
Provisioning Users and Single Sign On with Azure Active Directory


This guide provides the steps required to configure SCIM 2.0 based user provisioning and OpenID Connect based single sign-on via Azure Active Directory.

Features

Azure Active Directory can perform the following actions automatically against our platform:

  • Add new users
  • Update selected details on users
  • Deactivate users
  • Authenticate users when they log in via our web portal or apps.

The following provisioning features are supported:

  • Users created through Azure Active Directory will also be created in our platform.
  • Updates made to the user's profile through Azure Active Directory will be pushed to us.
  • Deactivating the user or disabling the user's access to the application through Azure Active Directory will deactivate the user on our platform.
  • Users can be imported from our platform into Azure Active Directory.

Prerequisites

Before you configure provisioning, check the following in your platform account:

  • Ensure you are subscribed to our Enterprise Edition plan, since this unlocks our Azure Active Directory integration options.
    Please contact your representative or email us at support@formonsfire.com.

  • Go to the Menu -> Organization Setup page and find the section titled "External User Authentication & Provisioning." Click the Add Connector link and select the "Azure Active Directory" option from the list of available connectors; this will save the Organization Setup page and reload it.
  • Make note of the SCIM URL, User Name, Password, and OpenID Connect Login Redirect URI values that display on the Azure Active Directory connector details. You will need these for the Azure Active Directory configuration steps below.


Configuring User Provisioning through Azure AD (via SCIM) 

Our platform supports a SCIM profile which can be connected to Azure Active Directory using the "non-gallery application" feature in the Azure AD application gallery. Once connected, Azure AD runs a synchronization process every 40 minutes where it queries the application's SCIM endpoint for assigned users and groups and creates or modifies them according to the assignment details.

1. Sign in to the Azure portal.


2. Browse to Azure Active Directory > Enterprise Applications, and select New application > All > Non-gallery application.


3. Enter a name for your application and click the Add icon to create an app object.


4. In the resulting screen, select the Users and Groups tab in the left column. Assign the Users or Groups you want to Provision.


5. Select the Provisioning tab in the left column.


6. In the Provisioning Mode menu, select Automatic.


7. In the Tenant URL field, enter the SCIM URL found on your Organization Setup page.

8. In the Secret Token field, enter the Password found on your Organization Setup page.

9. Click the Test Connection button to have Azure Active Directory attempt to connect to the SCIM endpoint. If the attempts fail, error information is displayed.

10. If the attempts to connect to the application succeed, then click Save to save the admin credentials.

11. Under Settings, the Scope field defines which users and/or groups are synchronized. Selecting "Sync only assigned users and groups" (recommended) will only sync the users and groups assigned in the Users and Groups tab.

12. Once your configuration is complete, change the Provisioning Status to On.

13. Click Save to start the Azure AD provisioning service.

Once the initial synchronization has started, you can use the Audit Logs tab to monitor progress, which shows all actions performed by the provisioning service on your app. You should also see the users and groups appearing/updating in our platform under the Users & Groups area.


Configuring Single Sign On (OIDC Identity Provider)

14. Log in to your Azure account and navigate to Azure Active Directory > App registrations.



15. Select the app that was created for the SCIM provisioning.


16. In the Redirect URIs section, enter the two Redirect URI values found on your Organization Setup page into the forms below. The first Redirect URI's type should be set to Public client (mobile & desktop). The second Redirect URI's type should be set to Web.

17. In the Certificates & secrets section, click the New client secret button to add a new client secret.


18. Enter a descriptive client secret name and set a desired expiration date (we recommend using never).


19. Copy the client secret value that was generated, and paste that into the Client Secret field found on your Organization Setup page.


20. In the API permissions page, click on the Add a permission button.


21. Click on the Microsoft Graph section.



22. Then select delegated permissions and scroll down to find the user permissions section.



23. Select User.Read, under the User permissions section, and then click on Add permissions.



24. After the user read permission has been added, you might be prompted that the permissions have changed and that one of your Azure admins will need to give consent. If this happens one of your admins will need to click on the Grant Consent button for the changes to take effect. This can be found on the same API Permissions page.


25. Navigate to the overview section and copy the Application (client) ID and paste it into the OpenID Connect - Client Id field found on your Organization Setup page.



26. While still on the same overview section, copy the Directory (tenant) ID from the overview screen and append it to the default Azure login URL:

https://login.microsoftonline.com/{tenant}

Example based on the overview image above:

https://login.microsoftonline.com/FFFFFFFF-GGGG-HHHH-IIII-JJJJJJJJJJJJ


Copy this complete tenant URL and paste it into the OpenID Connect - Authority/Issuer URL field found on your Organization Setup page. Remember to save your Organization Setup before leaving the page.
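The Authority/Issuer URL is what our platform will trust as the source of sign-in tokens, so it is worth being precise about how it is built and what a relying party checks against it. The following is an added example, not code from this guide or from the platform: it builds the authority URL from a tenant ID the way the step above describes, derives the standard OpenID Connect discovery location for it, and performs the claim checks a relying party does after verifying a token's signature (audience equals the Client Id, issuer and tid belong to the configured tenant, token unexpired). The tenant ID, client ID and decoded token claims are constructed placeholders; the issuer formats (`https://sts.windows.net/{tid}/` and `https://login.microsoftonline.com/{tid}/v2.0`) are the ones Azure AD uses for v1 and v2 tokens.

```python
import re
import time
from urllib.parse import urlparse

AZURE_LOGIN_BASE = "https://login.microsoftonline.com"
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE
)


def authority_url(tenant_id):
    """Build the Authority/Issuer URL as the guide describes: the default
    Azure login URL followed by the Directory (tenant) ID."""
    tenant_id = tenant_id.strip()
    if not GUID_RE.match(tenant_id):
        raise ValueError("Directory (tenant) ID must be the GUID from the app overview")
    return f"{AZURE_LOGIN_BASE}/{tenant_id.lower()}"


def discovery_url(authority):
    """Standard OpenID Connect discovery document location for an authority."""
    return authority.rstrip("/") + "/.well-known/openid-configuration"


def tenant_from_issuer(iss):
    """Azure AD issuers (https://sts.windows.net/{tid}/ for v1 tokens and
    https://login.microsoftonline.com/{tid}/v2.0 for v2 tokens) carry the
    tenant GUID as the first path segment; return it, or None if absent."""
    segments = urlparse(iss).path.strip("/").split("/")
    return segments[0].lower() if segments and GUID_RE.match(segments[0]) else None


def check_id_token_claims(claims, authority, client_id, now=None):
    """Checks a relying party performs after signature verification: the token
    is for our client (aud), comes from the configured tenant (iss and tid)
    and has not expired. Returns a list of problems; empty means it passes."""
    now = time.time() if now is None else now
    expected_tenant = authority.rstrip("/").rsplit("/", 1)[-1].lower()
    problems = []
    aud = claims.get("aud")
    aud_ok = client_id in aud if isinstance(aud, list) else aud == client_id
    if not aud_ok:
        problems.append("aud does not match the OpenID Connect - Client Id")
    if tenant_from_issuer(claims.get("iss", "")) != expected_tenant:
        problems.append("iss does not belong to the configured tenant")
    if claims.get("tid") and claims["tid"].lower() != expected_tenant:
        problems.append("tid does not match the configured tenant")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token is expired or has no exp")
    return problems


# Constructed placeholders for the real Directory (tenant) ID and Application (client) ID.
TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
CLIENT_ID = "11111111-2222-3333-4444-555555555555"

# Constructed decoded ID token payload (not a real token) for the demo below.
SAMPLE_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "aud": CLIENT_ID,
    "tid": TENANT_ID,
    "exp": 1_900_000_000,
    "preferred_username": "jane.doe@example.com",
}

if __name__ == "__main__":
    authority = authority_url(TENANT_ID)
    print(authority)
    print(discovery_url(authority))
    print(check_id_token_claims(SAMPLE_CLAIMS, authority, CLIENT_ID, now=1_800_000_000))
```

The tenant-scoped authority matters because the `common` and `organizations` endpoints would accept sign-ins from any Azure AD tenant; pinning the GUID in the Authority/Issuer URL, and checking `iss`/`tid` against it, keeps accounts from other directories out even when they have been granted the app.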

You can now assign people to the app (if needed) and finish the application setup.

Troubleshooting & Tips 

Required Values for Provisioning

The following values must be specified on Azure Active Directory users in order for them to successfully provision on our platform:

  • First Name
  • Last / Family Name
  • Email (this must be unique per user since it is used as our username)

Assigning Website Access to Azure Active Directory Users

By default, users that are provisioned via Azure Active Directory will only be granted app login access. If you wish to assign web portal access, then you must specify one of the following Role values on the Azure Active Directory user's application profile:

  • ReadOnly
  • User
  • Admin
  • EnterpriseAdmin

The capabilities of the above roles can be seen on the hints for Access Roles as found on the Edit User page of our platform.


Assigning User Metadata to Azure Active Directory Users


This requires a custom attribute name of urn:ietf:params:scim:schemas:extension:2.0:Metadata:{{MetadataKey}} for each metadata item you want to use. In the Provisioning section of the Enterprise Application, select the Update credentials option.


Give the page some time to load, and then select Mappings > Provision Azure Active Directory Users.

Below the list of mappings, click the link Show advanced options. This will then display a previously hidden section which will have a link Edit attribute list for {{Your application's name}}. Click this link. In the screenshot below our application's name is "customappsso".

In the table that appears, add a new Attribute with the following details: 

  • Name: urn:ietf:params:scim:schemas:extension:2.0:Metadata:{{MetadataKey}}
  • Type: string (You can set others, but our platform will convert it to a string which may change the value)

When done, click Save at the top of the page and then Yes to confirm your changes. Below are some example metadata keys: 

You now need to add a new mapping for the attribute(s) you just created. Click on Add New Mapping on the page that you are returned to. The link is just above the Show advanced options that you clicked previously. 

In the popup window, you will need to map one of the attributes of the Azure AD user to the newly created attribute for SCIM. 

Within the Edit Mapping page popup window you need to set the attribute mapping as follows: 

  • Mapping type: Direct
  • Source Attribute: The attribute in Azure AD you are mapping from (We are using extension attributes in the screenshots, but you could use any attribute supported by Azure AD).
  • Default value if null (optional): A value to use when the source attribute is empty.
  • Target attribute: urn:ietf:params:scim:schemas:extension:2.0:Metadata:{{MetadataKey}}
  • Match objects using this attribute: No
  • Apply this mapping: We recommend setting this to Always, but if you have a business case that requires another setting, then it can be changed.

Below is an example of how we configured it for one of our mappings: 


Click OK to save the changes, then be sure to also click on Save at the top of the page.

When Azure AD does its next synchronization with our platform, the attributes will be populated into the user's metadata.
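To make the provisioning conventions in this guide concrete, here is an added example (not code from this guide or from the platform) showing what a SCIM endpoint on the receiving side would check on an incoming provisioning request: that the bearer token matches the Secret Token entered in step 8, that the required values (First Name, Last / Family Name, a unique Email) are present, that any Role value is one of the four web-access roles, and how the urn:ietf:params:scim:schemas:extension:2.0:Metadata:{{MetadataKey}} attributes are collected into metadata. The token, the sample user document and the list of existing usernames are constructed; the exact JSON layout Azure AD uses for the custom Metadata attributes is an assumption, so the parser accepts both a flattened top-level key and an object nested under the schema URN.

```python
import hmac

# Constructed stand-in for the Password shown on the Azure Active Directory
# connector (the value pasted into Azure AD's "Secret Token" field).
SCIM_SECRET_TOKEN = "constructed-connector-password"

# Prefix of the custom attribute names described in this guide.
METADATA_SCHEMA = "urn:ietf:params:scim:schemas:extension:2.0:Metadata"

# Role values that grant web portal access (app login access is the default).
ALLOWED_ROLES = {"ReadOnly", "User", "Admin", "EnterpriseAdmin"}


def bearer_token_is_valid(authorization_header, expected=SCIM_SECRET_TOKEN):
    """Azure AD sends the Secret Token as an HTTP Bearer token on every SCIM
    request; compare in constant time so the check does not leak timing."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return False
    presented = authorization_header[len("Bearer "):].strip()
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


def primary_email(user):
    """Prefer the emails[] entry flagged primary, else the first, else userName."""
    emails = [e for e in user.get("emails") or [] if isinstance(e, dict)]
    for entry in emails:
        if entry.get("primary") and entry.get("value"):
            return entry["value"]
    if emails and emails[0].get("value"):
        return emails[0]["value"]
    return user.get("userName")


def extract_roles(user):
    """roles[] may hold SCIM complex objects ({"value": "Admin"}) or bare strings."""
    values = [r.get("value") if isinstance(r, dict) else r for r in user.get("roles") or []]
    return [v for v in values if v]


def extract_metadata(user):
    """Collect metadata whether it arrives as flattened top-level keys
    ('urn:...:Metadata:Department') or nested under the schema URN (assumed
    layouts). Values are coerced to str, as the guide says the platform does."""
    metadata = {}
    nested = user.get(METADATA_SCHEMA)
    if isinstance(nested, dict):
        metadata.update({key: str(value) for key, value in nested.items()})
    prefix = METADATA_SCHEMA + ":"
    for key, value in user.items():
        if key.startswith(prefix) and len(key) > len(prefix):
            metadata[key[len(prefix):]] = str(value)
    return metadata


def validate_scim_user(user, existing_emails):
    """Check the values this guide lists as required plus the Role and metadata
    conventions. 'errors' is empty when the user would provision successfully."""
    errors = []
    name = user.get("name") or {}
    if not name.get("givenName"):
        errors.append("missing First Name (name.givenName)")
    if not name.get("familyName"):
        errors.append("missing Last / Family Name (name.familyName)")
    email = primary_email(user)
    if not email:
        errors.append("missing Email (emails[].value)")
    elif email.lower() in {e.lower() for e in existing_emails}:
        errors.append(f"Email {email!r} is already used as a username")
    roles = extract_roles(user)
    for role in roles:
        if role not in ALLOWED_ROLES:
            errors.append(f"unknown Role {role!r}; web access roles are {sorted(ALLOWED_ROLES)}")
    return {
        "errors": errors,
        "username": email,
        "web_access": any(r in ALLOWED_ROLES for r in roles),
        "active": bool(user.get("active", True)),
        "metadata": extract_metadata(user),
    }


# Constructed sample of a SCIM User document as a provisioning request might carry it.
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "jane.doe@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"primary": True, "type": "work", "value": "jane.doe@example.com"}],
    "active": True,
    "roles": [{"primary": True, "value": "Admin"}],
    METADATA_SCHEMA + ":Department": "Field Ops",
}

if __name__ == "__main__":
    print(bearer_token_is_valid("Bearer " + SCIM_SECRET_TOKEN))
    print(validate_scim_user(SAMPLE_USER, existing_emails=["ops@example.com"]))
```

The email comparison is case-insensitive because the platform uses the email as the username; a user whose address differs from an existing one only in case would otherwise collide at login time rather than at provisioning time, where the Audit Logs tab makes the failure visible.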


Toggle User Authentication Method

Once Azure AD is enabled, all users will be authenticated externally unless disabled. However, for temporary or external users that are not registered in Azure AD, you can choose to use our platform's built-in authentication instead.

Toggling between Azure AD and Built-In authentication for a user can be achieved when editing a user's details (Admin > Users & Groups) under the Access & Security > Login Method dropdown.



