SCIM provisioning
SCIM (System for Cross-domain Identity Management) is a protocol designed to synchronise users and groups between two systems.
This article is intended for organisations that manage a sizable workforce and want to minimise manual effort when rolling out new software. In particular, if you want to ease the administration of UMA for a company with many users, we recommend automatic user (de-)provisioning through SCIM.
In short, SCIM lets you keep your users in UMA, and their associated data, in sync.
Key advantages of SCIM implementation
Automatic User Provisioning: Initiate user provisioning directly from your active directory.
Real-time User Data Updates: Ensure instant updates of user data in alignment with the active directory (e.g., changes in internal departments).
Automatic User Deprovisioning: Streamline the process of deprovisioning users who exit your company.
How it operates
SCIM comprises two components: a provider and a client. UMA serves as the SCIM client.
Once provisioning is active between Microsoft Entra ID and UMA, the SCIM provider queries UMA for users earmarked for provisioning.
If a user is absent, UMA generates the corresponding resource.
If a user exists but varies in certain aspects, it undergoes an update.
Required permissions
Because SCIM works on a push principle, UMA never needs to retrieve information from Microsoft Entra ID directly. Consequently, no permissions need to be granted to UMA, which keeps the SCIM integration secure and efficient.
For more information on Microsoft Entra ID SCIM, check out this guide from Microsoft below:
Setup
Log into UMA, navigate to the integrations page and click to activate SCIM provisioning.
Copy the tenant URL and token and save for later.
Log into Microsoft Entra ID and create a new non-gallery enterprise application.
Navigate to provisioning mode and select automatic. Enter the tenant URL and token and test the connection.
Click on mappings and disable Microsoft Entra ID Groups.
Click on Microsoft Entra ID Users. As a minimum, UMA requires the attributes below:

UMA Attribute | Microsoft Entra ID Attribute
---|---
userName | userPrincipalName
active | Switch([IsSoftDeleted], , "False", "True", "True", "False")
displayName | displayName
externalId | objectId

Make sure to change the Microsoft Entra ID attribute mapped to externalId to objectId.
Click manage, select users and groups and add the users and groups you want to provision with UMA.
Click on provisioning and click on the start provisioning button.
The initial Microsoft Entra ID sync is triggered immediately after you enable provisioning. Subsequent syncs are triggered every 20-40 minutes, depending on the number of users and groups in the application. See Provisioning summary report in the Microsoft Entra ID documentation.
Additional information
When a user is permanently deleted from Microsoft Entra ID, they will be removed from UMA during the next scheduled sync.
If a user is soft deleted in Microsoft Entra ID, they are automatically marked as inactive in UMA during the next sync. The user's email account will also update in UMA according to Microsoft's provisioning request.
When a user is removed from the SCIM application in Entra ID, they are marked as inactive in UMA at the next scheduled sync.
After activating the SCIM integration, user accounts that were added beforehand operate independently from those added via SCIM. To bring manually added users under SCIM, include them in your SCIM application. Note that users provisioned via SCIM cannot be edited or deleted through UMA; only their permissions can be updated.
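The exchange described under "How it operates", the attribute mapping from the table in the Setup section, and the soft-delete and permanent-delete behaviour above, as one added Python example that is not UMA's or Microsoft's code: an in-memory stand-in for the UMA side that receives SCIM requests, the mapping function (including the Switch expression that derives active from IsSoftDeleted) and the per-user reconciliation that looks a user up by userName, creates the resource if absent and replaces it if it differs. The sample Entra ID record, the placeholder objectId, the request paths and the treatment of the empty Switch default as "omit the attribute" are assumptions made for the example.

```python
import copy
import itertools
import re
from typing import Optional, Tuple

# Constructed sample Entra ID user record (not real data); the objectId is a placeholder.
SAMPLE_ENTRA_USER = {
    "userPrincipalName": "alice@example.com",
    "displayName": "Alice Example",
    "objectId": "00000000-0000-0000-0000-000000000001",
    "IsSoftDeleted": "False",
}


def entra_to_scim(entra_user: dict) -> dict:
    """Apply the page's minimum attribute mapping to one Entra ID user record.

    'active' follows Switch([IsSoftDeleted], , "False", "True", "True", "False"):
    IsSoftDeleted "False" -> active true, "True" -> active false. The empty default
    branch is treated here (an assumption) as "omit the attribute".
    """
    user = {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": entra_user["userPrincipalName"],
        "displayName": entra_user["displayName"],
        "externalId": entra_user["objectId"],  # objectId, as the page requires
    }
    switch = {"False": True, "True": False}
    if entra_user.get("IsSoftDeleted") in switch:
        user["active"] = switch[entra_user["IsSoftDeleted"]]
    return user


class ScimEndpoint:
    """In-memory stand-in for the UMA side that receives SCIM requests.

    Only what the reconciliation below needs is implemented: GET /Users with a
    userName filter, POST /Users, and PUT / DELETE on /Users/{id}.
    """

    _FILTER = re.compile(r'^userName eq "([^"]+)"$')

    def __init__(self) -> None:
        self.users: dict = {}            # id -> stored SCIM User resource
        self._ids = itertools.count(1)   # simplistic id allocation

    def handle(self, method: str, path: str, body: Optional[dict] = None,
               filter_expr: Optional[str] = None) -> Tuple[int, Optional[dict]]:
        """Dispatch one request and return (HTTP status, response body)."""
        if method == "GET" and path == "/Users":
            m = self._FILTER.match(filter_expr or "")
            if not m:
                return 400, {"detail": "only userName eq filters are supported"}
            hits = [u for u in self.users.values() if u["userName"] == m.group(1)]
            return 200, {"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
                         "totalResults": len(hits), "Resources": hits}
        if method == "POST" and path == "/Users":
            uid = str(next(self._ids))
            self.users[uid] = {**copy.deepcopy(body), "id": uid}
            return 201, self.users[uid]
        m = re.match(r"^/Users/(\d+)$", path)
        uid = m.group(1) if m else None
        if uid not in self.users:
            return 404, {"detail": "not found"}
        if method == "PUT":                      # full replace of the resource
            self.users[uid] = {**copy.deepcopy(body), "id": uid}
            return 200, self.users[uid]
        if method == "DELETE":                   # permanent deletion in Entra ID
            del self.users[uid]
            return 204, None
        return 405, {"detail": "method not allowed"}


def reconcile(endpoint: ScimEndpoint, entra_user: dict) -> str:
    """One provisioning pass for one user: look up by userName, create if absent,
    replace if it differs. A soft-deleted user arrives with active=false."""
    desired = entra_to_scim(entra_user)
    status, page = endpoint.handle(
        "GET", "/Users", filter_expr=f'userName eq "{desired["userName"]}"')
    if status != 200:
        raise RuntimeError(f"lookup failed: {page}")
    if page["totalResults"] == 0:
        endpoint.handle("POST", "/Users", body=desired)
        return "created"
    current = page["Resources"][0]
    if all(current.get(k) == v for k, v in desired.items()):
        return "unchanged"
    endpoint.handle("PUT", f'/Users/{current["id"]}', body=desired)
    return "updated"


def deprovision(endpoint: ScimEndpoint, user_principal_name: str) -> str:
    """Permanent deletion in Entra ID: the user is removed at the next sync."""
    _, page = endpoint.handle(
        "GET", "/Users", filter_expr=f'userName eq "{user_principal_name}"')
    if page["totalResults"] == 0:
        return "absent"
    endpoint.handle("DELETE", f'/Users/{page["Resources"][0]["id"]}')
    return "deleted"


if __name__ == "__main__":
    uma = ScimEndpoint()
    print(reconcile(uma, SAMPLE_ENTRA_USER))                               # created
    print(reconcile(uma, {**SAMPLE_ENTRA_USER, "IsSoftDeleted": "True"}))  # updated
    print(deprovision(uma, "alice@example.com"))                           # deleted
```

The comparison in reconcile only looks at the attributes Entra ID sends, which is why a user whose IsSoftDeleted value falls into the empty Switch default is reported as unchanged rather than reactivated: nothing was pushed for active, so the stored value stands.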