This topic describes how to synchronize users or groups in Azure Active Directory (Azure AD) to CloudSSO by using System for Cross-domain Identity Management (SCIM). Azure AD is shortened to AAD.

Background information

All configuration operations in AAD must be performed by an administrator who is assigned global administrative rights. For more information about how to create a user and assign global administrative rights to the user in AAD, see the AAD documentation.

Step 1: Create SCIM credentials in the CloudSSO console

  1. Log on to the CloudSSO console.
  2. In the left-side navigation pane, click Settings.
  3. In the User Synchronization Configuration section of the Settings page, click Generate SCIM Credential.
  4. In the SCIM Credential Generated dialog box, copy the generated SCIM credential and click Close.
  5. Optional: In the User Synchronization Configuration section of the Settings page, click Generate New SCIM Credential to create a second SCIM credential.

Step 2: Enable SCIM synchronization in the CloudSSO console

  1. Log on to the CloudSSO console.
  2. In the left-side navigation pane, click Settings.
  3. In the User Synchronization Configuration section of the Settings page, turn on SCIM Synchronization Disabled. After you turn on the switch, SCIM synchronization is enabled.

Step 3: Create an application in AAD

  1. Log on to the Azure portal as an administrator.
  2. In the upper-left corner of the AAD homepage, click the SSO_AAD_icon icon.
  3. In the left-side navigation pane, choose Azure Active Directory > Enterprise applications > All applications.
  4. On the page that appears, click New application.
  5. On the Browse Azure AD Gallery page, click Create your own application.
  6. In the Create your own application panel, enter a name for your application. In this example, enter CloudSSODemo. Then, select Integrate any other application you don't find in the gallery (Non-gallery) and click Create.

Step 4: Assign users or groups to the application in AAD

  1. In the upper-left corner of the AAD homepage, click the SSO_AAD_icon icon.
  2. In the left-side navigation pane, choose Azure Active Directory > Enterprise applications > All applications.
  3. In the application list of the page that appears, click CloudSSODemo in the Name column.
  4. In the left-side navigation pane, click Users and groups.
  5. On the page that appears, click Add user/group.
  6. Select users or groups.
  7. Click Assign.

Step 5: Configure SCIM synchronization in AAD

  1. In the left-side navigation pane of the CloudSSODemo page, click Provisioning.
  2. On the Provisioning page, click Get started.
  3. On the page that appears, select Automatic for Provisioning Mode.
  4. In the Admin Credentials section, configure the parameters.
    1. Enter the SCIM endpoint for Tenant URL.
      To obtain the URL, go to the Settings page of the CloudSSO console and copy the value of SCIM Endpoint.
    2. Enter a SCIM credential for Secret Token.
      To obtain the credential, perform the operations in Step 1: Create SCIM credentials in the CloudSSO console.
    3. Click Test Connection to test connectivity from AAD to the SCIM endpoint with the credential you entered.
      After the test succeeds, click Save and go to the next step.
  5. In the Mappings section, configure attribute mappings.
    • Click Provision Azure Active Directory Users to configure attribute mappings for users.
      1. On the page that appears, find externalId in the customappsso Attribute column and click the value in the Azure Active Directory Attribute column. In the panel that appears, change the value of Source attribute to objectId.
      2. Retain only the attribute mappings shown in the following figure and delete all other attribute mappings.
         [Figure: Attribute mappings for users]
    • Click Provision Azure Active Directory Groups to configure attribute mappings for groups. Retain only the attribute mappings shown in the following figure and delete all other attribute mappings.
      [Figure: Attribute mappings for groups]
    Note CloudSSO restricts the characters that are allowed in the names of users and user groups. If the name of an AAD user or user group contains characters that CloudSSO does not support, the mapping for that user or group fails. To handle the failure, click displayName in the Azure Active Directory Attribute column. On the page that appears, set the Mapping type parameter to Expression and enter an expression for Expression. The expression removes the unsupported characters or replaces them with supported characters before the value is sent to CloudSSO. For more information, see the AAD documentation.
  6. In the Settings section, select Sync only assigned users and groups for Scope.
  7. In the Provisioning Status section, turn on the switch.
  8. Click Save.
  9. Go to the Provisioning page, refresh the page, and then view the synchronization results.
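The following Python snippet is an added illustration of what the Step 5 mappings produce, not code from the page or from CloudSSO or Azure: it builds the SCIM User object that AAD provisioning would send for one AAD user, with objectId mapped to externalId, and applies the same kind of character stripping that the displayName Expression mapping in the note performs. The allowed character set and the 64-character limit are assumptions for the example; the AAD user record is constructed.

```python
import re

# ASSUMED name rule for this example: letters, digits, '.', '_', '-', '@',
# 1 to 64 characters. Confirm the authoritative rule in the CloudSSO console.
ALLOWED_NAME = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")
UNSUPPORTED = re.compile(r"[^A-Za-z0-9._@-]")

# User attribute mappings retained in Step 5 (AAD attribute -> SCIM attribute).
# externalId comes from objectId, as the procedure requires, not from the default.
USER_MAPPINGS = {
    "objectId": "externalId",
    "userPrincipalName": "userName",
    "displayName": "displayName",
}


def sanitize_display_name(name: str) -> str:
    """Drop unsupported characters, as an Expression mapping on displayName would.

    Hypothetical AAD expression with the same effect (assumed character set):
        Replace([displayName], , "[^A-Za-z0-9._@-]", , "", , )
    """
    cleaned = UNSUPPORTED.sub("", name)[:64]
    if not cleaned:
        # Nothing usable is left; provisioning this user would still fail.
        raise ValueError(f"displayName {name!r} has no supported characters")
    return cleaned


def aad_user_to_scim(aad_user: dict) -> dict:
    """Build the SCIM User payload that AAD provisioning would POST to CloudSSO."""
    scim = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"]}
    for src, dst in USER_MAPPINGS.items():
        if src not in aad_user:
            raise KeyError(f"AAD user lacks required attribute {src}")
        scim[dst] = aad_user[src]
    scim["displayName"] = sanitize_display_name(scim["displayName"])
    # userName is passed through unchanged, so reject it instead of altering it.
    if not ALLOWED_NAME.match(scim["userName"]):
        raise ValueError(f"userName {scim['userName']!r} violates the name rule")
    return scim


if __name__ == "__main__":
    # Constructed sample AAD user with a display name containing unsupported characters.
    sample = {"objectId": "0000-objectid-sample", "userPrincipalName": "alice@example.com",
              "displayName": "Alice (Ops) 张"}
    print(aad_user_to_scim(sample))
```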

Verify the synchronization results

  1. Log on to the CloudSSO console.
  2. Go to the User or Group page to view the synchronized users or groups.

    The Source of the synchronized users or groups is automatically displayed as SCIM Synchronization.

    For more information, see View user information and View the information about a group.