# SCIM Setup for Microsoft Entra ID

### Overview <a href="#overview" id="overview"></a>

This technical guide offers comprehensive insights into the integration capabilities of MangoApps with Microsoft Entra ID (formerly Azure Active Directory) using the System for Cross-domain Identity Management (SCIM) standard. SCIM is an open standard designed to automate user provisioning and lifecycle management.

MangoApps integrates with Microsoft Entra ID by pairing SCIM provisioning with SAML-based single sign-on: SAML authenticates users, while SCIM automates user provisioning and lifecycle management, giving organizations a streamlined and efficient process.

***

### **Required Roles**

To successfully configure SCIM provisioning between MangoApps and Microsoft Entra ID, the following administrative roles are required:

* **MangoApps Domain Admin**
  * Access to the MangoApps Admin Portal is required to configure SSO connections, enable SCIM provisioning, and manage user mappings.
  * Responsibilities include setting up the SAML connection, copying essential URLs/tokens, and validating the SCIM integration.
* **Microsoft Entra ID Administrator (Azure AD Admin)**
  * Must have access to the Azure portal to create and configure enterprise applications.
  * Responsible for setting up SAML-based SSO, inputting SCIM details (Base URL and Bearer Token), and assigning users/groups to the enterprise application.

***

### MangoApps Setup <a href="#id-1.-admin-portal-within-mangoapps" id="id-1.-admin-portal-within-mangoapps"></a>

To begin, navigate to **Admin Portal > SSO > Connections > SAML** within MangoApps.

<figure><img src="/files/4CohGCF6S329W7HVGM7U" alt="" width="563"><figcaption></figcaption></figure>

Click the **Add SSO Connection** button to bring up the **Add SSO Connection pop-up** menu.

<figure><img src="/files/BYsLe4hes4sGiCH8sYGk" alt="" width="563"><figcaption></figcaption></figure>

Select **Microsoft EntraID** from the identity provider dropdown menu and provide an easily identifiable name for the connection.

**JIT User Provisioning**: When **enabled**, this feature automatically creates and activates a user in the MangoApps domain after a successful authentication with the Single Sign-On (SSO) provider. It applies **only** when the user does not yet exist in the MangoApps domain or is in a deactivated state. If the user already exists in the domain but is suspended, MangoApps will **not** activate the user.

{% hint style="info" %}
This feature can remain toggled **off** as, in this case, user provisioning will be automatically handled through SCIM.
{% endhint %}

**Remember User**: When enabled, this feature retains the user's session, allowing for automatic login during their subsequent visits. The user session is cleared only when the user explicitly logs out.

**Metadata**: If your IDP provides a metadata URL, MangoApps can read the XML directly and auto-populate the fields below.

{% hint style="info" %}
This field will remain blank as we will be inputting configurations manually.
{% endhint %}

**Configure Manually**: The fields in this dropdown menu allow you to add manual configuration information. **Most of these fields will populate automatically during the setup process.**

{% hint style="info" %}
Copy the **ACS URL (HTTPS)** to a notepad or other documentation program as we will make use of it later.
{% endhint %}

***

### Microsoft Entra ID **Portal Setup** <a href="#id-2.-azure-portal" id="id-2.-azure-portal"></a>

Once the above information has been entered, navigate to your Microsoft Entra ID portal: <https://portal.azure.com/>

From here, navigate to **Enterprise applications** and create a new application.

<figure><img src="https://guides.mangoapps.com/~gitbook/image?url=https%3A%2F%2F1733114811-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-Lclpq021Ai9jH1_X4gO%252Fuploads%252FVfcss4x5xl6rHXVb3pc6%252Fewrwq.png%3Falt%3Dmedia%26token%3D9534f609-8c51-4402-a71b-e7a156cad044&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=bb0380d9&#x26;sv=2" alt="" width="563"><figcaption></figcaption></figure>

On the **Create your own applications** screen to the right, enter a name for the app that will be integrated with MangoApps and, since MangoApps is a third-party application, select the last option in the multiple-choice field, "Integrate any other application you don't find in the gallery (Non-gallery)".

<figure><img src="https://guides.mangoapps.com/~gitbook/image?url=https%3A%2F%2F1733114811-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-Lclpq021Ai9jH1_X4gO%252Fuploads%252Fy3neoqoh9Z8i4ctNBAdH%252Fqwe.png%3Falt%3Dmedia%26token%3D289de47f-04ee-46d7-a350-1adf8511b64a&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=47ff3670&#x26;sv=2" alt="" width="563"><figcaption></figcaption></figure>

You should be redirected to the new application automatically; if not, refresh your Enterprise applications page.

From this new application menu, navigate to the **Single Sign-On** section in the left-hand navigation menu, or click **Get Started** under **Set up single sign on** in the center menu.

<figure><img src="https://guides.mangoapps.com/~gitbook/image?url=https%3A%2F%2F1733114811-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-Lclpq021Ai9jH1_X4gO%252Fuploads%252F6HTcIGTw6diKus538NSz%252Fwef.png%3Falt%3Dmedia%26token%3Ddb11503e-6039-4140-9721-520a14d0bee8&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=4a95ca3&#x26;sv=2" alt="" width="563"><figcaption></figcaption></figure>

Select **SAML** as your SSO method. This will direct you to the **SAML-based Sign-on** options.

Within this menu, we will be editing the **Basic SAML Configuration** section.

<figure><img src="https://guides.mangoapps.com/~gitbook/image?url=https%3A%2F%2F1733114811-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-Lclpq021Ai9jH1_X4gO%252Fuploads%252FM0lIyCiLAWzKTQVKbL24%252Fwefhowefiw1.png%3Falt%3Dmedia%26token%3Df02e6a95-115c-48e3-bb24-c8546b441923&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=19293bf7&#x26;sv=2" alt="" width="563"><figcaption></figcaption></figure>

***

#### Basic SAML Configuration Menu <a href="#id-3.-basic-saml-configuration-menu" id="id-3.-basic-saml-configuration-menu"></a>

In the configuration menu, paste the **ACS URL (HTTPS)** we copied earlier from our MangoApps domain in the **Reply URL** field.

<figure><img src="https://guides.mangoapps.com/~gitbook/image?url=https%3A%2F%2F1733114811-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-Lclpq021Ai9jH1_X4gO%252Fuploads%252FM6Y9MLyB97OLBSss0xMS%252F14-02-2024-12-56-43.png%3Falt%3Dmedia%26token%3Dcf1fbf69-0ce3-4253-96ab-fb6a6079a479&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=a0db4d72&#x26;sv=2" alt="" width="563"><figcaption></figcaption></figure>

Click **Add Identifier** under **Identifier (Entity ID)** and paste in the Microsoft Entra Identifier.

<figure><img src="https://guides.mangoapps.com/~gitbook/image?url=https%3A%2F%2F1733114811-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-Lclpq021Ai9jH1_X4gO%252Fuploads%252FN2bRhoj3PoTI5sPBGI80%252F14-02-2024-01-08-31.png%3Falt%3Dmedia%26token%3D196f238e-8053-45c5-8f77-45ad80ecf5ac&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=2b57ac31&#x26;sv=2" alt="" width="563"><figcaption></figcaption></figure>

{% hint style="info" %}
**Sign on URL**, **Relay State**, and **Logout URL** are all optional in this case.
{% endhint %}

Click **Save** to save your configuration.

{% hint style="danger" %}
Double-check the **Attributes & Claims** section: depending on the identifier your company uses for users, you may need to use the Object ID or the user principal name. This identifier **must** match the identifier your users sign in with.
{% endhint %}

***

### SAML Setup in MangoApps <a href="#id-4.-saml-setup-in-mangoapps" id="id-4.-saml-setup-in-mangoapps"></a>

While still in the Microsoft Entra ID portal, scroll down to the **SAML Certificates** section. Copy the **App Federation Metadata URL.**

<figure><img src="https://guides.mangoapps.com/~gitbook/image?url=https%3A%2F%2F1733114811-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-Lclpq021Ai9jH1_X4gO%252Fuploads%252F7Hm8TCVw4mKikUBKBe1b%252F14-02-2024-01-08-31a.png%3Falt%3Dmedia%26token%3Dd62ac426-dc69-4c34-92d2-39431e1c4703&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=4849248a&#x26;sv=2" alt="" width="563"><figcaption></figcaption></figure>

Moving back to the **MangoApps Admin Portal**, paste the URL copied from the Microsoft Entra ID portal to the **Metadata** field. Click **Read from URL** to populate the manual configuration fields and double check all fields are correct. **Save** the configuration.

<figure><img src="/files/KFMNxHgEs2f9gozs3EhP" alt="" width="563"><figcaption></figcaption></figure>

{% hint style="warning" %}
If you encounter an error with the link populated into the SAML 2.0 Endpoint field, please contact your Account Management Team for troubleshooting support or view the vendor video below.
{% endhint %}

***

#### Configure User Mappings with SAML Connection <a href="#id-5.-configure-user-mappings-with-saml-connection" id="id-5.-configure-user-mappings-with-saml-connection"></a>

After testing your SAML connection and verifying all fields are correct, click **Configure User Mappings** next to the newly created SAML connection. This will bring up the **User Mappings** window.

<figure><img src="/files/8CRMKcFWenxdzP2JdZHb" alt="" width="563"><figcaption></figcaption></figure>

Take note of the **SCIM Base URL** and the **SCIM Bearer Token**, as we will be using these shortly.

Switching back to the **Microsoft Entra ID Portal SAML App Settings**, navigate to the **Provisioning** section on the left hand navigation menu.

<figure><img src="https://guides.mangoapps.com/~gitbook/image?url=https%3A%2F%2F1733114811-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-Lclpq021Ai9jH1_X4gO%252Fuploads%252Fecf7AkTYcxQHxFEWivxp%252F14-02-2024-01-57-33.png%3Falt%3Dmedia%26token%3D0993117a-bbb4-464e-9b83-ddbc798f4773&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=3b88f450&#x26;sv=2" alt="" width="375"><figcaption></figcaption></figure>

Select **Get Started**. On the subsequent menu you will want to set the following:

* Set the **Provisioning Mode** to **Automatic**.
* Paste the **SCIM Base URL** you copied to the **Tenant URL** section on Microsoft Entra ID.
* Paste the **SCIM Bearer Token** copied from MangoApps to the **Secret Token** section in Microsoft Entra ID.
* Click on **Test Connection** to ensure it is a success. Make sure to save the connection again in MangoApps before testing.

<figure><img src="https://guides.mangoapps.com/~gitbook/image?url=https%3A%2F%2F1733114811-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-Lclpq021Ai9jH1_X4gO%252Fuploads%252FtwFIkJt6wU6oCHW5VhM9%252Fretw4r.png%3Falt%3Dmedia%26token%3D947744de-de85-4e25-b29d-14909a66146b&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=d7652419&#x26;sv=2" alt="" width="563"><figcaption></figcaption></figure>

SCIM provisioning is now complete. Provisioning runs automatically on Microsoft Entra ID's schedule, or you can provision on demand if needed.
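
Before pressing **Test Connection**, a defender-side pre-check of the SCIM Base URL and Bearer Token is useful, including confirming that the endpoint actually refuses unauthenticated requests. This is an added example, not MangoApps or Microsoft code and not a replica of what Entra's button sends; it assumes the endpoint exposes the standard SCIM 2.0 paths `/ServiceProviderConfig` and `/Users` (RFC 7644) and that the token is supplied through the `SCIM_BEARER_TOKEN` environment variable (both names are this example's assumptions).

```python
"""Pre-check of a SCIM 2.0 base URL and bearer token before pressing Test
Connection in Entra ID.  Added example, not MangoApps or Microsoft code, and
not a replica of what Entra's button sends.  Assumes the endpoint exposes the
RFC 7644 paths /ServiceProviderConfig and /Users, and reads the token from the
SCIM_BEARER_TOKEN environment variable so it is never pasted into a script."""
import json
import os
import urllib.error
import urllib.request

SCIM_JSON = "application/scim+json"


def http_get(url, headers):
    """Default transport: (HTTP status, parsed JSON body or None)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        return err.code, None


def probe_scim(base_url, token, get=http_get):
    """Return {check_name: passed}; `get` is injectable so the logic can be
    exercised offline against canned responses."""
    base = base_url.rstrip("/")
    auth = {"Authorization": f"Bearer {token}", "Accept": SCIM_JSON}
    results = {}
    # 1. Without a token the endpoint must refuse: if it answers 200, the
    #    bearer token is not actually protecting the provisioning API.
    status, _ = get(f"{base}/Users", {"Accept": SCIM_JSON})
    results["anonymous_rejected"] = status in (401, 403)
    # 2. With the token, the service description must come back as SCIM.
    status, body = get(f"{base}/ServiceProviderConfig", auth)
    results["config_ok"] = status == 200 and isinstance(body, dict) and any(
        str(s).startswith("urn:ietf:params:scim:") for s in body.get("schemas", []))
    # 3. A small page of users must be a ListResponse whose resources all carry
    #    a userName, the attribute Entra's default SCIM mapping matches on.
    status, body = get(f"{base}/Users?startIndex=1&count=5", auth)
    resources = body.get("Resources") if status == 200 and isinstance(body, dict) else None
    results["users_ok"] = isinstance(resources, list) and all(
        isinstance(u, dict) and isinstance(u.get("userName"), str) and u["userName"]
        for u in resources)
    return results


if __name__ == "__main__":
    checks = probe_scim(os.environ["SCIM_BASE_URL"], os.environ["SCIM_BEARER_TOKEN"])
    for name, ok in checks.items():
        print(f"{name:20s} {'PASS' if ok else 'FAIL'}")
```

A `FAIL` on `anonymous_rejected` means the provisioning API is reachable without the token and should be raised with your Account Management Team before any users are assigned.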

***

### Add Users <a href="#id-6.-add-users" id="id-6.-add-users"></a>

Once the provisioning settings are set up and tested successfully, navigate to **Users and groups** within the Microsoft Entra ID Portal. If this section does not already have users for your organization populated, click **+Add user/group** from the top menu to begin adding users.

<figure><img src="https://guides.mangoapps.com/~gitbook/image?url=https%3A%2F%2F1733114811-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252F-Lclpq021Ai9jH1_X4gO%252Fuploads%252FvG1qzwgLEFoG3ZzFtfvN%252Fwefw.png%3Falt%3Dmedia%26token%3De776dc9c-10b5-444e-9fb5-d5fc9a5c775e&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=8aaa830b&#x26;sv=2" alt=""><figcaption></figcaption></figure>

Once users have been added in this way, Microsoft Entra ID will automatically sync them to MangoApps.

***

### **Testing Considerations**

Thorough testing is critical before enabling SCIM provisioning in a production environment.

Consider the following:

* Test the SAML-based login flow with a pilot user to confirm that authentication succeeds and user attributes are mapped correctly.
* Use the **Test Connection** button in the Microsoft Entra ID Provisioning section after entering the SCIM Base URL and Bearer Token to verify that communication with MangoApps is successful.
* Start with a limited group of users during initial tests to validate attribute synchronization, user creation, updates, and deactivations.
* Confirm that attributes such as usernames, email addresses, and IDs used for mapping are consistent across both systems. Misalignment may prevent provisioning.
* Monitor provisioning logs in Microsoft Entra ID for any sync issues or attribute mismatches. Resolve any configuration errors before proceeding with full rollout.
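
The identifier pitfall from the danger hint above (Object ID versus user principal name in the SAML claim) and the attribute-consistency check in this list can be tested before rollout with a script like the following. It is an added example, not MangoApps or Microsoft code; it assumes exports shaped like Microsoft Graph user objects and SCIM 2.0 User resources, and the tenant, IDs and addresses below are constructed.

```python
"""Identifier-alignment check: the value Entra ID asserts in the SAML NameID
must match an identifier MangoApps holds for the provisioned user, or sign-in
fails (JIT is off when SCIM provisions).  Added example, not MangoApps or
Microsoft code.  Input shapes: Graph user objects and SCIM 2.0 User resources."""

# Graph attribute the NameID claim is sourced from: the page names Object ID
# and the user principal name as the two candidates.
NAMEID_SOURCE = {"upn": "userPrincipalName", "objectid": "id"}


def scim_identifiers(scim_user):
    """Every value MangoApps could match a login against: userName, externalId
    and all e-mail values, lower-cased (SCIM userName is not case-exact)."""
    ids = {scim_user.get("userName"), scim_user.get("externalId")}
    ids.update(e.get("value") for e in scim_user.get("emails", []))
    return {i.lower() for i in ids if isinstance(i, str) and i}


def check_identifier_alignment(entra_users, scim_users, nameid_source="upn"):
    """Return {"unmatched": [UPNs whose NameID matches no SCIM user],
               "duplicates": [(nameid, [scim ids]) resolving to >1 user]}."""
    attr = NAMEID_SOURCE[nameid_source]
    index = {}
    for u in scim_users:
        for ident in scim_identifiers(u):
            index.setdefault(ident, []).append(u.get("id") or u.get("userName"))
    unmatched, duplicates = [], []
    for e in entra_users:
        hits = index.get((e.get(attr) or "").lower(), [])
        if not hits:
            unmatched.append(e["userPrincipalName"])
        elif len(hits) > 1:
            duplicates.append((e.get(attr).lower(), hits))
    return {"unmatched": unmatched, "duplicates": duplicates}


# Constructed sample exports; the tenant, IDs and addresses are not real.
ENTRA_USERS = [
    {"id": "00000000-0000-4000-8000-000000000001",
     "userPrincipalName": "alice@contoso.example"},
    {"id": "00000000-0000-4000-8000-000000000002",
     "userPrincipalName": "bob@contoso.example"},
]
SCIM_USERS = [
    {"id": "u-1", "userName": "Alice@contoso.example",
     "externalId": "00000000-0000-4000-8000-000000000001",
     "emails": [{"value": "alice@contoso.example"}]},
    # Bob was provisioned under a mail alias, so only an Object ID NameID resolves.
    {"id": "u-2", "userName": "robert.b@contoso.example",
     "externalId": "00000000-0000-4000-8000-000000000002",
     "emails": [{"value": "robert.b@contoso.example"}]},
]

if __name__ == "__main__":
    for source in NAMEID_SOURCE:
        print(source, check_identifier_alignment(ENTRA_USERS, SCIM_USERS, source))
```

Running it shows that a UPN-sourced NameID leaves Bob unable to sign in while an Object ID NameID resolves every user, which is exactly the decision the **Attributes & Claims** hint asks you to make before rollout.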

***

### **Security Considerations**

Implementing SAML and SCIM integration between MangoApps and Microsoft Entra ID must be done with careful attention to security:

* The SCIM Bearer Token provides access to user provisioning APIs. Handle it securely and avoid sharing or storing it in unsecured locations.
* Always validate the metadata and manually populated SAML fields to avoid misconfigurations that could impact authentication or expose sensitive information.
* The "Remember User" option enables persistent sessions. Consider organizational policies regarding session timeouts and logout behavior to mitigate unauthorized access.
* MangoApps does not automatically reactivate suspended users via SCIM. Establish a policy for managing suspended user accounts and communicating reactivation needs.
* Limit SCIM provisioning and SAML setup permissions to trusted admins only. Changes to these configurations can affect domain-wide access.

***

### **End User Experience**

With SCIM and SAML integration configured correctly, the end user experience will be easy and secure:

* **Single Sign-On (SSO)**
  * Users can log in to MangoApps using their Microsoft credentials, eliminating the need to remember multiple passwords.
* **Automated Provisioning**
  * Users added in Microsoft Entra ID are automatically created and provisioned in MangoApps with appropriate attributes.
* **Immediate Access**
  * Provisioned users can access MangoApps immediately after being added, without waiting for manual account creation.
* **No Change to Existing Sessions**
  * Users who were already using MangoApps will retain their sessions unless they are explicitly logged out or re-provisioned.

***

### **Rollout Recommendations**

To ensure a smooth deployment, consider these phased rollout steps:

1. Start with a small group of users to validate SAML authentication and SCIM provisioning end-to-end.
2. Prepare internal documentation for IT staff and helpdesk teams outlining login flows, common issues, and escalation procedures.
3. Gradually expand provisioning to larger user groups to avoid overloading support teams and to monitor sync performance.
4. Regularly review sync logs, user reports, and access issues during the rollout phase.
5. After full deployment, audit user accounts to confirm that all intended users have been provisioned and assigned correct roles.
6. Periodically review configuration settings and update mappings if changes occur in your identity provider or MangoApps structure.

***

### Vendor Walkthrough Video <a href="#vendor-walkthrough-video" id="vendor-walkthrough-video"></a>

In the following video, we guide you through the integration of MangoApps with Microsoft Entra ID (formerly Azure Active Directory), including Single Sign-On (SSO) over Security Assertion Markup Language (SAML) connections.

This video will offer a step-by-step walkthrough of the System for Cross-domain Identity Management (SCIM) provisioning process. We aim to provide comprehensive guidance on each stage of the integration, ensuring a smooth and efficient setup. We will also tackle two common troubleshooting issues that may arise during the configuration process. Our goal is to address these challenges proactively in the event they should occur.

{% embed url="https://mangoapps.wistia.com/medias/h8pby0876k" %}

