This topic describes how to synchronize users or groups in Azure Active Directory (Azure AD) to CloudSSO by using System for Cross-domain Identity Management (SCIM). Azure AD is shortened to AAD.

Background information

All configuration operations in AAD must be performed by an administrator that is assigned global administrative rights. For more information about how to create a user and assign the global administrative rights to the user in AAD, see AAD documentation.

Step 1: Create SCIM credentials in the CloudSSO console

  1. Log on to the CloudSSO console.
  2. In the left-side navigation pane, click Settings.
  3. In the User Synchronization Configuration section of the Settings page, click Generate SCIM Credential.
  4. In the SCIM Credential Generated dialog box, copy the generated SCIM credential and click Close.
  5. Optional: In the User Synchronization Configuration section of the Settings page, click Generate New SCIM Credential to create a second SCIM credential.

Step 2: Enable SCIM synchronization in the CloudSSO console

  1. Log on to the CloudSSO console.
  2. In the left-side navigation pane, click Settings.
  3. In the User Synchronization Configuration section of the Settings page, turn on the SCIM Synchronization Disabled switch. After you turn on the switch, SCIM synchronization is enabled.

Step 3: Create an application in AAD

  1. Log on to the Azure portal as an administrator.
  2. In the upper-left corner of the AAD homepage, click the SSO_AAD_icon icon.
  3. In the left-side navigation pane, choose Azure Active Directory > Enterprise applications > All applications.
  4. On the page that appears, click New application.
  5. On the Browse Azure AD Gallery page, click Create your own application.
  6. In the Create your own application panel, enter a name for your application. In this example, enter CloudSSODemo. Then, select Integrate any other application you don't find in the gallery (Non-gallery) and click Create.

Step 4: Assign users or groups to the application in AAD

  1. In the upper-left corner of the AAD homepage, click the SSO_AAD_icon icon.
  2. In the left-side navigation pane, choose Azure Active Directory > Enterprise applications > All applications.
  3. In the application list of the page that appears, click CloudSSODemo in the Name column.
  4. In the left-side navigation pane, click Users and groups.
  5. In the upper-left corner of the page that appears, click Add user/group.
  6. Select users or groups.
  7. Click Assign.

Step 5: Configure SCIM synchronization in AAD

  1. In the left-side navigation pane of the CloudSSODemo page, click Provisioning.
  2. On the Provisioning page, click Get started.
  3. On the page that appears, select Automatic for Provisioning Mode.
  4. In the Admin Credentials section, configure the parameters.
    1. Configure Tenant URL. To obtain the URL, go to the Settings page of the CloudSSO console and view the value of SCIM Endpoint.
    2. Configure Secret Token. To obtain the token, go to the Settings page of the CloudSSO console. For more information, see Manage SCIM credentials.
    3. Click Test Connection.
      After the test succeeds, click Save and go to the next step.
  5. In the Mappings section, configure attribute mappings.
    • Click Provision Azure Active Directory Users to configure attribute mappings for users.
      1. On the page that appears, find externalId in the customappsso Attribute column of the Attribute Mappings section. Then, change the value of Source attribute to objectId.
      2. Retain only the attribute mappings shown in the following figure and delete all other attribute mappings.
         (Figure: Attribute mappings for users)
    • Click Provision Azure Active Directory Groups to configure attribute mappings for groups. Retain only the attribute mappings shown in the following figure and delete all other attribute mappings.
      (Figure: Attribute mappings for groups)
  6. In the Settings section, select Sync only assigned users and groups for Scope.
  7. In the Provisioning Status section, turn on the switch.
  8. Click Save.
  9. Go to the Provisioning page, refresh the page, and then view the synchronization results.
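The Test Connection button in Step 5 issues an authenticated SCIM 2.0 request (RFC 7644) against the Tenant URL with the Secret Token as a bearer token. The following Python script is an added example, not CloudSSO or Azure AD code, that performs the same check from the command line so that you can confirm the endpoint and credential before turning on provisioning, and that tells a rejected token (HTTP 401) apart from an unreachable or non-SCIM endpoint. The environment variable names SCIM_TENANT_URL and SCIM_SECRET_TOKEN are placeholders chosen for this example; take the real values from SCIM Endpoint and the SCIM credential on the CloudSSO Settings page. The embedded ListResponse is a constructed sample used only to show how the response is parsed.

```python
"""
Pre-flight check for a SCIM 2.0 endpoint before enabling provisioning in AAD.
Added example for this page; it is not CloudSSO or Azure AD code. The tenant
URL and secret token are placeholders: use the SCIM Endpoint and SCIM
credential shown on the CloudSSO Settings page.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

LIST_RESPONSE_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def build_scim_request(tenant_url, secret_token, path="/Users", params=None):
    """Return (url, headers) for a SCIM GET: bearer token plus the SCIM media
    type, which is what the AAD provisioning service sends on Test Connection."""
    url = tenant_url.rstrip("/") + path
    if params:
        url += "?" + urllib.parse.urlencode(params)
    headers = {
        "Authorization": "Bearer " + secret_token,
        "Accept": "application/scim+json",
    }
    return url, headers


def parse_list_response(body):
    """Validate a SCIM ListResponse and return (totalResults, [(userName, externalId), ...]).
    Raises ValueError when the body is not a ListResponse, e.g. when the Tenant
    URL points at a login page instead of the SCIM endpoint."""
    doc = json.loads(body) if isinstance(body, (str, bytes)) else body
    if LIST_RESPONSE_SCHEMA not in doc.get("schemas", []):
        raise ValueError("not a SCIM ListResponse: schemas=%r" % doc.get("schemas"))
    users = [(u.get("userName"), u.get("externalId")) for u in doc.get("Resources", [])]
    return doc.get("totalResults", len(users)), users


def check_connection(tenant_url, secret_token, timeout=10):
    """Equivalent of the Test Connection button: GET /Users?count=1 and classify
    the outcome as 'ok', 'unauthorized', 'http-<status>', 'unreachable' or 'bad-body'."""
    url, headers = build_scim_request(tenant_url, secret_token, "/Users", {"count": 1})
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            parse_list_response(resp.read().decode("utf-8"))
            return "ok"
    except urllib.error.HTTPError as e:
        # 401: endpoint reachable, secret token rejected. Regenerate the SCIM
        # credential in the CloudSSO console and paste the new value into AAD.
        return "unauthorized" if e.code == 401 else "http-%d" % e.code
    except urllib.error.URLError:
        return "unreachable"
    except ValueError:
        return "bad-body"


# Constructed sample of a SCIM server's reply to GET /Users?count=1 (not real data).
SAMPLE_LIST_RESPONSE = json.dumps({
    "schemas": [LIST_RESPONSE_SCHEMA],
    "totalResults": 1,
    "startIndex": 1,
    "itemsPerPage": 1,
    "Resources": [{
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "id": "u-0001",
        "userName": "alice@example.com",
        # externalId carries the AAD objectId, per the mapping configured in Step 5
        "externalId": "00000000-0000-0000-0000-000000000001",
    }],
})

if __name__ == "__main__":
    total, users = parse_list_response(SAMPLE_LIST_RESPONSE)
    print("sample parse:", total, users)
    tenant_url = os.environ.get("SCIM_TENANT_URL")      # placeholder variable name
    secret_token = os.environ.get("SCIM_SECRET_TOKEN")  # placeholder variable name
    if tenant_url and secret_token:
        print("live check:", check_connection(tenant_url, secret_token))
```

Run it with the two environment variables set; an "ok" result means the same request AAD will make is accepted, while "unauthorized" points at the credential (Step 1) and "unreachable" or "bad-body" at the Tenant URL (Step 5). Because the secret token grants write access to CloudSSO users and groups, keep it out of shell history and pass it only through the environment.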

Verify the synchronization results

  1. Log on to the CloudSSO console.
  2. Go to the User or Group page to view the synchronized users or groups.

    Source for the synchronized users or groups is automatically displayed as SCIM Synchronization.

    For more information, see View user information and View the information about a group.