SSO SCIM Synchronization with Entra ID

This document describes how to set up SSO SCIM synchronization between IDmelon and Microsoft Entra ID (formerly Azure Active Directory).

Set Up IDmelon for Provisioning


Log in to the IDmelon panel, go to Users > All Users, click Import Users, and select SCIM Connector.

Select Microsoft Entra ID as the identity provider, then click Next.

Click Generate New Token.

The newly generated token will be shown only once. Make sure to copy and save it.

Finally, click the Active button.

Now IDmelon is ready for provisioning.

Set Up Azure for Provisioning


Step 1 - Log in to Azure

Log in to the Azure admin portal at https://portal.azure.com/#home, and click Enterprise applications.

Step 2 - Enterprise applications

From the All applications menu, click New application.

Step 3 - Create your own new application

Click Create your own application.

Step 4 - Configure your own new application

Fill in the fields of the form that opens as follows:

  • What’s the name of your app?
    • IDmelon
  • What are you looking to do with your application?
    • Integrate any other application you don’t find in the gallery (Non-gallery)

Then click the Create button.

Step 5 - Provisioning

On the page that opens, click Get started in the Provision User Accounts section.

Step 6 - Provisioning

On the next page, click Get started in the main pane again.

Step 7 - Update credentials

On the next page, fill in the fields of the form that opens as follows:

  • Provisioning mode
    • Automatic

And in the Admin Credentials section:

  • Tenant URL

    • https://skm.idmelon.com/api/scim/v2/
  • Secret Token

    • PASTE THIS VALUE FROM IDMELON PANEL

Click Test connection to check that the connection to IDmelon is successful.

Then click Save.

Step 8 - Update Settings

Based on your situation, change the Scope to Sync all users and groups.

Step 9 - User Attribute mapping

Expand the Mapping section and click Provision Microsoft Entra ID Users.

Step 10 - User attribute mapping - advanced options

In the Attribute Mappings section, check the Show advanced options option, and then click Edit attribute list for customappsso.

Add a new immutableId field as shown in the picture and the table below, and then click Save.

| Name | Type |
| --- | --- |
| urn:ietf:params:scim:schemas:extension:IDmelon:2.0:User:immutable_id | String |

Step 11 - User attribute mapping

Go back to the Attribute Mappings section and, from the default list, apply these two changes, then click Save.

  • Change the objectId field by clicking the Edit button.
  • Add the immutableId field by clicking Add New Mapping.

| customappsso Attribute | Microsoft Entra ID Attribute | Matching precedence |
| --- | --- | --- |
| objectId | externalId | |
| immutableId | urn:ietf:params:scim:schemas:extension:IDmelon:2.0:User:immutable_id | |

Step 12 - Group Attribute mapping

Expand the Mapping section and click Provision Microsoft Entra ID Group.

Step 13 - Group attribute mapping - advanced options

In the Attribute Mappings section, check the Show advanced options option, and then click Edit attribute list for customappsso.

Add a new description field as shown in the picture and the table below, and then click Save.

| Name | Type |
| --- | --- |
| description | String |

Step 14 - Group attribute mapping

Go back to the Attribute Mappings section and, from the default list, apply this change, then click Save.

  • Add the description field by clicking Add New Mapping.

| customappsso Attribute | Microsoft Entra ID Attribute | Matching precedence |
| --- | --- | --- |
| description | description | |


Adding Custom Attributes

To configure custom attributes for SCIM provisioning in Microsoft Entra ID, follow these steps:

Step 1 - User attribute mapping

Go back to the Attribute Mappings section, check the Show advanced options option, and then click Edit attribute list for customappsso.

Step 2 - Edit attribute list

Add the new custom fields as shown in the picture and the table below, and then click Save.

You can map up to five custom attributes, using the following target fields.

| Name | Type |
| --- | --- |
| urn:ietf:params:scim:schemas:extension:IDmelon:2.0:User:extraAttribute1 | String |
| urn:ietf:params:scim:schemas:extension:IDmelon:2.0:User:extraAttribute2 | String |
| urn:ietf:params:scim:schemas:extension:IDmelon:2.0:User:extraAttribute3 | String |
| urn:ietf:params:scim:schemas:extension:IDmelon:2.0:User:extraAttribute4 | String |
| urn:ietf:params:scim:schemas:extension:IDmelon:2.0:User:extraAttribute5 | String |

Step 3 - User attribute mapping

Go back to the Attribute Mappings section once more and click Add New Mapping.

Step 4 - Edit attribute

Select the desired Entra ID attribute to map in the Source attribute field, then choose the corresponding custom IDmelon attribute for the Target attribute field. Once both are selected, click Ok.

Finally, save your changes.
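
The following added example (not IDmelon's or Microsoft's code) shows the SCIM User resource that the user mappings from the setup section and the custom-attribute mapping above produce: a target name such as urn:ietf:params:scim:schemas:extension:IDmelon:2.0:User:immutable_id is split into the extension schema URN and the attribute name, and the value is nested under that URN. The userPrincipalName and department mappings and all sample values are assumptions made for the illustration.

```python
import json

CORE_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
IDMELON_EXT = "urn:ietf:params:scim:schemas:extension:IDmelon:2.0:User"
# Extension attributes this page defines: immutable_id plus five custom slots.
ALLOWED_EXT = {"immutable_id"} | {f"extraAttribute{i}" for i in range(1, 6)}

# Source (Entra ID) attribute -> target (customappsso) attribute.
# The first two rows are the page's user mappings; the last two are assumptions.
MAPPINGS = {
    "objectId": "externalId",
    "immutableId": f"{IDMELON_EXT}:immutable_id",
    "userPrincipalName": "userName",                 # assumed default mapping
    "department": f"{IDMELON_EXT}:extraAttribute1",  # assumed custom mapping
}

def build_scim_user(entra_user, mappings=MAPPINGS):
    """Return the SCIM User resource the given mappings produce."""
    resource = {"schemas": [CORE_SCHEMA]}
    for source, target in mappings.items():
        value = entra_user.get(source)
        if value is None:
            continue  # skip attributes the user does not have
        if target.startswith("urn:"):
            # "urn:...:User:immutable_id" -> schema "urn:...:User", attr "immutable_id"
            schema, _, attr = target.rpartition(":")
            if schema != IDMELON_EXT or attr not in ALLOWED_EXT:
                raise ValueError(f"unexpected target attribute: {target}")
            if schema not in resource["schemas"]:
                resource["schemas"].append(schema)
            resource.setdefault(schema, {})[attr] = value
        else:
            resource[target] = value
    return resource

# Constructed sample user; every value is a placeholder.
SAMPLE_USER = {
    "objectId": "00000000-0000-0000-0000-000000000001",
    "immutableId": "Y29uc3RydWN0ZWQ=",
    "userPrincipalName": "alice@example.com",
    "department": "Finance",
}

if __name__ == "__main__":
    print(json.dumps(build_scim_user(SAMPLE_USER), indent=2))
```

A target outside the listed extension attributes (for example a sixth extraAttribute) raises ValueError, which makes a mistyped attribute name visible before it reaches the attribute list.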


Deprovisioning

The rules of deprovisioning are as follows:

Sync Only Assigned Users and Groups

If you have set the SCIM sync to be dependent on specific users and groups (Sync only assigned users and groups), removing a user on the IDmelon side can be done in the following ways:

  • Method 1: Remove the user from the specified group on the Entra ID side.
  • Method 2: Disable the user on the Entra ID side.
  • Method 3: Delete the user on the Entra ID side.

Sync All Users and Groups

If the SCIM sync is set to include all users and groups (Sync all users and groups), removing a user on the IDmelon side can be done as follows:

  • Method 1: Disable the user on the Entra ID side.
  • Method 2: Delete the user on the Entra ID side.