What is SCIM?
SCIM (System for Cross-domain Identity Management) is a standard for the automation of user provisioning. User provisioning refers to the process of creating, updating and deleting user accounts and access to resources across multiple applications and systems all at once.
This lets people-management teams (e.g., IT departments) create and maintain user accounts, together with their privileges and permissions, in one system and have that information propagated to other applications and systems without duplicating it manually.
The system that holds and manages all users' information is called an Identity Provider (IdP), for example Microsoft Entra ID. The external application that users need to access and interact with is called a Service Provider (SP), for example the Arcules Web Platform. When a user account changes in Microsoft Entra ID, the change is synchronized automatically to the Arcules Web Platform through the SCIM protocol.
Note: The SCIM protocol allows you to leverage your existing users and groups already present in Microsoft Entra ID and synchronize them with the Arcules Web Platform.
Microsoft Entra ID Integration
This section describes the process of integrating the Arcules Web Portal with Microsoft Entra ID for SAML and SCIM.
SAML
In the following article you will find the details about how to configure SAML 2.0 Single Sign-on (SSO): Setting up SSO for your organization
SCIM
As described previously, the SCIM protocol allows you to automate the user provisioning process. The remainder of this article explains the steps required to configure SCIM in Microsoft Entra ID so that it can be integrated with the Arcules Web Portal.
SCIM configuration in Arcules Web Portal
Enabling SCIM
To use SCIM, contact our customer care team (link) to have this functionality enabled for your organization. Until it is enabled, the Arcules Web Portal (Settings > Identity & Access Management) shows the following screen:
Once SCIM is available for your organization, then click on the Enable button in the SCIM section:
After clicking on the Enable button you will see the following configuration:
URL: This is the tenant URL and will be used for the SCIM configuration in Entra ID.
Secret Token: The token required for the SCIM configuration in Entra ID. It is shown only once: after the page is reloaded the token is not displayed again, so if you did not copy it when it was shown you must generate a new one. Treat it as a privileged credential: whoever presents it to the tenant URL can create, modify and deactivate users and groups in your organization, so paste it directly into the Entra ID configuration (or a secrets store) rather than into email or chat.
Refreshing the SCIM Token
If you want to regenerate the SCIM token, in case it is lost or it has been compromised, you can do this in the Arcules Web Portal.
Note: Refreshing an organization's SCIM token invalidates the previous token immediately. Update the Identity Provider (IdP) configuration with the new token right away to avoid interrupting user provisioning.
Requirements
Your organization must already have SCIM provisioning enabled.
You must have the IT Manager role assigned in order to refresh the SCIM token.
From the Arcules Web Portal, on the left menu, open the Settings > Identity & Access Management menu, then click on the Refresh button in the SCIM section.
You will see the following dialog:
Click Refresh Token to confirm. The newly generated SCIM token displays.
Select the token to copy it to your clipboard. Generating the new token revokes the previous one; this cannot be undone.
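The two behaviours this article relies on, the IdP pushing account changes to the Service Provider over SCIM (see "What is SCIM?") and a token refresh invalidating the previous token immediately, shown as an added example that is not part of this article or of the Arcules product. It is a toy in-memory service provider plus the IdP-side calls an Entra-style client makes against it: look a user up by filter, create it if absent, deactivate it with a PATCH, and watch the old bearer token be rejected after rotation. Resource paths and JSON follow RFC 7643/7644; `ScimService`, `provision_user`, `deactivate_user`, the `example.invalid` tenant URL and the user data are constructed for this example, and the way the `?aadOptscim062020` flag is split off the tenant URL is an assumption about how the configured URL is composed, not documented Entra ID behaviour.

```python
import hmac
import re
import secrets
import uuid
from urllib.parse import parse_qs, urlsplit, urlunsplit

SCHEMA_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCHEMA_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
SCHEMA_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCHEMA_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"


class ScimService:
    """Hypothetical service provider: one bearer token per organization, users in a dict, no network."""

    def __init__(self):
        self.token = secrets.token_urlsafe(32)
        self.users = {}  # SCIM id -> user resource

    def rotate_token(self):
        # Refresh: the previous token stops working at once, so the IdP must be
        # reconfigured with the new value before its next provisioning cycle.
        self.token = secrets.token_urlsafe(32)
        return self.token

    def _authorized(self, headers):
        scheme, _, presented = headers.get("Authorization", "").partition(" ")
        # Constant-time comparison: the token is a credential, do not leak it via timing.
        return scheme == "Bearer" and hmac.compare_digest(presented.encode(), self.token.encode())

    def handle(self, method, url, headers, body=None):
        """Serve one request and return (status, json_body)."""
        if not self._authorized(headers):
            return 401, {"schemas": [SCHEMA_ERROR], "status": "401", "detail": "invalid token"}
        parts = urlsplit(url)
        segs = parts.path.rstrip("/").split("/")
        if method == "GET" and segs[-1] == "Users":
            # The IdP asks "does this user exist yet?" with filter=userName eq "..."
            flt = parse_qs(parts.query).get("filter", [""])[0]
            m = re.fullmatch(r'(\w+) eq "([^"]*)"', flt)
            hits = [u for u in self.users.values() if m and u.get(m[1]) == m[2]]
            return 200, {"schemas": [SCHEMA_LIST], "totalResults": len(hits), "Resources": hits}
        if method == "POST" and segs[-1] == "Users":
            user = dict(body, id=str(uuid.uuid4()))
            self.users[user["id"]] = user
            return 201, user
        if method == "PATCH" and len(segs) >= 2 and segs[-2] == "Users" and segs[-1] in self.users:
            user = self.users[segs[-1]]
            for op in body.get("Operations", []):
                if op["op"].lower() == "replace":
                    user[op["path"]] = op["value"]
            return 200, user
        return 404, {"schemas": [SCHEMA_ERROR], "status": "404"}


def bearer(token):
    return {"Authorization": f"Bearer {token}", "Content-Type": "application/scim+json"}


def scim_url(tenant_url, path, query=""):
    """Resource URL under the tenant URL. The ?aadOptscim062020 flag is treated as a marker
    for Entra ID and dropped from resource paths (assumption for this example)."""
    base = urlsplit(tenant_url)
    return urlunsplit((base.scheme, base.netloc, base.path.rstrip("/") + path, query, ""))


def provision_user(service, tenant_url, token, scim_user):
    """IdP side: look the user up by userName and create it only when absent (idempotent)."""
    query = f'filter=userName eq "{scim_user["userName"]}"'
    status, listing = service.handle("GET", scim_url(tenant_url, "/Users", query), bearer(token))
    if status == 401:
        raise PermissionError("SCIM token rejected: reconfigure the IdP with the current token")
    if listing["totalResults"]:
        return listing["Resources"][0]["id"]
    _, created = service.handle("POST", scim_url(tenant_url, "/Users"), bearer(token), scim_user)
    return created["id"]


def deactivate_user(service, tenant_url, token, user_id):
    """Soft delete: the IdP PATCHes active=false rather than sending DELETE."""
    patch = {"schemas": [SCHEMA_PATCH],
             "Operations": [{"op": "Replace", "path": "active", "value": False}]}
    status, user = service.handle("PATCH", scim_url(tenant_url, f"/Users/{user_id}"), bearer(token), patch)
    return status == 200 and user["active"] is False


def demo():
    """Full cycle on constructed data: create, repeat (no duplicate), deactivate, rotate token."""
    svc = ScimService()
    tenant_url = "https://scim.example.invalid/scim/v2?aadOptscim062020"  # constructed, not a real tenant
    alice = {"schemas": [SCHEMA_USER], "userName": "alice@example.invalid", "externalId": "alice",
             "active": True, "name": {"givenName": "Alice", "familyName": "Doe", "formatted": "Alice Doe"}}
    old_token = svc.token
    first = provision_user(svc, tenant_url, old_token, alice)
    second = provision_user(svc, tenant_url, old_token, alice)
    deactivated = deactivate_user(svc, tenant_url, old_token, first)
    new_token = svc.rotate_token()
    old_status = svc.handle("GET", scim_url(tenant_url, "/Users"), bearer(old_token))[0]
    new_status = svc.handle("GET", scim_url(tenant_url, "/Users"), bearer(new_token))[0]
    return {"same_id": first == second, "user_count": len(svc.users), "deactivated": deactivated,
            "old_token_status": old_status, "new_token_status": new_status}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the second provisioning call finding the existing user instead of creating a duplicate, the deactivation landing as `active: false`, and every request made with the pre-rotation token answered with 401. That 401 is exactly what an IdP still configured with the old token would see after you click Refresh Token, which is why the article tells you to update Entra ID straight away.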
Email Notifications for Token Expiration
SCIM tokens are valid for one year. When your token is due to expire in 90 days or less, email notifications are sent to the users holding the IT Manager role until the token is rotated. Rotating the token before it expires keeps automatic provisioning of users and groups running without interruption.
Reminders are sent when 60, 30, 15 and 7 days remain, then daily until the token expires or is rotated.
SCIM configuration in Microsoft Entra ID
Create the Service Provider Application
From the Microsoft Entra admin center, on the left menu, open the Identity > Applications menu, then click on the sub menu called Enterprise Applications:
Click on the + New Application button:
Click on the + Create your own application button:
Enter a name for your application in the What's the name of your app? field and select the third option, Integrate any other application you don't find in the gallery (Non-gallery):
Finally, click on the Create button located at the bottom of the page:
Once the application has been created successfully you should see the following screen:
Tenant URL & Secret Token Configuration
From the Microsoft Entra admin center, on the left menu, open the Identity > Applications menu, then click on the sub menu called Enterprise Applications, and select the recently created application:
When entering the application information, you will see the Overview section:
Under Provision User Accounts, click Get started:
The provisioning Overview page opens. Click the Get started button:
On the Provisioning Mode, select Automatic:
Under the Admin Credentials section set the information like this:
For the Tenant URL input field: add the URL obtained in the Arcules Web Portal SCIM configuration section.
For the Secret Token input field: add the token obtained in the Arcules Web Portal SCIM configuration section.
Note: The Tenant URL ends with the flag aadOptscim062020, appended as a query parameter (?aadOptscim062020). This flag is currently mandatory: it switches Entra ID to its SCIM-compliant behaviour, and without it some features (such as soft deletion) do not work properly. More information about this can be found here.
Click the Test Connection button. You should see a confirmation that the SCIM connection is successful.
Click the Save button.
Groups Mapping Attributes
From the Microsoft Entra admin center, on the left menu, open the Identity > Applications menu, then click on the sub menu called Enterprise Applications, and select the recently created application. You will see the Overview screen, then select the Provisioning option:
In the Provisioning screen, select the option Edit attribute mappings:
Select the Mappings option:
In the Mappings section select Provision Microsoft Entra ID Groups:
Configure the customappsso (Arcules) attribute column so that it matches the table below; Entra ID's default suggestions do not cover these mappings, so add them as custom mappings:
Note 1: Attribute mappings define how attributes are synchronized between Microsoft Entra ID and customappsso.
Note 2: customappsso refers to the Arcules application in Entra ID.
| customappsso (Arcules) Attribute | Microsoft Entra ID Attribute |
|---|---|
| displayName | displayName |
| externalId | objectId |
| members | members |
After finishing configuring the group mappings, click on the Save button.
Users Mapping Attributes
Go back to the Provisioning section, and select the Provision Microsoft Entra ID Users option:
Configure your mappings to match the table below.
| customappsso (Arcules) Attribute | Microsoft Entra ID Attribute |
|---|---|
| userName | userPrincipalName |
| active | Switch([IsSoftDeleted], , "False", "true", "True", "false") |
| preferredLanguage | preferredLanguage |
| name.givenName | givenName |
| name.familyName | surname |
| name.formatted | Join(" ", [givenName], [surname]) |
| externalId | mailNickname |
Note 1: In the current version, userName is treated as the user's email address: Arcules uses it as the email field when creating the user. Because userName is mapped from userPrincipalName, make sure the UPNs of the users in scope are valid email addresses.
Note 2: The Switch attribute is added as an Expression mapping type. For more information about expressions, see Reference for writing expressions for attribute mappings in Microsoft Entra ID.
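The two mapping tables above expressed as code, so the SCIM payload Entra ID will send can be inspected before the first sync. This is an added example, not Arcules or Microsoft code: `switch` and `join` re-implement the semantics of the Entra expressions the tables use, `map_user` and `map_group` apply the tables, and the sample Entra ID objects are constructed. The `is_email_like` check enforces Note 1 (userName is used as the email) and is an added guard, not an Arcules rule; the decision to skip empty parts in `join` is an assumption about the edge case, so check it against Microsoft's expression reference if it matters for your directory.

```python
SCHEMA_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCHEMA_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"


def switch(value, default, *pairs):
    """Entra expression Switch([source], default, key1, out1, key2, out2, ...):
    the output paired with the first matching key, otherwise the default."""
    if len(pairs) % 2:
        raise ValueError("Switch needs key/output pairs")
    return dict(zip(pairs[0::2], pairs[1::2])).get(value, default)


def join(separator, *parts):
    """Entra expression Join(separator, source1, source2, ...). Empty or missing parts are
    skipped here so a user without a surname gets "Bob" rather than "Bob " (assumption)."""
    return separator.join(p for p in parts if p)


def is_email_like(value):
    """Added guard for Note 1: userName becomes the email, so the UPN must look like one."""
    local, sep, domain = (value or "").partition("@")
    return bool(local) and sep == "@" and "." in domain


def map_user(entra_user):
    """SCIM User as the users mapping table produces it from an Entra ID user object."""
    upn = entra_user["userPrincipalName"]
    if not is_email_like(upn):
        raise ValueError(f"userPrincipalName is not an email address: {upn!r}")
    # active <- Switch([IsSoftDeleted], , "False", "true", "True", "false")
    # IsSoftDeleted is exposed as the string "True"/"False"; the empty default means
    # "send nothing" when the value is anything else.
    active = switch(entra_user.get("IsSoftDeleted"), "", "False", "true", "True", "false")
    given, sur = entra_user.get("givenName"), entra_user.get("surname")
    name = {"givenName": given, "familyName": sur, "formatted": join(" ", given, sur)}
    user = {
        "schemas": [SCHEMA_USER],
        "userName": upn,                              # userName <- userPrincipalName
        "externalId": entra_user["mailNickname"],     # externalId <- mailNickname
        "preferredLanguage": entra_user.get("preferredLanguage"),
        "name": {k: v for k, v in name.items() if v},
    }
    if active:
        user["active"] = active == "true"             # SCIM active is a boolean
    return {k: v for k, v in user.items() if v is not None}


def map_group(entra_group, scim_ids):
    """SCIM Group per the groups mapping table. Each member is referenced by the SCIM id
    the SP returned when that user was provisioned, so the IdP keeps an objectId -> SCIM id
    map (passed in here); members not yet provisioned are left out of this payload."""
    members = [{"value": scim_ids[oid]} for oid in entra_group.get("members", []) if oid in scim_ids]
    return {"schemas": [SCHEMA_GROUP],
            "displayName": entra_group["displayName"],   # displayName <- displayName
            "externalId": entra_group["objectId"],       # externalId <- objectId
            "members": members}                          # members <- members


# Constructed sample Entra ID objects (not real tenant data).
ALICE = {"userPrincipalName": "alice@example.invalid", "mailNickname": "alice", "givenName": "Alice",
         "surname": "Doe", "preferredLanguage": "en-US", "IsSoftDeleted": "False", "objectId": "aaaa-1"}
BOB = {"userPrincipalName": "bob@example.invalid", "mailNickname": "bob", "givenName": "Bob",
       "surname": None, "IsSoftDeleted": "True", "objectId": "bbbb-2"}
OPERATORS = {"displayName": "Site Operators", "objectId": "gggg-3", "members": ["aaaa-1", "bbbb-2", "cccc-4"]}

if __name__ == "__main__":
    import json
    print(json.dumps(map_user(ALICE), indent=2))
    print(json.dumps(map_user(BOB), indent=2))
    print(json.dumps(map_group(OPERATORS, {"aaaa-1": "scim-a", "bbbb-2": "scim-b"}), indent=2))
```

Bob illustrates the two edge cases the table hides: a soft-deleted user arrives with `active: false` rather than being deleted, and a missing surname yields `formatted: "Bob"` with no `familyName` attribute. A UPN that is not an email address is rejected up front instead of producing a user the Arcules side cannot email.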
User Provisioning Example
The following diagram shows an example of the steps each persona (IT Admin, End User) performs, and illustrates the general workflow of a SCIM integration with the Arcules Web Platform.
Note: When a group created in Entra ID is provisioned to the Arcules Web Portal, it is created without any permissions. A user with the appropriate rights (e.g., an IT Admin) must sign in to the Arcules Web Portal and assign the desired permissions to the new group; membership of a synchronized group grants nothing until that is done. For more information about permissions in the Arcules Web Portal, see How to manage users, groups & permissions.