What is SCIM?
The System for Cross-domain Identity Management (SCIM) is a specification designed to make managing user identities in cloud-based applications and services easier.
You can leverage SCIM to automatically sync user profiles from your identity provider (e.g. Microsoft Azure AD / Entra ID) to Streamboxy.
This saves you a lot of time on manual user maintenance when users are joining or leaving your organization.
Prerequisites
The following preconditions must be met in order to be able to use SCIM:
- You need a SCIM-capable identity provider (e.g. Entra ID, Okta etc.)
- You need a custom SSO Provider configured for your Tenant, or your Azure AD Domain must be whitelisted for SCIM.
Please contact your Customer Success Manager or Streamboxy Sales.
How to Enable the SCIM Sync?
To enable SCIM for a tenant and generate its SCIM Integration token, go to 'Settings'.
You will find the settings in the upper left corner of the STREAMBOXY Backstage.
In the navigation bar that opens click on 'Integrations' and then on 'Configure'.
How to Use it with the Example of Azure AD / Entra ID?
Azure AD (renamed to Microsoft Entra ID) needs to be configured in order to sync users using SCIM. To configure auto provisioning using SCIM in Microsoft Entra ID, go to the Azure Portal -> 'Microsoft Entra ID'.
Step 1: Create Enterprise Application
An Enterprise application needs to be created in 'Microsoft Entra ID' in order to configure the SCIM sync for a certain Authentication type.
To create an Enterprise Application, click on 'Enterprise applications' on the 'Microsoft Entra ID' page and then on 'New application'.
Click on 'Create your own application'. Enter the name of the application and choose 'Integrate any other application you don't find in the gallery (Non-gallery)'. Click on Create.
Step 2: Create App Roles
This article describes App Roles as a flexible way to map Streamboxy Roles to Entra ID.
You can also accomplish the same thing using a fixed value for the role or user profile attributes.
To map Entra ID roles to Streamboxy Roles, you first need to create 'App Roles' on the Enterprise Application created in the previous step.
Details on Streamboxy Roles can be found here. The steps below create App Roles for an Enterprise application.
Click on 'App registrations' on 'Microsoft Entra ID' page on Azure portal.
On the 'App registrations' page, if the previously created Enterprise App is not present, click on 'All applications'.
Choose the previously created Enterprise App. Click on 'App roles' and then 'Create app role'.
Create an app role by filling in the mandatory fields. The Value of the App role must have the format 'Sbxy_<Streamboxy Role>'.
Details about Streamboxy roles can be found here.
The Streamboxy Role values allowed are below:
| Streamboxy Role Value | Description |
|---|---|
| Sbxy_Admin | Administrator |
| Sbxy_TenantReadOnly | Read-only access |
| Sbxy_TenantEventAdmin | Event administrator |
| Sbxy_TenantEventAttendeeManager | Event user administrator |
| Sbxy_NoAccess | No access |
Step 3: Assign Users to the Enterprise Application
This step allows you to define the Users or Groups of Users that are supposed to be synced.
Click on 'Users and groups' and then 'Add user/group'.
Select the users or Group to be assigned by clicking on 'None Selected' and choose the users to be assigned for SCIM sync.
Click on 'Select'. (If a Group is selected, the members of the Group will be synced.)
Choose the Role (created in Step 2) to be assigned to the selected users.
Click on 'Assign' to assign the Users and roles to the Enterprise Application.
Step 4: Configure automatic provisioning
On the previously created 'Enterprise Application' page click on 'Provisioning'.
Click on 'Provisioning' on Provisioning page.
Choose "Automatic" Provisioning mode.
Enter the credentials created in Streamboxy Integration and click on 'Test Connection'.
Once the credentials are validated, click on 'Save'.
Disable Group provisioning, as it is not supported.
To configure the mapping of the User properties, click on 'Provision Azure Active Directory Users'.
The Streamboxy-specific attributes need to be enabled before the mapping. To enable the Sbxy attributes, click on 'Show advanced options' and then on 'Edit attribute list for customappsso'. Add the Streamboxy-specific attributes listed below and click on 'Save'.
| Attribute Value | Required? | Description |
|---|---|---|
| urn:ietf:params:scim:schemas:extension:customSbxyAttribute:2.0:User:authProvider | True | Auth Provider type for the user being created. The allowed values are 'Microsoft' and 'CustomSSO'. For the Auth Provider type Microsoft, the email domains must be whitelisted. Please contact [email protected] to whitelist an email domain. |
| urn:ietf:params:scim:schemas:extension:customSbxyAttribute:2.0:User:customSSOProviderId | False | The Custom SSO Provider Id with which the user is associated. This is required if the authProvider type is CustomSSO. |
Delete all attributes except the ones shown in the snapshot below and 'roles'.
Change the attribute mapping of the customappsso attribute 'externalId' to the Azure AD attribute 'objectId'.
Update the 'userName' customappsso mapping to the Expression type with the value below, depending on the Auth Provider type:
- Microsoft type: Append("Microsoft", Append("_", [userPrincipalName]))
- CustomSSO: Append("CustomSSO", Append("_", [userPrincipalName]))
Click on 'Add New Mapping' to map the newly created Streamboxy-specific attributes.
Add/Update the mappings of the 3 attributes below.
1. urn:ietf:params:scim:schemas:extension:customSbxyAttribute:2.0:User:authProvider
2. [Update] roles
Expression Value = AssertiveAppRoleAssignmentsComplex([appRoleAssignments])
3. urn:ietf:params:scim:schemas:extension:customSbxyAttribute:2.0:User:customSSOProviderId
Constant Value = Custom SSO Provider Id from Streamboxy Settings => Login page.
After all the needed attribute mappings are done, the overall User attribute mapping will look like the one below.
Save the attribute mapping by clicking on 'Save'.
After the attribute mapping is configured, the automatic SCIM provisioning needs to be started.
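As an added illustration (not part of the original article or of Streamboxy's own code), the following Python snippet builds the SCIM User payload that the mapping above makes Entra ID send, and checks it against the rules this page states: userName carries the '<authProvider>_' prefix, externalId is present, authProvider is 'Microsoft' or 'CustomSSO', customSSOProviderId is set for CustomSSO users, and every role value is one of the allowed 'Sbxy_' roles. The objectId and provider id values are constructed placeholders.

```python
# Extension schema URN from the attribute table above.
EXT = "urn:ietf:params:scim:schemas:extension:customSbxyAttribute:2.0:User"
ALLOWED_ROLES = {"Sbxy_Admin", "Sbxy_TenantReadOnly", "Sbxy_TenantEventAdmin",
                 "Sbxy_TenantEventAttendeeManager", "Sbxy_NoAccess"}
ALLOWED_PROVIDERS = {"Microsoft", "CustomSSO"}


def build_username(auth_provider, upn):
    """Mirror the Entra expression Append(<provider>, Append("_", [userPrincipalName]))."""
    return f"{auth_provider}_{upn}"


def validate_scim_user(user):
    """Return a list of problems; an empty list means the payload matches the page's mapping rules."""
    problems = []
    ext = user.get(EXT, {})
    provider = ext.get("authProvider")
    if provider not in ALLOWED_PROVIDERS:
        problems.append(f"authProvider must be one of {sorted(ALLOWED_PROVIDERS)}, got {provider!r}")
    if provider == "CustomSSO" and not ext.get("customSSOProviderId"):
        problems.append("customSSOProviderId is required when authProvider is CustomSSO")
    if not user.get("externalId"):
        problems.append("externalId (mapped from the Entra objectId) is missing")
    username = user.get("userName", "")
    if provider in ALLOWED_PROVIDERS and not username.startswith(provider + "_"):
        problems.append(f"userName {username!r} does not carry the {provider}_ prefix")
    # Roles may arrive as complex objects ({'value': ...}) or as bare strings; accept both.
    for role in user.get("roles", []):
        value = role.get("value") if isinstance(role, dict) else role
        if value not in ALLOWED_ROLES:
            problems.append(f"unknown Streamboxy role {value!r}")
    return problems


# Constructed sample payload for a CustomSSO user; ids are placeholders, not real values.
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", EXT],
    "externalId": "00000000-0000-0000-0000-000000000001",
    "userName": build_username("CustomSSO", "jane.doe@example.com"),
    "roles": [{"value": "Sbxy_TenantEventAdmin", "primary": True}],
    EXT: {"authProvider": "CustomSSO", "customSSOProviderId": "PLACEHOLDER-PROVIDER-ID"},
}

if __name__ == "__main__":
    print(validate_scim_user(SAMPLE_USER) or "payload OK")
```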
Go to the 'Overview' tab in 'Provisioning' page of the Enterprise App and click on 'Start provisioning'.
With this, the SCIM sync of users is configured on Azure AD (Microsoft Entra ID).
The logs and errors of the automatic provisioning can be viewed by clicking on 'View provisioning logs'.
Current Limitations
- Currently we don't support provisioning of Groups via SCIM (to be lifted in a future release)
- Currently we don't support Streamboxy User Custom Properties for SCIM sync (to be lifted in a future release)