Configuring SCIM User Provisioning with Azure AD

The Clumio service can integrate with Azure AD for SCIM Provisioning. This article describes the steps to configure SCIM provisioning with Azure AD.

Prerequisites

  • Azure AD account with admin privileges
  • Clumio account with Super Admin Role
  • The app is assigned to the required groups (see the note at the end of this article)
  • SSO with Azure AD enabled

Supported features

  • Create users
  • Update user attributes
  • Deactivate users

Configure SCIM provisioning

In Azure AD

  1. Open the Azure AD Admin console.
  2. Go to Enterprise Applications > Clumio.
  3. Navigate to the App's Provisioning section, and select Automatic as the Provisioning Mode.
  4. Get the SCIM base URL and SCIM API token from Clumio (see step 5 in the "In Clumio" section below). Expand the Admin Credentials section and paste them in the appropriate fields.
  5. Expand the Mappings section and make sure both Provision Azure Active Directory Groups and Provision Azure Active Directory Users mappings are enabled.
  6. When setting up the Provision Azure Active Directory Users mapping, it is important to remove the mailNickname mapping. This is necessary for the Auto User Provisioning feature to function properly. If this mapping is retained, group names may be changed to their corresponding UUIDs during periodic syncs on Azure AD. This can cause Auto User Provisioning rule evaluations to fail.
  7. Click Save.
  8. Set the Provisioning Status to On.
  9. In the Overview section of the App's provisioning settings, click Start Provisioning to complete the SCIM setup.
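
The check below is an added example, not Clumio or Microsoft code. It audits an exported copy of the provisioning job's synchronization schema for the conditions in steps 5 and 6 (both mappings enabled, no mailNickname mapping left on the user mapping). It assumes the export follows the Microsoft Graph synchronizationSchema layout; the function name audit_schema and the sample data are constructed for illustration.

```python
import json

# Mapping names exactly as they appear in steps 5 and 6 above.
USER_MAPPING = "Provision Azure Active Directory Users"
GROUP_MAPPING = "Provision Azure Active Directory Groups"

def audit_schema(schema):
    """Return a list of findings; an empty list means steps 5 and 6 hold."""
    findings = []
    mappings = {
        m.get("name"): m
        for rule in schema.get("synchronizationRules", [])
        for m in rule.get("objectMappings", [])
    }
    for name in (USER_MAPPING, GROUP_MAPPING):
        if name not in mappings:
            findings.append(f"mapping missing: {name}")
        elif not mappings[name].get("enabled", False):
            findings.append(f"mapping disabled: {name}")
    # Step 6: no attribute mapping on the user object may read mailNickname.
    for attr in mappings.get(USER_MAPPING, {}).get("attributeMappings", []):
        src = attr.get("source") or {}
        expr = src.get("expression") or ""
        if src.get("name") == "mailNickname" or "[mailNickname]" in expr:
            findings.append(f"mailNickname still mapped to {attr.get('targetAttributeName')}")
    return findings

# Constructed sample: groups mapping disabled, mailNickname mapping retained.
SAMPLE = json.loads("""
{"synchronizationRules": [{"objectMappings": [
  {"name": "Provision Azure Active Directory Groups", "enabled": false,
   "attributeMappings": [
     {"source": {"name": "displayName", "expression": "[displayName]"},
      "targetAttributeName": "displayName"}]},
  {"name": "Provision Azure Active Directory Users", "enabled": true,
   "attributeMappings": [
     {"source": {"name": "userPrincipalName", "expression": "[userPrincipalName]"},
      "targetAttributeName": "userName"},
     {"source": {"name": "mailNickname", "expression": "[mailNickname]"},
      "targetAttributeName": "externalId"}]}
]}]}
""")

if __name__ == "__main__":
    for finding in audit_schema(SAMPLE) or ["OK: steps 5 and 6 satisfied"]:
        print(finding)
```

Running the audit again after a change to the mappings catches a mailNickname mapping that was restored, before periodic syncs start breaking rule evaluation.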

In Clumio

  1. Log on to Clumio.
  2. Navigate to Administration > Access management > Auto user provisioning.
  3. Create a user provisioning rule, give it a name, select the conditions to apply the rule, give the group a name, select the Super Admin Role, and assign that role to an OU. See Creating a user provisioning rule for details.
  4. Click Configure SCIM.
  5. Copy the SCIM base URL, then generate and download the SCIM API token. These will be needed for the IdP-side setup. Once done, click Close.
  6. Click Provisioning method (optional), and enable the toggle for SCIM Provisioning.
  7. Ensure that the logged-in user is a part of the group that is assigned the Super Admin role, and that groups have been pushed from Azure AD (see step 9 in the "In Azure AD" section above).
  8. Click Enable Auto User Provisioning.
  9. You can now create additional rules per your requirements by clicking Create Auto User Provisioning Rule.

Once Auto User Provisioning is enabled, all users are evaluated per the rules you created and any changes to users within Azure AD are automatically reflected in Clumio.


Note: When you assign a group to an application, only users in that group will have access. The assignment does not cascade to nested groups; each nested group will need to be assigned to the app explicitly. Additionally, access is only granted to group members and not group owners.


