Skip to main content
Skip table of contents

SCIM: Implementing the Microsoft Entra ID connection

Read this article in: Deutsch, Français, Dutch

We have implemented an interface according to SCIM2 standard to connect Active Directories. Users and groups can be synchronized between Microsoft Entra ID and SoSafe. For this purpose, Microsoft compares the stored data with your SoSafe user data base and sends updates to our interface. Which users, groups and data are shared can be configured in Microsoft Entra ID and our SoSafe Manager.

You can set up our interface using the Azure "Enterprise Applications".

We are listed as an enterprise application in the Microsoft Entra ID Gallery.

Supported functions are:

  • Creating users and groups in SoSafe

  • Removing users from SoSafe groups

  • Synchronizing users and groups in SoSafe

  • Provisioning of groups and group membership of SoSafe

  • Listing in the Microsoft App Gallery

Functions not currently supported 

  • Nested groups
     

Requirements

  • An Microsoft Entra ID client

  • A user account in Microsoft Entra ID with permission to configure staging

  • An administrator account for SoSafe

  • We are working on providing you with the client URL and access token directly in the SoSafe manager, at the moment these are still created manually
     

Preparation

  • Please tell your Implementation Manager your Tenant ID.

  • Please tell your Implementation Manager, whether you want to group your users through Azure Groups or through attributes.

 

Set-up instructions

Step 1: Create your own application

Log in to the Azure portal. Select "Enterprise applications" and then "All applications" and click on "New application". Now you can select "SoSafe" application from the Gallery.

image-20240819-115726.png

Step 2: Deploying users and groups

Add users and groups you want to synchronize to the application

image-20240214-153517.png

We recommend starting small. Test your deployment with a small group of users and groups before you share it with everyone. If the staging area is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. If the scope is set to all users and groups, you can specify an attribute-based scope filter.

Step 3: Setting up user provisioning

Select the Provisioning tab and click Get started.

image-20240214-153551.png

You will receive the client URL and the access token later in our manager, at the moment a SoSafe technician will support you with the set up.

Set the Provisioning mode to automatic and insert the client URL, the Access Token and the notification mail.

image-20240214-153555.png

Step 4: Checking the attribute assignment

Check the attribute assignment of users.

image-20240214-153617.png

You can remove all but the assignments shown here.

image-20240214-153625.png

(instead of Switch, there is a possibility that your Azure Version shows Not([IsSoftDeleted]))

  • We support the exchange of all attributes of the standard assignment as well as user-defined assignments. These must be entered accordingly in SoSafe Manager.

  • However, we actively use only the fields shown here plus academic title and salutation/gender, which can be transferred via user-defined fields.

  • Please leave the Target Object Actors (Create, Update, Delete) activated, so you can change Attributes in the SoSafe Manager.

Here you can check the group attributes. However, if you want to use your security groups as SoSafe user groups, all three attributes are required.

If instead you are using a user attribute to establish your SoSafe user groups, you can disable provisioning of the security groups altogether.

image-20240214-153639.png

Step 5: Start provisioning

Once you start the provisioning, you can check the synchronization in the manager.

image-20240214-153643.png

 

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.