Overview
This article explains how to configure Azure AD SCIM provisioning for your on-premises VIDIZMO application. The steps below enable the SCIM endpoint in VIDIZMO so that user accounts can be provisioned from Azure AD over the SCIM 2.0 protocol.
System for Cross-Domain Identity Management (SCIM) is an open standard protocol that automates the exchange of user and group information between identity providers and enterprise applications. With SCIM, users added to the identity management system have their accounts created automatically in VIDIZMO.
Before you begin
- Make sure you are logged in to VIDIZMO with a Manager+ role, which is required to configure the Azure AD SCIM Provisioning app.
- Before provisioning users and groups from Azure AD over SCIM, make sure you have an Azure Active Directory account so that you can log in to the Azure portal.
- Make sure you have the administrative rights in Azure Active Directory needed to set up Enterprise applications.
Prerequisites
- An Azure AD tenant with Azure AD Premium P1 or Premium P2 (or EMS E3 or E5). Using this feature requires Azure AD Premium P1 licenses.
- Administrator role for installing the agent. This task is a one-time effort and requires an Azure account that's either a hybrid administrator or a global administrator.
- Administrator role for configuring the application in the cloud (application administrator, cloud application administrator, global administrator, or a custom role with permissions).
- A computer with at least 3 GB of RAM to host the provisioning agent. The computer should run Windows Server 2016 or a later version of Windows Server, with connectivity to the target application and outbound connectivity to login.microsoftonline.com, other Microsoft Online Services and Azure domains. An example is a Windows Server 2016 virtual machine hosted in Azure IaaS or behind a proxy.
Configuration Steps
This section explains the step-by-step process to configure your VIDIZMO application and Azure Active Directory for successful SCIM integration.
VIDIZMO configuration
In this scenario, VIDIZMO exposes the SCIM endpoint URL that services user provisioning requests from Azure AD. Below are the steps to configure SCIM in the VIDIZMO application.
1. Log in to the VIDIZMO portal and, from the Portal's Homepage:
i. Click on the Navigation menu in the left corner of the page.
2. From the Portal Settings page:
i. Click on the Apps option to expand it.
ii. Navigate to the Provisioning tab and click to open it.
iii. Navigate to the Configuration icon of SCIM Azure AD and click to open it.
3. To enable the SCIM app, first perform the following actions:
i. Select a default role (Note: The default role is the role assigned to users by default when they are provisioned from Azure AD).
ii. Click on Add New to generate an API key against your domain for authorization purposes.
4. Provide the expiry date and click Add to generate an API key (Note: Azure AD will no longer be able to provision or de-provision users once the expiry date has passed).
5. Copy the generated API token to the clipboard and save the changes using the Save Changes button (Note: This API key is used when configuring the API integration in the Azure portal).
6. This BASE URI (Tenant URL) is used when configuring the connection to the On-premises SCIM app API in the Azure portal to synchronize user data.
7. If you want to set rules for automatic role assignment for users belonging to specific groups, refer to the article How to Configure Rules for Automatic Role Assignment using SCIM.
8. Enable the app by clicking on the toggle button.
Note: A notification will appear stating "Portal Information Updated Successfully".
Deploy Azure AD provisioning agent
The Azure AD provisioning agent can be deployed on the same server that hosts the VIDIZMO application, or on a separate server, provided it has network line of sight to VIDIZMO's SCIM endpoint URL. In this example, the agent is deployed on the same server that hosts the VIDIZMO application.
- Download the provisioning agent installer and copy it on the virtual machine or server that your VIDIZMO application is hosted on.
- Run the provisioning agent installer, agree to the terms of service, and select Install.
- Once installed, locate and launch the AAD Connect Provisioning Agent wizard, and when prompted for extensions select On-premises provisioning.
- For the agent to register itself with your tenant, provide the credentials of an Azure AD account with administrator permissions.
- When prompted for SSL certificate configuration, select the existing certificate that’s configured on the web server (with your VIDIZMO application).
- Select Confirm to confirm the installation was successful.
Azure AD configuration
Once the agent is installed, no further configuration is necessary on-prem; all provisioning configuration is managed from the Azure portal.
Follow the steps below in the Azure portal to build the connection to the VIDIZMO portal and implement automatic user provisioning.
Note: To set up provisioning over SCIM, you must first add the "On-premises SCIM app" from the gallery in your Azure portal.
Note: Make sure you are in the right tenant. Learn more about creating and accessing a tenant at QuickStart - Access & create new tenant - Azure AD | Microsoft Docs.
1. Log in to your Azure portal and navigate to Azure Active Directory from the navigation menu in the left pane.
2. In Azure Active Directory, navigate to Enterprise applications.
3. Under Enterprise applications, click New Application to add a new application.
4. Under "Browse Azure AD Gallery", search for On-premises SCIM app. Click on the "On-premises SCIM app" and add it.
5. Once the app is added, click on it in the list under your AAD Enterprise Applications.
6. From the left-hand menu, navigate to the Provisioning option.
7. Select Get started, then select Automatic from the dropdown list and expand the On-Premises Connectivity option.
8. Select the agent that you installed from the dropdown list and select Assign Agent(s).
9. Either wait 10 minutes or restart the Microsoft Azure AD Connect Provisioning Agent before proceeding to the next step and testing the connection.
10. In the Tenant URL field, provide the SCIM endpoint URL of your VIDIZMO application. For example, your Tenant URL should look like 'https://<YOUR VIDIZMO PORTAL URL>/api/v1/SCIM/SCIMAzureAD'.
11. In the Secret Token field, provide the secret token that you generated in the VIDIZMO app (step 5 under the previous section "VIDIZMO configuration").
12. Select "Test Connection" to test the connection to your VIDIZMO app. Note that your VIDIZMO application's SCIM endpoint must be actively listening for inbound provisioning requests for the connection to succeed; otherwise the test will fail. Use the steps here if you run into connection issues.
13. Configure any attribute mappings or scoping rules required for your on-premises SCIM application.
14. Add users to scope by assigning users and groups to the on-premises SCIM application.
15. Test provisioning a few users on demand.
16. Add more users into scope by assigning them to your on-premises SCIM application.
17. Go to the Provisioning pane and select Start provisioning.
The following sections describe how to manage provisioning of users and groups from Azure Active Directory to the VIDIZMO portal.
Add Users and Groups
To add users/groups to the VIDIZMO portal, follow the steps below.
1. In the On-premises SCIM app in Azure AD (under Enterprise Applications):
a. Click on the Users and groups tab.
b. Navigate to Add users/groups to select users from the Active Directory.
2. Navigate to your VIDIZMO application; under "Users and Groups" you will find the newly provisioned users. See the screenshot below.
De-provisioning
To de-provision users and groups, unassign the users/groups from the On-premises SCIM app as shown below:
Note: In VIDIZMO, removing the user from Azure AD sets the user's "IsActive" property to false in the VIDIZMO database. To learn more about how de-provisioning works in Azure AD, read HERE.
Remove Users and Groups
1. From the Users and groups tab in the On-premises SCIM app in the Azure portal:
a. Select the users and groups that you wish to remove.
b. Click on Remove to unassign the selected users from the application.
2. Wait for the provisioning interval to complete and then check your VIDIZMO portal > Users and Groups.
3. Additionally, you can check the provisioning logs to review provisioning activity status.
Limitations
- Users cannot be permanently deleted from VIDIZMO; they are deactivated instead. A deactivated user can be reactivated. When a user is deactivated via SCIM, VIDIZMO immediately disables their membership in their account, so their access is revoked immediately. The user is treated as an anonymous user in the VIDIZMO portal.
- Provisioned users cannot change their user profile information because they are treated as Federated Users in the VIDIZMO portal.
- Provisioning and de-provisioning can be enabled only on portals created under the subdomain policy. Learn more about domain options in VIDIZMO from Understanding Domain Options for a Portal.
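The de-provisioning note and the limitations above describe what the SCIM endpoint does with each Azure AD call: create with the default role, mark the account federated, and deactivate rather than delete. The following in-memory model is an added illustration of those semantics and is not VIDIZMO's implementation; the class and field names are assumptions, and accepting `active` as either a boolean or a string is a defensive choice rather than anything the article states.

```python
# Added example (not VIDIZMO code): a minimal in-memory model of how a SCIM 2.0
# endpoint turns Azure AD provisioning calls into the behaviour the article describes.
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

class ScimUserStore:
    def __init__(self, default_role):
        self.default_role = default_role      # role chosen in the SCIM app settings
        self.users = {}                       # scim id -> user record (hypothetical shape)

    def create_user(self, payload):
        """POST /Users: new account gets the default role and is marked federated."""
        if USER_SCHEMA not in payload.get("schemas", []):
            raise ValueError("not a SCIM User resource")
        uid = str(len(self.users) + 1)
        self.users[uid] = {"id": uid, "userName": payload["userName"],
                           "role": self.default_role, "federated": True,
                           "IsActive": payload.get("active", True)}
        return self.users[uid]

    def patch_user(self, uid, patch):
        """PATCH /Users/{id}: an unassign arrives as Replace active=false."""
        if PATCH_OP not in patch.get("schemas", []):
            raise ValueError("not a SCIM PatchOp")
        user = self.users[uid]
        for op in patch["Operations"]:
            if op.get("path") != "active":
                continue
            value = op["value"]
            # Assumption: tolerate "False"/"True" strings as well as JSON booleans.
            user["IsActive"] = value if isinstance(value, bool) else str(value).lower() == "true"
        return user

    def delete_user(self, uid):
        """DELETE /Users/{id}: soft-delete only, matching the stated limitation."""
        self.users[uid]["IsActive"] = False
        return self.users[uid]

    def effective_role(self, uid):
        """A deactivated user is treated as anonymous, so membership grants nothing."""
        user = self.users[uid]
        return user["role"] if user["IsActive"] else "Anonymous"

    def update_profile(self, uid, field, value):
        """Portal-side profile edits are refused for federated (provisioned) users."""
        if self.users[uid]["federated"]:
            raise PermissionError("profile is managed by Azure AD")
        self.users[uid][field] = value
```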