SCIM, System for Cross-domain Identity Management, is an open standard for automating user provisioning. With SCIM, it's easy to add, update or remove users across different applications simultaneously. The solution is built using the SCIM 2.0 specification.
To set up user provisioning with Microsoft Entra ID, provisioning has to be configured in both Scoro and Microsoft Entra ID.
1. Set up SCIM in Scoro
- SCIM settings can be found under Settings → Integrations → SCIM.
- Admin users can set the default values for new users created via SCIM:
- Default entity (only available in case of multiple entities)
- Default user type
- Email notification with account data
- In order to enable the SCIM API, you must generate an OAuth bearer token.
- After SCIM is enabled, the API credentials allow you to set up SCIM from Microsoft Entra ID.
2. Set up Microsoft Entra ID Enterprise Application
- If you are planning to use both User Provisioning and Single Sign-On, please check the manual for connecting Scoro and SSO and do it before continuing with the SCIM configuration.
- If you don’t have SSO and you are not planning to add it, please make sure that you have an Enterprise Application before continuing.
- In the Microsoft Entra ID Portal, select Enterprise Applications and click New application.
- Click Create your own application.
- Give your application a Name, choose “Integrate any other application you don't find in the gallery (Non-gallery)” and click Create.
3. Configure Microsoft Entra ID Provisioning
Note! Microsoft Entra ID has known issues with SCIM 2.0 protocol compliance and it requires some extra configuration, which is explained in detail in the next paragraph. Read more about the situation here.
- In the Manage tab of the new application, choose Provisioning.
- Choose the Automatic provisioning mode.
- Enter Admin Credentials, which you will find on the Scoro SCIM setup page.
- Tenant URL = Company base URL + “/?aadOptscim062020” (special flag for compliance fix)
- Secret token = Bearer token
- Click Test Connection.
- If credentials are correct, you will see a success message in the top right corner and you will be able to Save the settings.
4. Map user attributes
After you have successfully saved the credentials, you will need to configure the Mappings and Settings sections.
- Open Mappings to configure the mapping between Scoro and Microsoft Entra ID
- Disable Groups provisioning since this is not supported by Scoro SCIM
- Open Users provisioning to map out correct fields between Scoro and Microsoft Entra ID
- Keep only the fields that can be synced with Scoro SCIM:
- userName
- name.givenName
- name.familyName
- name.formatted
- title
- active
- email
- phoneNumbers
- userType * (doesn’t exist by default)
- Other listed attributes can be deleted because these can’t be updated in Scoro.
- Configure/check the following fields:
- Activate/deactivate users
- Keep the Microsoft Entra ID attribute Switch ([IsSoftDeleted], , "False", "True", "True", "False") active
- Keep the first letters of values “True” and “False” capitalized
- You can read more about application provisioning.
- Update userType
- Add a new mapping for userType
- You can use user types that are defined for your application or define new user types
- The values that Scoro can use are “user” and “admin”
- If user type names don’t match with the user types in Scoro, the expression builder can be used to switch the values:
- Example with Role: (Switch([Role], , "Member", "user", "Admin", "admin"))
- Alternatively, you can remove the matching and manage user types in Scoro only
- Update emails and phoneNumbers
- Email and phoneNumbers support only filtering by type (emails/phoneNumbers[type eq "work"].value)
- All other filter mappings are not supported
- The complete list of mapped values
- Configure Settings
- We recommend choosing the Scope “Sync only assigned users and groups”
- You can also choose whether you want to receive email notifications or not
- Save the changes after you have added all the mappings
- You can enable/disable provisioning by choosing Start/Stop provisioning or edit details by choosing Edit provisioning
- User provisioning between Scoro and Microsoft Entra ID is now configured.
Note!
- Active values have to be “True” and “False” with the first letter capitalized, otherwise the on-demand provisioning can’t be enabled.
- Scoro SCIM supports only the “work” type filter for phoneNumbers and emails (emails[type eq "work"].value)
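The mapping rules in section 4 and the notes above can be checked mechanically before provisioning is started. The following Python check is an added example, not code from Scoro or Microsoft; the (target attribute, source expression) pair format, the function names and the sample mappings are assumptions made for illustration.

```python
import re

# Target attributes the page lists as syncable (the SCIM path on the page is "emails").
ALLOWED = {"userName", "name.givenName", "name.familyName", "name.formatted",
           "title", "active", "emails", "phoneNumbers", "userType"}
WORK_ONLY = {"emails", "phoneNumbers"}
TARGET_RE = re.compile(r'^([A-Za-z.]+?)(?:\[(.*)\]\.value)?$')
SWITCH_RE = re.compile(r'^\s*\(?\s*Switch\s*\((.*?)\)\s*\)?\s*$')

def switch_outputs(expr):
    """Output literals of Switch(source, default, key1, value1, ...), or None."""
    m = SWITCH_RE.match(expr)
    if not m:
        return None
    args = [a.strip().strip('"') for a in m.group(1).split(",")]
    return args[3::2]  # args[0] is the source, args[1] the default, then key/value pairs

def lint_mappings(mappings):
    """mappings: (target attribute, source expression) pairs. Returns findings."""
    findings = []
    for target, expr in mappings:
        m = TARGET_RE.match(target)
        attr, flt = (m.group(1), m.group(2)) if m else (target, None)
        if attr not in ALLOWED:
            findings.append(f"{target}: not syncable with Scoro SCIM, delete the mapping")
            continue
        if attr in WORK_ONLY and flt != 'type eq "work"':
            findings.append(f'{target}: only the [type eq "work"] filter is supported')
        outs = switch_outputs(expr)
        if attr == "active" and outs is not None and set(outs) != {"True", "False"}:
            findings.append(f'{target}: Switch must output "True"/"False", capitalized')
        if attr == "userType" and outs is not None and not set(outs) <= {"user", "admin"}:
            findings.append(f'{target}: Scoro accepts only "user" and "admin"')
    return findings

# Constructed sample, typed in by hand for illustration (not a tenant export).
SAMPLE = [
    ("userName", "[userPrincipalName]"),
    ("active", 'Switch([IsSoftDeleted], , "False", "true", "True", "false")'),
    ("userType", '(Switch([Role], , "Member", "user", "Admin", "Administrator"))'),
    ('emails[type eq "work"].value', "[mail]"),
    ('phoneNumbers[type eq "mobile"].value', "[mobile]"),
    ("externalId", "[mailNickname]"),
]

if __name__ == "__main__":
    for finding in lint_mappings(SAMPLE):
        print(finding)
```

A userType finding deserves a second look before saving, since that mapping decides which provisioned accounts receive the “admin” user type in Scoro.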