Beastwood

Reputation: 484

Azure Active Directory Enterprise App OpenID and User Provisioning (SCIM)

I'm trying to build an Enterprise App in Azure that will support SSO using OpenID Connect and User Provisioning using a SCIM API.

When I create the application using the OpenID Connect approach I don't have an option to enable user provisioning. If I do the Non-gallery approach I can enable user provisioning and test out my SCIM API. Am I missing something? Why is that option not available for OpenID Connect?

I followed this diagram to pick the correct SSO. https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/plan-sso-deployment#single-sign-on-options


Then selected the "App you're developing" option in Azure.


Once I go to the Provisioning part, the "Get started" button is disabled:


BUT if I choose the Non-Gallery option when creating the application, the Provisioning part is enabled and allows me to step through the wizard to wire up a SCIM API.

Upvotes: 2

Views: 914

Answers (3)

Dom

Reputation: 404

I just came across your post. We had some queries regarding SSO and SCIM. Since you are also doing SSO (using OpenID) and SCIM, what is your approach? We do the following:

  1. Get the users using SCIM (here, in the Azure AD attribute mapping, we have mapped the oid to externalId, so when we get the users we get the oid as well as the other attributes, i.e. first name, last name, etc., and we store this).
  2. When the user does SSO, we make sure that we decode the token and get the oid. We check this oid against the oid stored in step 1, and if it matches we give access to the API. Let me know if you are following the same approach.

Let me know if you follow the same approach, and whether what we are following is a proper approach, as I couldn't find any documentation or steps on how to use both together.

thanks in advance

Upvotes: 0
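As an added illustration of the two-step flow described in the answer above (this is example code, not code from the thread or from Microsoft), the sketch below keeps an in-memory user store fed by SCIM provisioning and then gates SSO logins on it. It assumes the Azure AD attribute mapping sends the user's object id as `externalId`, that deprovisioning arrives as a SCIM PATCH setting `active` to false, and that the OpenID Connect ID token has already been signature-, issuer-, audience- and expiry-checked by the login middleware, so only its claims dictionary is passed in. The sample SCIM payloads and the oid value are constructed for the example.

```python
"""Added example: SCIM-provisioned user store plus an SSO-time oid check.

Assumptions (not from the original thread):
- externalId in the SCIM payload carries the Azure AD oid (attribute mapping).
- The ID token's claims have already been cryptographically verified upstream.
"""
from dataclasses import dataclass


@dataclass
class ScimUser:
    scim_id: str       # id assigned by this SCIM service
    external_id: str   # Azure AD oid, per the assumed attribute mapping
    user_name: str
    given_name: str
    family_name: str
    active: bool = True


class ScimUserStore:
    """Minimal in-memory stand-in for the directory a SCIM endpoint writes to."""

    CORE_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

    def __init__(self) -> None:
        self._by_scim_id: dict[str, ScimUser] = {}
        self._by_oid: dict[str, ScimUser] = {}
        self._next_id = 1

    def create_user(self, body: dict) -> ScimUser:
        """Handle the body of a SCIM POST /Users from the provisioning service."""
        if self.CORE_SCHEMA not in body.get("schemas", []):
            raise ValueError("unsupported SCIM schema")
        oid = body.get("externalId")
        if not oid:
            # Without externalId there is nothing to correlate the SSO token to.
            raise ValueError("externalId (Azure AD oid) is required")
        name = body.get("name", {})
        user = ScimUser(
            scim_id=str(self._next_id),
            external_id=oid,
            user_name=body["userName"],
            given_name=name.get("givenName", ""),
            family_name=name.get("familyName", ""),
            active=bool(body.get("active", True)),
        )
        self._next_id += 1
        self._by_scim_id[user.scim_id] = user
        self._by_oid[oid] = user
        return user

    def patch_user(self, scim_id: str, body: dict) -> ScimUser:
        """Handle SCIM PATCH /Users/{id}; only the 'active' replace op is modelled."""
        user = self._by_scim_id[scim_id]
        for op in body.get("Operations", []):
            if op.get("op", "").lower() == "replace" and op.get("path") == "active":
                value = op.get("value")
                # Accept both a JSON boolean and a string form of the flag.
                user.active = value if isinstance(value, bool) else str(value).lower() == "true"
        return user

    def authorize_sso(self, claims: dict) -> bool:
        """SSO-time check: the verified token's oid must map to an active provisioned user."""
        oid = claims.get("oid")
        if not oid:
            return False
        user = self._by_oid.get(oid)
        return user is not None and user.active


# Constructed sample payloads (shape follows SCIM 2.0; values are made up).
SAMPLE_OID = "00000000-0000-0000-0000-000000000001"
SAMPLE_CREATE = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "externalId": SAMPLE_OID,
    "userName": "alice@example.test",
    "name": {"givenName": "Alice", "familyName": "Example"},
    "active": True,
}
SAMPLE_DEACTIVATE = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [{"op": "Replace", "path": "active", "value": "False"}],
}


def demo() -> tuple[bool, bool, bool]:
    """Returns (known user allowed, unknown user denied, deprovisioned user denied)."""
    store = ScimUserStore()
    user = store.create_user(SAMPLE_CREATE)
    allowed = store.authorize_sso({"oid": SAMPLE_OID})
    unknown_denied = not store.authorize_sso({"oid": "not-provisioned"})
    store.patch_user(user.scim_id, SAMPLE_DEACTIVATE)
    deprovisioned_denied = not store.authorize_sso({"oid": SAMPLE_OID})
    return allowed, unknown_denied, deprovisioned_denied


if __name__ == "__main__":
    print(demo())
```

The point of keying on `oid` rather than on `userName` or email is that the oid is immutable for the directory object, so a renamed mailbox does not silently break the correlation. The deactivation path matters just as much as the create path: if the SSO check only asks "have we ever seen this oid?", a user removed from the app's assignment in Azure AD keeps access until the token expires.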

Zollnerd

Reputation: 912

You've already identified what works right now - non-gallery OIDC apps can't support SCIM provisioning today, so you'll need a second app. We're (Microsoft) looking to enable the ability to enable SCIM provisioning on non-gallery OIDC apps, but there are some security/privilege escalation issues that need to be addressed first.

Upvotes: 1

kavya Saraboju

Reputation: 10831

According to the Azure AD app-provisioning-known-issues Microsoft docs:

If you create an app registration, the corresponding service principal in enterprise apps won't be enabled for automatic user provisioning. Your app needs to be in the gallery to have provisioning enabled. For that, you'll need to either request the app be added to the gallery, if it is intended for use by multiple organizations, or create a second non-gallery app for provisioning.

To get your app in the gallery, see the how-to on app gallery listing.

See SaaS App Integration Tutorials for use with Azure AD | Microsoft Docs

References:

  1. Azure AD Enterprise application not showing 'automatic' provisioning mode - Stack Overflow
  2. Problem configuring user provisioning to an Azure Active Directory Gallery app | Microsoft Docs

Upvotes: 3
