Synchronizing users using Azure AD


Overview

Integration between cloud-based applications demands robust administration of the identities used for authentication. Whatever authentication protocol you use, it is important to centralize user information to ease identity management and to avoid keeping redundant copies of the same user in each application.

 

Active Directory has been the common approach to centralizing user information within organizations. However, the variety of cloud-based applications has exposed the challenge of managing identities when applications run in different domains.

 

Bizagi now offers an integration with Azure AD through the System for Cross-domain Identity Management protocol (SCIM). The protocol exposes a REST API through which Azure AD administrators manage user identities in Bizagi: they can create, read, or delete users in the WFUser table through this service. This centralizes user administration without third-party applications, reduces points of failure, and improves governance over the many cloud-based applications an organization uses. SCIM builds on existing authentication, authorization, and privacy models (here, an OAuth 2.0 bearer token over HTTPS), which makes the integration flexible for Bizagi cloud customers.

 

Configuration

SCIM authenticates every call with an OAuth 2.0 bearer token: Azure AD's provisioning service presents the token to Bizagi's SCIM endpoint on each request, so you must first generate one in the Bizagi Work Portal. Generate a separate token for each environment in which you want to synchronize users between Azure AD and Bizagi, and treat each token as a secret: anyone who holds it can create, read, and deactivate users in that environment.

 

Bearer Token Generation

Open the Work Portal as a user with permissions to manage OAuth 2.0 Applications. Click the Admin menu and then open OAuth 2.0 Applications:

 

SCIM1

Add a new application by clicking the add button, then create it with the following properties:

Grant type: Bearer token

Allowed scope: API and USER SYNC

 

SCIM2

 

Copy the Client Secret: it is the token you will enter in Azure AD.

 

SCIM3

 

Azure AD Configuration

 

Prerequisites

Your Azure AD tenant must be licensed for a Premium edition.

You need a Global Administrator account in that tenant.

 

Provisioning

1. Open the Azure Portal as the global administrator, and access your Azure Active Directory.

2. Add a New Application.

 

SCIM4

 

Then select Add your own app, and select Non-gallery application.

 

SCIM5

 

 

 

3. Give your application a name. We recommend using meaningful names to your administrators, for example, [your_bizagi_project]-provisioning.

4. Access the Manage menu and click Provisioning.

5. Select Automatic Provisioning Mode.

6. Register the following Admin Credentials:

 

Tenant URL: Enter the Bizagi SCIM endpoint with this structure (note the trailing slash):

 [Your_Bizagi_Project]/scim/v2/

 Example: https://my-company.bizagi.com/scim/v2/

Secret token: The Client Secret generated in OAuth 2.0 Applications in the Bizagi Work Portal (the bearer token from the previous section).

 

SCIM6

 

7. Click Test Connection and wait for a confirmation message.

8. Save.

 

Attribute Mapping

You need to configure the mapping of user attributes between Azure AD and the WFUser table. To do so, open the Mappings option in the Provisioning module:

 

SCIM7

 

Click Synchronize Azure Active Directory Users to customappsso. Delete all the default attribute mappings and keep only the following:

 

Azure AD Attribute                                          | customappsso Attribute             | Observations
userPrincipalName                                           | userName                           | The user domain cannot exceed 25 characters; otherwise the user is not synchronized.
Switch([IsSoftDeleted], , "False", "True", "True", "False") | active                             | A non-active user is treated as non-existent and is therefore not synchronized.
userPrincipalName                                           | emails[type eq "work"].value       | Mandatory.
givenName                                                   | name.givenName                     | Mandatory.
surname                                                     | name.familyName                    |
Join(" ", [givenName], [surname])                           | name.formatted                     |
mobile                                                      | phoneNumbers[type eq "work"].value |


 

The configuration looks as follows:

 

SCIM8
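The following is an added example, not Bizagi or Microsoft code, that evaluates the mapping table above in Python: it builds the SCIM User that the Azure AD expressions produce for a given directory object and then applies the observations from the table (inactive users, the 25-character domain limit, and the mandatory work email and given name) to predict whether Bizagi would synchronize the user. The sample directory objects are constructed. Two points are assumptions rather than documented behaviour: that "user domain" means the part of the UPN after the @, and that the Join expression skips an empty surname.

```python
from __future__ import annotations

from typing import Any

MAX_DOMAIN_LEN = 25  # page: a user domain longer than this is not synchronized


def azure_switch_active(is_soft_deleted: Any) -> bool:
    """Evaluate Switch([IsSoftDeleted], , "False", "True", "True", "False").

    Azure AD sets IsSoftDeleted to "True" for an object in the recycle bin;
    the expression maps that to active=False and anything else to True.
    """
    return str(is_soft_deleted).strip().lower() != "true"


def azure_join_formatted(given: str, surname: str) -> str:
    """Evaluate Join(" ", [givenName], [surname]). Empty parts are skipped
    (assumption about the Azure expression) so a missing surname does not
    leave a trailing space in name.formatted."""
    return " ".join(part for part in (given, surname) if part)


def map_to_scim_user(azure: dict[str, Any]) -> dict[str, Any]:
    """Build the SCIM core User that the mapping table produces."""
    upn = azure.get("userPrincipalName") or ""
    given = azure.get("givenName") or ""
    surname = azure.get("surname") or ""
    user: dict[str, Any] = {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": upn,                                          # userPrincipalName -> userName
        "active": azure_switch_active(azure.get("IsSoftDeleted", "False")),
        "emails": [{"type": "work", "value": upn, "primary": True}],  # userPrincipalName -> emails[type eq "work"].value
        "name": {
            "givenName": given,
            "familyName": surname,
            "formatted": azure_join_formatted(given, surname),
        },
    }
    if azure.get("mobile"):
        user["phoneNumbers"] = [{"type": "work", "value": azure["mobile"]}]
    return user


def check_bizagi_constraints(user: dict[str, Any]) -> list[str]:
    """Apply the observations from the mapping table; an empty list means the
    user would be synchronized. 'User domain' is taken to be the part of
    userName after '@' (assumption about how Bizagi splits the UPN)."""
    problems: list[str] = []
    if not user.get("active", False):
        problems.append("inactive: treated as non-existent, not synchronized")
    _, sep, domain = user.get("userName", "").rpartition("@")
    if not sep or not domain:
        problems.append("userName has no domain part")
    elif len(domain) > MAX_DOMAIN_LEN:
        problems.append(f"domain '{domain}' is {len(domain)} characters, limit {MAX_DOMAIN_LEN}")
    work_mails = [e.get("value") for e in user.get("emails", []) if e.get("type") == "work"]
    if not any(work_mails):
        problems.append('emails[type eq "work"].value is mandatory')
    if not user.get("name", {}).get("givenName"):
        problems.append("name.givenName is mandatory")
    return problems


def sync_report(azure_users: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Classify directory objects into the users Bizagi would synchronize or skip."""
    report: dict[str, list[str]] = {"synchronized": [], "skipped": []}
    for azure in azure_users:
        scim_user = map_to_scim_user(azure)
        key = "synchronized" if not check_bizagi_constraints(scim_user) else "skipped"
        report[key].append(scim_user["userName"])
    return report


# Constructed sample directory objects (not real accounts).
SAMPLE_AZURE_USERS = [
    {"userPrincipalName": "alice@contoso.com", "givenName": "Alice", "surname": "Smith",
     "IsSoftDeleted": "False", "mobile": "+1 555 0100"},
    {"userPrincipalName": "bob@contoso.com", "givenName": "Bob", "surname": "Jones",
     "IsSoftDeleted": "True"},                                          # soft-deleted -> active=false
    {"userPrincipalName": "carol@a-very-long-subdomain.example-corporation.com",
     "givenName": "Carol", "surname": "Lee", "IsSoftDeleted": "False"},  # domain longer than 25 characters
    {"userPrincipalName": "dave@contoso.com", "givenName": "", "surname": "Ng",
     "IsSoftDeleted": "False"},                                         # missing mandatory givenName
]

if __name__ == "__main__":
    for azure in SAMPLE_AZURE_USERS:
        scim_user = map_to_scim_user(azure)
        print(scim_user["userName"], check_bizagi_constraints(scim_user) or "ok")
    print(sync_report(SAMPLE_AZURE_USERS))
```

Running it shows only alice being synchronized; bob is skipped because the Switch expression turned him inactive, carol because her domain exceeds 25 characters, and dave because name.givenName is empty. Running a check like this over an export of the users assigned to the provisioning app tells you in advance which accounts will silently fail to appear in WFUser.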

 

 

Considerations

Bizagi's SCIM endpoint is supported only with Azure AD.

Group and role synchronization is not supported.

To delete a user, update the user and set the active attribute to false; the Switch([IsSoftDeleted], ...) mapping above produces exactly this update when the user is soft-deleted in Azure AD.

The first time you synchronize users using the SCIM protocol, you have to restart your Bizagi BPM server.