With Cerby, you can configure automatic provisioning for Azure Active Directory (AD) using the System for Cross-domain Identity Management (SCIM) specification to manage the creation and synchronization of user accounts based on the user and group assignments.
This article describes how to configure both the Cerby enterprise application and Azure AD. When configured, Azure AD automatically provisions and deprovisions users and groups to Cerby using the Azure AD Provisioning service. For more details on what this service does, how it works, and frequently asked questions, see the What is app provisioning in Azure Active Directory? article.
Supported Features
The following are the supported features for configuring automatic user provisioning for Azure AD:
Create users in Cerby.
Remove users in Cerby when they no longer require access
Keep user attributes synchronized between Azure AD and Cerby.
Implement the Single Sign-On (SSO) authentication feature to Cerby.
Requirements
The following are the requirements to configure automatic user provisioning for Azure AD:
An Azure AD tenant. For more information, see the Quickstart: Set up a tenant article
A user account in Azure AD with permission to configure provisioning. For example:
Application Administrator
Cloud Application Administrator
Application Owner
Global Administrator
A user account in Cerby with the Workspace Owner role
The Cerby SAML2-based integration must be set up. Follow the instructions in the How to Configure the Cerby App Gallery SAML App with Your Azure AD Tenant article to set up the integration
A SCIM API authentication token. Follow the instructions in the How to Retrieve the SCIM API Authentication Token from Cerby article to retrieve the token
NOTE: If you need to regenerate the SCIM API authentication token, see the Regenerating the SCIM API authentication token section.
Configuring Automatic User Provisioning for Azure AD
To configure automatic user provisioning for Azure AD, you must complete the following main steps:
The following sections describe each main step.
1. Plan Your Provisioning Deployment
To plan your provisioning deployment with Azure AD, you must complete the following steps:
Learn about how the provisioning service works. For more information, see the What is app provisioning in Azure Active Directory? article.
Determine who will be in scope for provisioning. For more information, see the Attribute-based application provisioning with scoping filters article.
Determine what data to map between Azure AD and Cerby. For more information, see the Tutorial - Customize user provisioning attribute-mappings for SaaS applications in Azure Active Directory article.
The next step is 2. Configure Cerby to support provisioning with Azure AD.
2. Configure Cerby to Support Provisioning with Azure AD
Cerby has enabled by default the provisioning support for Azure AD. You must only follow the instructions from the How to Retrieve the SCIM API Authentication Token from Cerby article to retrieve the SCIM API authentication token.
The next step is 3. Add Cerby from the Azure AD application gallery.
3. Add Cerby from the Azure AD Application Gallery
You must add the Cerby enterprise application from the Azure AD application gallery to start managing provisioning to Cerby.
If you have previously set up Cerby for SSO, you can use the same application. However, we recommend that you create a separate app when testing out the integration initially. For more information about adding an application from the gallery, see the Quickstart: Add an enterprise application article.
The next step is 4. Define who will be in scope for provisioning.
4. Define the Scope for Provisioning
The Azure AD provisioning service enables you to scope who will be provisioned based on assignment to the application and or based on attributes of the user and group.
Scope based on assignment: Follow the instructions from the Assign users and groups to an application article to assign users and groups to the application.
Scope based on attributes of the user or group: Use a scoping filter as described in the Attribute-based application provisioning with scoping filters article.
The following are some recommendations when defining the scope:
Start small. Test with a small set of users and groups before rolling out to everyone. When the scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an attribute-based scoping filter, according to the Attribute-based application provisioning with scoping filters article.
If you need additional roles, you can update the application manifest. For more information, see the Add app roles to your application and receive them in the token article.
The next step is 5. Configure automatic user provisioning to Cerby.
5. Configure Automatic User Provisioning to Cerby
To configure automatic user provisioning to Cerby, you must complete the following steps:
Log in to your Microsoft Azure account.
Select your Cerby enterprise application by performing the following actions:
Click the Menu button located in the top right of the page. A drop-down menu is displayed.
Select the Azure Active Directory option from the drop-down menu. The Overview page is displayed.
Click the Enterprise applications button located in the left navigation drawer. The All applications page is displayed.
Select the Cerby option from the list of enterprise applications. The Overview page of your Cerby application is displayed.
