Configuring user provisioning

User provisioning is configured in two steps: first, in SE Suite, generate the security token and schedule the import of the provisioned users; then, configure provisioning on the Azure Active Directory platform.

See below how to perform each configuration:

SE Suite

1. To add a new configuration in SE Suite, access SE Configuration > SCIM provisioning (CM033), select "Configuration" in the left side tab, and click on the Add secret token button.

[Image: sda0024]

2. Enter a name for this configuration in the ID # field and save the information.

[Image: sda0025]

3. After saving, the configuration is recorded in the system as enabled, with the security token generated. The values stored in the Secret token and Tenant URL fields will be needed to configure provisioning in Azure.

[Image: sda0026]

It is also possible to enter, in the Default access group field, a default access group for new users provisioned via SCIM.

[Image: sda0027]

The default access group is only applied to new users provisioned via SCIM. If a user was provisioned before the default access group was entered in the configuration, that group will not be assigned to them when they are provisioned again due to updates in their record.

Azure Active Directory

1. Access Azure Active Directory, then locate and select the enterprise application in the enterprise application listing. In the enterprise application's side menu, select Provisioning and click on Get started to begin the provisioning configuration.

[Image: sda0028]

2. In Provisioning Mode, select the Automatic option. In Admin Credentials, fill in the Tenant URL and Secret Token fields with the respective values from the "Tenant URL" and "Secret token" fields configured in SE Configuration > SCIM provisioning (CM033).

3. After filling in the fields, click on the Test connection button to test the connection, then click on Save to save the configuration and enable the attribute mapping settings.

[Image: sda0030]

4. Still in the provisioning configuration, open the attribute mapping information under Mappings and click on the Provision Azure Active Directory Groups link.

[Image: sda0031]

5. On the Azure group mapping configuration screen, set Enabled to "No" to disable group provisioning and click on the Save button. Back on the provisioning configuration screen, user group provisioning should now appear as disabled.

6. On the provisioning configuration screen, under Mappings, click on the Provision Azure Active Directory Users link to configure the attribute mappings of the provisioned users. Enabled must be kept at "Yes" and, in Target Object Actions, the options Create, Update and Delete must be selected.

[Image: sda0033]

7. Still in the user attribute mapping configuration, the attributes highlighted in the image below must be deleted:

[Image: sda0034]

The attributes highlighted in the previous image must be deleted: SE Suite does not use them, and if they are kept, users will not be provisioned.

The table below maps the fields and attributes of the AD user record to the fields of the user record in the User (AD004) menu of the SE Administration component.

| Azure field         | Azure Active Directory Attribute                            | customappsso Attribute                                                      | User field (AD004)   | Required |
|---------------------|-------------------------------------------------------------|-----------------------------------------------------------------------------|----------------------|----------|
| User Principal Name | userPrincipalName                                           | userName                                                                    | Login                | True     |
|                     | Switch([IsSoftDeleted], , "False", "True", "True", "False") | active                                                                      | Record Status        | True     |
| Name                | displayName                                                 | displayName                                                                 | Name                 | True     |
| Job title           | jobTitle                                                    | title                                                                       | Position             | False    |
| Email               | Mail                                                        | emails[type eq "work"].value                                                | E-mail               | False    |
| Phone               | telephoneNumber                                             | phoneNumbers[type eq "work"].value                                          | Office phone         | False    |
| Employee ID         | employeeId                                                  | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber   | User ID              | True     |
| Department          | department                                                  | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department       | Department           | False    |
| Manager             | manager                                                     | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager          | Leader¹              | False    |
| Company name        | companyName                                                 | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization     | Organizational Unit² | False    |

1 - The current user will be added as a subordinate in the leader's user record.

2 - Field used as a parameter to add the user under their organizational unit.

As shown in the example below, there can be several departments with the same name (Information Technology), each with its own ID # and located under its own organizational unit. Using the organization attribute, the system can distinguish these departments and insert the user under the correct unit.

[Image: ExemploSCIMUnidades_EN]

In the following case, the myUser user would be placed in the Information Technology department located under the Sofexpert-EUR organizational unit.

[Image: exemploscimjson_universal]
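The mapping table and the department example above can be exercised in code. The following Python is an added example, not SoftExpert's code or part of the original page: it keeps the customappsso-to-AD004 mapping from the table as data, flags attributes left in an Azure mapping that the table does not list, and translates a constructed SCIM user document (shaped like the one Azure sends, including the enterprise extension schema) into SE Suite user fields, resolving the department by name plus organizational unit so that two Information Technology departments are told apart. The department list, the sample user, the Sofexpert-USA unit and the "Enabled"/"Disabled" wording for Record Status are assumptions made for the example.

```python
"""Added example, not SoftExpert's code: applies the table above to an inbound
SCIM user, checks an Azure mapping against the table, and resolves the
department by name plus organizational unit. Sample data is constructed and the
"Enabled"/"Disabled" wording for Record Status is an assumption."""
import json

ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# customappsso attribute -> (SE Suite user field in AD004, required), from the table.
EXPECTED_MAPPINGS = {
    "userName": ("Login", True),
    "active": ("Record Status", True),
    "displayName": ("Name", True),
    "title": ("Position", False),
    'emails[type eq "work"].value': ("E-mail", False),
    'phoneNumbers[type eq "work"].value': ("Office phone", False),
    f"{ENTERPRISE}:employeeNumber": ("User ID", True),
    f"{ENTERPRISE}:department": ("Department", False),
    f"{ENTERPRISE}:manager": ("Leader", False),
    f"{ENTERPRISE}:organization": ("Organizational Unit", False),
}

# Constructed SE Suite departments: same name under two units (Sofexpert-USA is made up).
DEPARTMENTS = [
    {"id": "DEP-001", "name": "Information Technology", "unit": "Sofexpert-EUR"},
    {"id": "DEP-002", "name": "Information Technology", "unit": "Sofexpert-USA"},
]

def unexpected_targets(configured_targets):
    """customappsso attributes left in the Azure mapping that the table does not
    list; the page says such leftovers stop users from being provisioned."""
    return sorted(set(configured_targets) - set(EXPECTED_MAPPINGS))

def missing_required(configured_targets):
    """Required customappsso attributes (per the table) absent from the mapping."""
    present = set(configured_targets)
    return sorted(a for a, (_, req) in EXPECTED_MAPPINGS.items()
                  if req and a not in present)

def value_of_type(entries, wanted):
    """The SCIM filter emails[type eq "work"].value written out as a loop."""
    for entry in entries or []:
        if entry.get("type") == wanted:
            return entry.get("value")
    return None

def resolve_department(name, unit):
    """Match on name AND unit; name alone is ambiguous (Information Technology)."""
    hits = [d for d in DEPARTMENTS if d["name"] == name and d["unit"] == unit]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} departments named {name!r} under {unit!r}")
    return hits[0]["id"]

def to_se_user(scim_json):
    """Translate one SCIM 2.0 user document into SE Suite user fields (AD004)."""
    user = json.loads(scim_json)
    ext = user.get(ENTERPRISE, {})
    manager = ext.get("manager")  # Azure may send a plain string or {"value": ...}
    record = {
        "Login": user["userName"],
        # active is false once the AD account is soft-deleted: the Switch
        # expression in the table inverts IsSoftDeleted.
        "Record Status": "Enabled" if user.get("active", True) else "Disabled",
        "Name": user["displayName"],
        "Position": user.get("title"),
        "E-mail": value_of_type(user.get("emails"), "work"),
        "Office phone": value_of_type(user.get("phoneNumbers"), "work"),
        "User ID": ext["employeeNumber"],
        "Leader": manager.get("value") if isinstance(manager, dict) else manager,
    }
    if ext.get("department"):
        record["Department"] = resolve_department(ext["department"], ext.get("organization"))
    return record

def sample_scim_user(**overrides):
    """Constructed payload shaped like Azure's POST /Users after the table's
    mapping (not a captured request); overrides replace core or extension keys."""
    core = {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE],
        "userName": "myUser",
        "active": True,
        "displayName": "My User",
        "title": "Analyst",
        "emails": [{"type": "work", "value": "myuser@example.com", "primary": True}],
        "phoneNumbers": [{"type": "work", "value": "+1 555 0100"}],
    }
    ext = {
        "employeeNumber": "E1001",
        "department": "Information Technology",
        "organization": "Sofexpert-EUR",
        "manager": {"value": "leader01"},
    }
    for key, value in overrides.items():
        (ext if key in ext else core)[key] = value
    core[ENTERPRISE] = ext
    return json.dumps(core)
```

Calling to_se_user(sample_scim_user()) yields the myUser record placed in DEP-001 under Sofexpert-EUR; the same user with organization set to a unit that has no Information Technology department makes resolve_department raise instead of guessing, which is exactly the situation the organization attribute exists to prevent. unexpected_targets is the check to run over a mapping before the first sync, since the page states that leftover attributes stop users from being provisioned.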

 

The user attribute mapping configuration must match the image below:

[Image: sda0035]

IMPORTANT!

The "customappsso Attribute" column in the user attribute mapping in Azure must not be edited. If it is necessary to change the value of an attribute, it can be edited in the "Azure Active Directory Attribute" customizable column.