SSO SCIM Synchronization with Entra ID
This document is about SSO SCIM synchronization with Azure Active Directory.
Setup IDmelon For Provisioning
Log in to the IDmelon panel, go to Users > All Users, click Import Users, and select SCIM Connector.
Select Microsoft Entra ID as identity provider, then click Next.
Click Generate New Token.
The newly generated token will be shown only once. Make sure to copy and save it.
Finally, click the Active button.
Now IDmelon is ready for provisioning.
Setup Azure For Provisioning
Step 1 - Log in to Azure
Log in to the Azure admin panel at https://portal.azure.com/#home and click Enterprise applications.
Step 2 - Enterprise applications
From the All applications menu, click New application.
Step 3 - Create your own new application
Click Create your own application.
Step 4 - Configure your own new application
Fill in the fields of the opened form as follows:
- What’s the name of your app?
  - IDmelon
- What are you looking to do with your application?
  - Integrate any other application you don’t find in the gallery (Non-gallery)
Then click the Create button.
Step 5 - Provisioning
In the opened page, click Get started in the Provision User Accounts section.
Step 6 - Provisioning
Then, on the next page, click Get started in the main area again.
Step 7 - Update credentials
Then, on the next page, fill in the fields of the opened form as follows:
- Provisioning mode
  - Automatic
In the Admin Credentials section:
- Tenant URL
  - https://skm.idmelon.com/api/scim/v2/
- Secret Token
  - PASTE THIS VALUE FROM IDMELON PANEL
Then click Test connection to check that the connection to IDmelon is successful.
Then click Save.
Step 8 - Update Settings
Based on your situation, change the Scope to Sync all users and groups.
Step 9 - User Attribute mapping
Expand the Mapping section and click Provision Microsoft Entra ID Users.
Step 10 - User attribute mapping - advanced options
In the Attribute Mappings section, check the Show advanced options option, and then click Edit attribute list for customappsso:
Add a new immutableId field as shown in the picture and the table below, and then click Save.
Name | Type |
---|---|
urn:ietf:params:scim:schemas:extension:IDmelon:2.0:User:immutable_id | String |
Step 11 - User attribute mapping
Back in the Attribute Mappings section, apply these two changes to the default list and then click Save.
- Change the objectId field by clicking the Edit button.
- Add the immutableId field by clicking Add New Mapping.
customappsso Attribute | Microsoft Entra ID Attribute | Matching precedence |
---|---|---|
objectId | externalId | |
immutableId | urn:ietf:params:scim:schemas:extension:IDmelon:2.0:User:immutable_id | |
Step 12 - Group Attribute mapping
Expand the Mapping section and click Provision Microsoft Entra ID Group.
Step 13 - Group attribute mapping - advanced options
In the Attribute Mappings section, check the Show advanced options option, and then click Edit attribute list for customappsso:
Add a new description field as shown in the picture and the table below, and then click Save.
Name | Type |
---|---|
description | String |
Step 14 - Group attribute mapping
Back in the Attribute Mappings section, apply this change to the default list and then click Save.
- Add the description field by clicking Add New Mapping.
customappsso Attribute | Microsoft Entra ID Attribute | Matching precedence |
---|---|---|
description | description | |
Adding Custom Attributes
To configure custom attributes for SCIM provisioning in Microsoft Entra ID, follow these steps:
Step 1 - User attribute mapping
Back in the Attribute Mappings section, check the Show advanced options option, and then click Edit attribute list for customappsso:
Step 2 - Edit attribute list
Add new custom fields as shown in the picture and the table below, and then click Save.
You can map up to five custom attributes, using the following target fields.
Name | Type |
---|---|
urn:ietf:params:scim:schemas:extension:IDmelon:2.0:User:extraAttribute1 | String |
urn:ietf:params:scim:schemas:extension:IDmelon:2.0:User:extraAttribute2 | String |
urn:ietf:params:scim:schemas:extension:IDmelon:2.0:User:extraAttribute3 | String |
urn:ietf:params:scim:schemas:extension:IDmelon:2.0:User:extraAttribute4 | String |
urn:ietf:params:scim:schemas:extension:IDmelon:2.0:User:extraAttribute5 | String |
Step 3 - User attribute mapping
Back in the Attribute Mappings section once more, click Add New Mapping.
Step 4 - Edit attribute
Select the desired Entra ID attribute to map in the Source attribute field, then choose the corresponding custom IDmelon attribute for the Target attribute field. Once both are selected, click Ok.
Finally, save your changes.
Deprovisioning
The rules of deprovisioning are as follows:
Sync Only Assigned Users and Groups
If you have set the SCIM sync to be dependent on specific users and groups (Sync only assigned users and groups), removing a user on the IDmelon side can be done in the following ways:
- Method 1: Remove the user from the specified group on the Entra ID side.
- Method 2: Disable the user on the Entra ID side.
- Method 3: Delete the user on the Entra ID side.
Sync All Users and Groups
If the SCIM sync is set to include all users and groups (Sync all users and groups), removing a user on the IDmelon side can be done as follows:
- Method 1: Disable the user on the Entra ID side.
- Method 2: Delete the user on the Entra ID side.
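The deprovisioning rules above can be checked with a periodic audit for accounts that linger in IDmelon after they should have been removed. The following Python is an added example, not part of the original documentation or of IDmelon's or Microsoft's tooling. It assumes each IDmelon user's externalId holds the Entra ID objectId (as mapped in Step 11); the record fields, the `assigned` flag and the sample data are constructed.

```python
# Added example, not IDmelon or Microsoft code. All records are constructed.
SCOPE_ASSIGNED = "Sync only assigned users and groups"
SCOPE_ALL = "Sync all users and groups"


def should_be_provisioned(user, scope):
    """Apply this page's deprovisioning rules to one Entra ID user record.

    `user` is None when the user has been deleted on the Entra ID side.
    """
    if scope not in (SCOPE_ASSIGNED, SCOPE_ALL):
        raise ValueError(f"unknown scope: {scope!r}")
    if user is None:                  # deleted on the Entra ID side
        return False
    if not user["accountEnabled"]:    # disabled on the Entra ID side
        return False
    if scope == SCOPE_ASSIGNED:       # removed from the assigned group
        return user["assigned"]
    return True


def find_stale_accounts(entra_users, idmelon_external_ids, scope):
    """Return IDmelon externalIds that the rules say should have been removed."""
    by_id = {u["objectId"]: u for u in entra_users}
    return sorted(
        ext_id
        for ext_id in idmelon_external_ids
        if not should_be_provisioned(by_id.get(ext_id), scope)
    )


# Constructed Entra ID export; "assigned" is a hypothetical flag meaning the
# user is still in a group (or directly) assigned to the IDmelon application.
ENTRA_USERS = [
    {"objectId": "obj-0001", "accountEnabled": True, "assigned": True},
    {"objectId": "obj-0002", "accountEnabled": False, "assigned": True},
    {"objectId": "obj-0003", "accountEnabled": True, "assigned": False},
]
# Constructed IDmelon user list; obj-0004 no longer exists in Entra ID.
IDMELON_EXTERNAL_IDS = ["obj-0001", "obj-0002", "obj-0003", "obj-0004"]

if __name__ == "__main__":
    for scope in (SCOPE_ASSIGNED, SCOPE_ALL):
        print(scope, "->", find_stale_accounts(ENTRA_USERS, IDMELON_EXTERNAL_IDS, scope))
```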