
SCIM Setup for Microsoft Entra ID

This walkthrough shows how to set up a SCIM app on Microsoft Entra ID to automatically provision users and teams into Catalog.

Contact Catalog Ops

This setup requires you to contact Catalog ops (support@coalesce.io or Slack) to generate and share the required SCIM token you will use to connect your SCIM app to Catalog's SCIM API.

1. Creating an Enterprise App

  • You will need a dedicated Catalog Enterprise app in the Azure Portal. You will assign to it the users and teams that should be provisioned into Catalog.
  • If you already have a Catalog app for SAML login, you can skip to section 2, Setting Up Provisioning.
  1. First, go to the Enterprise applications list in the Azure Portal.

    Azure Enterprise applications list
  2. Click on + New application

    New application button
  3. Then Create your own application

    Create your own application option
  4. Give it a name and tick Integrate any other application...

    Application name and integration option

2. Setting Up Provisioning

  1. Once in the application, go to the Provisioning menu entry.

    Provisioning menu
  2. If not already set up, click on Get started

    Get started button for provisioning
  3. There you will set up provisioning information:

    • Choose Automatic provisioning mode
    • Input Tenant URL as:
      • https://api.castordoc.com/auth/scim for accounts using app.castordoc.com
      • https://api.us.castordoc.com/auth/scim for accounts using app.us.castordoc.com
    • Add the secret token that Catalog ops provided to you (if you do not have one, reach out at support@coalesce.io or via Slack)
    • Test the connection, then save
    Provisioning configuration with Tenant URL and token

3. Configuring Mappings

  • In this part you will craft the mapping between your user and team information in Microsoft Entra ID and their Catalog accounts.
Attribute mappings configuration
  • Groups
    • Keep only those 3 fields and no others. This should already be the default mapping, so there is normally nothing to change here.
Groups attribute mapping
  • Users
    • Catalog uses only a limited number of Microsoft Entra ID fields, so you need to trim the attribute list down to the ones that feed our SCIM API.
    • Attributes (4) to keep as default:
      • userName
      • active
      • name.givenName
      • name.familyName
    • Attribute (1) to edit:
      • Edit the externalId attribute so it matches objectId instead of mailNickname
externalId attribute mapping to objectId
  • Delete all other attributes.
  • The end result should look like this:
Final Users attribute mapping
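
As an added example (not part of Catalog's or Microsoft's documentation), this Python script audits a Users mapping against the list above: it flags attributes to delete, attributes that are missing, and an externalId that is not mapped from objectId. The flat target-to-source dictionary is a constructed simplification rather than the format Microsoft Entra ID exports, and the source names other than objectId and mailNickname are illustrative placeholders.

```python
# Added example: audit a Users attribute mapping against the list in this guide.
# The flat {SCIM target: Entra source} dict is a constructed simplification,
# not the format Microsoft Entra ID exports.

KEEP = {"userName", "active", "name.givenName", "name.familyName", "externalId"}
REQUIRED_SOURCE = {"externalId": "objectId"}  # the one mapping the guide edits


def audit_user_mapping(mapping):
    """Return sorted (action, target) findings; an empty list means compliant."""
    targets = set(mapping)
    findings = [("add", t) for t in KEEP - targets]
    # Anything outside the five kept attributes would be sent without need.
    findings += [("delete", t) for t in targets - KEEP]
    for target, expected in REQUIRED_SOURCE.items():
        if target in mapping and mapping[target] != expected:
            findings.append(("edit", target))
    return sorted(findings)


# Constructed samples. Source names other than objectId and mailNickname
# are illustrative placeholders.
BEFORE = {
    "userName": "userPrincipalName",
    "active": "accountEnabled",
    "name.givenName": "givenName",
    "name.familyName": "surname",
    "externalId": "mailNickname",
    "title": "jobTitle",
    "emails[type eq \"work\"].value": "mail",
}
AFTER = {k: v for k, v in BEFORE.items() if k in KEEP}
AFTER["externalId"] = "objectId"

if __name__ == "__main__":
    for action, target in audit_user_mapping(BEFORE):
        print(f"{action:6} {target}")
    print("after cleanup:", audit_user_mapping(AFTER) or "no findings")
```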

4. Trigger Provisioning

  • Once the mapping updates are done, you can start assigning the users and groups that will be provisioned to Catalog.
Assign users and groups to Catalog app
  • Review groups that can access the Catalog app. All users in these groups will be provisioned with a Catalog account.
  • When everything is set up, you can trigger provisioning from the Overview section. It will start importing users and teams into Catalog, and every new user and team update will be forwarded to Catalog within the next 40 minutes.
Provisioning overview and trigger

Troubleshooting

  • If your Catalog user appears without first and last name, ensure their givenName and familyName are filled in their Microsoft Entra ID profile.
  • If you have an issue with your token, or the token has leaked, reach out to Catalog ops (support@coalesce.io) to reset it.