Establishing a SCIM connection in Microsoft Azure Active Directory

The System for Cross-Domain Identity Management (SCIM) user management API enables automatic provisioning of users between the Living Security Training Platform and Azure AD (AAD).


[Diagram: azure-to-livingsecurity-scim-diagram]

Requirements


  • Cloud application administrator role or higher in Azure Active Directory
  • SCIM support enabled by a customer support representative (help@livingsecurity.com).

Note: Group-based assignment requires Azure Active Directory Premium P1 or P2 licensing. See here for more details.

Creating a custom application


  1. Log in to your Microsoft Azure Portal and click Azure Active Directory in the left-hand portal menu. Alternatively, you can search for it in the top search bar.
  2. Once inside your AAD Tenant, find and click Enterprise applications in the left-hand menu.
  3. Click New Application, then Create your own application. In the menu that appears, enter a name for the application to integrate and leave the radio button selected for Integrate any other application you don't find in the gallery (Non-gallery). Note: It may take a few minutes for the application to be deployed. The status can be monitored under the Notifications dropdown on the top ribbon.
  4. Once the deployment is finished, click the Enterprise applications link beneath the search bar to find your newly created application.

Configuring Provisioning


  1. Click Provisioning, then Get Started.
  2. Use the dropdown box to select Automatic, enter the Tenant URL https://platform.api.livingsecurity.com/users/scim and your secret API token, then click Test Connection and confirm that the test succeeds. Now click Save.
  3. After saving your configuration, the Mappings section becomes available. Azure offers both user and group object mapping. For the Living Security application we'll be mapping user objects. Expand Mappings and then click Provision Azure Active Directory Users.
In the new pane, accept the default actions of create, update, and delete. The Living Security application requires mail to be mapped to userName. Please refer to the image below for a valid mapping example. See here for supported and mandatory attributes. Alternatively, checking the Columns dropdown in your LS user management dashboard can be insightful when making mapping decisions.
While not required, Scoping is a helpful feature for setting additional criteria to include or exclude users from provisioning. Please note that if you map roles, a direct attribute mapping will not work; roles must be mapped via an expression.
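As an added example that is not part of this article or the Living Security platform code, the check below inspects a SCIM 2.0 User resource of the kind Azure AD sends to the Tenant URL during a provisioning cycle and reports whether it satisfies the mapping described above (mail mapped to userName). Both sample payloads are constructed; the validator function and its rules are an assumption about how a receiving side might verify the mapping, not the platform's actual behaviour.

```python
import json
import re
from typing import List

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample: mail is mapped to userName, as the article requires.
SAMPLE_GOOD = json.dumps({
    "schemas": [USER_SCHEMA],
    "externalId": "00000000-0000-4000-8000-000000000001",  # constructed placeholder
    "userName": "jane.doe@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"primary": True, "type": "work", "value": "jane.doe@example.com"}],
    "active": True,
})

# Constructed sample of a misconfigured mapping: objectId was mapped to
# userName instead of mail, and active arrived as a string instead of a boolean.
SAMPLE_BAD = json.dumps({
    "schemas": [USER_SCHEMA],
    "externalId": "00000000-0000-4000-8000-000000000002",  # constructed placeholder
    "userName": "00000000-0000-4000-8000-000000000002",
    "active": "True",
})


def check_scim_user(body: str) -> List[str]:
    """Return a list of mapping problems; an empty list means the payload is acceptable."""
    problems: List[str] = []
    try:
        user = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"body is not valid JSON: {exc}"]

    # SCIM 2.0 requires the core User schema URN on every User resource.
    if USER_SCHEMA not in user.get("schemas", []):
        problems.append("missing core User schema URN")

    # The article's mapping rule: userName must carry the user's mail address.
    username = user.get("userName")
    if not isinstance(username, str) or not username:
        problems.append("userName is required")
    elif not EMAIL_RE.match(username):
        problems.append("userName is not an email address; map mail to userName")

    # The SCIM schema defines active as a boolean; Azure sends it with the default mappings.
    if not isinstance(user.get("active"), bool):
        problems.append("active must be a boolean")
    return problems
```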


Adding users and groups


  1. Now is the time to add users or groups to the application. Navigate back to the main dashboard of the application you created, select Users and groups then Add user/group to begin adding objects to be provisioned.

Provisioning


  1. Once you are satisfied with the users and/or groups you've added to the application, click Provisioning in the left menu and then Start Provisioning.
  2. Once the provisioning cycle is complete, navigate to your LS user management dashboard and observe that the users have been imported correctly with the attributes you mapped.

Note: For technical support or questions please email help@livingsecurity.com.