Using SCIM 2.0 via Entra ID

Updated October 07, 2024 10:47

SCIM is a widely accepted open standard that allows for the automation of user provisioning. It is designed to make managing user identities in cloud-based applications and services easier. SCIM has a set of default contracts for users and groups which can be extended to work hand-in-hand with Azure.

Note: This article describes how to use SCIM 2.0 with an Enterprise application. If you do not need automatic provisioning, you can use the Showpad app available on the Microsoft Azure Marketplace.

Key features

- Provision your users & groups
- Map users and groups
- Assign users and groups to Showpad

You need this to succeed

- Entra ID with users and groups assigned in Showpad
- Permissions to set up and configure new enterprise apps
- A Showpad Personal Access Token
- The Schema files for users and/or groups from Showpad, attached here

See it in a flash

- Create a new Enterprise application
- Creating and configuring your SCIM application
- Start provisioning
- Assigning users and groups

Do this step by step

Create a new Enterprise application

1. Open the Azure Dashboard and select Microsoft Entra ID from the resource blade.
2. Select Enterprise applications from the left-hand menu.
3. Click New application from the top menu, then Create your own application.
4. Enter the name of your application and select non-gallery app.
5. Click Create.

Creating and configuring your SCIM application

Admin credentials

1. Open the enterprise application you just created.
2. Click either Provisioning from the left-hand menu or select Provisioning Users Accounts from the Getting Started screen and then click Get started.
3. Select automatic for Provisioning Mode.
4. Obtain your Secret Token from Admin Settings by selecting API Tokens in the Showpad Admin portal.
5. Enter the Tenant URL and Secret Token, then click Test Connection. The tenant URL is your Showpad Web Address followed by /api/users/scim/v2/?aadOptscim062020
   Note: The ?aadOptscim062020 parameter is needed for full SCIM compliance of the Entra ID implementation. See this Microsoft page for more information.
   You will see a green checkmark and a success message when the connection is complete.
6. After successfully testing the connection, click Save.

The next section will cover configuration steps for Mappings and Settings, now that they are enabled.

Mappings

Azure automatically adds two default mappings to your enterprise application: Groups and Users.

User mappings

1. Within the management pane of your custom enterprise app, click Provisioning on the left column.
2. Select Edit attribute mappings under Manage provisioning.
3. Expand Mappings and click on Provision Azure Active Directory Users to configure the user mappings.
4. Ensure that User Mapping is Enabled and the Source Object is set to User. If required, you can define scope filters in the Source Object Scope.
5. For a full provisioning service, ensure that Create and Update are checked in the Target Object Actions settings.
   - Check Delete if you want users deleted in Entra ID to be permanently deleted in Showpad.
   - Uncheck Delete if you want users deleted in Entra ID to be deactivated in Showpad.
6. Scroll to the end of the page and activate the Show Advanced Options button.
7. Click Review your Schema here.
8. Copy and paste the target application field schema from the Schema file provided by Showpad at the bottom of this article.
9. Save the new schema and return to the Attribute Mapping screen.
10. Delete non-required fields not available in Showpad from the Mappings, e.g., city, state, mailNickname. Check out this article in our Developer Portal, which contains an up-to-date list of available fields.
11. Map remaining or additional fields to the appropriate Showpad field.
12. Make sure to define the field that should be used for matching unique values between both systems.

Here are some examples:

Entra ID Attribute                                              customappsso Attribute
userPrincipalName                                               userName
mail                                                            emails[type eq "work"].value
givenName                                                       name.givenName
surname                                                         name.familyName
objectId                                                        externalId
Switch([IsSoftDeleted], , "False", "True", "True", "False")     active

Click Save when you've finished building your schema.

Group Mappings

1. Click on Provision Azure Active Directory Groups to configure the group mappings.
2. Ensure that Group Mapping is Enabled and the Source Object is set to Group. You can define scope filters in the Source Object Scope if needed.
3. For a full provisioning service, ensure that Create, Update, and Delete are activated from the Target Object Actions settings.
4. Scroll to the end of the page and activate the Show Advanced Options button.
5. Click Review your Schema here.
6. Copy and paste the target application field schema from the schema file attached to this article.
7. Save the new schema and return to the Attribute Mapping screen.
8. Delete non-required fields not available in Showpad from the Mappings, e.g., city, state, mailNickname. Check out this article in our Developer Portal for an up-to-date list of available fields.
9. Map remaining or additional fields to the appropriate Showpad field.
10. Make sure to define the field that should be used for matching unique values between both systems.
11. Save your changes.

Note: To use Entra user attributes as Showpad user groups, consider creating Dynamic Membership Groups using membership rules in Azure. Learn more about managing rules for dynamic membership groups here.

Test your configuration

Before enabling the automatic provisioning, we highly recommend testing the configuration using the provision on-demand functionality.

1. Assign a user to your custom enterprise application.
2. Next, return to the Provisioning page of the app.
3. Select Provision on-demand from the top navigation bar.
4. Search for the user account that you assigned to the app and select it.
5. Click Provision at the bottom of the page.

The provisioning will start and list the result of each step as it's completed. When all steps are successful, you can switch over to Showpad and confirm the user was successfully created with all the mapped properties assigned.

Start provisioning

From the provisioning home screen, click the Start provisioning button to start the automatic process. From this screen, you may also Stop, Restart, and Edit your provisioning, as well as configure Provisioning on demand. Click Refresh as needed.

Assigning users and groups

To provision or de-provision users and groups, they must be assigned to the enterprise app. To do so, go to the Overview section of your SCIM enterprise application.

1. Select Users and Groups from the left-hand navigation.
2. Click Add users/groups from the top navigation bar.
3. Search for users and/or groups you would like to add to this application and select them.
4. Click Assign.

Attachments

- USER SCHEMA: Showpad SCIM Users 220128.json (90 KB)
- GROUP SCHEMA: Showpad SCIM Groups 220128.json (90 KB)
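
The example mappings in the User mappings table, as an added Python example (not Showpad's or Microsoft's code): it applies each listed mapping to an Entra user record, evaluates the Switch([IsSoftDeleted] ...) expression into the SCIM active value, and flags empty or colliding matching values, which is worth checking before you click Start provisioning. The function names, the sample users and the choice of userPrincipalName as the matching attribute are assumptions for illustration.

```python
# Added example: applies the article's example mappings; not Showpad or Microsoft code.
import json

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

SAMPLE_USERS = [  # constructed sample records, not real accounts
    {"objectId": "00000000-0000-0000-0000-000000000001", "userPrincipalName": "ada@example.com",
     "mail": "ada@example.com", "givenName": "Ada", "surname": "Lovelace", "IsSoftDeleted": False},
    {"objectId": "00000000-0000-0000-0000-000000000002", "userPrincipalName": "Ada@Example.com",
     "givenName": "Ada", "surname": "Lovelace", "IsSoftDeleted": True},
    {"objectId": "00000000-0000-0000-0000-000000000003", "userPrincipalName": "",
     "givenName": "No", "surname": "Upn", "IsSoftDeleted": False},
]

def active_from_soft_deleted(value):
    """Switch([IsSoftDeleted], , "False", "True", "True", "False") as a boolean."""
    # The expression has an empty default, so an unmatched input yields None.
    return {"False": True, "True": False}.get(str(value))

def to_scim_user(entra_user):
    """Build the SCIM User resource that the table's mappings describe."""
    user = {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": entra_user["userPrincipalName"],        # userPrincipalName -> userName
        "externalId": entra_user["objectId"],               # objectId -> externalId
        "name": {"givenName": entra_user.get("givenName"),  # givenName -> name.givenName
                 "familyName": entra_user.get("surname")},  # surname -> name.familyName
        "active": active_from_soft_deleted(entra_user.get("IsSoftDeleted", False)),
    }
    if entra_user.get("mail"):  # mail -> emails[type eq "work"].value
        user["emails"] = [{"type": "work", "value": entra_user["mail"]}]
    return user

def matching_conflicts(entra_users, match_attr="userPrincipalName"):
    """List matching values that are empty or shared by more than one user."""
    seen, problems = set(), []
    for u in entra_users:
        # SCIM userName is case-insensitive (RFC 7643), so compare lower-cased.
        key = (u.get(match_attr) or "").strip().lower()
        if not key:
            problems.append(("missing", u["objectId"]))
        elif key in seen:
            problems.append(("duplicate", key))
        seen.add(key)
    return problems

if __name__ == "__main__":
    print(json.dumps(to_scim_user(SAMPLE_USERS[0]), indent=2))
    print(matching_conflicts(SAMPLE_USERS))
```

A soft-deleted Entra user comes out with active set to false, which is the deactivation path the Delete checkbox note describes when Delete is unchecked.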