Setup SCIM on Azure

Introduction

The System for Cross-domain Identity Management (SCIM) is a standardized way to provision and manage /Users and /Groups entities in a system. It uses a REST API to manage CRUD operations relating to user management entities. SCIM 2.0 has a predefined schema for all user and group attributes (i.e. username, first name, email, etc.). This allows a SCIM-compliant client application to automatically provision users, and to perform CRUD operations to the /Users endpoint.

SCIM can securely automate the exchange and management of user identities between your company's identity provider (i.e. Azure AD) which acts as the SCIM client and a SaaS application like Oneflow.

Setup SCIM on Azure Active Directory

This guide will help you configure SCIM Provisioning for the Oneflow Enterprise Application in Azure AD.

Stage 1: Activate the Oneflow Extension

1. Login to your Oneflow account
2. Navigate to Admin > Extensions > SCIM
3. Activate the SCIM extension in Oneflow.
   1. This will generate a secret token that will be used for authentication by Azure. Save it in a safe place. If you lose it you can deactivate and then reactivate the SCIM extension to generate a new one.

Stage 2: Configure the provisioning settings in Azure AD

To automatically provision users in Azure AD into Oneflow, we first need to establish attribute mappings between Azure and Oneflow's SCIM API.

1. Login to Azure
2. Navigate to the Enterprise Application you've created for Oneflow.
3. In the left-hand menu, click Provisioning, followed by Edit Provisioning at the top menu.
4. Select Automatic in Provisioning Mode
5. Enter https://api.oneflow.com/scim/v1/?aadOptscim062020 as the Tenant URL.
6. Enter the secret token you received when activating the SCIM extension.
7. Click Test Connection to verify that these two settings were entered correctly.
8. In the settings section, select "Sync only assigned users and groups" as the scope.
9. In the mappings section, click Provision Azure Active Directory Users.
10. In the section "Target Object Actions", select the Create, Update, and Delete checkboxes. 
11. The configuration listed below is an example of a simple straightforward setup, but you can adjust these mappings according to your needs.
    objectID > externalId
    This mapping helps the AAD keep track of the Oneflow user.

    email > userName

    OR

    userPrincipalName > userName

    This syncs either the email or userPrincipalName of the AAD user as the username/email in Oneflow.

    Note that this must be the same value as the NameID claim sent by the SSO.displayName > displayName

    The name of the user.

    Update the mapping expression for the active field to:

    Not([IsSoftDeleted])

12. Click Save.
13. In the Mappings section, navigate to Provision Azure Active Directory Groups.
14. In the "Target Object Actions" section, select the Create, Update, and Delete checkboxes
    Attribute mappings for groups are straightforward direct mappings:
15. Click Save.

Stage 3: Time to test it!

1. Go back to the Provisioning page of the Enterprise Application.
2. Click Provision on demand.
3. Select a user and click Provision.
   1. If the test reports success, then you can validate that the user looks correct in Oneflow.
   2. If the test fails, reach out to us with the error message and we'll assist in interpreting it.
   3. If the testing looks good, then you can go back to the Provisioning page of the Enterprise Application and click Start Provisioning which will schedule the sync process.
   4. The link/button "View provisioning logs" is useful to troubleshoot errors that occur during sync.

SCIM Role setup instructions

This will help you set up SCIM roles in Azure AD for the Oneflow Enterprise application.

Go into the attribute mappings for the Oneflow Enterprise Application.

Stage 1

1. Go into the attribute mappings for the Oneflow Enterprise Application.
2. Go to user attributes.
3. Click Show advanced options.
4. Click Edit attribute list for Oneflow.
5. We want to add a new attribute, simply called roles.
   1. It should have "multi-valued" checked while the other settings are left unchecked.
6. Click Save!

Stage 2

1. Add a new attribute mapping of the type expression, for the new "roles" attribute.

   AppRoleAssignmentsComplex([appRoleAssignments])

2. Click Save!

Stage 3

Time to add the new roles that will control whether users are active or have a license.

1. Go to App Registrations in the AAD portal.
2. Click the All applications tab.
3. Select the Oneflow app from your list.
4. Go to App roles.
   1. You should already have a "User" role here that AAD created together with the Enterprise App.
   2. We want to create two more roles.
   3. The display name and description of these roles are up to you to decide on.
   4. The important part is the "value" of each role. We want one role with the value active and the other role with the value standard_license.

Example:

Stage 4

Time for a provisioning test.

1. Perform an on-demand provisioning of a user that is in scope for the enterprise application.

2. The result in the Data Flow tab should look something like this:

   1. This screenshot shows two roles, but you'll most likely only have one; the AAD default "User" role, which is perfectly fine, we'll fix that in the next couple of steps.

Stage 5

1. Go back to the Users & Groups page in the Oneflow enterprise app.
2. You can now assign either the standard_license or active role (or both) to a group and that will then be used to control whether or not the corresponding properties on their members.
3. For groups that are only used to control access inside Oneflow, you simply assign any other role, either the default "User" role or another custom role.

Example: