SCIM 2.0 User Provisioning and Synchronization : Streamboxy Service Portal

What is SCIM?

The System for Cross-domain Identity Management (SCIM) is a specification designed to make managing user identities in cloud-based applications and services easier.

You can leverage SCIM to automatically sync user profiles from your identity provider (i.e Microsoft Azure AD / Entra ID) to streamboxy.

This saves you a lot of time for manual user maintenance whe users are joining or leaving our organization.

Prerequisites

The following preconditions must be met in order to be able to use SCIM:

You need a SCIM capable identity provider (i.e Entra Id, Okta etc.)
You need a custom SSO Provider to be configured for your Tenant or your Azure AD Domain to be Whitelisted for SCIM.
Please contact your Customer Sucess Manager or Streamboxy Sales.

How to Enable The Scim Sync?

To enable SCIM for a tenant and generating its SCIM Integration token, go to the 'Settings'.

You will find the settings in the upper left corner of the STREAMBOXY Backstage.

In the navigation bar that opens click on 'Integrations' and then on 'Configure'.

Streamboxy Integration

Scim enabled

How to Use it with the Example of Azure AD / Entra ID?

The Azure AD (renamed to Microsoft Entra ID) needs to be configured in order to sync users using SCIM. To configure auto provisioning using SCIM in Microsoft Entra Id go to the Azure Portal -> 'Microsoft Entra ID'.

Step 1: Create Enterprise Application

An Enterpise application needs to be created on "Mcrosoft Entra ID" in order to configure the SCIM sync of a certain Authentication type.

to create an Enterprise Applicaiton click on 'Enterprise applications' on 'Microsoft Entra ID' page and then on 'New application'

Azure Portal EntraID Page

EntraID Enterprise Application page

Click on 'Create your own application'. Enter the name of the application and choose 'Integrate any other application you don't find in the gallery (Non-gallery)'. Click on Create.

Create Enterprise Application - Step 1

Create Enterprise Application - Step 2

Step 2: Create App Roles

This article describes App Roles as a way do map Streamboxy Roles to Entra ID in a flexible way.
You can also accomplish the same thing using a fixed value for role or user profile attributes.

To map the Entra ID roles to Streamboxy Roles, one needs to first create 'App Roles' on the Enterprise Application created in the previous step.

Details on Streamboxy Roles can be found here. The steps below creates App Roles for an Enterprise application.

Click on 'App registrations' on 'Microsoft Entra ID' page on Azure portal.

Create App Roles - Step 1

On the 'App registrations' page if the previously created Entreprise App is not present then click on 'All applications'.

Choose the earlier created Entreprise App. Click on 'App roles' and then 'Create app role'.

Create App Roles - Step 2

Create App Roles - Step 3

Create App Roles - Step 4

Create an app role by filling in the mandatory fields. The Value of the App role needs to be of the format 'Sbxy_<Streamboxy Role>'.

The details about Streamboxy roles can be be found here.

The Streamboxy Role values allowed are below:

Streamboxy Role Value	Description
Sbxy_Admin	administrator
Sbxy_TenantReadOnly	Read only access
Sbxy_TenantEventAdmin	Event administrator
Sbxy_TenantEventAttendeeManager	Event user administrator
Sbxy_NoAccess	No Access

Create App Roles - Step 5

Step 3: Assign Users to the Enterprise Application

This Step allows you to define Users or Groups of Users that are supposed to be synced.

Click on "User and groups" and then 'Add user/group'

Assign User to Enterprise APP - Step 1

Assign User to Enterprise APP - Step 2

Select users to be assigned by clicking on "None Selected" and choose the users to be assigned for SCIM sync.

Click on 'Select'.

Assign User to Enterprise APP - Step 3

Choose the Role to be assinged to the selected users which were created in Step 2.

Click on Assign to assign User and roles to Enterprise Application.

Assign User to Enterprise APP - Step 4

Step 4: Configure automatic provisioning

On the previously created 'Enterprise Application' page click on 'Provisioning'.

Click on 'Provisioning' on Provisioning page.

Enable auto provisioning -Step 1

Enable auto provisioning -Step 2

Choose "Automatic" Provisioning mode.

Enter the credentials created in Streamboxy Integration and click on 'Test Connection'.

Once the credentials is validated, click on 'Save'.

Enable auto provisioning -Step 3

Disable Group provisioning if not supported.

Enable auto provisioning -Step 4

Enable auto provisioning -Step 5

To configure the mapping of the User properties click on 'Provision Azure Active Directory Users'.

Enable auto provisioning -Step 6

The Streamboxy specific attributes needs to enabled before the mapping. To enable Sbxy attributes click on 'Show advanced options' and then on 'Edit attribute list for customappsso'. Add the below mentioned Streamboxy specific attributes and click on Save.

Attribute Value	Required?
urn:ietf:params:scim:schemas:extension:customSbxyAttribute:2.0:User:authProvider	True
Auth Provider type for the user being created. The allowed values are 'Microsoft' and 'CustomSSO'. For Auth Provider type Microsoft, the email domains must be whielisted. Please contact info@streamboxy.de to whitelist email domain.
urn:ietf:params:scim:schemas:extension:customSbxyAttribute:2.0:User:role	True
The role of the user in Streamboxy.
urn:ietf:params:scim:schemas:extension:customSbxyAttribute:2.0:User:customSSOProviderId	False
The CustomSSO Provider Id to which the user is associated with. This is a must have if the authProvider type is CustomSSO.

SCIM attribute mapping - Step 1

Delete the attributes except the ones below in the snapshot.

Change the attribute mapping with custommapsso attribute 'externalId' to Azure AD attrubute 'objectId'.

Update the 'userName' customappsso to Expression type with values as below:

Microsot Type: Append("Microsoft", Append("_", [userPrincipalName]))
CustomSSO: Append("CustomSSO", Append("_", [userPrincipalName]))

Click on Add New Mapping to map the newly created Streamboxy specific attributed.

Add the below 3 attrubutes mapping.

1. urn:ietf:params:scim:schemas:extension:customSbxyAttribute:2.0:User:authProvider

SCIM attribute mapping - Step 2

2. urn:ietf:params:scim:schemas:extension:customSbxyAttribute:2.0:User:role

Expression Value = SingleAppRoleAssignment([appRoleAssignments])

SCIM attribute mapping - Step 3

3. urn:ietf:params:scim:schemas:extension:customSbxyAttribute:2.0:User:customSSOProviderId

Constant Value = Custom SSO Provider Id from Streamboxy Settings => Login page.

SCIM attribute mapping - Step 4

After all the needed the attributes mapping is done, the overall User attribute mapping would look like the one below.

Save the attribute mapping by clicking on Save.

After SCIM attribute mapping

After the attrubutes mapping configuration, the automatic SCIM provisioning needs to be started.

Go to the 'Overview' tab in 'Provisioning' page of the Enterprise App and click on 'Start provisioning'.

With this the SCIM sync of users is configured on Azure AD (Microsoft Entra ID).

The logs and errors of the automatic provisioning can be viewed by clicking on 'View provisioning logs'.

Start Auto Provisioning

Current Limitations

Currently we don't support provisioning of Groups via SCIM (lifted in a future release)
Currently we don't support Streamboxy USer Custom Properties for SCIM sync (lifted in a future release)

Streamboxy Service Portal

We are here to help you!