Skip to main content

SCIM setup for Microsoft Entra ID

Here is a walkthrough to set up a SCIM app on Microsoft Entra ID to automatically provision users and teams into Catalog.

Please note that this setup requires you to get in touch with a Catalog ops (catalog-support@coalesce.io or Slack) to generate and share with you the required SCIM token you will use to login your SCIM app against Catalog’s SCIM API.

1. Creating an Entreprise App

  • You’ll need a dedicated Catalog Entreprise app in the Azure Portal. It will be used to assign users and teams to provision into the app.
  • If you already have a Catalog app for SAML login, you can go directly to the second part of this documentation.
  • First, go to the Enterprise applications list (link)
  • Click on + New application
  • Then Create your own application
  • Give it a name and tick Integrate any other application...

2. Setting up provisioning

  • Once in the application, go to the Provisioning menu entry
  • If not already setup, click on Get started

  • There you’ll setup provisioning infos

    • Choose Automatic provisioning mode
    • Input Tenant URL as:
      • https://api.castordoc.com/auth/scim for accounts using app.castordoc.com
      • https://api.us.castordoc.com/auth/scim for accounts using app.us.castordoc.com
    • And the secret token the Catalog’s ops provided you (or reach out to one: catalog-support@coalesce.io or via Slack)
    • Test the connection, then save

3. Configuring mappings

  • In this part we’ll craft the mapping between your user and team infos in Microsoft Entra ID and their Catalog accounts.
  • Groups
    • We need only to keep those 3 fields and no others, theoretically this should be the mapping by default, nothing to touch here.

  • Users

    • We only use a limited amount of Microsoft Entra ID’s fields in Catalog so we need to refine these attributes list to keep only the one feeding our SCIM API.

    • Attributes (4) to keep as default

      • userName
      • active
      • name.givenName
      • name.familyName

    • Attribute (1) to edit

      • Then edit the externalId attribute so it matches objectId instead of mailNickname

    • You can then Delete all other attributes.

    • End result should be:

4. Trigger provisioning

  • Once the mapping updates done, you can start assigning users and groups that will be provisioned to Catalog
  • Review groups that can access Catalog app. As all these users of these groups will be provisioned with a Catalog account
  • When everything is all setup you can start triggering the provisioning from the Overview submenu. It will start importing users and teams into Catalog and every new user and team updates will be forwarded to Catalog in the next 40mn.

Troubleshooting

  • If ever your Catalog user appears without first and last name, please ensure their givenName and familyName are filled in their Microsoft Entra ID profile.
  • If ever you had an issue or leakage of your token, please reach out to a Catalog ops (catalog-support@coalesce.io) to reset the token.