Azure SCIM 2.0 User Provisioning connects your Azure Active Directory (Azure AD) tenant to your Phriendly Phishing account. When a user is assigned to the provisioning application in Azure AD they are automatically created in your Phriendly Phishing account as a Learner. When that user is removed from Azure AD (or from the assigned groups), they are removed from your Phriendly Phishing account.
This article will take you through how to:
- Create a New Enterprise Application
- Provision Your Enterprise Application
- Map Attributes and Assign Provisioning Scope
- Configure with Phriendly Phishing account
- Switch from Email to ID as the Unique Identifier (for existing SCIM set-ups)
Important: Please confirm with Support what attribute is used to store your primary email addresses in Azure AD.
1. Create a New Enterprise Application in Azure AD
a. Sign into the Azure Active Directory Portal.
b. Select Enterprise applications.
c. Select New Application and then Create your own application.
d. Enter a name for your application, choose the option "Integrate any other application you don't find in the gallery" and select Create to add the new application. Once added it should open the application overview.
2. Provision Your Enterprise Application
a. You will need details from the Phriendly Phishing Portal to configure the application.
b. Log into your account, select Settings then User Synchronisation.
c. Select Azure SCIM then expand 'Azure SCIM synchronisation'. This shows the tenant URL and secret token that you enter into Azure AD in step 2f below.
d. On the Overview page of the application you created, select Provisioning in the left panel.
e. Select Get Started
f. Set Provisioning Mode to 'Automatic' and under Admin Credentials enter the Tenant URL and Secret Token you retrieved in step 2c from the Phriendly Phishing Portal. The secret token is what authorises Azure AD to create and remove learners in your account: treat it as a credential, enter it only in this provisioning configuration, and do not store it elsewhere.
g. Select Test Connection, then if the connection is successful, select Save.
3. Mapping required attributes and Assigning Provisioning Scope
a. Select the Provisioning tab, then Edit Attribute Mapping.
b. Expand 'Mappings' then select Provision Azure Active Directory Users.
c. Scroll to the bottom and select Show Advanced Options, then Edit Attribute List for customappsso.
d. At the bottom of the list, enter these custom attributes in the Name column, leaving the defaults for the other columns (see the screenshot below).
Default Attributes (Required)
- First name of learner = urn:ietf:params:scim:schemas:extension:PH2:2.0:User:givenName
- Surname of learner = urn:ietf:params:scim:schemas:extension:PH2:2.0:User:surName
- Email of learner = urn:ietf:params:scim:schemas:extension:PH2:2.0:User:mail
Additional Attributes (optional)
If you wish to add additional attributes, the name must follow the pattern shown below. The "CustomAttribute" part can be set to whatever you want shown in the portal.
urn:ietf:params:scim:schemas:extension:PH2:2.0:User:CustomAttribute
Examples:
- urn:ietf:params:scim:schemas:extension:PH2:2.0:User:Department
- urn:ietf:params:scim:schemas:extension:PH2:2.0:User:location
- urn:ietf:params:scim:schemas:extension:PH2:2.0:User:jobTitle
e. Once all have been added select Save, then Yes.
f. Adjust the mappings so they match the following screenshot.
This is done by selecting the Azure AD attribute, editing the Target Attribute and then selecting Ok. If you added additional attributes in the previous step, map each of them to the corresponding Azure AD attribute, e.g. Department in the example below.
g. Set the Matching Precedence of objectId to 1, so that learners are matched on the Azure AD object ID rather than the user principal name. Only one attribute can hold precedence 1, and Azure AD gives it to userPrincipalName by default, so the edits must be made in this order:
- Select the row whose customappsso attribute is "externalId".
- Edit its source attribute to "objectId", set Match objects using this attribute to "Yes" and Matching precedence to "2" (precedence 1 is still held by userPrincipalName), then select Ok.
- Select userPrincipalName, set Match objects using this attribute to "No" and Matching precedence to "0", then select Ok.
- Select objectId again, change Matching precedence to "1", then select Ok.
h. Once complete, select Save and then Yes.
i. Expand 'Settings' and set Scope to 'Sync only assigned users and groups'.
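The mappings in step 3 decide what Azure AD sends to the Phriendly Phishing SCIM endpoint for each assigned user. The following is an added example, not code from the article or from Phriendly Phishing, that renders a user as the SCIM 2.0 payload those mappings produce and validates custom attribute names against the pattern in step 3d. The schema URN and the required attribute names come from the article; the layout (extension attributes nested under their schema URN, externalId carrying objectId, userName carrying userPrincipalName) follows the SCIM 2.0 convention and Azure AD's default mappings, and is an assumption about what the endpoint receives. The sample user is constructed.

```python
import re

CORE_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PH2_SCHEMA = "urn:ietf:params:scim:schemas:extension:PH2:2.0:User"

# Required mappings from step 3d/3f: Azure AD attribute -> PH2 attribute name
REQUIRED_MAPPINGS = {"givenName": "givenName", "surname": "surName", "mail": "mail"}

# A custom attribute is the PH2 URN followed by a single simple name
_CUSTOM_ATTR = re.compile(rf"^{re.escape(PH2_SCHEMA)}:([A-Za-z][A-Za-z0-9]*)$")


def custom_attribute_name(urn):
    """Return the CustomAttribute part if urn follows the step 3d pattern, else None."""
    m = _CUSTOM_ATTR.match(urn)
    return m.group(1) if m else None


def mapping_errors(ad_user, extra_mappings=None):
    """List the reasons a user could not be provisioned with these mappings."""
    errors = []
    for attr in ("objectId", "userPrincipalName", *REQUIRED_MAPPINGS):
        if not ad_user.get(attr):
            errors.append(f"Azure AD attribute {attr!r} is empty")
    for urn in (extra_mappings or {}).values():
        if custom_attribute_name(urn) is None:
            errors.append(f"{urn!r} does not follow {PH2_SCHEMA}:<CustomAttribute>")
    return errors


def build_scim_user(ad_user, extra_mappings=None):
    """Render one Azure AD user as the SCIM payload the step 3 mappings would send.

    ad_user: dict of Azure AD attributes (objectId, userPrincipalName, givenName, ...)
    extra_mappings: {azure_ad_attribute: custom attribute URN} for optional attributes
    """
    errors = mapping_errors(ad_user, extra_mappings)
    if errors:
        raise ValueError("; ".join(errors))
    extension = {target: ad_user[src] for src, target in REQUIRED_MAPPINGS.items()}
    for src, urn in (extra_mappings or {}).items():
        if ad_user.get(src) is not None:
            extension[custom_attribute_name(urn)] = ad_user[src]
    return {
        "schemas": [CORE_USER_SCHEMA, PH2_SCHEMA],
        # externalId carries objectId (matching precedence 1 from step 3g), so a
        # user whose mailbox is renamed still matches the same learner.
        "externalId": ad_user["objectId"],
        "userName": ad_user["userPrincipalName"],
        "active": bool(ad_user.get("accountEnabled", True)),
        PH2_SCHEMA: extension,
    }


# Constructed sample Azure AD user (assumed values, not real data)
SAMPLE_AD_USER = {
    "objectId": "11111111-2222-3333-4444-555555555555",
    "userPrincipalName": "alice.example@contoso.example",
    "givenName": "Alice",
    "surname": "Example",
    "mail": "alice.example@contoso.example",
    "department": "Finance",
    "accountEnabled": True,
}

if __name__ == "__main__":
    import json
    payload = build_scim_user(SAMPLE_AD_USER, {"department": PH2_SCHEMA + ":Department"})
    print(json.dumps(payload, indent=2))
```

Running the block prints the payload for the sample user; a user with an empty `mail` attribute is rejected before anything is sent, which is the same condition that makes Azure AD skip a user when a required target attribute has no source value.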
4. Assigning Groups to Provisioning
a. On the Overview page of the application, select Users and Groups.
b. Select Add user/group.
c. Select Users and groups to search for the group(s) you want to assign.
d. Select Assign.
5. Start Provisioning
a. In the Overview page of the application, select Provisioning then Start Provisioning.
6. Configuring Phriendly Phishing Platform
a. In the platform where you retrieved the URL and token, add the group name/s that you previously assigned and select Save.
Important Things to Note:
- The group name must match exactly for the sync to work. If a group is not being identified, check for a trailing space at the end of the group name.
- Users in nested groups are not recognised. If you have users in nested groups you will need to add those groups to the configuration as well.
- The AD security group name will be shown as a Segment under the Learners page.
We recommend using External ID (the Azure AD object ID) as the unique identifier, as a learner whose email address changes is then updated rather than treated as a new learner.
b. Select Trigger Sync.
c. In the preview section you can download the processed CSV to review the users that will be synchronised and confirm the list is correct.
d. Once you have confirmed the user list you can enable Azure SCIM Synchronisation to apply it.
e. You can select the notifications icon to see the summary of the sync.
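The two group problems listed under step 6a (a trailing space in a name, and members of nested groups not being picked up) are easy to catch before the first sync. The following is an added example, not part of the article or of the Phriendly Phishing platform, that checks the group names typed into the portal against an export of Azure AD group names and nesting. The Azure AD data is a constructed stand-in for what you would export from your tenant, and the dictionary layout (`members`, `nested`) is an assumption of this example.

```python
def _descendants(azure_groups, name, seen=None):
    """Yield every group nested (at any depth) under name, once each."""
    seen = set() if seen is None else seen
    for child in azure_groups.get(name, {}).get("nested", []):
        if child not in seen:
            seen.add(child)
            yield child
            yield from _descendants(azure_groups, child, seen)


def check_group_configuration(configured_names, azure_groups):
    """Compare portal group names with Azure AD groups.

    configured_names: names entered in the Phriendly Phishing portal (step 6a)
    azure_groups: {displayName: {"members": [user ids], "nested": [child group names]}}
    Returns findings keyed by problem type.
    """
    by_stripped = {g.strip(): g for g in azure_groups}
    findings = {"ok": [], "whitespace": [], "missing": [],
                "nested_unconfigured": [], "users_not_synced": []}
    for name in configured_names:
        if name in azure_groups:
            findings["ok"].append(name)
        elif name.strip() in by_stripped:
            # Same name once leading/trailing whitespace is ignored: the
            # stray space is on one side or the other.
            findings["whitespace"].append((name, by_stripped[name.strip()]))
        else:
            findings["missing"].append(name)

    # Only direct members of an exactly matched group are synchronised.
    synced_users = set()
    for name in findings["ok"]:
        synced_users.update(azure_groups[name]["members"])

    configured = set(findings["ok"])
    for name in findings["ok"]:
        for child in _descendants(azure_groups, name):
            if child not in configured:
                findings["nested_unconfigured"].append((name, child))
                for user in azure_groups[child]["members"]:
                    if user not in synced_users:
                        findings["users_not_synced"].append(user)
    findings["users_not_synced"] = sorted(set(findings["users_not_synced"]))
    return findings


# Constructed sample export (assumed values, not real tenant data)
AZURE_GROUPS = {
    "PP-Learners": {"members": ["alice", "bob"], "nested": ["PP-Contractors"]},
    "PP-Contractors": {"members": ["carol"], "nested": []},
    "PP-Executives ": {"members": ["dave"], "nested": []},  # trailing space in Azure AD
}
CONFIGURED = ["PP-Learners", "PP-Executives", "PP-Students"]

if __name__ == "__main__":
    for kind, items in check_group_configuration(CONFIGURED, AZURE_GROUPS).items():
        print(f"{kind}: {items}")
```

In the sample, "PP-Executives" is reported as a whitespace mismatch, "PP-Students" as missing, and carol as a user who will not be synchronised until "PP-Contractors" is added to the portal configuration.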
Switch from Email to ID as the Unique Identifier (for existing SCIM set-ups)
- Disable the User Synchronisation > Learner Synchronisation toggle.
- Switch the mapping value from Email to Unique Identifier and select Save Settings.
- Click Trigger Sync (via the button, or by pushing new data from the ADFS script).
- Preview the processed data. If learners are being erroneously removed, contact Support to remediate before re-enabling synchronisation.
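The reason the preview matters at this point is that the matching key changes what an email change looks like to the sync. The following is an added example, not the platform's own reconciliation code, that compares the preview you would get when matching on email with the one you get when matching on the unique identifier (the Azure AD object ID carried in externalId), and flags removals that are really renamed mailboxes. The learner records and the field names are constructed for the example.

```python
def reconcile(existing, incoming, key):
    """Work out what a sync would add, update and remove when learners are
    matched on `key` ('email' or 'id'). Results are lists of email addresses."""
    old = {rec[key]: rec for rec in existing}
    new = {rec[key]: rec for rec in incoming}
    added = sorted(new[k]["email"] for k in new.keys() - old.keys())
    removed = sorted(old[k]["email"] for k in old.keys() - new.keys())
    updated = sorted(new[k]["email"] for k in new.keys() & old.keys() if new[k] != old[k])
    return {"added": added, "updated": updated, "removed": removed}


def erroneous_removals(existing, incoming):
    """Learners that email matching would remove although their object ID is
    still present in the incoming data, i.e. an email change rather than a leaver."""
    incoming_ids = {rec["id"] for rec in incoming}
    old_by_email = {rec["email"]: rec for rec in existing}
    by_email = reconcile(existing, incoming, "email")
    return [e for e in by_email["removed"] if old_by_email[e]["id"] in incoming_ids]


# Constructed sample data (assumed values, not real learners)
EXISTING = [
    {"id": "a1", "email": "alice.smith@contoso.example", "givenName": "Alice"},
    {"id": "b2", "email": "bob@contoso.example", "givenName": "Bob"},
    {"id": "c3", "email": "carol@contoso.example", "givenName": "Carol"},
]
INCOMING = [
    {"id": "a1", "email": "alice.jones@contoso.example", "givenName": "Alice"},  # renamed
    {"id": "c3", "email": "carol@contoso.example", "givenName": "Carol"},
    {"id": "d4", "email": "dan@contoso.example", "givenName": "Dan"},             # new
]                                                                                 # bob left

if __name__ == "__main__":
    print("match on email:", reconcile(EXISTING, INCOMING, "email"))
    print("match on id:   ", reconcile(EXISTING, INCOMING, "id"))
    print("would be removed in error:", erroneous_removals(EXISTING, INCOMING))
```

With email as the key, Alice's rename appears as one removal plus one new learner, which is the erroneous removal the step above warns about; with the object ID as the key, the same change is a single update and only Bob, who has genuinely left, is removed.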
You have now completed the implementation of Azure SCIM Provisioning!