Configuring Azure SCIM with Bridge

Create a new Azure SCIM Token

Azure AD authenticates to Bridge's SCIM endpoint with a long-lived token that it sends as a Bearer token in the Authorization header of every provisioning request. This token has to be generated by a Bridge Implementation Consultant; please reach out to them for assistance in obtaining it. Treat the token as a credential: it grants full user-provisioning access to your Bridge account, so store it only in the Azure provisioning configuration and request a new one from your Implementation Consultant if it is ever exposed.

Configuring Azure AD for SCIM

These are step-by-step instructions to create a new enterprise application and configure the provisioning as needed for Bridge.

1. Log on to the Azure portal and select the Azure AD tile at the top

2. Select Enterprise Applications from the Manage menu on the left 

3. Create a new application by clicking the + New Application button 

4. Click + Create your own application to create a custom application 

5. Enter a name for the application (any name is fine) and make sure the Integrate any other application you don't find in the gallery (Non-gallery) radio button is selected, then click Create 

6. After the application finishes creating, the application Overview page will be displayed

7. Select Provisioning from the Manage menu on the left 

8. Click the Get Started button

9. Change the Provisioning Mode to Automatic

10. Fill in the Tenant URL, which is your Bridge URL with /api/scim appended. Example: https://azurescimcustomer.bridgeapp.com/api/scim

11. Fill in the Secret Token you received from your Implementation Consultant

12. Click Test Connection to validate the configuration (Azure AD sends an authenticated test request to the Tenant URL using the token, so a failure here means the URL or the token should be re-checked)

13. After the connection test succeeds, click Save to store the configuration

14. Expand the Mappings section 

15. Click the Provision Azure Active Directory Groups mapping, disable the mapping, and click Save 

16. Click the Provision Azure Active Directory Users mapping

17. Remove the mappings that are not needed (see the following sections for the mappings Bridge uses)

18. Use the Add New Mapping link to add any additional mappings

19. If the desired target attributes do not exist, tick the Show advanced options checkbox at the bottom of the page and then click the Edit attribute list for customappsso link

20. Scroll to the bottom of the page, enter the attribute name and select type String

21. Once the new attributes have been added, click Save to store them

22. Refresh the Attribute Mapping page before mapping the newly added attributes

 

Attributes Mappings

Required Attributes

This is the minimum set of attributes a Bridge mapping must include.

Azure Active Directory Attribute (Source) | customappsso Attribute (Target) | Bridge Attribute
Switch([IsSoftDeleted], , "False", "True", "True", "False") | active | Create or delete user
mail | emails[type eq "work"].value | Email
familyName | name.familyName | Last Name
givenName | name.givenName | First Name
userPrincipalName | userName | uid

The Switch expression inverts IsSoftDeleted: an account that is not soft-deleted in Azure AD ("False") is sent with active = true, a soft-deleted account ("True") with active = false, so Bridge creates or deactivates the user accordingly.

 

Optional Attributes

These are additional attributes you can specify that will map to standard attributes on the Bridge user.

Azure Active Directory Attribute (Source) | customappsso Attribute (Target) | Bridge Attribute
Various* | urn:ietf:params:scim:schemas:core:2.0:User:hrisId | HRIS Identifier
(none by default)** | urn:ietf:params:scim:schemas:core:2.0:User:hireDate | Hire Date
jobTitle | urn:ietf:params:scim:schemas:core:2.0:User:title | Job Title
department | urn:ietf:params:scim:schemas:core:2.0:User:department | Department
manager | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager | 
* The HRIS Identifier needs to be a unique value for each user. employeeId might be a good source attribute, if populated in Azure AD.
** There is no good source attribute by default in Azure AD. If a custom Azure AD attribute is present that could be used here, it can be passed to Bridge.

 

Custom Attributes

Any other Azure AD attribute you want stored on the Bridge user as a Bridge custom attribute can be mapped to a Target attribute of the form urn:scim:schemas:extension:custom:2.0:User:<attribute name>. The target attribute must first be added to the customappsso attribute list (steps 19 to 22 above) before it can be mapped.

Example: urn:scim:schemas:extension:custom:2.0:User:StreetAddress

To delete a custom attribute in Bridge, first make sure it is not used as a rule in any smart group. Then select "Add via CSV" and click the 'x' next to the attribute; there is no need to process a user import.

Example attribute mapping configuration

Here is a full attribute mapping example with required, optional, and custom attributes.

 

Deleting a user in Bridge (soft delete)

To delete a user in Bridge, unassign the user from the Bridge SCIM enterprise application in Azure AD, then either run a provisioning cycle or wait for the next scheduled cycle to process that user. Azure AD then sends Bridge an update marking the user inactive, which soft deletes them (see the endpoint list below).

NOTE: if you DEACTIVATE the user in Azure before unassigning them, they will NOT be deleted in Bridge. They must first be unassigned in Azure from the Bridge SCIM app.

If the Azure admin on the client side does not want to wait for the provisioning cycle, they can use "Provision on-demand" for that user instead.

You can find out more about Azure provisioning here: Understand how Application Provisioning in Azure Active Directory

 

List of SCIM endpoints

SCIM endpoints can only be reached with the SCIM API token issued by Bridge support (described above), sent as a Bearer token in the Authorization header.

  • GET /api/scim/Users/ - Retrieves all SCIM users
  • GET /api/scim/Users/:user_id - Retrieves a specific SCIM user by its Bridge ID
  • PATCH/PUT /api/scim/Users/:user_id - Updates a specific SCIM user by its Bridge ID (this also soft deletes the user if a "deleted_at" field is populated or "active" is false)
  • POST /api/scim/Users/ - Creates a new user with SCIM
  • GET /api/scim/Groups - Retrieves all SCIM groups
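The following Python script is an added example, not code from Bridge or Microsoft. It shows what the attribute mappings above produce on the wire and how the endpoints in this list are called: it evaluates the IsSoftDeleted Switch expression, assembles the SCIM User resource for one Azure AD user (required, optional and custom attributes), checks that nothing from the Required Attributes table is missing, and builds the authenticated POST and PATCH requests without sending them. Assumptions: the Tenant URL is the article's example host, Azure serializes the fully qualified target attributes in the standard SCIM 2.0 JSON layout (core attributes at the top level, extension attributes nested under their schema URN), the sample user and token are constructed for illustration, and the manager mapping is left out because the article does not say which identifier Bridge expects for it.

```python
"""Build the SCIM requests Azure AD provisioning would send to Bridge.

Added example; assumes the article's example tenant URL and standard
SCIM 2.0 JSON layout for the customappsso target attributes.
"""
import json
from urllib.request import Request

TENANT_URL = "https://azurescimcustomer.bridgeapp.com/api/scim"  # from step 10 (assumed host)
CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
CUSTOM = "urn:scim:schemas:extension:custom:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Target attributes the "Required Attributes" table says every mapping must include.
REQUIRED = ("userName", "active", "name.givenName", "name.familyName",
            'emails[type eq "work"].value')


def active_from_is_soft_deleted(is_soft_deleted):
    """Python equivalent of Switch([IsSoftDeleted], , "False", "True", "True", "False").

    Azure evaluates IsSoftDeleted as the string "True" or "False". The Switch maps
    "False" -> active true (live account) and "True" -> active false (account was
    soft-deleted in Azure AD). The empty default means any other value yields no
    'active' attribute at all, which this function signals with None.
    """
    table = {"False": True, "True": False}
    return table.get(str(is_soft_deleted))


def build_scim_user(ad):
    """Assemble the SCIM User resource for one Azure AD user (dict of source attributes)."""
    user = {
        "schemas": [CORE],
        "userName": ad["userPrincipalName"],                  # -> Bridge uid
        "name": {"givenName": ad["givenName"],                # -> First Name
                 "familyName": ad["familyName"]},             # -> Last Name
        "emails": [{"type": "work", "value": ad["mail"], "primary": True}],  # -> Email
    }
    active = active_from_is_soft_deleted(ad.get("IsSoftDeleted", "False"))
    if active is not None:
        user["active"] = active                               # -> create or delete user
    # Optional attributes from the second table; employeeId is the footnote's suggested hrisId source.
    for source, target in (("jobTitle", "title"), ("department", "department"),
                           ("employeeId", "hrisId")):
        if ad.get(source):
            user[target] = ad[source]
    # Anything else goes under the custom extension URN (the article's StreetAddress example).
    custom = {name: ad[name] for name in ("StreetAddress",) if ad.get(name)}
    if custom:
        user["schemas"].append(CUSTOM)
        user[CUSTOM] = custom
    return user


def missing_required(user):
    """Return the required target attributes that are absent from a SCIM User resource."""
    present = {key for key in ("userName", "active") if key in user}
    name = user.get("name", {})
    present.update(f"name.{k}" for k in ("givenName", "familyName") if name.get(k))
    if any(e.get("type") == "work" and e.get("value") for e in user.get("emails", [])):
        present.add('emails[type eq "work"].value')
    return [r for r in REQUIRED if r not in present]


def scim_request(method, path, token, body=None):
    """Build (without sending) an authenticated request for one of the endpoints listed above."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/scim+json"}
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/scim+json"
    return Request(TENANT_URL + path, data=data, headers=headers, method=method)


def deactivate_body():
    """PATCH body that soft deletes a user: the endpoint list says "active": false does that."""
    return {"schemas": [PATCH_OP],
            "Operations": [{"op": "Replace", "path": "active", "value": False}]}


# Constructed sample Azure AD user for illustration; not real data.
SAMPLE_AD_USER = {
    "userPrincipalName": "ada.lovelace@example.com",
    "mail": "ada.lovelace@example.com",
    "givenName": "Ada", "familyName": "Lovelace",
    "IsSoftDeleted": "False",
    "jobTitle": "Analyst", "department": "Engineering", "employeeId": "E1001",
    "StreetAddress": "1 Example Street",
}

if __name__ == "__main__":
    user = build_scim_user(SAMPLE_AD_USER)
    print("missing required attributes:", missing_required(user))
    create = scim_request("POST", "/Users", "REPLACE_WITH_BRIDGE_SCIM_TOKEN", user)
    print(create.get_method(), create.full_url)
    print(json.dumps(user, indent=2))
    print("soft delete body:", json.dumps(deactivate_body()))
```

Running the script prints the User JSON that the mapping table produces for the sample account and the PATCH body used for a soft delete. Pass the `Request` objects to `urllib.request.urlopen` to actually call Bridge; keep the real token out of source control, since whoever holds it can create and deactivate any user in the account.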
