Azure AD User and Group provisioning via SCIM protocol

Prerequisites:

  • Administrative access to senhasegura to create an access provider;
  • Network communication from senhasegura to Azure;
  • Network communication from Azure to senhasegura for Token requests and user provisioning through the SCIM API;
  • An Enterprise Application configured in Azure;
  • Azure Groups must have exactly the same name as User Groups in senhasegura. Do not include spaces in the name;
  • Azure Roles must have exactly the same name as roles in senhasegura. Do not include spaces in the name;
  • senhasegura must have a DNS name with a valid published certificate;
  • Update the system URL.

Reference documentation:


1. Create an Identity Management (IGA) provider

In the Authentication tab, enter the permitted source IP addresses. In this demonstration, all addresses will be allowed. Validate this configuration according to your production environment requirements.

After creating the provider, collect the Client ID and Client Secret information, as they will be required in subsequent steps.

2. Create an Enterprise Application

Access Microsoft Entra ID and create the Enterprise Application.


3. Initiate the provisioning configuration

Access the Provisioning tab of the Enterprise Application and click on Introduction to create the provisioning configuration.

Select the provisioning mode and expand the Admin Credentials section.

The Authentication Method must be set to OAuth 2.0 client credentials grant.

Configure the remaining authentication parameters according to the values provided by the Segura® provider:

  Segura® provider value   Azure field
  ----------------------   -----------------
  Base URL                 Tenant URL
  Token URL                Token Endpoint
  Client ID                Client Identifier
  Client Secret            Client Secret

4. Configure Group mappings

After completing step 3, expand the Mappings option and select Provision Azure Active Directory Groups.

Configure as illustrated below and save the changes:

5. Configure User mappings

After completing step 4, select Provision Azure Active Directory Users.

Only the attributes listed below are required:

If the attribute AssertiveAppRoleAssignmentsComplex([appRoleAssignments]) is not available, it must be created.

To do so, select Show advanced options and then Edit attribute list for customappsso.

Add a new attribute as illustrated below and save the configuration.

Afterward, return to the Mapping screen and select Add New Mapping.

Change the Mapping type to Expression and, in the corresponding field, enter:

AssertiveAppRoleAssignmentsComplex([appRoleAssignments])

In Target attribute, select entitlements and save the configuration.

Save the provisioning Mappings and return to the main provisioning configuration screen.
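The following script is an added example, not code from Segura® or from the original page. It reproduces the two calls behind Azure's connection test with the credentials from step 3 (a client credentials token request to the Token URL, then a bearer-authenticated GET against the SCIM Base URL) and shows how the attributes mapped in step 5, including the `entitlements` filled by the AssertiveAppRoleAssignmentsComplex expression, arrive in a SCIM User resource. The URLs, client id and secret are placeholders; the token and user responses are constructed samples so the flow runs offline; and it is assumed that the token endpoint accepts the client credentials as form parameters (RFC 6749 section 4.4) and that the SCIM endpoint follows RFC 7643/7644 resource and ListResponse formats.

```python
import json
import os
import urllib.parse
import urllib.request

SCIM_LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def build_token_request(token_url, client_id, client_secret):
    """OAuth 2.0 client credentials grant (RFC 6749 section 4.4) with the
    credentials as form parameters. Assumption: the provider accepts them in
    the body; if it requires HTTP Basic, move them to an Authorization header."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return urllib.request.Request(
        token_url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})


def parse_token_response(raw):
    """Accept only a Bearer token; SCIM calls cannot use any other type."""
    data = json.loads(raw)
    if data.get("token_type", "").lower() != "bearer" or not data.get("access_token"):
        raise ValueError("token endpoint did not return a usable bearer token")
    return data["access_token"]


def build_scim_request(base_url, path, token):
    """GET a SCIM resource under the Base URL (the Tenant URL field in Azure)."""
    url = base_url.rstrip("/") + "/" + path.lstrip("/")
    return urllib.request.Request(url, headers={
        "Authorization": "Bearer " + token,
        "Accept": "application/scim+json"})


def summarize_user(user):
    """Pull out what the step 5 mappings deliver: userName, active, group
    memberships, and the entitlement values (RFC 7643 multi-valued complex
    attribute) that the AssertiveAppRoleAssignmentsComplex expression fills."""
    return {
        "userName": user.get("userName"),
        "active": bool(user.get("active", False)),
        "groups": sorted(g.get("display") or g.get("value", "") for g in user.get("groups", [])),
        "entitlements": sorted(e["value"] for e in user.get("entitlements", []) if e.get("value")),
    }


def parse_list_response(raw):
    data = json.loads(raw)
    if SCIM_LIST_SCHEMA not in data.get("schemas", []):
        raise ValueError("response is not a SCIM ListResponse")
    return data.get("totalResults", 0), [summarize_user(u) for u in data.get("Resources", [])]


def check_provisioning(base_url, token_url, client_id, client_secret, opener=urllib.request.urlopen):
    """Token request followed by a one-user listing. `opener` is injectable so
    the same flow can be exercised without a tenant."""
    with opener(build_token_request(token_url, client_id, client_secret)) as resp:
        token = parse_token_response(resp.read())
    with opener(build_scim_request(base_url, "Users?count=1", token)) as resp:
        return parse_list_response(resp.read())


# Constructed sample responses (not captured from Azure or senhasegura).
SAMPLE_TOKEN = json.dumps({"access_token": "tok-example", "token_type": "Bearer", "expires_in": 3600})
SAMPLE_USERS = json.dumps({
    "schemas": [SCIM_LIST_SCHEMA], "totalResults": 1, "Resources": [{
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "id": "1", "userName": "jdoe@example.com", "active": True,
        "groups": [{"value": "g1", "display": "PAM_Operators"}],
        "entitlements": [{"value": "PAM_Operator", "type": "appRole"}]}]})


class _FakeResponse:
    def __init__(self, body): self._body = body.encode()
    def read(self): return self._body
    def __enter__(self): return self
    def __exit__(self, *exc): return False


def offline_opener(req):
    """Stand-in for urlopen: answers the token POST, then checks the bearer
    token on the SCIM GET the way the real endpoint would."""
    if req.get_method() == "POST":
        return _FakeResponse(SAMPLE_TOKEN)
    if req.get_header("Authorization") != "Bearer tok-example":
        raise PermissionError("missing or wrong bearer token")
    return _FakeResponse(SAMPLE_USERS)


if __name__ == "__main__":
    env = {v: os.environ.get(v) for v in
           ("SCIM_BASE_URL", "SCIM_TOKEN_URL", "SCIM_CLIENT_ID", "SCIM_CLIENT_SECRET")}
    if all(env.values()):  # values from the Segura provider, supplied by the operator
        total, users = check_provisioning(*env.values())
    else:  # placeholder URLs and credentials: run the offline demonstration
        total, users = check_provisioning("https://segura.example/scim", "https://segura.example/token",
                                          "client-id-placeholder", "client-secret-placeholder",
                                          opener=offline_opener)
    print(f"totalResults={total}")
    for user in users:
        print(user)
```

Run it with the four environment variables set to verify that the Token URL and Base URL in the Azure form really issue a token and answer a SCIM listing before enabling provisioning in step 8; without them it exercises the constructed responses only.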

6. Create the App roles

After completing step 5, proceed with the creation of the App roles.

In Segura®, permissions for actions, menu visibility, and related configurations are defined through Roles. To manage these via SCIM, it is necessary to create App roles and associate them with Azure Groups.

:warning: App roles must not contain spaces or accented characters in their names. If compound names are required, use the underscore “_” or hyphen “-” characters instead of spaces.

To create them, access Microsoft Entra ID → App registrations and locate the application previously configured. Then navigate to Manage → App roles and create the role that will be assigned to provisioned users, as illustrated below.
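The prerequisites (Azure Groups and Roles must carry exactly the same names as their senhasegura counterparts, without spaces) and the App role warning above are the usual cause of silent provisioning mismatches. The following pre-flight check is an added example, not Segura® code: given the group or role names exported from Entra ID and from senhasegura, it flags names with whitespace or accented characters, names with no exact match, and names that match only when case is ignored, and proposes the underscore form the page recommends. The two sample inventories are constructed.

```python
import unicodedata


def name_problems(name):
    """Naming-rule violations for one Group or App role name: no whitespace
    and no accented characters."""
    problems = []
    if any(ch.isspace() for ch in name):
        problems.append("contains whitespace")
    # An accented letter decomposes (NFD) into a base letter plus a combining mark.
    if any(unicodedata.combining(ch) for ch in unicodedata.normalize("NFD", name)):
        problems.append("contains accented characters")
    return problems


def suggest_name(name):
    """Rewrite a name the way the page suggests: drop accents and replace
    whitespace runs with an underscore."""
    decomposed = unicodedata.normalize("NFD", name)
    plain = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "_".join(plain.split())


def check_mappings(azure_names, segura_names):
    """Compare the Azure side with the senhasegura side.

    invalid   : Azure names that break the naming rules, with the violations
    missing   : Azure names with no exact match in senhasegura
    case_only : Azure names that match a senhasegura name only when case is
                ignored, reported separately because a case difference is
                the easiest way to miss "exactly the same name"
    """
    exact = set(segura_names)
    by_lower = {n.lower(): n for n in segura_names}
    report = {"invalid": {}, "missing": [], "case_only": {}}
    for name in azure_names:
        problems = name_problems(name)
        if problems:
            report["invalid"][name] = problems
        if name in exact:
            continue
        if name.lower() in by_lower:
            report["case_only"][name] = by_lower[name.lower()]
        else:
            report["missing"].append(name)
    return report


# Constructed sample inventories (not taken from any real tenant).
AZURE_GROUPS = ["PAM_Admins", "DBA Team", "Auditoría", "pam_operators", "Network-Ops"]
SEGURA_GROUPS = ["PAM_Admins", "DBA_Team", "Auditoria", "PAM_Operators", "Network-Ops"]


if __name__ == "__main__":
    report = check_mappings(AZURE_GROUPS, SEGURA_GROUPS)
    for name, problems in report["invalid"].items():
        print(f"INVALID  {name!r}: {', '.join(problems)}; suggested {suggest_name(name)!r}")
    for name in report["missing"]:
        print(f"MISSING  {name!r}: no senhasegura group/role with this exact name")
    for name, local in report["case_only"].items():
        print(f"CASE     {name!r} differs only in case from senhasegura {local!r}")
    if not any(report.values()):
        print("All names match and follow the naming rules.")
```

Run the check against both inventories before step 8; every name it reports will either fail to map or map to nothing once provisioning starts.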

7. Associate App roles with Groups

After completing step 6, associate the App roles with the corresponding Azure Groups.

To do so, access Microsoft Entra ID → Enterprise applications and locate your application. Select Users and groups → Add user/group and associate the desired Group(s) with the created App role(s).

8. Enable provisioning

Once enabled, provisioning will run automatically and synchronize Azure AD users with Segura® every 40 minutes.

:light_bulb: Additional information


SAML

To enable authentication of Segura® users with Azure, it is necessary to configure the Single sign-on SAML integration, according to the supporting documentation below: