How to setup SCIM with Microsoft Entra ID (Azure Active Directory)

Modified on Thu, 18 Jul at 10:12 AM

TABLE OF CONTENTS

SCIM defined
How SCIM works
- SCIM vs. SAML
- SCIM vs. SSO
Setting up SCIM in Fluid
SCIM Provisioning complete
Further Reading

SCIM defined

SCIM is a protocol that standardizes how identity information is exchanged between one entity and another. It’s an open standard and is widely used to simplify the process of granting people or groups access to cloud-based applications.

In an enterprise work scenario, using SCIM reduces the effort it takes to create, modify, and synchronize employee accounts and govern the resources employees have access to.

How SCIM works

In addition to providing a predefined schema for common identity attributes like group name, username, first name, last name, and email, SCIM provides a standardized definition of client and service provider roles. A client is usually an identity provider or IAM system, such as Microsoft Entra ID (formerly known as Microsoft Azure AD). A service provider is typically a software-as-a-service app. The client manages core identity information that apps need to grant or refuse access.

SCIM uses a representational state transfer (REST) API to perform the actions needed to manage identity lifecycles. The database operation acronym CRUD describes the basic REST actions SCIM provisioning uses:

Create - add new users in applications.

Read - retrieve or search for information from existing identities and groups.

Update - synchronize updated identity information between the client and apps.

Delete - deprovision identities.

SCIM vs. SAML

Security Assertion Markup Language (SAML) and SCIM are both open-standard protocols that streamline the exchange of identity data. SAML is commonly used to provide SSO for enterprise applications and to extend SSO across security domains. Similar to SCIM, it plays a role in enabling people to use the same credentials to access multiple services. SCIM lays the foundation for SAML to work by creating, updating, or deleting user profiles in the target system with the necessary information for the user to sign in to an app.

SAML is based on Extensible Markup Language (XML) and uses it to make security assertions, which are statements that service providers use to decide whether to grant access to a resource. When SAML authenticates that your identity can have access to a resource, it gives you an access token for a single session in your browser. Both SCIM and SAML are underlying technologies commonly used in enterprise IAM solutions.

More information can be found at Fluid SAML

SCIM vs. SSO

SCIM and SSO are two different technologies that play slightly different roles in managing identities and access. SCIM is for provisioning identities across multiple applications, and SSO is for authenticating users in multiple applications with a single set of credentials.

SCIM supports SSO and works together with it. SSO requires user provisioning to function. Enterprise IAM systems tend to use a complex mix of technology to make the user experience seamless, and SCIM, SSO, and SAML are all technologies that help achieve that aim.

Setting up SCIM in Fluid

2 – Click “Enterprise Applications”

3 – Click “New Application”

4 – “Create your own application”

5 – Name your application

6 – In the new app, click Provision User Accounts

7 – Get Started

8 – Set provisioning mode to automatic. Fill out Tenant URL.

Your tenant url is https://{organisation}.fluid.wlork/scim/v2 

Replace {organisation} with the name of your particular Fluid instance name. You can check this by going to your Fluid application and looking at the Url in the browser

The Secret Token is shared with SCIM provisioning and Fluid. You will need to generate this token and save to both SCIM provisioning and Fluid. Please make a copy of this token during setup.

9 - Log into Fluid with an account that has the appropriate admin level privileges to access the administration console to configure secret token.

- select Authentication Providers

- ensure that "Disable SCIM User Sync" is NOT enabled

- enter a SCIM secret token, this token is a shared secret between Fluid and SCIM. Each time SCIM makes a request to Fluid it will pass this secret as a authorization bearer token. Fluid will validate the secret before allowing access to SCIM.

Secrets are stored in a secure encrypted keyvault in Fluid. You should follow your internal security policies with respect to token format, length and character types to ensure a strong secret.

- click Save

- Copy Token and paste it into “Secret Token” in Azure

Finally, click “Test Connection” and “Save”.

10 – Go to Provision Azure Active Directory Group Mappings

With respect to provisioning groups, the default attribute mappings that are pre-set are correct, you don't need to make any changes to attribute mappings.

- ensure that Create and Delete is unchecked, under target object actions

- ensure the attribute mappings are as defined above

With respect to provisioning users, the default attribute mappings that are pre-set are correct, you don't need to make any changes to attribute mappings.

SCIM Provisioning complete

This concludes the setup for SCIM providing between Azure AD/Entra ID and Fluid. Changes made to groups and users in your AD will be reflected in Fluid.

With respect to importing existing users to Fluid using SCIM please see this article Importing users into Fluid via SCIM and this article Assigning user permissions and roles via SCIM for more information on configuring specific Fluids roles to users

For group user provisioning, Fluid expects the AD group to be named "Fluid User". Any users that are moved to this group are automatically provisioned within Fluid. If your organisation wishes to use a different AD group name, please reach out to support or your client success representative who will be able to setup a custom mapping for your instance.