Skip to main content

User management

    Use SCIM 2.0 via Entra ID

    • Updated

    SCIM is a widely accepted open standard that automates user provisioning. It’s designed to simplify user identity management in cloud-based applications and services. SCIM has a set of default contracts for users and groups that can be extended to work with Azure.

    Note: This article describes how to use SCIM 2.0 with an Enterprise application. If you do not need automatic provisioning, use the Showpad app from the Microsoft Azure Marketplace.

    Key features

    • Provision your users and groups
    • Map users and groups
    • Assign users and groups to Showpad

    You need this to succeed

    Plan: eOS Expert, eOS Advanced, eOS Professional
    Permissions: Administrator
    Prerequisites:

    The quick way

    1. Create a new Enterprise application
    2. Create and configure your SCIM application
    3. Assign users and groups
    4. Start provisioning

    Do this step by step

    Create a new Enterprise application

    1. Open the Azure Dashboard and select Microsoft Entra ID from the resource panel.
    2. Under Manage, select Enterprise applications from the left-hand menu.
    3. Click New application from the top menu.
    4. Click Create your own application.
    5. Enter the name of your application and select the Non-gallery app option.
    6. Click Create.
    Back to Top

    Create and configure your SCIM application

    1. Open the enterprise application you just created.

    2. From the Getting Started screen, find Provision Users Accounts.

    3. Click Get Started.

    4. For Provisioning Mode, select Automatic.

    5. Navigate to the Admin App, then click the gear icon to open Settings.

    6. Under Integrations, click API.

    7. Select API Tokens.API_Tokens.png

    8. Enter the name of the token, and click Add.

    9. Copy the token’s name.

    10. Back in Azure, enter the Tenant URL, which is your Showpad web address (ex: https://myorganization.showpad.biz) followed by /api/users/scim/v2/?aadOptscim062020

      Note: The ?aadOptscim062020 parameter is needed for full SCIM compliance of the Entra ID implementation. See this Microsoft page for more information.

    11. Select your preferred Settings.

    12. Click Test Connection. When the connection is complete, you will see a green checkmark and a success message.

    13. After successfully testing the connection, click Save.

    Back to Top

    User mappings

    1. Under the Manage tab of your custom enterprise app, click Provisioning in the left column.
    2. Select Edit attribute mappings.
    3. Expand Mappings and click on Provision Microsoft Entra ID Users to configure the user mappings.
    4. Ensure that User Mapping is Enabled and the Source Object is set to User.
    5. If required, you can define scope filters in the Source Object Scope.
    6. For a full provisioning service, ensure that Create and Update are checked in the Target Object Actions settings.
      • Check Delete if you want users deleted in Entra ID to be permanently deleted in Showpad.
      • Uncheck Delete if you want users deleted in Entra ID to be temporarily deactivated in Showpad.
    7. Scroll to the end of the page and activate the Show Advanced Options box.
    8. Click the Review your Schema here link.
    9. Copy and Paste the target application field schema from the schema file provided by Showpad at the bottom of this article.
    10. Save the new schema and return to the Attribute Mapping screen.
    11. Delete the fields that are not available in Showpad, e.g., city, state, mailNickname.

      Tip: Check out our Developer Portal article, which contains an up-to-date list of available fields.

    12. Map remaining or additional fields to the appropriate Showpad fields. Make sure to define the field that should be used for matching unique values between both systems.
    13. Click Save when you've finished building your schema.

    Here are some examples:

    Entra ID Attribute customappsso Attribute

    userPrincipalName

    		 userName
    mail emails[type eq "work"].value
    givenName

    name.givenName

    surname

    		 name.familyName
    objectId externalId
    Switch([IsSoftDeleted], , "False", "True", "True", "False") active
    Back to Top

    Group Mappings

    1. Ensure that User Mapping is Enabled and the Source Object is set to User.

    2. If required, you can define scope filters in the Source Object Scope.

    3. Under the Manage tab of your custom enterprise app, click Provisioning in the left column.

    4. Select Edit attribute mappings.

    5. Expand Mappings and click on Provision Microsoft Entra ID Groups to configure the group mappings.

    6. Ensure that Group Mapping is Enabled and the Source Object is set to Group.

    7. You can define scope filters in the Source Object Scope if needed.

    8. For a full provisioning service, ensure that Create, Update, and Delete are activated from the Target Object Actions settings.

    9. Scroll to the end of the page and activate the Show Advanced Options box.

    10. Click the Review your Schema here link.

    11. Copy and Paste the target application field schema from the schema file provided by Showpad at the bottom of this article.

    12. Save the new schema and return to the Attribute Mapping screen.

    13. Delete non-required fields not available in Showpad from the Mappings, e.g., city, state, mailNickname.

      Tip: Check out our Developer Portal article, which contains an up-to-date list of available fields.

    14. Map remaining or additional fields to the appropriate Showpad field. Make sure to define the field that should be used for matching unique values between both systems.

    15. Save your changes.

    Back to Top

    Assign users and groups

    To provision or de-provision users and groups, they must be assigned to the enterprise app.

    1. Go to the Overview section of your SCIM enterprise application.
    2. Click Assign users and groups.
    3. Click Add user/group from the top navigation bar.
    4. Click the link under Users.
    5. Search for users and/or groups you would like to add to this application and select them.
    6. Click Assign.
    Back to Top

    Test your configuration

    Before enabling automatic provisioning, we recommend using the Provision on demand functionality to manually provision users or groups. This allows you to validate that your configuration works as expected.

    1. Navigate to the Provisioning page of your app.

    2. Select Provision on-demand from the top navigation bar.

    3. Search for the user account that you assigned to the app and select it.

    4. Click Provision at the bottom of the page.

    5. The provisioning will start and list the result of each step as it's completed.

    6. In Showpad, navigate to the Users tab and search for the user you’ve just provisioned to verify they were successfully created with all the mapped properties assigned.

    Back to Top

    Start provisioning

    1. From the provisioning home screen, click the Start provisioning button to start the automatic process.

    2. From this screen, you can also Stop, Restart, and Edit your provisioning as well as Provision on demand. Click Refresh when needed.

    Back to Top

    Attachments

    Related articles

    Get the latest apps and email integrations

    iOS App Store Google Play Store Microsoft Store