Provisioning Users and Single Sign On with Azure Active Directory

This guide provides the steps required to configure SCIM 2.0 based user provisioning and OpenID Connect based single sign on via Azure Active Directory.

  • Features
  • Prerequisites
  • Configuration Steps
  • Troubleshooting Tips

Features

Azure Active Directory is able to perform the following actions automatically against our platform:

  • Add new users
  • Update selected details on users
  • Deactivate users
  • Authenticate users when they log in via our web portal or apps.

The following provisioning features are supported:

  • Users created through Azure Active Directory will also be created in our platform.
  • Updates made to the user’s profile through Azure Active Directory will be pushed to us.
  • Deactivating the user or disabling the user’s access to the application through Azure Active Directory will deactivate the user on our platform.
  • Users can be imported from our platform into Azure Active Directory

Prerequisites

Before you configure provisioning, check the following in your platform account:

  • Ensure you have added our Enterprise Toolkit option to your account, since this unlocks our Azure Active Directory integration options.
    Enterprise Toolkit can be enabled via your Billing page in the platform.
  • Go to the Menu -> Organisation Setup page and find the section titled “External User Authentication & Provisioning“.
    Click the Add Connector link and select the “Azure Active Directory” option from the list of available connectors – this will save the Organisation Setup page and reload it.
  • Make note of the SCIM Url, User Name, Password and OpenID Connect Login Redirect URI values that display on the Azure Active Directory connector details.
    You will need these for the Azure Active Directory configuration steps below.

Configuring User Provisioning through Azure AD (via SCIM)

Our platform supports a SCIM profile which can be connected to Azure Active Directory using the “non-gallery application” feature in the Azure AD application gallery. Once connected, Azure AD runs a synchronisation process every 40 minutes where it queries the application’s SCIM endpoint for assigned users and groups, and creates or modifies them according to the assignment details.

  1. Sign in to the Azure portal.
  2. Browse to Azure Active Directory > Enterprise Applications, and select New application > All > Non-gallery application.
  3. Enter a name for your application, and click Add icon to create an app object.

  4. In the resulting screen, select the Provisioning tab in the left column.
  5. In the Provisioning Mode menu, select Automatic.

  6. In the Tenant URL field, enter the SCIM Url found on your Organisation Setup page.
  7. In the Secret Token field, enter the Password found on your Organisation Setup page.
  8. Click the Test Connection button to have Azure Active Directory attempt to connect to the SCIM endpoint.
    If the attempts fail, error information is displayed.
  9. If the attempts to connect to the application succeed, then click Save to save the admin credentials.
  10. Under Settings, the Scope field defines which users and or groups are synchronised.
    Selecting “Sync only assigned users and groups” (recommended) will only sync users and groups assigned in the Users and groups tab.
  11. Once your configuration is complete, change the Provisioning Status to On.
  12. Click Save to start the Azure AD provisioning service.
  13. If syncing only assigned users and groups (recommended), be sure to select the Users and groups tab and assign the users and/or groups you wish to sync.

Once the initial synchronisation has started, you can use the Audit logs tab to monitor progress, which shows all actions performed by the provisioning service on your app.
You should also see the users and groups appearing/updating in our platform under the Users & Groups area.

Configuring Single Sign On (OIDC Identity Provider)

  1. Log in to your Azure account and navigate to Azure Active Directory > App registrations.
  2. Select the app that was created for the SCIM Provisioning
  3. In the Redirect URI’s section, enter the two Redirect URI values found on your Organisation Setup page into the forms below. The first Redirect Uri’s type should be set to Public client (mobile & desktop). The second Redirect Uri’s type should be set to Web.
  4. In the Certificated & Secrets section, Click on the New Client Secret button to add a new client secret.
  5. Enter a descriptive client secret name, and set to desired expiry date. (we recommend using never)
  6. Copy the client secret value that was generated, and paste that into the Client Secret field found on your Organisation Setup page.
  7. In the API permissions page, Click on the Add a permission button.
  8. Click on the Microsoft Graph section.
  9. Then select delegated permissions and scroll down to find the user permissions section.
  10. Select User.Read, under the User permissions section, and then click on Add permissions
  11. After the user read permission has been added, you might be prompted that the permissions have changed, and that one of your azure admins will need to give consent. If this happens one of your admins will need to click on the Grant Consent button in order for the changes to take effect.
    This can be found on the same API Permissions page.
  12. Navigate to the overview section and copy the Application (client) ID and paste it into the OpenID Connect – Client Id field found on your Organisation Setup page.
  13. Whilst still on the same overview section, copy the Directory (tenant) ID from the overview screen, and combine it with the default azure login url. https://login.microsoftonline.com/{tenant}.

    Example based on overview image above:
    https://login.microsoftonline.com/FFFFFFFF-GGGG-HHHH-IIII-JJJJJJJJJJJJ

    Copy this complete tenant url, and paste that into the OpenID Connect – Authority/Issuer URL field found on your Organisation Setup page.

You can now assign people to the app (if needed) and finish the application setup.

Troubleshooting & Tips

Required Values for Provisioning

The following values must be specified on Azure Active Directory users in order for them to successfully provision on our platform:

  • First Name
  • Last / Family Name
  • Email (this must be unique per user, since it is used as our username

Assigning Website Access to Azure Active Directory Users

By default, users that are provisioned via Azure Active Directory will only be granted app login access.
If you wish to assign web portal access, then you must specify one of the following Role values on the Azure Active Directory user’s application profile:

  • ReadOnly
  • User
  • Admin
  • EnterpriseAdmin

The capabilities of the above roles can be seen on the hints for Access Roles as found on the Edit User page of our platform.