Articles
Articles
Articles
Start typing to search…

SCIM User Provisioning

Learn how to leverage the Starmind Entra Gallery app to setup Starmind automatic user management in minutes

Starmind supports System for Cross-domain Identity Management (SCIM 2.0) provisioning with Azure Entra ID (former Azure Active Directory). The SCIM protocol simplifies the process of creating and managing user accounts in Starmind. When you add, update, or remove users in Entra ID, SCIM automatically propagates these changes to the configured Starmind network.

Requirements

  1. Your Identity Provider is Azure Active Directory.
  2. Users in your Active Directory have the following properties:
    1. Email (the matching attribute)
    2. First Name
    3. Last Name

Configuration

Here is Microsoft tutorial: Configure Starmind for automatic user provisioning

To configure SCIM provisioning, you will need an API key, which you can receive from your Solution Architect.

  1. Sign in to the Azure Portal. In Entra ID, select Enterprise Application, then select All applications.
  1. Select New application.
  1. Search for Starmind
  1. Click Create.
  2. Select Provisioning.
  1. Select Get started.
  1. Select Provisioning Mode -> Automatic.
  1. Under the Admin Credentials section, input the SCIM Base URL for your network in Tenant URL and the API key provided by Starmind in secret token. Click Test Connection to ensure that Entra ID can connect to Starmind. If the connection fails, ensure that your provided credentials are correct or get in touch with your Solution Architect.

Tenant URL: https://<the-network-subdomain>.starmind.com/accounts/api/v1/scim
Secret Token: ApiKeyprovided by Starmind

  1. In the Settings -> Notification Email field, enter the email address of a person or group who should receive the provisioning error notifications and check the Send an email notification when a failure occurs box.
  1. Click Save.
  2. Under the Mappings section, select Provision Azure Active Directory Users.
  1. The attribute mapping can now be configured.

  • Set Enabled to Yes.

  • Disable/enable target object actions (actions on users.) based on your requirements. We commended the following configuration, which will create, update and deactivate users on Starmind but never delete / anonymize them. For information can be found in the user deprovisioning section.

  • In the Attribute Mapping table, search for the userPrincipalName attribute in the left column and click on it. A form will show the details of this attribute. SelectMatch objects using this attribute -> No and click OK.

  • In the Attribute Mapping table, search for the mail attribute in the left column and click on it. Select Match objects using this attribute -> Yes, enter Matching precedence -> 1 and click OK.

  • Configure the remaining Attribute Mapping. This image and table below, demonstrate the correct attribute mapping for Starmind.

Starmind Attribute (SCIM)Microsoft Entra ID Attribute
userNameuserPrincipalName
emails[type eq "work"].valuemail
activeNot([IsSoftDeleted])
titlejobTitle
name.givenNamegivenName
name.familyNamesurname
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organizationcompanyName
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:divisionemployeeOrgData.division
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:departmentdepartment
urn:starmind:params:scim:schemas:extension:entraIdWorkaround:2.0:User:managerIdmanager
addresses[type eq "work"].countryusageLocation
addresses[type eq "work"].regionstate
addresses[type eq "work"].localitycity
  • Save all changes.
  • To enable the Entra ID provisioning service for Starmind, change the Provisioning Status to On in the Settings section.
  • Define the users that you would like to provision to Starmind by choosing the desired values in Scope in the Settings section.
  • When you are ready to provision, click Save.

User initial provisioning

This operation starts the initial synchronization of assigned users defined in Scope in the Settings section. The initial sync takes longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the Entra ID provisioning service is running. You can use the Synchronization Details section to monitor progress and follow links to the provisioning activity report, which describes all actions performed by the Entra ID provisioning service on Starmind.

User deprovisioning

Users and groups can be deprovisioned by removing them from the Scope in the Settings section. This immediately deactivates the affected users in Starmind. Deactivated users can no longer sign in.

If a user is disabled in Entra ID, the user is automatically deactivated in Starmind, provided the Target Object Action Update is enabled. Note that a user is always disabled in Entra ID when the account is deleted.

If a user is deleted in Entra ID and the Target Object Action Delete is configured, the user is permanently removed from Starmind through anonymization. This action is irreversible.

Further resources

System for Cross-domain Identity Management (SCIM) explained by Microsoft

SCIM 2.0 standard

Addendum

Notes on Attribute mappings

  • addresses[type eq "work"].countryhas to be mapped to usageLocationand not country because according to the SCIM spec, it needs to be a ISO 3166-1 alpha-2 country code. By default, Entra ID'scountry attribute is the full country name.
  • urn:starmind:params:scim:schemas:extension:entraIdWorkaround:2.0:User:managerId is a custom Starmind schema attribute used as a workaround for urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager.value. This is necessary because Microsoft Entra ID does not support writing to complex or multiValued SCIM attributes such as manager. See: Microsoft Q&A.

Updated 22 days ago