
CloudSSO:Synchronize users or groups in Azure AD by using SCIM

Last Updated: Jan 04, 2024

This topic describes how to synchronize users or groups in Azure Active Directory (Azure AD) to CloudSSO by using System for Cross-domain Identity Management (SCIM).

Background information

All configuration operations in Azure AD must be performed by an administrator that is assigned global administrative rights. For more information about how to create a user and assign the global administrative rights to the user in Azure AD, see Azure AD documentation.

Step 1: Create SCIM credentials in the CloudSSO console

  1. Log on to the CloudSSO console.
  2. In the left-side navigation pane, click Settings.
  3. In the User Synchronization Configuration section of the Settings page, click Generate SCIM Credential.
  4. In the SCIM Credential Generated dialog box, copy the generated SCIM credential and click Close.
  5. Optional: In the User Synchronization Configuration section of the Settings page, click Generate New SCIM Credential to create a second SCIM credential.

Step 2: Enable SCIM synchronization in the CloudSSO console

  1. Log on to the CloudSSO console.

  2. In the left-side navigation pane, click Settings.

  3. In the SCIM-based User Synchronization Configuration section of the Settings page, turn on the switch.

Step 3: Create an application in Azure AD

  1. Log on to the Azure portal as an administrator.

  2. In the upper-left corner of the homepage, click the portal menu icon.

  3. In the left-side navigation pane, choose Azure Active Directory > Enterprise applications > All applications.

  4. On the page that appears, click New application.

  5. On the Browse Azure AD Gallery page, click Create your own application.

  6. In the Create your own application panel, enter a name for your application. In this example, enter CloudSSODemo. Then, select Integrate any other application you don't find in the gallery (Non-gallery) and click Create.

Step 4: Assign users or groups to the application in Azure AD

  1. In the upper-left corner of the Azure AD homepage, click the portal menu icon.

  2. In the left-side navigation pane, choose Azure Active Directory > Enterprise applications > All applications.

  3. In the application list of the page that appears, click CloudSSODemo in the Name column.

  4. In the left-side navigation pane, click Users and groups.

  5. On the page that appears, click Add user/group.

  6. Select users or groups.

  7. Click Assign.

Step 5: Configure SCIM synchronization in Azure AD

  1. In the left-side navigation pane of the CloudSSODemo page, click Provisioning.

  2. On the Provisioning page, click Get started.

  3. On the page that appears, select Automatic for Provisioning Mode.

  4. In the Admin Credentials section, configure the parameters.

    1. Enter the SCIM endpoint for Tenant URL.

      To obtain the endpoint, go to the Settings page of the CloudSSO console and copy the value of SCIM Endpoint.

    2. Enter a SCIM credential for Secret Token.

      To obtain the credential, perform the operations in Step 1: Create SCIM credentials in the CloudSSO console.

    3. Click Test Connectivity.

      After the test succeeds, click Save and go to the next step.

  5. In the Mappings section, configure attribute mappings.

    • Click Provision Azure Active Directory Users to configure attribute mappings for users.

      1. On the page that appears, find externalId in the customappsso Attribute column and click the value in the Azure Active Directory Attribute column. Then, change the value of Source attribute to objectId.

      2. Retain only the attribute mappings shown in the following figure and delete all other attribute mappings. [Figure: user attribute mappings]

    • Click Provision Azure Active Directory Groups to configure attribute mappings for groups. Retain only the attribute mappings shown in the following figure and delete all other attribute mappings. [Figure: group attribute mappings]

    Note

    The names of CloudSSO users and groups restrict the characters that are allowed. If the name of an Azure AD user or group contains characters that are not supported in the names of CloudSSO users or groups, the mapping for that object fails. To handle the failure, click displayName in the Azure Active Directory Attribute column. Then, set Mapping type to Expression and enter an expression for Expression. The expression removes the unsupported characters or replaces them with supported characters. For more information, see the relevant documentation provided by Azure AD.

  6. In the Settings section, select Sync only assigned users and groups for Scope.

  7. In the Provisioning Status section, turn on the switch.

  8. Click Save.

  9. Go to the Provisioning page, refresh the page, and then view the synchronization results.

Verify the synchronization results

  1. Log on to the CloudSSO console.

  2. Go to the User or Group page to view the synchronized users or groups.

    The Source column of the synchronized users or groups automatically shows SCIM Synchronization.

    For more information, see View user information and View the information about a group.
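If the synchronization results show users or groups that failed, the Note in Step 5 names the usual cause: a displayName with characters that the CloudSSO name rule does not accept, fixed by an Expression mapping on displayName. The following script is an added example, not code from the page or from CloudSSO or Microsoft. It runs a pre-flight check over constructed Azure AD user and group objects, emulates the cleaning an Expression mapping would perform, and builds the SCIM 2.0 User and Group documents (RFC 7643 core attributes) that a provisioning connector sends under the Step 5 mapping, with externalId taken from the Azure AD objectId. The allowed-character pattern is an assumption, since the page does not list CloudSSO's actual rule, and the attribute set is the standard core schema rather than the exact set kept in the page's figures.

```python
import re

# ASSUMPTION: the page states that CloudSSO restricts the characters allowed in
# user and group names but does not list them. This pattern is a placeholder
# for the example only; replace it with the rule from the CloudSSO documentation.
UNSUPPORTED_CHARS = re.compile(r"[^A-Za-z0-9 ._-]")

# Constructed Azure AD objects; attribute names follow Azure AD, values are invented.
AZURE_AD_USERS = [
    {"objectId": "00000000-0000-4000-8000-000000000001",
     "userPrincipalName": "alice@example.com", "displayName": "Alice Example",
     "givenName": "Alice", "surname": "Example", "mail": "alice@example.com",
     "accountEnabled": True},
    {"objectId": "00000000-0000-4000-8000-000000000002",
     "userPrincipalName": "bob@example.com", "displayName": "Bob O'Brien (Contractor)",
     "givenName": "Bob", "surname": "O'Brien", "mail": "bob@example.com",
     "accountEnabled": False},
]
AZURE_AD_GROUPS = [
    {"objectId": "00000000-0000-4000-8000-0000000000a1", "displayName": "Cloud Admins"},
    {"objectId": "00000000-0000-4000-8000-0000000000a2", "displayName": "R&D / Platform"},
]


def name_mapping_problems(objects):
    """Return [(objectId, displayName)] for objects whose displayName contains
    characters the (assumed) CloudSSO name rule rejects. Run this over the users
    and groups assigned to the application before turning on provisioning."""
    return [(o["objectId"], o["displayName"])
            for o in objects if UNSUPPORTED_CHARS.search(o["displayName"])]


def sanitize_display_name(name):
    """Emulate an Expression mapping for displayName: drop unsupported characters
    and collapse the whitespace left behind. Raises if nothing usable remains,
    because an empty name would still fail the mapping, only less visibly."""
    cleaned = re.sub(r"\s+", " ", UNSUPPORTED_CHARS.sub("", name)).strip()
    if not cleaned:
        raise ValueError(f"display name {name!r} has no supported characters")
    return cleaned


def to_scim_user(user):
    """Build the SCIM 2.0 User a provisioning connector would send under the
    Step 5 mapping: externalId comes from the Azure AD objectId, so CloudSSO
    can match the same user across runs even if the name changes."""
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "externalId": user["objectId"],
        "userName": user["userPrincipalName"],
        "displayName": sanitize_display_name(user["displayName"]),
        "name": {"givenName": user["givenName"], "familyName": user["surname"]},
        "emails": [{"value": user["mail"], "type": "work", "primary": True}],
        "active": user["accountEnabled"],
    }


def to_scim_group(group):
    """Same idea for a group: externalId = objectId, displayName sanitized."""
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
        "externalId": group["objectId"],
        "displayName": sanitize_display_name(group["displayName"]),
    }


if __name__ == "__main__":
    for oid, name in name_mapping_problems(AZURE_AD_USERS + AZURE_AD_GROUPS):
        print(f"would fail mapping: {oid} {name!r} -> {sanitize_display_name(name)!r}")
```

Running the pre-flight check before turning on Provisioning Status tells you which assigned objects need the Expression mapping, instead of discovering them one at a time in the provisioning log. Note that the check passes `active` through unchanged: a disabled Azure AD account is provisioned as an inactive CloudSSO user rather than skipped, which is the behaviour you want for access revocation.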

References

Configure SSO logon from Azure AD to CloudSSO