How to set up Azure AD identity provisioning on Segura®


This document provides information about how to set up the integration and identity provisioning from Azure Active Directory (Azure AD) to Segura® using the SCIM protocol.

To perform Azure AD identity provisioning in Segura®, Segura® needs to be reachable from the Internet. If you do not wish to expose Segura® to the whole Internet, you can allow only the Azure AD IP addresses that perform the communication. For the IP ranges, see Azure IP Ranges and Service Tags – Public Cloud and IP Ranges.

Requirements

  • Administrative access to Segura® to create an access provider.
  • Established network connection between Azure and Segura® for token request and user provisioning on the SCIM API.
  • A configured enterprise application in Azure.
  • Groups created in Azure must have exactly the same name as the existing user groups in Segura®. Avoid spaces in group names.
  • Roles created in Azure must have exactly the same name as the roles existing in Segura®. Avoid spaces in role names.
  • Segura® must be published under a DNS name with a valid certificate.
  • The system URL in Segura® must be correctly configured.

Create a provider in Segura®

  1. On Segura®, in the navigation bar, hover over the Products Menu and select Settings.
  2. In the side menu, select Provisioning > Identity Management (IGA) > Providers.
  3. Click Add.
  4. In the Name * field, enter a name for the provider.
  5. In the Protocol * field, select the SCIM protocol.
  6. In the Add users to Domum? * field, select the type of Domum connection.
  7. In the Enabled * field, select to enable or disable the provider.
  8. Optional: In the Description field, enter a description for the provider.
  9. Optional: In the Tags field, enter tags to identify the provider.
  10. In the Authentication method * field, select OAuth 2.0 as the provider’s authentication method.
  11. In the Date/Time Expiration field, enter the expiration date and time of the authentication.
  12. In the Allowed IPs (Put * to allow any IP) table, click + Add to enter the allowed IPs.
  13. In the Allowed HTTP referrers (empty list for any source) table, click + Add to enter the allowed HTTP referrers.
  14. Click Save.

After creating the provider, save the Client ID and Client Secret values. This information will be used later.

Create an enterprise application in Azure

  1. Access Azure’s platform.
  2. Log in to your Azure account.
  3. Locate the Microsoft Entra ID service.
  4. In the side menu, click Manage > Enterprise applications.
  5. Click New application.
  6. Click Create your own application.
  7. Enter a name for your application, and select Integrate any other application you don’t find in the gallery (Non-gallery).
  8. In your enterprise application, click Manage > Provisioning.
  9. In the overview of your application, click Manage > Provisioning.
  10. In the Provisioning Mode field, select Automatic.
  11. In the Admin Credentials tab, fill the following fields:
    1. In the Authentication Method field, select Bearer Authentication.
    2. In the Tenant URL * field, enter the Base URL value obtained from viewing the details of the provider in Segura®.
    3. In the Secret Token field, enter the access token. To obtain the access token, use a tool such as Postman, providing the Client ID and Client Secret obtained in the Create a provider in Segura® section. Copy the access token obtained.
    4. After filling the fields, click Test Connection to test the connection with Segura®. Azure will send a request to Segura® to validate the connection.
  12. Continue the setup in the Configure user mappings section.
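The access token requested in step 11.3 is an OAuth 2.0 client-credentials token. The following script is an added example (not code from Segura® or Microsoft) that performs the same request Postman would and validates the response before it is pasted into Azure as the Secret Token. Two assumptions are labelled in the code: the token endpoint path (TOKEN_PATH) is a placeholder to be replaced with the URL shown in the provider details, and the Client ID and Client Secret are sent as form parameters as permitted by RFC 6749; if Segura® expects HTTP Basic authentication instead, adjust accordingly. The script refuses a plain-http Base URL, which ties back to the certificate requirement above.

```python
"""Obtain an OAuth 2.0 access token for the Segura SCIM provider (client credentials).

Added example, not part of the Segura documentation. TOKEN_PATH is a
PLACEHOLDER: take the real token URL from the provider details in Segura.
Credentials are sent as form parameters (RFC 6749 section 2.3.1); this is an
assumption, Segura may instead expect HTTP Basic authentication.
"""
import json
import urllib.parse
import urllib.request

TOKEN_PATH = "/oauth2/token"  # PLACEHOLDER: replace with the endpoint shown by Segura


def build_token_request(base_url, client_id, client_secret):
    """Build the client-credentials POST.

    Refuses plain http: the Client Secret must only travel over the TLS
    endpoint the Requirements section calls for."""
    parts = urllib.parse.urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("Base URL must be an https URL, got %r" % base_url)
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + TOKEN_PATH,
        data=body,
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
        method="POST",
    )


def parse_token_response(raw):
    """Validate the JSON token response and return the token plus its lifetime.

    Anything that is not a bearer token, or carries an OAuth error object,
    fails loudly instead of being copied into Azure as the Secret Token."""
    data = json.loads(raw)
    if "error" in data:
        raise RuntimeError("token endpoint returned error: %s" % data["error"])
    if str(data.get("token_type", "")).lower() != "bearer":
        raise RuntimeError("expected a bearer token, got %r" % data.get("token_type"))
    token = data.get("access_token")
    if not token:
        raise RuntimeError("response has no access_token")
    return {"access_token": token, "expires_in": int(data.get("expires_in", 0))}


def fetch_token(base_url, client_id, client_secret, timeout=10):
    """Request and validate a token from the live endpoint."""
    req = build_token_request(base_url, client_id, client_secret)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_token_response(resp.read())


# Constructed sample response in the shape an RFC 6749 token endpoint returns.
SAMPLE_RESPONSE = (
    b'{"access_token":"constructed-token-value","token_type":"Bearer","expires_in":3600}'
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:
        # usage: python get_token.py https://<segura-host> <client_id> <client_secret>
        print(fetch_token(*sys.argv[1:])["access_token"])
    else:
        print(parse_token_response(SAMPLE_RESPONSE))
```

Note that the token has the lifetime set in the provider's Date/Time Expiration field; when it expires, Azure's Test Connection and provisioning cycles start failing, and a fresh token has to be generated and pasted into the Secret Token field.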

Configure user mappings

  1. After creating the enterprise application, click Provision Microsoft Entra ID Users.
  2. In the Attribute Mappings section, delete the entitlements.value parameter.
  3. Tick the Show advanced options checkbox and click Edit attribute list for customappsso.
  4. In the new window, create the following attributes.
    1. In the userName attribute, tick the checkbox in the Required? column.
    2. In the email attribute, do not tick any checkbox.
    3. In the displayName attribute, do not tick any checkbox.
    4. In the name.givenName attribute, do not tick any checkbox.
    5. In the name.formatted attribute, do not tick any checkbox.
    6. In the active attribute, do not tick any checkbox.
    7. Add a new attribute called entitlements of type String, and tick the Multiple values? checkbox.
  5. Click Save.
  6. Back in the Attribute Mappings section, click Add new mapping, and add the following attributes as mappings:
    1. userName attribute:
      1. In the Mapping type field, select Direct.
      2. In the Source attribute * field, select userPrincipalName.
      3. In the Target attribute * field, select userName.
    2. email attribute:
      1. In the Mapping type field, select Direct.
      2. In the Source attribute * field, select mail.
      3. In the Target attribute * field, select email.
    3. displayName attribute:
      1. In the Mapping type field, select Direct.
      2. In the Source attribute * field, select displayName.
      3. In the Target attribute * field, select displayName.
    4. name.givenName attribute:
      1. In the Mapping type field, select Direct.
      2. In the Source attribute * field, select givenName.
      3. In the Target attribute * field, select name.givenName.
    5. name.formatted attribute:
      1. In the Mapping type field, select Expression.
      2. In the Source attribute * field, select Join(" ", [givenName], [surname]).
      3. In the Target attribute * field, select nameFormatted.
    6. active attribute:
      1. In the Mapping type field, select Expression.
      2. In the Source attribute * field, select Switch([isSoftDeleted], , "False", "True", "True", "False").
      3. In the Target attribute * field, select nameFormatted.
    7. entitlements attribute:
      1. In the Mapping type field, select Expression.
      2. In the Source attribute * field, select AssertiveAppRoleAssignmentsComplex([appRoleAssignments]).
      3. In the Target attribute * field, select entitlements.
  7. Click Save and go back to the provisioning menu referenced in step 9 of the Create an enterprise application in Azure section.
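To see what the mappings above produce, the following added example (not Azure's or Segura®'s code) reproduces the listed expressions in Python and applies them to a constructed Entra user object, so the SCIM body Segura® will receive can be previewed and the exact-name requirement for roles checked before provisioning is enabled. Assumptions: isSoftDeleted arrives as the string "True" or "False" (or is absent, in which case the Switch default applies), and appRoleAssignments is modelled as the list of assigned role display names, a simplification of what AssertiveAppRoleAssignmentsComplex emits.

```python
"""Preview of the SCIM user body produced by the attribute mappings above.

Added example; not Azure's or Segura's code. Assumptions: isSoftDeleted is the
string "True"/"False" or absent; appRoleAssignments is modelled as a list of
role display names (simplified from AssertiveAppRoleAssignmentsComplex).
"""


def join(sep, *parts):
    """Azure Join(): concatenate the non-empty parts with a separator."""
    return sep.join(p for p in parts if p)


def switch(source, default, *pairs):
    """Azure Switch(source, default, key1, value1, ...): first matching key wins,
    otherwise the default (an empty string in the mapping above)."""
    table = dict(zip(pairs[0::2], pairs[1::2]))
    return table.get(source, default)


def to_scim_user(entra_user):
    """Apply the seven mappings of this section to one Entra user object."""
    given = entra_user.get("givenName", "")
    surname = entra_user.get("surname", "")
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        # Direct mappings
        "userName": entra_user.get("userPrincipalName"),
        "email": entra_user.get("mail"),
        "displayName": entra_user.get("displayName"),
        "name": {
            "givenName": given,
            # Join(" ", [givenName], [surname])
            "formatted": join(" ", given, surname),
        },
        # Switch([isSoftDeleted], , "False", "True", "True", "False"):
        # a soft-deleted user is provisioned as inactive, a live one as active.
        "active": switch(entra_user.get("isSoftDeleted", ""), "", "False", "True", "True", "False"),
        # Multi-valued String attribute created in step 4.7 (modelled as role names)
        "entitlements": list(entra_user.get("appRoleAssignments", [])),
    }


def unmatched_entitlements(scim_user, segura_roles):
    """Entitlements that will not resolve in Segura: the Requirements section
    demands an exact name match, so case and spacing differences count."""
    return [e for e in scim_user["entitlements"] if e not in segura_roles]


# Constructed sample input, not real tenant data.
SAMPLE_USER = {
    "userPrincipalName": "jdoe@contoso.example",
    "mail": "jdoe@contoso.example",
    "displayName": "Jane Doe",
    "givenName": "Jane",
    "surname": "Doe",
    "isSoftDeleted": "False",
    "appRoleAssignments": ["PAM_Admin", "PAM Users"],
}
# Constructed set of role names that exist on the Segura side.
SEGURA_ROLES = {"PAM_Admin", "PAM_Users"}

if __name__ == "__main__":
    import json
    user = to_scim_user(SAMPLE_USER)
    print(json.dumps(user, indent=2))
    print("unmatched entitlements:", unmatched_entitlements(user, SEGURA_ROLES))
```

In the sample, the Azure role "PAM Users" is reported as unmatched because the Segura® role is named "PAM_Users": this is exactly the mismatch the "avoid spaces in role names" requirement is meant to prevent, and it is cheaper to catch here than in a failed provisioning cycle.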

Enable provisioning

In the initial provisioning configuration screen, enable the Provisioning status field.

From this point on, provisioning will run, synchronizing users from Azure AD with Segura®.