System for Cross-domain Identity Management (SCIM)

Capacity Answer Engine supports System for Cross-domain Identity Management (SCIM, RFC 7642-7644) standard for auto-provisioning users connected to your enterprise Identity Provider (IdP). This functionality requires additional license considerations and offers powerful syncronization capabilities for large-scale management of your Capacity users. As configured, users will be automatically provisioned, updated, and deprovisioned as they lifecycle through your identity provider, and may be used to manage authorization of both the Answer Engine and access to content and personalization via Roles and Attributes.

In this guide are the steps to configure System for Cross-domain Identity Management (SCIM) in Azure Entra (Formerly Active Directory)

Prerequisites

The person implementing this guide must have administrative privileges in the source Microsoft Azure tenant with sufficient access to create the application and grant it the required permissions. 

Admin access to Answer Engine is required to view users and manage Roles and Attributes within the platform.

A member of the Capacity Engineering team will assist in support and in making the final connection between receiving the SCIM users and assigning them to the appropriate Roles or Attributes as desired for this scenario.

Implementation Guide

Step 1: Register an Application in Azure

  1. Navigate to Azure:

  2. Register a new application:

    • Select App registrations > New registration.

    • Enter a name for the application (e.g., "Capacity SCIM Provisioning App").

    • Choose the supported account types. For SCIM, you typically select "Accounts in this organizational directory only."

    • Click Register.

Step 2: Configure API Permissions

  1. API permissions:

    • After registration, go to API permissions.

    • Click Add a permission > Microsoft Graph > Application permissions.

    • Add the necessary permissions for SCIM. Typically, you will need:

      • User.Read.All

      • Group.Read.All

    • Click Add permissions.

  2. Grant admin consent:

    • Click Grant admin consent for [Your Organization].

Step 3: Generate Client Secret

  1. Client secrets:

    • Go to Certificates & secrets.

    • Click New client secret.

    • Add a description and set the expiration period.

    • Click Add.

    • Copy the generated client secret value. You'll need this later.

Step 4: Configure SCIM Provisioning

  1. Enterprise Applications:

    • Go to Enterprise applications in Azure.

    • Click New application.

    • Select Create your own application.

    • Enter a name and select Integrate any other application you don't find in the gallery.

    • Click Create.

  2. Provisioning:

    • After the application is created, go to Provisioning.

    • Click Get started.

  3. Provisioning Mode:

    • Set the Provisioning Mode to Automatic.

  4. Admin Credentials:

    • Enter the SCIM endpoint URL (provided by the Capacity Engineering).

    • Enter the client secret generated earlier.

    • Click Test Connection to ensure connectivity.

  5. Mappings:

    • Capacity Engineering team will assist with mapping between Entra and Capacity Answer Engine Roles and Attributes as needed.

  6. Scope:

    • Set the provisioning scope to Sync all users and groups as needed.

Step 5: Assign Users and Groups (Optional)

  1. Assign users and groups:

    • Go to Users and groups for the application.

    • Click Add user/group.

    • Assign the users and/or groups that should be provisioned to Capacity.

Step 6: Start Provisioning

  1. Provisioning Status:

    • Go back to the Provisioning section.

    • Set Provisioning Status to On.

    • Click Save to start the provisioning process.

  2. Monitor Provisioning:

    • Monitor the provisioning logs to ensure that users and groups are being provisioned correctly.

Troubleshooting

Monitor Provisioning:

  • Go to the Provisioning section of the application.

    • Check the Provisioning logs to see if there are any errors or warnings.

Restart Provisioning:

  • If users are not synced within an hour and there are no clear errors in the logs, you may need to restart the sync process:

    • Go to the Provisioning section.

    • Set the Provisioning Status to Off.

    • Click Save.

    • Wait a few minutes to ensure the sync process is fully stopped.

    • Set the Provisioning Status back to On.

    • Click Save to restart the provisioning process.

Re-Test Connection:

  • If restarting provisioning doesn't resolve the issue, go to the Admin Credentials section.

    • Re-enter the SCIM endpoint URL and the client secret.

    • Click Test Connection to ensure the connection is still valid.

Verify Attribute Mappings:

  • Ensure that the attribute mappings between Entra and Capacity Answer Engine are correctly configured. Incorrect mappings can cause synchronization issues.

    • Go to Mappings in the Provisioning section.

    • Review and adjust the mappings as needed.

Check API Permissions:

  • Ensure that the application has the necessary API permissions in Azure.

    • Go to API permissions for the registered application.

    • Verify that the required permissions (User.Read.All, Group.Read.All) are granted and have admin consent.


Was this article helpful?