Azure AD SCIM provisioning

Ultimo currently supports SCIM 2.0 for integrating with an identity provider (IdP) such as Microsoft Azure AD or Okta. This page covers the Azure AD side of that integration.

Creating new enterprise application

This step is already described in https://developer.ultimo.net/azure-documentation/azure-authentication#creating-new-enterprise-application. If you already registered an enterprise application for SSO, you can reuse it.

Setup provisioning

Under the enterprise application created in the step above, click Provisioning.

On the Provisioning page click Get started.

Under Provisioning Mode, select Automatic.

Under Admin Credentials enter the Tenant Url and the Secret token.

Tenant Url: <customurl>.ultimo.net/scim

Secret token: taken from the Ultimo Configuration Tool. This token is the only thing that authenticates Azure AD to the /scim endpoint, so handle it as you would a password: enter it here once and do not paste it into tickets or mail.

Under Mappings, click Provision Azure Active Directory Groups. This opens the Attribute Mapping dialog for groups.

Disable group provisioning in this dialog; Ultimo does not support it.

Under Mappings, click Provision Azure Active Directory Users. This opens the Attribute Mapping dialog for users.

Enable Provision Azure AD for users.

Under Target Object Actions, check Create, Update and Delete.

In Attribute Mappings, map the customappsso attributes to the Azure Active Directory attributes as described in the Attribute-mappings section below, which lists the attributes Ultimo SCIM provisioning supports.

This is an important step, so check the mapping carefully. Compare it against a real user in Azure AD to see which attributes are actually populated and how each one is linked to Ultimo; otherwise SCIM may not work as intended.

Click Save.

Optional but advised: under Settings > Scope, select Sync only assigned users and groups. The alternative, syncing all users and groups, may create a large number of unwanted Ultimo accounts.

Optional: under Source Object Scope (default: all records), add a filter to limit the dataset so that only objects matching the criteria are synchronized.

Set the Provisioning Status to On.

Click Save.

On the Overview page, make sure provisioning has started.

Under the menu option 'Users and groups', assign the specific users or groups to be provisioned. This is required when the scope is set to Sync only assigned users and groups, because unassigned users are then not synchronized.

Azure AD runs a SCIM synchronization cycle roughly every 40 minutes, so changes in Azure AD are not reflected immediately in Ultimo. To test the mapping for a single user without waiting for the cycle, use Provision on demand on the Provisioning page.

Attribute-mappings

Under Mappings you can edit the user attributes supported by the target application. For now Ultimo supports provisioning of user accounts only; for it to function as expected, configure the following attributes:

  • userName: populated with the userPrincipalName of the Azure AD user. Ultimo uses this value as the user's identifier.

  • active: a boolean indicating the user's administrative status. The recommended mapping is the expression 'Switch([IsSoftDeleted], , "False", "True", "True", "False")', which yields true for users that are not soft-deleted. Ultimo activates the user when the value is true and deactivates the user when it is false. Note that this expression only inspects IsSoftDeleted; a user whose sign-in is blocked in Azure AD still arrives as active unless you include that condition in the expression.

  • displayName: the full name of the user, mapped directly to the displayName of the Azure AD user. Ultimo uses this value as the user's description.

  • title: the user's title, mapped to the jobTitle of the Azure AD user. In Ultimo this is the user's profession.

  • emails[type eq "work"].value: email addresses of type work. Ultimo stores only the preferred one (primary = true) as the user's email address.

  • name.givenName: the first name of the user. Populate it with the givenName of the Azure AD user.

  • name.familyName: the family name of the user. Populate it with the surname of the Azure AD user.

  • phoneNumbers[type eq "work"].value: phone numbers of type work. If there are multiple values, the one flagged as preferred (primary = true) is selected; if there is only one value, that one is selected. Ultimo stores it as the user's phone number.

  • phoneNumbers[type eq "mobile"].value: phone numbers of type mobile. If there are multiple values, the one flagged as preferred (primary = true) is selected; if there is only one value, that one is selected. Ultimo stores it as the user's mobile phone number.

  • employeeNumber: a string identifier assigned to the user. Ultimo uses it to set the employee code.

  • department: the name of the department. When provided and the value is valid, the user's department in Ultimo is updated.

  • organization: the office location of the Azure AD user. When provided and the value is valid, the user's company in Ultimo is updated.

  • The user's site in Ultimo can also be updated. There is no default Azure AD property for it; map whichever Azure AD attribute represents the site in your organization.
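The following is an added example, not code from Ultimo or Microsoft. It shows, on the service-provider side, what the attribute list above means in practice: a constructed SCIM 2.0 user resource as Azure AD would POST it to /scim/Users under these mappings is authenticated with the Secret token (bearer header, constant-time comparison) and then translated into Ultimo-style user fields, including the primary = true selection for multi-valued emails and phone numbers and the boolean/string forms of active. The Ultimo field names, the sample user and the token value are assumptions; the page does not say whether a single work email without the primary flag is accepted, so this code applies the same single-value rule the page gives for phone numbers.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

ENTERPRISE_SCHEMA = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"


def check_bearer(authorization_header: str, expected_token: str) -> bool:
    """Verify the Secret token Azure AD sends as 'Authorization: Bearer <token>'.
    hmac.compare_digest avoids leaking the token through timing differences."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False
    return hmac.compare_digest(token.encode(), expected_token.encode())


def pick_typed_value(entries: Optional[list], wanted_type: str) -> Optional[str]:
    """Choose one value from a multi-valued SCIM attribute (emails, phoneNumbers).
    A single entry of the wanted type is used as-is; with several, only the one
    flagged primary = true is used; otherwise nothing is stored."""
    matches = [e for e in entries or []
               if e.get("type") == wanted_type and e.get("value")]
    if len(matches) == 1:
        return matches[0]["value"]
    for entry in matches:
        if entry.get("primary") is True:
            return entry["value"]
    return None


def parse_active(value) -> bool:
    """'active' normally arrives as a JSON boolean; also accept the literal
    "True"/"False" strings the Switch([IsSoftDeleted], ...) expression produces.
    Anything else (missing, null) is treated as inactive, the safe default."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return False


@dataclass
class UltimoUser:
    # Illustrative field names (assumed), not Ultimo's real schema.
    username: str
    active: bool
    description: Optional[str] = None   # displayName
    profession: Optional[str] = None    # title
    email: Optional[str] = None
    first_name: Optional[str] = None
    last_name: Optional[str] = None
    phone: Optional[str] = None
    mobile: Optional[str] = None
    employee_code: Optional[str] = None  # employeeNumber
    department: Optional[str] = None
    company: Optional[str] = None       # organization


def map_scim_user(payload: dict) -> UltimoUser:
    """Translate one SCIM user resource into the Ultimo fields listed above."""
    if not payload.get("userName"):
        raise ValueError("userName (userPrincipalName) is the identifier and is required")
    name = payload.get("name") or {}
    ent = payload.get(ENTERPRISE_SCHEMA) or {}
    return UltimoUser(
        username=payload["userName"],
        active=parse_active(payload.get("active")),
        description=payload.get("displayName"),
        profession=payload.get("title"),
        email=pick_typed_value(payload.get("emails"), "work"),
        first_name=name.get("givenName"),
        last_name=name.get("familyName"),
        phone=pick_typed_value(payload.get("phoneNumbers"), "work"),
        mobile=pick_typed_value(payload.get("phoneNumbers"), "mobile"),
        employee_code=ent.get("employeeNumber"),
        department=ent.get("department"),
        company=ent.get("organization"),
    )


# Constructed sample of what Azure AD POSTs to /scim/Users under the mappings above.
SAMPLE_REQUEST = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE_SCHEMA],
    "externalId": "8f3c1a2e-0000-4000-8000-000000000001",
    "userName": "jane.doe@contoso.example",
    "active": True,
    "displayName": "Jane Doe",
    "title": "Maintenance Engineer",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"type": "work", "primary": True, "value": "jane.doe@contoso.example"}],
    "phoneNumbers": [
        {"type": "work", "value": "+31 10 000 0000"},
        {"type": "work", "primary": True, "value": "+31 10 000 0001"},
        {"type": "mobile", "value": "+31 6 0000 0002"},
    ],
    ENTERPRISE_SCHEMA: {"employeeNumber": "E1234", "department": "Maintenance",
                        "organization": "Rotterdam"},
}


def demo(authorization_header: str = "Bearer example-secret-token") -> UltimoUser:
    """Authenticate the request as the endpoint would, then map the sample user."""
    if not check_bearer(authorization_header, "example-secret-token"):
        raise PermissionError("invalid or missing SCIM secret token")
    return map_scim_user(SAMPLE_REQUEST)


if __name__ == "__main__":
    print(demo())
```

Two work numbers are deliberately present in the sample: only the one flagged primary is stored, which is the behaviour to verify against a real Azure AD user before enabling provisioning. A missing userName is rejected outright because Ultimo keys the account on it.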

Remarks

New users are added to a default group, which can be set in the application.

When a source attribute is cleared to an empty value in the IdP, the SP (IFS Ultimo) is not notified, so the previous value remains in Ultimo.
