Setting up SCIM with Azure Active Directory

Updated 5 hours ago by Abhiram

User provisioning through SCIM 2.0 is available only with the hosted version of Active Directory, Azure Active Directory (Azure AD). Kissflow Account Owners, Super Admins, and User Admins can set up SCIM-based user sync for Azure AD.

To turn on SCIM, sign in to Kissflow and make these changes:

  1. Navigate to Admin > User Management and click Configure SCIM.
    (Screenshot: Configuring SCIM in Kissflow)
  2. Generate a SCIM token, then copy the Base URL and the SCIM token to the clipboard. You will need to paste both into Azure AD.
    Keep the SCIM token secure: once generated, the token cannot be copied or downloaded again.

Creating a new application in Azure AD

  1. Sign in to your Azure Active Directory as an Administrator and go to Enterprise applications.
    (Screenshot: Creating an enterprise application in Azure AD)
  2. Select New application and choose Non-gallery application.
  3. When asked for a name, enter a meaningful name for your app.
    (Screenshot: Creating a non-gallery application)
  4. Click Add.

Provisioning your app

  1. Go to the Provisioning tab in your new application.
  2. From the Provisioning Mode dropdown, select Automatic provisioning.
    (Screenshot: User provisioning in Azure AD)
  3. Paste your copied SCIM Base URL in the Tenant URL field and the SCIM token in the Secret Token field.
  4. Click Test Connection; a success toast message should appear.
  5. Click Save at the top of your screen.

Mapping attributes

  1. Under Provisioning tab > Mappings, click "Synchronize Azure Active Directory Groups to customappsso".
  2. Adjust your group Attribute mappings so that the result matches the following screenshot. Then, Save your changes.
    (Screenshot: User attribute mapping)
  3. Similarly, click "Synchronize Azure Active Directory Users to customappsso".
  4. Adjust your user Attribute mappings so it fits your sync requirements. Please make sure that matching is based on userName and that the corresponding Active Directory value is the email address of the user.
    (Screenshot: Group mapping in Azure AD)
  5. Change the Azure AD value for emails attribute to userPrincipalName and active attribute to Not([IsSoftDeleted]). Based on your syncing requirements, delete any other unwanted attributes.
  6. Kissflow does not support the SCIM 2.0 Enterprise User schema extension, so the default mapping for the manager attribute that Azure suggests will not work. You will need to add a custom attribute specifically to sync the manager data from AD.

    To add these custom attributes, enable the Show advanced options checkbox; under Supported Attributes, click Edit attribute list for customappsso. Here, you can enter the Kissflow account-specific schema extension attributes listed below.

    Azure Active Directory Attribute   Attribute type   customsso Attributes
    manager                            Reference        urn:kissflow:scim:schemas:extension:Kissflow Account ID:2:User:Manager.value
    department                         String           urn:kissflow:scim:schemas:extension:Kissflow Account ID:2:User:Department
    User type                          String           urn:kissflow:scim:schemas:extension:Kissflow Account ID:2:User:UserType
    Number                             Number           urn:kissflow:scim:schemas:extension:Kissflow Account ID:2:User:Number_1
    Currency                           String           urn:kissflow:scim:schemas:extension:Kissflow Account ID:2:User:Currency_1
    Date                               String           urn:kissflow:scim:schemas:extension:Kissflow Account ID:2:User:Date_1
    Date time                          String           urn:kissflow:scim:schemas:extension:Kissflow Account ID:2:User:Datetime_1
    Yes/No                             Boolean          urn:kissflow:scim:schemas:extension:Kissflow Account ID:2:User:yesno
    Dropdown                           String           urn:kissflow:scim:schemas:extension:Kissflow Account ID:2:User:Dropdown

    In each URN, replace the text "Kissflow Account ID" with your actual Kissflow Account ID.
  7. Save your changes.
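The following is an added example, not code from Kissflow or Microsoft, that applies the mappings described above to one Azure AD user and checks the resulting SCIM resource against the rules this section states (userName is the email, active is Not([IsSoftDeleted]), the Enterprise User extension is absent, and the account ID has replaced the placeholder in the Kissflow extension URN). The account ID, the user record, and the nesting of extension attributes under their schema URN are assumptions made for illustration.

```python
# Added example (not Kissflow's or Microsoft's code). Builds the SCIM 2.0 User
# resource the attribute mappings above would produce for one Azure AD user,
# then validates it. Account ID and user data are constructed placeholders.
from typing import Any, Dict, List

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_EXT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"


def kissflow_ext(account_id: str) -> str:
    # Kissflow extension schema URN with the account ID substituted.
    return f"urn:kissflow:scim:schemas:extension:{account_id}:2:User"


def build_scim_user(ad_user: Dict[str, Any], account_id: str) -> Dict[str, Any]:
    """userName <- mail (matching attribute), emails <- userPrincipalName,
    active <- Not([IsSoftDeleted]), manager/department <- Kissflow extension.
    Extension attributes are assumed to nest under their schema URN key."""
    ext = kissflow_ext(account_id)
    return {
        "schemas": [CORE_USER, ext],
        "userName": ad_user["mail"],
        "active": not ad_user.get("IsSoftDeleted", False),
        "emails": [{"value": ad_user["userPrincipalName"], "primary": True}],
        ext: {
            "Manager": {"value": ad_user.get("manager")},
            "Department": ad_user.get("department"),
        },
    }


def validate(resource: Dict[str, Any], account_id: str) -> List[str]:
    """Return the mapping problems found (an empty list means the resource is OK)."""
    problems: List[str] = []
    schemas = resource.get("schemas", [])
    if ENTERPRISE_EXT in schemas or ENTERPRISE_EXT in resource:
        problems.append("Enterprise User extension is not supported by Kissflow")
    if kissflow_ext(account_id) not in schemas:
        problems.append("Kissflow extension URN missing or account ID placeholder not replaced")
    if "@" not in str(resource.get("userName", "")):
        problems.append("userName must be the user's email address")
    if not isinstance(resource.get("active"), bool):
        problems.append("active must be a boolean derived from Not([IsSoftDeleted])")
    return problems


if __name__ == "__main__":
    # Constructed sample: a soft-deleted user, so 'active' must come out False.
    sample = {"mail": "ada@example.com", "userPrincipalName": "ada@example.com",
              "IsSoftDeleted": True, "manager": "mgr-0001", "department": "Engineering"}
    resource = build_scim_user(sample, "ACCOUNT_ID_PLACEHOLDER")
    print(resource["active"], validate(resource, "ACCOUNT_ID_PLACEHOLDER"))
```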

Assigning users and groups

  1. Go to the Users and groups tab.
  2. Add all users/groups that should be present on Kissflow.
  3. AD users and AD group members will be created as users on Kissflow.

Provisioning status

  • Under Provisioning tab > Settings section, switch Provisioning Status to On.
  • Pick the Scope as Sync only assigned users and groups.
    (Screenshot: Provisioning settings in Azure AD)
  • Save your changes.
