SCIM
  • 04 Jan 2023

Introduction

System for Cross-domain Identity Management (SCIM) is an open standard for automating user provisioning. Constellio's implementation relies on the third-party library UnboundID SCIM 2 SDK.

Configurations

SCIM is enabled from the Piloting->LDAP Directory section. In the LDAP Directory interface, select the appropriate directory service. At this time, only the Azure AD provider is supported.

Configurations in Constellio

  1. Go to «Administration» -> LDAP directory;
  2. Choose the SCIM-Azure AD directory service;
  3. Check the box "Enable LDAP";
  4. In the "Authentication" tab, enter an application authentication token; Azure AD will present this token with every request and Constellio will use it to validate them.
    1. A random string of 32 alphanumeric characters with uppercase and lowercase letters provides good protection.
  5. On the Synchronization tab, select the collections that will be synchronized with Azure AD users.
    1. You must select at least one collection, otherwise synchronization will produce errors.
  6. Click Save.


Configurations in the Azure AD portal

  1. Open the Azure AD portal;
  2. Go to Azure Active Directory;
  3. Go to Enterprise applications and select the right application;
  4. Go to Provisioning;
  5. In the Admin Credentials tab
    1. Holding URL
      1. Enter the URL of the SCIM server of your Constellio instance.
      2. Normally, the URL looks like this: http://monserveur-constellio.com/constellio/scimv2
    2. Secret Token
      1. Enter the authentication token chosen in step 4 of the previous section.
  6. In the Mappings tab
    1. Provision Azure Active Directory Users
      1. Remove the mailNickname/externalId mapping.
      2. Add a new objectId/externalId mapping.
      3. You can delete the remaining mappings below; Constellio never synchronizes them.
      4. For the address, the physicalDeliveryOfficeName attribute (the "Office" field in the user's Azure profile) is used to synchronize the full address.
      5. Save everything.
  7. In the Settings tab
    1. Email notification
      1. You can enter an email address if you would like to be notified by email when a failure occurs.
    2. Scope
      1. Choose whether all users/groups are synchronized or only some. If you want to synchronize only a few users/groups, specify them in the "Users and groups" section of the application.
  8. Start provisioning; after a while, users and groups should be synchronized in Constellio.
