Azure AD User and Group provisioning via SCIM protocol

Provisioning
1

Prerequisites:

  • Administrative access to senhasegura to create an access provider;
  • Communication from senhasegura to Azure;
  • Communication from Azure to senhasegura for token request and user provisioning in the SCIM API;
  • Having a business application in Azure;
  • Azure groups must have exactly the same name as senhasegura USER groups. Do not include spaces in the name;
  • Azure roles must have exactly the same name as senhasegura roles. Do not include spaces in the name;
  • senhasegura must have a DSN with a valid certificate published;
  • Change the system URL.

Base document:
https://docs.senhasegura.io/docs/user-management-azure-ad-provisioning

1. Create an “Identity Management” provider.

image
image1920×945 106 KB

In the “Authentication” tab, enter the allowed source IPs. In this demo we will cover everything. Validate this in your production environment.

image
image784×526 18.8 KB

After creating the provider, collect the Client ID and Secret data.

image
image1920×945 110 KB

2. Create a business application if you don’t already have one.

2.1 Access “Microsoft Entra ID”.

image

2.2 Create the business application.

image
image215×519 14.1 KB

image
image1248×545 72.6 KB

image
image1897×722 96.1 KB

3. Access the “Provisioning” tab of your business application and click on “introduction” to create your provisioning.

image
image1578×526 31 KB

Select the provisioning mode and expand the Admin Credentials tab.

In Tenant URL, enter the “Base URL” value obtained when clicking on the provider details insenhasegura.

image
image784×526 19.7 KB

In the “Secret Token” field, the “Access Token” must be inserted based on the Client ID and Client Secret
also obtained from the provider’s details insenhasegura. I use a tool like Postman to obtain the token.

image
image1130×673 45.3 KB

image

Copy the contents of the highlighted token.

image

Using the access token, test the connection tosenhasegura. At this point, Azure will send a request tosenhasegura.

Click “Save”.

image
image1903×568 38.8 KB

4. Configure the Group mappings.

After completing step 3, expand the “Mappings” option and click on “Provision Azure Active Directory Groups”.

Configure as below and save:

image
image1751×838 29 KB

4.1 Configure User mappings.

After completing step 4, click on “Provision Azure Active Directory Users”.

Only the attributes below are required:

image
image1698×845 33.7 KB

If the “SingleAppRoleAssignment([appRoleAssignments])” attribute does not exist, it will need to be created.
To do this, click on “Show advanced options” and “Edit attribute list for customappsso”.

image
image968×166 5.92 KB

Add a new attribute as below and save.

image
image1871×33 952 Bytes

After that, go back to the Mapping screen and click on “Add New Mapping”.

image
image1686×679 29.4 KB

Change the “Mapping type” to “Expression” and in the respective field enter:

SingleAppRoleAssignment([appRoleAssignments])

Em “Target attribute” selecione “entitlements.value” e salve.

image
image739×734 17.5 KB

Save the Provisioning Mappings and return to the initial provisioning configuration screen.

5. Enable provisioning.

image
image750×862 24.2 KB

From this moment on, provisioning will be performed and will synchronize users from Azure AD to senhasegura.

About synchronization: The user group in Azure must have the same name as thesenhasegura User Group, without spaces and accents.

learn.microsoft.com

About roles: The role assigned to the user in Azure AD must have the same name as a Role insenhasegura, without spaces and accents.

learn.microsoft.com

In order for the Azure user to authenticate withsenhasegura, it will be necessary to create a new integration with SAML. To do this, follow the step-by-step instructions below.

https://docs.senhasegura.io/docs/user-management-saml-2-0