SCIM
- 04 Jan 2023
Introduction
System for Cross-domain Identity Management (SCIM) is an open standard for automating user provisioning between an identity provider and an application. Constellio's implementation uses the third-party library UnboundID SCIM 2 SDK.
Configurations
SCIM is enabled from the Piloting -> LDAP Directory section, where you select the directory service to use. At this time, only the Azure AD provider is supported.
Configurations in Constellio
- Go to «Administration» -> LDAP directory;
- Choose the SCIM-Azure AD directory service;
- Check the box "Enable LDAP";
- In the "Authentication" tab, enter an application authentication token. Azure AD will send this token with each provisioning request, and Constellio uses it to validate that the request is genuine.
  - A random string of 32 alphanumeric characters with uppercase and lowercase letters provides good protection.
- On the Synchronization tab, select the collections that will be synchronized with Azure AD users.
  - You must select at least one collection, otherwise synchronization will give errors.
- Click Save.
Configurations in the Azure AD portal
- Open the Azure AD portal;
- Go to Azure Active Directory;
- Go to Enterprise applications and select the right application;
- Go to Provisioning;
- In the Admin Credentials tab:
  - Tenant URL: enter the URL of the SCIM endpoint of your Constellio server. Normally, the URL will look like this: http://monserveur-constellio.com/constellio/scimv2 . Because the secret token is sent with every provisioning request, the endpoint should be served over HTTPS.
  - Secret Token: enter the authentication token chosen in step 4 of the previous section.
- In the Mappings tab, under Provision Azure Active Directory Users:
  - Remove the mailNickname/externalId mapping;
  - Add a new objectId/externalId mapping;
  - You can delete the mappings below; they will never be synchronized by Constellio.
  - For the address, the physicalDeliveryOfficeName attribute (the "Office" label in the user profile on Azure) is used to synchronize the full address.
  - Save everything.
- In the Settings tab:
  - Email notification: you can enter an email address if you would like to be notified when a failure occurs.
  - Scope: choose whether all users/groups will be synchronized, or only a few. If you want to synchronize only a few users/groups, they must be specified in the "Users and groups" section of the application.
- Start provisioning; after a while, users and groups should be synchronized in Constellio.
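Two checks worth having after completing both sections above, written as an added example that is not part of the Constellio product or this documentation: generating the 32-character alphanumeric secret token the Constellio section recommends and validating it constant-time from the bearer header Azure AD sends, and inspecting a SCIM User request to detect the mapping mistakes the Azure AD section warns about (externalId still fed from mailNickname instead of objectId, or missing). The SCIM payloads are constructed samples, not captured traffic; the function and constant names are this example's own.

```python
import hmac
import re
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # upper, lower and digits
# Azure AD objectId is a GUID; mailNickname is a short alias, so the shape tells them apart.
OBJECT_ID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
CORE_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def generate_token(length=32):
    """Random alphanumeric secret for Constellio's 'Authentication' tab (32 chars by default)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def authorization_ok(header, expected_token):
    """True if an 'Authorization: Bearer <token>' header carries the configured secret.

    Azure AD sends the 'Secret Token' as a bearer token; the comparison is constant-time
    so the check does not reveal how many leading characters matched.
    """
    if not header or not header.startswith("Bearer "):
        return False
    presented = header[len("Bearer "):].strip()
    return hmac.compare_digest(presented.encode(), expected_token.encode())


def mapping_problems(user):
    """Problems in a SCIM User resource as Azure AD would POST it to .../scimv2/Users."""
    problems = []
    if CORE_USER_SCHEMA not in user.get("schemas", []):
        problems.append("missing core User schema")
    if not user.get("userName"):
        problems.append("userName missing")
    external_id = user.get("externalId")
    if not external_id:
        problems.append("externalId missing: objectId -> externalId mapping not configured")
    elif not OBJECT_ID_RE.match(external_id):
        problems.append("externalId is not an objectId GUID: mailNickname -> externalId mapping still active")
    return problems


# Constructed sample requests (not captured from Azure AD): correct objectId mapping
# versus externalId still coming from mailNickname.
GOOD_USER = {"schemas": [CORE_USER_SCHEMA], "userName": "jdoe@example.com",
             "externalId": "3f2504e0-4f89-11d3-9a0c-0305e82c3301"}
BAD_USER = {"schemas": [CORE_USER_SCHEMA], "userName": "jdoe@example.com", "externalId": "jdoe"}

if __name__ == "__main__":
    token = generate_token()
    print(authorization_ok("Bearer " + token, token), authorization_ok("Bearer nope", token))
    print(mapping_problems(GOOD_USER), mapping_problems(BAD_USER))
```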