SCIM Setup for Microsoft Entra ID
Overview
This technical guide describes how MangoApps integrates with Microsoft Entra ID (formerly Azure Active Directory) using the System for Cross-domain Identity Management (SCIM) standard. SCIM is an open standard (RFC 7643/7644) for automating user provisioning and lifecycle management.
The integration has two parts: single sign-on over the Security Assertion Markup Language (SAML), and SCIM provisioning attached to that SAML connection. SAML handles authentication; SCIM carries user create, update and deactivate operations from Entra ID to MangoApps, so accounts are provisioned and retired automatically without manual account administration.
Required Roles
To successfully configure SCIM provisioning between MangoApps and Microsoft Entra ID, the following administrative roles are required:
MangoApps Domain Admin
Access to the MangoApps Admin Portal is required to configure SSO connections, enable SCIM provisioning, and manage user mappings.
Responsibilities include setting up the SAML connection, copying essential URLs/tokens, and validating the SCIM integration.
Microsoft Entra ID Administrator (Azure AD Admin)
Must have access to the Azure portal to create and configure enterprise applications.
Responsible for setting up SAML-based SSO, inputting SCIM details (Base URL and Bearer Token), and assigning users/groups to the enterprise application.
MangoApps Setup
To begin, navigate to Admin Portal > SSO > Connections > SAML in MangoApps and click the Add SSO Connection button. This opens the Add SSO Connection pop-up.
Select Microsoft Entra ID from the identity provider dropdown menu and give the connection an easily identifiable name.
JIT User Provisioning: When enabled, MangoApps automatically creates and activates a user in the MangoApps domain after a successful authentication with the Single Sign-On (SSO) provider. This applies only when the user does not yet exist in the MangoApps domain or exists in a deactivated state. If the user already exists but is in a suspended state, MangoApps will not activate the user. Note that with JIT enabled, any identity that can complete SAML sign-in for this connection receives an account, so control who is assigned the enterprise application in Entra ID.
Remember User: When enabled, this feature retains the user's session, allowing for automatic login during their subsequent visits. The user session is cleared only when the user explicitly logs out.
Metadata: If your IdP provides a metadata URL, MangoApps can read the XML directly and auto-populate the fields below.
Configure Manually: The fields in this dropdown menu allow you to add manual configuration information. Most of these fields will populate automatically during the setup process.
Microsoft Entra ID Portal Setup
In the Microsoft Entra admin center (or the Azure portal), navigate to Enterprise applications and create a new application.
On the Create your own application screen, enter a name for the app that will be integrated with MangoApps and select the last option, "Integrate any other application you don't find in the gallery (Non-gallery)", since MangoApps is being added as a non-gallery third-party application.
If need be, refresh your Enterprise Application page, otherwise you will be automatically directed to your new application.
From the new application's menu, open Single sign-on in the left-hand navigation menu, or click Get started under Set up single sign on in the center pane.
Select SAML as your SSO method. This will direct you to the SAML-based Sign-on options.
Within this menu, we will be editing the Basic SAML Configuration section.
Basic SAML Configuration Menu
In the configuration menu, paste the ACS URL (HTTPS) copied from the MangoApps SSO connection into the Reply URL (Assertion Consumer Service URL) field.
Click Add Identifier under Identifier (Entity ID) and paste in the Microsoft Entra Identifier. The identifier must match exactly (including scheme and any trailing slash) the issuer MangoApps sends in its SAML request, otherwise Entra ID rejects the sign-in.
Click Save to save your configuration.
Double check the Attributes & Claims section: depending on the identifier your company uses for users, the Unique User Identifier (Name ID) claim may need to be the Object ID or the user principal name rather than the default. The identifier must be the same value your users sign in with, because MangoApps uses it to match the SAML assertion to the MangoApps account.
SAML Setup in MangoApps
While still in the Microsoft Entra ID portal, scroll down to the SAML Certificates section. Copy the App Federation Metadata URL.
Moving back to the MangoApps Admin Portal, paste the URL copied from the Microsoft Entra ID portal to the Metadata field. Click Read from URL to populate the manual configuration fields and double check all fields are correct. Save the configuration.
If you encounter an error with the link populated into the SAML 2.0 Endpoint field, please contact your Account Management Team for troubleshooting support or view the vendor video below.
Configure User Mappings with SAML Connection
After testing your SAML connection and verifying all fields are correct, click Configure User Mappings next to the newly created SAML connection. This will bring up the User Mappings window.
Take note of the SCIM Base URL and the SCIM Bearer Token; you will enter them in Entra ID shortly. The token authenticates every provisioning call to MangoApps, so copy it directly into Entra ID rather than into a ticket, chat message or shared document.
Switching back to the Microsoft Entra ID Portal SAML App Settings, navigate to the Provisioning section on the left hand navigation menu.
Select Get Started. On the provisioning page, set the following:
Set Provisioning Mode to Automatic.
Paste the SCIM Base URL copied from MangoApps into the Tenant URL field in Microsoft Entra ID.
Paste the SCIM Bearer Token copied from MangoApps into the Secret Token field in Microsoft Entra ID.
Make sure the connection has been saved again in MangoApps, then click Test Connection and confirm it succeeds. Save the provisioning settings.
SCIM provisioning is now configured. Once Provisioning Status is set to On, Entra ID runs an incremental sync on its own schedule (roughly every 40 minutes), or you can use Provision on demand for an individual user.
Add Users
Once the provisioning settings are set up and tested successfully, navigate to Users and groups within the Microsoft Entra ID Portal. If this section does not already list the users for your organization, click +Add user/group from the top menu to begin adding users. Leave the provisioning scope at "Sync only assigned users and groups" unless you intend every user in the tenant to receive a MangoApps account.
Once users have been added in this way, Microsoft Entra ID will automatically sync them to MangoApps.
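The steps above describe the configuration but not what actually travels between Entra ID and the SCIM Base URL once users are assigned. The following is an added example, not MangoApps or Microsoft code: an in-memory SCIM 2.0 (RFC 7644) service provider that behaves the way the MangoApps endpoint must for Entra's calls to succeed, driven by the sequence Entra sends for one assigned user (a filtered lookup, as Test Connection does; a create; and a deactivation). The token value, user data and request shapes are constructed for the example.

```python
import hmac
import re
import uuid
from urllib.parse import unquote

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"


def _error(status, detail):
    return status, {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}


class ScimEndpoint:
    """In-memory stand-in for a SCIM Base URL. Only the /Users resource is modelled."""

    def __init__(self, bearer_token):
        self._token = bearer_token
        self.users = {}  # id -> SCIM user resource

    def _authorized(self, headers):
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        # The bearer token is the only credential on this API: compare it in
        # constant time and never echo it back in an error body.
        return scheme == "Bearer" and hmac.compare_digest(token, self._token)

    def handle(self, method, path, headers, body=None):
        """Dispatch one request and return (http_status, json_body)."""
        if not self._authorized(headers):
            return _error(401, "missing or invalid bearer token")
        url, _, query = path.partition("?")
        if method == "GET" and url == "/Users":
            return self._filter(unquote(query))
        if method == "POST" and url == "/Users":
            return self._create(body)
        m = re.fullmatch(r"/Users/([0-9a-f-]+)", url)
        if method == "PATCH" and m:
            return self._patch(m.group(1), body)
        return _error(404, "unsupported resource")

    def _filter(self, query):
        # Entra looks up an existing user with: filter=userName eq "<value>"
        m = re.fullmatch(r'filter=userName eq "([^"]+)"', query)
        if not m:
            return _error(400, "only userName eq filters are supported")
        wanted = m.group(1).lower()
        hits = [u for u in self.users.values() if u["userName"].lower() == wanted]
        return 200, {"schemas": [SCIM_LIST], "totalResults": len(hits), "Resources": hits}

    def _create(self, body):
        if SCIM_USER not in body.get("schemas", []) or not body.get("userName"):
            return _error(400, "schemas must include the core User schema and userName is required")
        if any(u["userName"].lower() == body["userName"].lower() for u in self.users.values()):
            return _error(409, "userName already exists")  # uniqueness conflict, RFC 7644 3.3
        user = dict(body, id=str(uuid.uuid4()), active=bool(body.get("active", True)))
        self.users[user["id"]] = user
        return 201, user

    def _patch(self, user_id, body):
        user = self.users.get(user_id)
        if user is None:
            return _error(404, "no such user")
        if SCIM_PATCH not in body.get("schemas", []):
            return _error(400, "PatchOp schema required")
        for op in body.get("Operations", []):
            # Deactivation arrives as op "Replace" on path "active"; the value may be
            # a JSON bool or the string "False", so normalise before comparing.
            if op.get("op", "").lower() == "replace" and op.get("path") == "active":
                user["active"] = str(op.get("value")).lower() == "true"
        return 200, user


def run_entra_sequence(token="scim-token-constructed-for-example"):
    """Replay the calls made for one assigned user; returns each step's outcome."""
    ep = ScimEndpoint(token)
    auth = {"Authorization": "Bearer " + token}
    wrong = {"Authorization": "Bearer not-the-token"}
    probe = '/Users?filter=userName eq "alice@example.com"'  # constructed user
    steps = {}
    steps["bad_token"] = ep.handle("GET", probe, wrong)[0]
    status, resp = ep.handle("GET", probe, auth)  # what Test Connection exercises
    steps["test_connection"] = (status, resp["totalResults"])
    new_user = {"schemas": [SCIM_USER], "userName": "alice@example.com",
                "name": {"givenName": "Alice", "familyName": "Example"},
                "emails": [{"primary": True, "value": "alice@example.com"}],
                "active": True}
    status, created = ep.handle("POST", "/Users", auth, new_user)
    steps["create"] = status
    steps["duplicate_create"] = ep.handle("POST", "/Users", auth, new_user)[0]
    disable = {"schemas": [SCIM_PATCH],
               "Operations": [{"op": "Replace", "path": "active", "value": "False"}]}
    status, patched = ep.handle("PATCH", "/Users/" + created["id"], auth, disable)
    steps["disable"] = status
    steps["active_after_disable"] = patched["active"]
    steps["lookup_after"] = ep.handle("GET", probe, auth)[1]["totalResults"]
    return steps
```

Two details matter for the rollout: the filtered GET must return a well-formed ListResponse with totalResults 0 rather than an error when the user does not exist, because that is the path Test Connection and every first-time create go through; and unassigning a user produces a PATCH setting active to false, not a DELETE, which is why the account is deactivated in MangoApps rather than removed.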
Testing Considerations
Thorough testing is critical before enabling SCIM provisioning in a production environment.
Consider the following:
Test the SAML-based login flow with a pilot user to confirm that authentication succeeds and user attributes are mapped correctly.
Use the Test Connection button in the Microsoft Entra ID Provisioning section after entering the SCIM Base URL and Bearer Token to verify that communication with MangoApps is successful.
Start with a limited group of users during initial tests to validate attribute synchronization, user creation, updates, and deactivations.
Confirm that attributes such as usernames, email addresses, and IDs used for mapping are consistent across both systems. Misalignment may prevent provisioning.
Monitor provisioning logs in Microsoft Entra ID for any sync issues or attribute mismatches. Resolve any configuration errors before proceeding with full rollout.
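The identifier-consistency check above is the one most often skipped, and the usual failures are a user principal name that differs from the mail address, case differences, accounts that are suspended in MangoApps (which SCIM will not reactivate), and duplicates. The following is an added example, not MangoApps code: a pre-rollout comparison of two constructed user lists standing in for an Entra user export and a MangoApps user export. The field names (userPrincipalName, mail, accountEnabled on the Entra side; email, status on the MangoApps side) are assumptions for the example, so adjust them to your own exports.

```python
from collections import Counter


def normalize(identifier):
    # Email-style identifiers are compared case-insensitively by both sides, so
    # "Alice@Example.com" and "alice@example.com" are the same account.
    return identifier.strip().lower()


def check_identifier_alignment(entra_users, mango_users,
                               entra_attr="userPrincipalName", mango_attr="email"):
    """Compare the identifier Entra will send (entra_attr) with the one MangoApps
    matches on (mango_attr) and return a report of everything that will not line up."""
    entra_ids = [normalize(u[entra_attr]) for u in entra_users if u.get(entra_attr)]
    mango_ids = [normalize(u[mango_attr]) for u in mango_users if u.get(mango_attr)]
    mango_status = {normalize(u[mango_attr]): u.get("status") for u in mango_users if u.get(mango_attr)}
    return {
        # Entra users whose identifier attribute is empty: nothing usable to send.
        "missing_identifier": [u for u in entra_users if not u.get(entra_attr)],
        # Entra users that will be created fresh (or fail) because nothing matches.
        "unmatched_in_mangoapps": sorted(set(entra_ids) - set(mango_ids)),
        # MangoApps accounts that no Entra identity will ever claim.
        "unmatched_in_entra": sorted(set(mango_ids) - set(entra_ids)),
        # UPN != mail is the classic reason a Name ID does not match an email-keyed account.
        "upn_mail_mismatch": sorted(
            normalize(u["userPrincipalName"]) for u in entra_users
            if u.get("mail") and normalize(u["userPrincipalName"]) != normalize(u["mail"])),
        # Enabled in Entra but suspended in MangoApps: SCIM will not reactivate these.
        "suspended_needing_manual_reactivation": sorted(
            i for i in entra_ids
            if mango_status.get(i) == "suspended"
            and any(normalize(u[entra_attr]) == i and u.get("accountEnabled") for u in entra_users)),
        "duplicates_in_entra": sorted(i for i, n in Counter(entra_ids).items() if n > 1),
        "duplicates_in_mangoapps": sorted(i for i, n in Counter(mango_ids).items() if n > 1),
    }


# Constructed sample exports; not real tenant data.
ENTRA_EXPORT = [
    {"userPrincipalName": "alice@example.com", "mail": "alice@example.com", "accountEnabled": True},
    {"userPrincipalName": "bob@example.onmicrosoft.com", "mail": "bob@example.com", "accountEnabled": True},
    {"userPrincipalName": "Carol@Example.com", "mail": "carol@example.com", "accountEnabled": True},
    {"userPrincipalName": "dave@example.com", "mail": None, "accountEnabled": True},
    {"userPrincipalName": "erin@example.com", "mail": "erin@example.com", "accountEnabled": False},
]
MANGOAPPS_EXPORT = [
    {"email": "alice@example.com", "status": "active"},
    {"email": "bob@example.com", "status": "active"},
    {"email": "carol@example.com", "status": "active"},
    {"email": "CAROL@example.com", "status": "active"},
    {"email": "dave@example.com", "status": "suspended"},
    {"email": "frank@example.com", "status": "active"},
]


def example_report():
    return check_identifier_alignment(ENTRA_EXPORT, MANGOAPPS_EXPORT)
```

Run the report with your own exports before switching Provisioning Status on; an empty report for every key except unmatched_in_mangoapps (which simply lists the accounts that will be newly created) means the pilot group is ready.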
Security Considerations
Implementing SAML and SCIM integration between MangoApps and Microsoft Entra ID must be done with careful attention to security:
The SCIM Bearer Token authenticates every provisioning call to MangoApps; anyone holding it can create, modify and deactivate accounts. Handle it as a credential: avoid sharing it, never store it in unsecured locations, and treat any suspected exposure as a credential compromise.
Always validate the metadata and manually populated SAML fields to avoid misconfigurations that could impact authentication or expose sensitive information.
The "Remember User" option enables persistent sessions. Consider organizational policies regarding session timeouts and logout behavior to mitigate unauthorized access.
MangoApps does not automatically reactivate suspended users via SCIM. Establish a policy for managing suspended user accounts and communicating reactivation needs.
Limit SCIM provisioning and SAML setup permissions to trusted admins only. Changes to these configurations can affect domain-wide access.
End User Experience
With SCIM and SAML integration configured correctly, the end user experience will be easy and secure:
Single Sign-On (SSO)
Users can log in to MangoApps using their Microsoft credentials, eliminating the need to remember multiple passwords.
Automated Provisioning
Users added in Microsoft Entra ID are automatically created and provisioned in MangoApps with appropriate attributes.
Immediate Access
Provisioned users can access MangoApps immediately after being added, without waiting for manual account creation.
No Change to Existing Sessions
Users who were already using MangoApps will retain their sessions unless they are explicitly logged out or re-provisioned.
Rollout Recommendations
To ensure a smooth deployment, consider these phased rollout steps:
Start with a small group of users to validate SAML authentication and SCIM provisioning end-to-end.
Prepare internal documentation for IT staff and helpdesk teams outlining login flows, common issues, and escalation procedures.
Gradually expand provisioning to larger user groups to avoid overloading support teams and to monitor sync performance.
Regularly review sync logs, user reports, and access issues during the rollout phase.
After full deployment, audit user accounts to confirm that all intended users have been provisioned and assigned correct roles.
Periodically review configuration settings and update mappings if changes occur in your identity provider or MangoApps structure.
Vendor Walkthrough Video
In the following video, we guide you through the integration setup of MangoApps with Microsoft Entra ID (formerly Azure Active Directory), incorporating single sign-on (SSO) over Security Assertion Markup Language (SAML) connections.
The video offers a step-by-step walkthrough of the System for Cross-domain Identity Management (SCIM) provisioning process, covering each stage of the integration, and also addresses two common troubleshooting issues that may arise during configuration so you can resolve them if they occur.