
Eptura Knowledge Center

Configure SCIM provisioning for the Device Hub

The Device Hub SCIM API integration supports SCIM version 2.0 and is certified for Azure Active Directory.

About this guide

The SCIM provisioning for Microsoft Azure AD guide is for Azure Active Directory administrators who want to configure user provisioning for Condeco using the Condeco SCIM API. It assumes familiarity with Azure AD, basic identity management concepts, and the SCIM standard.

The key steps are provided; however, this is not a comprehensive guide. To use the full potential of SCIM, refer to the SCIM 2.0 protocol specification: http://www.simplecloud.info/#Specification.

Our SCIM integration supports SCIM version 2.0 and is certified for Azure Active Directory.

Prerequisites

The following are required:

  • Azure Active Directory
  • The following values as provided by Condeco:
    • Condeco SCIM API URL
    • Condeco SCIM Token provider URL
    • SCIM client ID
    • SCIM client secret token
    • Long-lived SCIM token generated from SCIM Token Provider (up to 10 years).

Learn how to generate a SCIM token

Supported actions

When the SCIM integration between Azure AD and Condeco is ready, the following actions performed from the Azure directory are also applied to the users in the Condeco Device Hub.

| Action in Azure AD | Notes |
| --- | --- |
| Create users | Condeco requires a unique username for each user. If the username already exists in the Device Hub, the SCIM User creation is rejected by our SCIM API. |
| Delete/Deactivate users | |
| Update user attributes | Updates to user profiles in Azure AD are pushed to the Device Hub. |
| Add a group | Adding a group creates a corresponding group in the Condeco Device Hub. Any group members (who exist in Condeco) are automatically mapped to the Condeco group. |
| Remove a group | |
| Update Groups attributes | |
| Add/remove users to/from a group | |

Configuration

  1. Sign in to the Azure portal and open Azure Active Directory.
  2. Select Enterprise applications.
  3. Click New application.
  4. Click Create your own application.
  5. Enter a name for the new application, for example ‘CondecoScimApplication’, and select Integrate any other application you don’t find in the gallery. Click Create.
  6. From the Overview page for your new application, click Provision User Accounts.
  7. Click Get started.
  8. On the Provisioning page, click the Provisioning Mode drop-down and select Automatic.
  9. Add the Admin Credentials:
    1. Tenant URL: enter the Condeco SCIM URL i.e. https:///scim/api/V1/
    2. Secret Token: enter the token from your token provider. Learn how to generate a token
  10. Click Test connection and if successful, click Save to save your new application.
  11. Still on the Provisioning page, expand the Mappings section and click Provision Azure Active Directory Users.
  12. The Attribute Mapping table must only contain the following customappsso attributes:

Mandatory attributes:

  • userName
  • active
  • emails[type eq "work"].value
  • name.givenName
  • name.familyName
  • externalId

Optional attributes:

  • phoneNumbers[type eq "work"].value
  • phoneNumbers[type eq "mobile"].value

Phone number values: Phone number values must follow the RFC 3966 standard. More information about phone number values is available in the SCIM API Developers Guide > Schemas or visit the Internet Engineering Task Force (IETF) RFC Editor for full details of RFC 3966: https://www.rfc-editor.org/

Click Delete to delete mappings not listed above. The image shows only the required mappings.

Learn more about SCIM User attributes and the associated Condeco User attributes

  13. Still on the Attribute Mapping page, click the “externalId” mapping in the customappsso Attribute column and change the values as follows:

Mapping type: Direct
Source attribute: objectId
Default value if null (optional): leave blank
Target attribute: externalId
Match objects using this attribute: No
Apply this mapping: Always

  14. Click OK to save the values.
  15. Click Save to save the Attribute Mappings and click Yes to confirm.
  16. Expand the Mappings section and click Provision Azure Active Directory Groups.
  17. Click Yes to enable Provision Azure Active Directory Groups, then click Save.
  18. The Attribute Mapping page is displayed. Edit the group attributes as follows:
    1. Click the group attribute “displayname” to open the Edit Attribute page. Change Matching precedence to 2.
    2. Click OK to save and return to the Attribute Mapping page.
    3. Click the group attribute “objectId” to open the Edit Attribute page. Click Match object using this attribute and select Yes. Check the Matching precedence value is 1.
    4. Click OK to save and return to the Attribute Mapping page.
    5. Click the group attribute “displayname” again to open the Edit Attribute page. Click Match object using this attribute and select No. Check the Matching precedence value is now 0.
  19. Click OK to save and return to the Attribute Mapping page.
  20. Click Save to save the Attribute Mappings and click Yes to confirm.
  21. Click X to close Attribute Mapping and return to the Provisioning Page.
  22. Expand Settings, click the Scope drop-down list and select Sync all users and groups.
    Note: If the Scope drop-down list is not visible, close the Provisioning page and click Edit Provisioning to reopen.
  23. Set the Provisioning Status button to On.
  24. Click Save to complete the SCIM application provisioning.
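
The user attribute mapping in the steps above limits what Azure AD sends to a fixed list of SCIM paths. The following added example (not Condeco's or Microsoft's code) checks a SCIM 2.0 User payload against that list and against a simplified RFC 3966 global-number pattern; the function names, the sample payloads, and the assumption that phone values carry the `tel:` prefix are illustrative, so confirm the accepted phone format in the SCIM API Developers Guide.

```python
import re

# Attribute paths copied from the mapping step on this page.
MANDATORY = {"userName", "active", 'emails[type eq "work"].value',
             "name.givenName", "name.familyName", "externalId"}
OPTIONAL = {'phoneNumbers[type eq "work"].value',
            'phoneNumbers[type eq "mobile"].value'}
# Simplified RFC 3966 global-number form: "tel:+" then digits and separators.
# Assumption: local numbers and ";ext=" style parameters are out of scope here.
TEL_URI = re.compile(r"^tel:\+[0-9().-]*[0-9][0-9().-]*$")

def flatten(resource):
    """Flatten a SCIM User into {mapping path: value} in the page's path syntax."""
    flat = {}
    for key, value in resource.items():
        if key in ("schemas", "id", "meta"):
            continue  # protocol envelope, not a mapped attribute
        if isinstance(value, dict):    # complex attribute such as name
            flat.update({f"{key}.{sub}": v for sub, v in value.items()})
        elif isinstance(value, list):  # multi-valued attribute such as emails
            for item in value:
                flat[f'{key}[type eq "{item.get("type")}"].value'] = item.get("value")
        else:
            flat[key] = value
    return flat

def check_user(resource):
    """Return sorted findings; an empty list means the payload fits the mapping."""
    flat = flatten(resource)
    present = set(flat)
    findings = [f"missing mandatory attribute: {p}" for p in MANDATORY - present]
    findings += [f"unmapped attribute present: {p}"
                 for p in present - MANDATORY - OPTIONAL]
    for path in OPTIONAL & present:
        if not TEL_URI.match(str(flat[path])):
            findings.append(f"not an RFC 3966 tel URI: {path}={flat[path]!r}")
    return sorted(findings)

# Constructed sample payloads (hypothetical user, not from a real tenant).
GOOD = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "alex@contoso.example", "active": True,
    "externalId": "00000000-0000-0000-0000-000000000001",
    "name": {"givenName": "Alex", "familyName": "Example"},
    "emails": [{"type": "work", "value": "alex@contoso.example"}],
    "phoneNumbers": [{"type": "mobile", "value": "tel:+44-20-7946-0123"}],
}
BAD = dict(GOOD, displayName="Alex Example",
           phoneNumbers=[{"type": "work", "value": "020 7946 0123"}])
del BAD["externalId"]
```

Running `check_user` over a payload taken from the provisioning logs shows which mapping still needs deleting or which source value needs reformatting before the next cycle.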

Current cycle status

In the Manage navigation menu, select Provisioning to view the status of the current or initial incremental cycle. Use the buttons at the top to manually start or stop provisioning, and click View Provision details to check the schedule for the next run.
