User Provisioning in Azure with SCIM
Important: Before you set up SCIM with Azure, open a support ticket with Infosec to have provisioning enabled on your Infosec IQ account. The provisioning settings are not available by default.
Before you set up SCIM with Azure, make sure you already have an Azure SSO application configured by following the Azure SSO setup instructions: Azure Active Directory SAML SSO.
To turn on SCIM in your Azure SSO application for Infosec, follow the steps below:
- Navigate to the Infosec application in Azure that you previously set up.
- Select Provisioning, under the Manage section.
- Click the Get started button in the middle of the page.
- In a new tab, open the Infosec Accounts dashboard: go to Infosec IQ, click the gear icon in the top right corner, and select Learner Authentication (SSO).
- Back in Azure, select Automatic as the provisioning mode.
- To proceed in Azure, you will need two things from the Learner Authentication (SSO) page: the Service Provider URL and a personal access token.
- Service Provider URL: displayed on the Learner Authentication (SSO) page.
- Personal access token: select 'create a new one' in the text above the Service Provider URL. Give the token a name and an expiration date, leave the SCIM provisioning box checked, and click Save. Copy the token now; you will not be able to retrieve it later. Treat it as a secret (it is the bearer credential Azure will present to Infosec), and note the expiration date: provisioning from Azure stops working once the token expires, so plan to issue a replacement and update Azure before then.
- Back in Azure, fill in the Tenant URL field with the Service Provider URL and the Secret Token field with the personal access token, then click Test Connection to confirm that Azure can reach the endpoint with that token. A notification in the top right corner of the window tells you whether the test succeeded.
Important: By default, SCIM with Azure will not send updates to disable users who have been terminated. If you want Azure to handle de-provisioning as well, modify the Tenant URL so that Microsoft knows to send those updates, by appending
?aadOptscim062020
to the end.
For example:
https://account.infosecinstitute.com/scim/xxxx/v2/?aadOptscim062020
- Click the Save button at the top of the page.
- Two new sections appear at the bottom of the page, Mappings and Settings. They hold the optional settings described below; the defaults are usually fine.
- Mappings: change how user and group attributes are mapped from Azure to Infosec IQ. See Microsoft's documentation on attribute mappings for details.
- Settings: elect to receive an email notification if Microsoft detects an error.
- Return to the Azure application settings and select Start Provisioning.
All users and groups assigned to the application in its Users and Groups section will now sync into Infosec Accounts. They will not yet appear in the Learners section of Infosec IQ; to turn on the sync from Infosec Accounts to Infosec IQ, follow the remaining steps:
- Navigate back to the Infosec Accounts dashboard and select the Overview tab.
- Check the Sync Enabled? box in the Application links section.
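The two values the Azure steps above depend on, the Tenant URL (with the de-provisioning flag) and the Secret Token, can be checked from a shell before you click Test Connection. The script below is an added example, not code from Infosec or Microsoft. It builds the Tenant URL without doubling the flag or producing a malformed query string (the query-string branch is an assumption for SCIM endpoints other than Infosec's, whose URL has none), strips the flag again when talking to the endpoint (the flag is a behaviour switch for Azure's provisioning service, not part of the SCIM path), and issues a filtered GET against /Users with the token as a bearer credential, the kind of query the provisioning service relies on to match users (that Test Connection sends exactly this request is an assumption). The filter value nobody@example.com and the URLs in the usage are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not Infosec's or Microsoft's code. Helpers for the two Azure
# provisioning settings used in the procedure: the Tenant URL and the Secret Token.
set -eu

# Build the Tenant URL from the Service Provider URL by appending the
# aadOptscim062020 flag. Idempotent: a URL that already carries the flag is
# returned unchanged, and a URL that already has a query string gets '&'
# instead of a second '?'. (Infosec's URL has no query string; that branch is
# an assumption for other SCIM endpoints.)
scim_tenant_url() {
  local base="$1"
  case "$base" in
    *aadOptscim062020*) printf '%s\n' "$base" ;;
    *\?*)               printf '%s&aadOptscim062020\n' "$base" ;;
    *)                  printf '%s?aadOptscim062020\n' "$base" ;;
  esac
}

# Derive the SCIM base path that is actually requested: the flag is consumed
# by the Azure provisioning service, not by the endpoint, so it is dropped,
# and a trailing slash is removed so "/Users" can be appended cleanly.
scim_base_path() {
  local url="${1%%\?*}"
  printf '%s\n' "${url%/}"
}

# Exercise the endpoint the way the provisioning service does: a filtered GET
# on /Users with the personal access token as a bearer token. Prints the HTTP
# status and returns 0 only on 200. An unreachable host yields status 000 and
# a non-zero return instead of aborting the script.
scim_test_connection() {
  local tenant_url="$1" token="$2"
  local users_url code
  users_url="$(scim_base_path "$tenant_url")/Users"
  code=$(curl -sS -o /dev/null -w '%{http_code}' \
           -H "Authorization: Bearer ${token}" \
           -H 'Accept: application/scim+json' \
           --get --data-urlencode 'filter=userName eq "nobody@example.com"' \
           "$users_url" || true)
  printf 'GET %s -> %s\n' "$users_url" "$code"
  [ "$code" = "200" ]
}

# Usage: ./scim-check.sh <Service Provider URL> <personal access token>
# e.g.   ./scim-check.sh 'https://account.example.test/scim/abcd/v2/' "$TOKEN"
if [ "$#" -eq 2 ]; then
  tenant_url=$(scim_tenant_url "$1")
  printf 'Tenant URL for Azure: %s\n' "$tenant_url"
  scim_test_connection "$tenant_url" "$2"
fi
```

Pass the token through an environment variable or a prompt rather than typing it on the command line, so it does not land in shell history; a non-200 status here (401 for a bad or expired token, 404 for a wrong path) is the same failure Test Connection would report in Azure.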
Managing the sync from Infosec Accounts to Infosec IQ
As described above, once users have synced from Azure to Infosec Accounts they are synced on to Infosec IQ. To manage how users in Accounts are converted to learners in Infosec IQ, and to ensure that users are permanently deleted so their licenses are freed, see our article on the receiving end of learner syncs, Learner Sync Documentation.