Click the Provisioning button located in the Manage section of the left side navigation drawer, as shown in Figure 1. The Provisioning page is displayed.
Figure 1. Overview Page of the Cerby Application in Microsoft Azure
Click the Get started button. A page to configure the provisioning mode is displayed.
NOTE: If the provisioning is already configured, the Provisioning page displays a horizontal menu at the top. Click the Edit provisioning button from the horizontal menu to display the page to edit the provisioning mode configuration.
Click the drop-down button of the Provisioning Mode field. A list of options is displayed.
Select the Automatic option from the drop-down list, as shown in Figure 2. The Admin Credentials section is displayed.
Figure 2. Provisioning Mode Drop-Down List
Enter the following information in the corresponding fields of the Admin Credentials section, as shown in Figure 3:
Enter
https://api.cerby.com/v1/scim/v2in the Tenant URL field.Paste the token in the Secret Token field. You copied this token previously by following the instructions from the How to Retrieve the SCIM API Authentication Token from Cerby article.
Figure 3. Admin Credentials Section
Click the Test Connection button to validate the credentials by connecting to the SCIM endpoint. A success message box is displayed.
NOTE: If the connection fails, ensure your Cerby account has Admin permissions and try again.
Click the Save button. The Mappings and Settings sections are enabled.
Review the user attributes that are synchronized from Azure AD to Cerby in the Mappings section by performing the following actions:
Activate the Mappings section.
Click the Provision Azure Active Directory Users button. The Attribute Mapping page is displayed.
Verify that the attributes and information from Table 1 are configured correctly in the Attribute Mappings section:
NOTE: The attributes selected as Matching properties are used to match the user accounts in Cerby for update operations. If you change the matching target attribute, you must ensure that the Cerby API supports filtering users based on that attribute. For more information, see the Tutorial - Customize user provisioning attribute-mappings for SaaS applications in Azure Active Directory article.
Click the Save button. The page closes and a success message box is displayed on the page to configure the provisioning mode.
Configure the email address for notifications and the scope in the Settings section by performing the following actions:
Activate the Settings section.
Enter the email address of the person or group who should receive the provisioning error notifications in the Notification Email field.
Select the Send an email notification when a failure occurs option.
Select the option from the Scope drop-down list that corresponds to the scoping that you defined in step 4. Define who will be in scope for provisioning.
NOTE: For more information to configure scoping filters, see the Attribute-based application provisioning with scoping filters article.
Activate the Provisioning Status switch, as shown in Figure 4 to enable the Azure AD provisioning service for Cerby.
Figure 4. Provisioning Status Switch
Click the Save button. A success message box is displayed.
NOTE: This configuration starts the initial synchronization cycle of all users and groups defined in Scope in the Settings section. The initial cycle takes longer to complete than the next cycles, which occur approximately every 40 minutes, as long as the Azure AD provisioning service is running.
The next step is 6. Monitor your deployment.
6. Monitor Your Deployment
Use the following resources to monitor your deployment:
Use the provisioning logs to determine which users have been provisioned successfully or unsuccessfully. For more information, see the Provisioning logs in Azure Active Directory article.
Verify the progress bar of the provisioning cycle synchronization to see how close it is to completion. For more information, see the Check the status of user provisioning article.
Verify the provisioning configuration health. If it has an unhealthy state, the application goes into quarantine. For more information about quarantine states, see the Application provisioning in quarantine status article.
Now you are done.
Regenerating the SCIM API Authentication Token
To regenerate the SCIM API authentication token, complete the following steps:
Send an email with your request to support@cerby.com. The Cerby team regenerates the SCIM API authentication token.
Receive the response email from Cerby to confirm that the token was successfully regenerated.
Complete the instructions from the How to Retrieve the SCIM API Authentication Token from Cerby article to retrieve the new token.
NOTE: The Cerby team is currently developing a self-service solution for regenerating the SCIM API authentication token. To regenerate the token, the Cerby team members must validate their identity.
Table 1. Attribute Mappings
Azure Active Directory | Cerby Attribute | Matching Precedence |
|
| 1 |
|
| 2 |
|
|
|
|
|
|
|
|
|
|
|
|