Setting up SCIM for Microsoft Active Directory in Simpplr

Table of Contents

Overview

Prerequisites

Configuring SCIM for Azure in Simpplr

Configure Entra ID for SCIM

Adding Newly Added Standard and Custom Fields

Adding Roles

Testing SCIM

Stop Provisioning & Syncing Using SCIM

Provisioning All Users Assigned to a SCIM App

Test Deprovisioning

Overview

System for Cross-domain Identity Management (SCIM) is an open standard that automates user provisioning and deprovisioning. Simpplr supports SCIM to sync user accounts from Microsoft Active Directory (AD) via Microsoft Entra ID (formerly Azure AD).

This guide provides a step-by-step process to integrate SCIM with Simpplr.

Prerequisites

  • Microsoft Entra ID with an active license supporting SCIM provisioning.

  • Simpplr Admin Access to configure SCIM settings.

  • An Enterprise Application created in Microsoft Entra ID.

Configuring SCIM for Azure on Simpplr

  1. Navigate to Manage > Application > Integrations > People data.

  2. Click Add Integration and select Microsoft.

  3. Enter a unique name for the integration (duplicate names are not allowed).

  4. Click Add, which will take you to the newly added integration screen.

  5. Click Generate Token. This will display two key configurations:

    • SCIM Base URL: The endpoint URL used by vendors to make API calls for test connections, provisioning, and syncing.

    • Token: The authentication token that Simpplr uses to validate incoming requests from the vendor for provisioning and synchronization operations.

Configure Microsoft Entra ID for SCIM

  1. Create an enterprise application:

    1. Sign in to Microsoft Entra ID (Azure Portal).

    2. Navigate to Enterprise Applications.

    3. Click New application and select Non-gallery application.

    4. Enter a name (e.g., Simpplr SCIM Integration), then click Add.

  2. Configure the provisioning source, SCIM Base URL, and Token, then click Test Connection.

  3. Click Provisioning, then Save.

  4. Configure mapping on the application created.

      • Expand the mapping section and click Provision Microsoft Entra ID users.

      • By default, Entra ID maps userPrincipalName to the username field. Manually update the mapping to point to mail instead.

      • Similarly, by default Entra ID maps mailNickname to externalId. Manually update this mapping to use objectId against externalId by clicking the mailNickname field.

  5. Click Save.

Adding Newly Added Standard and Custom Fields

    1. In Simpplr, get the field mappings from Manage > Application > Integrations > People data. Click on the SCIM integration.

    2. Click the three dots and Field mappings.

    3. Now go back to Active Directory, then to Azure Application > Provisioning > Manage > Attribute mapping.

    4. Click on Provision Microsoft Entra ID Users. The page shown below will open up.

    5. Scroll down and check the Show advanced options checkbox.

    6. Click on Edit attribute list for customapps.

    7. If required, scroll down to see the blank text box to add the attribute.

    8. In the Name field, add the mapping value copied from Simpplr, set Type as required (e.g., if the input values are dates, select date from the dropdown), and click Save.

    9. Now go back to the mapping section, scroll down and click Add New Mappings. This will open up the mapping section.

    10. Select Mapping Type as ‘Direct’.

    11. Source attribute - Select the Microsoft field whose value you want to sync.

    12. Target attribute - Select the Simpplr field into which you want to sync the above value.

    13. Apply this Mapping - Always.

    14. Click OK.

Adding Roles

  1. Go to Microsoft Entra ID > App registrations on the Azure Portal. Select your application.

  2. Click App Roles in the left sidebar.

  3. Click on Create app roles.

  4. Roles for the Simpplr end user and application manager must be created. In the next step, enter Application Manager as the display name, application_manager as the Value, Users/Groups as the allowed member types, and an appropriate description such as Simpplr application manager role. Check the Do you want to enable this app role? checkbox and click Apply.

  5. Repeat the last step for the end user role with the display name End User, the Value end_user, and a description such as Simpplr end user role, then click Apply.

  6. To map these roles to your application and SCIM, go to Enterprise Applications and select your application.

  7. In the provisioning tab, click on Edit provisioning.

  8. Expand the mapping section and click Provision Microsoft Entra ID users. This will open the Attribute Mapping page.

  9. Scroll down and click on Add New Mapping.

  10. In the mapping type, select Expression.

  11. Use the following values:
    Expression: SingleAppRoleAssignment([appRoleAssignments]) (recommended)
    Target Attribute: roles[primary eq true].value

  12. Click on OK, then Save.
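
The mappings configured up to this point (username from mail, externalId from objectId, one primary role) can be checked on a payload. The following is an added example, not Simpplr's or Microsoft's code: it inspects a SCIM User resource for those three choices. Field names follow the SCIM 2.0 core User schema; check_scim_user, the sample payloads and the comparison against emails[] are assumptions made for illustration.

```python
import re

# The two app role values this guide creates; extend if you define more.
ALLOWED_ROLES = {"application_manager", "end_user"}
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_scim_user(user):
    """Return findings for one SCIM User resource; an empty list means OK."""
    findings = []
    # externalId should carry objectId (a GUID), not the default mailNickname.
    if not GUID_RE.match(str(user.get("externalId", ""))):
        findings.append("externalId is not a GUID (still mapped to mailNickname?)")
    # userName should carry mail. Assumption: an emails[] mapping is also present.
    user_name = str(user.get("userName", ""))
    if not EMAIL_RE.match(user_name):
        findings.append("userName is not an email address")
    emails = [str(e.get("value", "")).lower() for e in user.get("emails", [])]
    if emails and user_name.lower() not in emails:
        findings.append("userName does not match any emails[].value")
    # roles[primary eq true].value: tolerate the flag as a boolean or a string.
    primary = [r.get("value") for r in user.get("roles", [])
               if str(r.get("primary")).lower() == "true"]
    if len(primary) != 1:
        findings.append(f"expected exactly one primary role, found {len(primary)}")
    elif primary[0] not in ALLOWED_ROLES:
        findings.append(f"unexpected role value: {primary[0]!r}")
    return findings


# Constructed sample payloads, not captured from a real tenant.
GOOD = {
    "externalId": "3f2b1c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d",
    "userName": "jane.doe@example.com",
    "emails": [{"primary": True, "type": "work", "value": "jane.doe@example.com"}],
    "roles": [{"primary": "True", "value": "end_user"}],
}
DEFAULT_MAPPING = {
    "externalId": "jane.doe",             # mailNickname left in place
    "userName": "jdoe@corp.example.com",  # userPrincipalName left in place
    "emails": [{"primary": True, "type": "work", "value": "jane.doe@example.com"}],
    "roles": [],                          # no primary role in the payload
}

if __name__ == "__main__":
    for name, payload in (("GOOD", GOOD), ("DEFAULT_MAPPING", DEFAULT_MAPPING)):
        print(name, check_scim_user(payload) or "OK")
```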

Testing SCIM

  1. Add a user to the application: go to Users and Groups in the left sidebar of your application's homepage.

  2. Click on Add user/groups.

  3. Click on the link below users and groups.

  4. Search for the user you want to add. Click on the user, then Select.

  5. Click on select a role and select the appropriate role.

  6. Click on Assign to assign the user.

  7. To manually provision or retry, go to the Provisioning page of your application, click on Provision on demand, select the user, and then click Provision. Ensure that the user is assigned to the application and has a role; otherwise, Entra ID will automatically skip provisioning.

  8. To review the logs, navigate to the Provisioning page of your application and click on View Provisioning Logs. This will open the logs page, where you can check the status to determine if provisioning was successful.

  9. Provisioning logs can also be found under Provisioning > Monitoring > Provisioning Logs.

Setting up the Matching Precedence

User accounts are automatically created when Azure AD is integrated and configured. When you define multiple Azure AD mappings, users are automatically classified based on the filter parameters as their accounts are created, and each user is then assigned the profile and storage specified in the Azure AD mapping.

However, a user account may fall under multiple Azure AD mappings based on the defined criteria. In such cases, administrators can define the priority of the mappings; users are imported according to the mapping sequence and receive the profile and storage specified in that mapping.

  1. Go to Provisioning > Attribute Mappings.

  2. Click on Provision Microsoft Entra ID Users.

  3. Here you can set the matching precedence for each attribute. For example, click Edit on username, set Match objects using this attribute to “Yes”, and set the matching precedence to 2.

  4. Suggested matching precedence for each attribute:

    • externalId - 1

    • username - 2

    • email - 3

To Stop User Sync & Provisioning using SCIM on Entra ID:

  1. Go to Microsoft Entra ID > Enterprise Applications and select your application.

  2. Click on Provisioning in the left sidebar, then click Stop Provisioning in the top bar.

  3. Navigate to Manage > Applications > Integrations > People Data on the Simpplr App.

  4. Select the SCIM integration, click the three dots, and click Delete.

Provisioning All Users Assigned to SCIM App

Go to Application Used to Set Up SCIM > Provisioning > Overview. Click Start Provisioning.

This provisions/syncs all users that have been assigned to the application as specified in the previous steps.

Test Deprovisioning

  1. Select the user already provisioned in Simpplr and present in the user group of the SCIM application.

  2. Go to Overview > Account Status > Edit.

  3. Uncheck the Account Enabled check box and save this profile.

  4. Now go back to SCIM Application > Provision > Provision on Demand.

  5. Search for the user and click the Provision button.

  6. The user should be marked as Inactive in Simpplr.
