Source attribute drop down list and pick : OriginalUserPrincipalName, and click Ok.

🚧

Changing this value after initial deployment will cause a re-provisioning of all users to update the new value. Best performed in maintenance window

To complete the attribute mapping:

  1. Make sure the user mapping only maps the attributes below, otherwise you will not be able to complete the provisioning:
    1. Mail
    2. givenName
    3. Department
    4. Surname
    5. switch(deleted)
    6. originalUserPrincipalName
    7. displayName

Note: Map the attributes that are needed by your organization.

Step 4: Disable Nested Groups Provisioning

  1. Go to Your application-> Provisioning-> Edit Provisioning.

  1. Go to Groups Mapping-> Provision Azure Active Directory Groups.
  1. Select Show advanced options and Edit attribute list for customappsso.
  1. In Members-> Reference deselect the Group scheme as seen below to prevent the provision of nested groups.
  1. Click Save

Step 4: Assigning users and groups to the application

To sync users and groups, you must assign them to the AAD SCIM application. 
To assign users and groups to the AAD SCIM application:

  1. Go to Manage in the navigation menu.
  2. Select Users and groups

  1. Select Add user/group

  1. Under Users and Groups, select None selected.

  1. In the Users and Groups window, select the users and groups you want to add to the SCIM application. 
  2. Click Select
  3. Select Assign at the bottom of the screen.
  4. In the Users and groups area, add the selected users and groups to the SCIM Application.

Step 5: Enabling provisioning for the SCIM application

  1. Navigate to Provisioning page in the side menu on the left.
  2. Select Provisioning in the side menu on the left.
  3. In the Settings section:
    1. Set Scope to Sync only assigned users and groups
    2. Set Provisioning Status to On.
    3. Click on Save.

Step 6: Validate SCIM

In the Axis Management Console, go to Settings -> Provisioned Users.

You should see the users and groups provisioned from your Azure account.

Revoking the Auto-Provisioning Token

To revoke an Auto-Provisioning token:

  1. Go to Settings -> Identity Providers  
  2. Hover over the relevant Azure AD IdP and click Edit .

The Edit Azure Active Directory IdP window appears.

  1. Navigate to the Advanced settings section.
  2. In the User Auto-Provisioning (SCIM) section, click Revoke Auto-Provisioning Token.