What is SCIM?

The System for Cross-domain Identity Management (SCIM) is a specification designed to make managing user identities in cloud-based applications and services easier.


You can leverage SCIM to automatically sync user profiles from your identity provider (e.g. Microsoft Azure AD / Entra ID) to Streamboxy.

This saves you a lot of manual user maintenance when users join or leave your organization.


Prerequisites

The following preconditions must be met in order to be able to use SCIM:

  1. You need a SCIM-capable identity provider (e.g. Entra ID, Okta etc.)
  2. You need a custom SSO Provider to be configured for your Tenant or your Azure AD Domain to be whitelisted for SCIM.
    Please contact your Customer Success Manager or Streamboxy Sales.


How to Enable The SCIM Sync?

To enable SCIM for a tenant and generate its SCIM Integration token, go to the Settings.

You will find the Settings in the upper left corner of the STREAMBOXY Backstage.

In the navigation bar that opens click on Integrations and then on Configure.

Streamboxy Integration


Enable SCIM

Scim enabled




How to Use it with the Example of Azure AD / Entra ID?

Azure AD (renamed to Microsoft Entra ID) needs to be configured in order to sync users using SCIM. To configure automatic provisioning using SCIM in Microsoft Entra ID, go to the Azure Portal -> Microsoft Entra ID.



Step 1: Create Enterprise Application


An Enterprise application needs to be created in "Microsoft Entra ID" to configure the SCIM sync of a certain Authentication type.

To create an Enterprise Application, click on 'Enterprise applications' on the Microsoft Entra ID page and then on New application.


1. Azure Portal Entra ID Page

Azure Portal EntraID Page

2. Entra ID Enterprise Application page

EntraID Enterprise Application page


Click on Create your own application. Enter the name of the application and choose Integrate any other application you don't find in the gallery (Non-gallery). Click on Create.


1. Create Enterprise Application

Create Enterprise Application - Step 1

2. Create Enterprise Application

Create Enterprise Application - Step 2




Step 2: Create App Roles

This article describes App Roles as a way to map Streamboxy Roles to Entra ID in a flexible way.
You can also accomplish the same thing using a fixed value for role or user profile attributes.


To map the Entra ID roles to Streamboxy Roles, you first need to create App Roles on the Enterprise Application created in the previous step.

Details on Streamboxy Roles can be found here. The steps below create App Roles for an Enterprise application.


1. Click on App registrations on the Microsoft Entra ID page in the Azure portal.

Create App Roles - Step 1


2. On the App registrations page, if the previously created Enterprise App is not present, then click on All applications.

3. Choose the earlier created Enterprise App. Click on App roles and then Create app role.

Create App Roles - Step 2

Create App Roles - Step 3


Create App Roles - Step 4


Create an app role by filling in the mandatory fields. The Value of the App role needs to be of the format:

Sbxy_<Streamboxy Role>


The details about Streamboxy roles can be found here.

The Streamboxy Role values allowed are below:

Streamboxy Role Value              Description
Sbxy_Admin                         Administrator
Sbxy_TenantReadOnly                Read only access
Sbxy_TenantEventAdmin              Event administrator
Sbxy_TenantEventAttendeeManager    Event user administrator
Sbxy_NoAccess                      No Access

Create App Roles - Step 5




Step 3: Create Groups

This article describes how to create groups.

  1. Click on Groups on the Microsoft Entra ID page in the Azure portal.

  2. Then click on New group, enter the desired name and description.

You can add users to the group under Members.



Step 4: Assign Users/Groups to the Enterprise Application


This Step allows you to define Users or Groups of Users that are supposed to be synced.


1. Click on Users and groups and then Add user/group.

Assign User to Enterprise APP - Step 1


Assign User to Enterprise APP - Step 2


2. Select the users or groups to be assigned by clicking on None Selected and choose the users to be assigned for SCIM sync.

Click on Select. (If a Group is selected, the members of the Group will be synced.)

Assign User to Enterprise APP - Step 3


3. Choose the Role (created in Step 2) to be assigned to the selected users or groups.

Click on Assign to assign the users, groups and roles to the Enterprise Application.

Assign User to Enterprise APP - Step 4



Step 4: Configure automatic provisioning


On the previously created Enterprise Application page click on Provisioning.

Click on Provisioning on the Provisioning page.

Enable auto provisioning -Step 1


Enable auto provisioning -Step 2

Choose "Automatic" Provisioning mode.

Enter the credentials created in Streamboxy Integration and click on Test Connection

Once the credentials are validated, click on Save.

Enable auto provisioning -Step 3


Disable Group provisioning if not supported.


Enable auto provisioning -Step 4

Enable auto provisioning -Step 5


To configure the mapping of the User properties, click on Provision Azure Active Directory Users.

Enable auto provisioning -Step 6

The Streamboxy specific attributes need to be enabled before the mapping. To enable Sbxy attributes, click on Show advanced options and then on Edit attribute list for customappsso. Add the below-mentioned Streamboxy specific attributes and click on Save.

Streamboxy specific attributes:

  • urn:ietf:params:scim:schemas:extension:customSbxyAttribute:2.0:User:authProvider (Required: True)
    Auth Provider type for the user being created. The allowed values are Microsoft and CustomSSO. For Auth Provider type Microsoft, the email domains must be whitelisted. Please contact [email protected] to whitelist the email domain.
  • urn:ietf:params:scim:schemas:extension:customSbxyAttribute:2.0:User:customSSOProviderId (Required: False)
    The CustomSSO Provider Id with which the user is associated. This is a must-have if the authProvider type is CustomSSO.

 

SCIM attribute mapping - Step 1


Delete all attributes except roles and the ones shown in the snapshot below.

Change the mapping of the customappsso attribute externalId to the Azure AD attribute objectId.

Update the customappsso attribute userName to the Expression type with one of the values below:

  • Microsoft type: Append("Microsoft", Append("_", [userPrincipalName]))
  • CustomSSO type: Append("CustomSSO", Append("_", [userPrincipalName]))


Click on Add New Mapping to map the newly created Streamboxy specific attributes.


Add/Update the 3 attribute mappings below.


1. urn:ietf:params:scim:schemas:extension:customSbxyAttribute:2.0:User:authProvider

SCIM attribute mapping - Step 2


2. [Update] roles

Expression Value = AssertiveAppRoleAssignmentsComplex([appRoleAssignments])



3. urn:ietf:params:scim:schemas:extension:customSbxyAttribute:2.0:User:customSSOProviderId

Constant Value = Custom SSO Provider Id from Streamboxy Settings => Login page.

SCIM attribute mapping - Step 4


After all the needed attribute mappings are done, the overall User attribute mapping will look like the one below.

Save the attribute mapping by clicking on Save.
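
As an added illustration (not Streamboxy's or Microsoft's code), the following Python check applies the rules from this section to a SCIM User payload: allowed authProvider values, customSSOProviderId when the type is CustomSSO, the userName expression, externalId, and the allowed Sbxy_ role values. The payload shape (extension attributes nested under the schema URN, role entries carrying the App role Value under "value") and the sample users are assumptions constructed for the example.

```python
EXT = "urn:ietf:params:scim:schemas:extension:customSbxyAttribute:2.0:User"
ALLOWED_ROLES = {"Sbxy_Admin", "Sbxy_TenantReadOnly", "Sbxy_TenantEventAdmin",
                 "Sbxy_TenantEventAttendeeManager", "Sbxy_NoAccess"}
ALLOWED_PROVIDERS = {"Microsoft", "CustomSSO"}


def expected_user_name(auth_provider, upn):
    """Mirror of Append("<provider>", Append("_", [userPrincipalName]))."""
    return auth_provider + "_" + upn


def validate_scim_user(payload, upn):
    """Return a list of problems; an empty list means the mapping rules hold."""
    problems = []
    # Assumptions: extension attributes nest under EXT; roles entries use "value".
    ext = payload.get(EXT) or {}
    provider = ext.get("authProvider")
    if provider not in ALLOWED_PROVIDERS:
        problems.append("authProvider must be Microsoft or CustomSSO")
    else:
        if provider == "CustomSSO" and not ext.get("customSSOProviderId"):
            problems.append("customSSOProviderId is required for CustomSSO")
        if payload.get("userName") != expected_user_name(provider, upn):
            problems.append("userName is not <authProvider>_<userPrincipalName>")
    if not payload.get("externalId"):
        problems.append("externalId (mapped from objectId) is missing")
    bad = [r.get("value") for r in payload.get("roles") or []
           if r.get("value") not in ALLOWED_ROLES]
    if bad:
        problems.append("role values outside the allowed list: %s" % bad)
    return problems


# Constructed sample payloads (not captured from a real tenant).
GOOD = {
    "externalId": "00000000-0000-0000-0000-000000000001",
    "userName": "Microsoft_alice@example.com",
    "roles": [{"value": "Sbxy_TenantEventAdmin"}],
    EXT: {"authProvider": "Microsoft"},
}
BAD = {
    "externalId": "00000000-0000-0000-0000-000000000002",
    "userName": "bob@example.com",          # prefix missing
    "roles": [{"value": "Admin"}],          # not an Sbxy_ value
    EXT: {"authProvider": "CustomSSO"},     # customSSOProviderId missing
}

if __name__ == "__main__":
    print(validate_scim_user(GOOD, "alice@example.com"))
    print(validate_scim_user(BAD, "bob@example.com"))
```

A role value outside the allowed list is the finding to look at first, since the role mapping decides which access a synced user receives.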



Add roles to the groups

First of all, groups must be activated.


As with the user, under Show advanced options and then under Edit attribute list for customappsso, add ‘roles’. Make sure that its type is string and that the Required and Multi-Value checkboxes are checked.




Then go back to the attribute mapping of the groups, click on Add New Mapping and insert the following: AssertiveAppRoleAssignmentsComplex([appRoleAssignments])




After that you should see the following.




Step 5: Start automatic provisioning


After the attributes mapping configuration, the automatic SCIM provisioning needs to be started.

Go to the Overview tab in the Provisioning page of the Enterprise App and click on Start provisioning.

With this the SCIM sync of users is configured on Azure AD (Microsoft Entra ID).

The logs and errors of the automatic provisioning can be viewed by clicking on View provisioning logs.

Start Auto Provisioning


Current Limitations

  • Currently we don't support Streamboxy User Custom Properties for SCIM sync (this limitation will be lifted in a future release)
  • A user's email can only be updated within a single Streamboxy Tenant with a whitelisted domain. If multiple Streamboxy Tenants share the same whitelisted domain, only the first whitelisted tenant is permitted to make the update. If a different tenant needs to update the email, please contact your Customer Success Manager or Streamboxy Sales.