Using SCIM 2.0 and SAML 2.0 to configure a connection to Microsoft Entra ID for user provisioning

You can use the System for Cross-domain Identity Management (SCIM) protocol to provision Application Security with user accounts from Microsoft Entra ID. The tasks below are required to use this feature and must be performed in the order shown; each task points to the documentation that describes it in detail.

1. Enable SCIM from Application Security.

   For details: Enabling SCIM for provisioning of externally managed users and groups

2. In Microsoft Entra, go to Microsoft Entra ID and create an enterprise application. When Entra ID prompts you to indicate what you want to do with the new application, select the Integrate any other application you don't find in the gallery (Non-gallery) option.

   For details: Microsoft Entra ID documentation

3. From Entra ID, assign users and groups to the new application.

   For details: Microsoft Entra ID documentation

4. From Entra ID, provision the application. Note the following:

   • Set Provisioning Mode to Automatic.

   • For the Tenant URL value, use the Application Security URL with the following string appended: /api/scim/v2?aadOptscim062020

     /api/scim/v2 is the path of the Application Security SCIM endpoint. The aadOptscim062020 query parameter switches the Entra ID provisioning client to its SCIM 2.0-compliant behavior; without it, Entra ID sends requests that deviate from the SCIM 2.0 specification.

   • For the Secret Token value, use the token you created in Application Security (SCIM Token; see Enabling SCIM for provisioning of externally managed users and groups). Treat this token as a credential: it is a bearer token that authorizes every provisioning request Entra ID sends to Application Security.

   For details: Microsoft Entra ID documentation

5. From Entra ID, change the attribute mappings for the data flow between Entra ID and Application Security. Delete all but the following user attribute mappings (for groups, change no attribute mappings):

   • userName

   • active

   • emails[type eq "work"].value

   • name.givenName

   • name.familyName

   • externalId

   Keep the target attribute names exactly as shown: emails[type eq "work"].value uses the SCIM filter syntax (eq, not eg) to select the work address, and externalId is the SCIM attribute to which Entra ID maps the user's objectId by default.

   Ensure that you move the Provisioning Status toggle to On.

   For details: Microsoft Entra ID documentation

6. Entra ID signs the SAML metadata and assertions it issues. For Application Security to verify those signatures, you must download the SAML signing certificate from Entra and import it into the keystore used by the SSO SAML configuration (SAML keystore location).

   In Entra, go to the enterprise application you created. On the SAML-based Sign-on page, download the signing certificate, and then import it into the keystore. This certificate expires (Entra ID issues it with a three-year validity by default); when you roll it over in Entra, import the new certificate into the keystore before the old one expires, or signature verification and sign-on will fail.

   For details: Microsoft Entra ID documentation; Configuring Application Security to work with SAML 2.0-compliant single sign-on

7. Set up SAML single sign-on from Application Security.

   For details: Configuring Application Security to work with SAML 2.0-compliant single sign-on

8. Acquire the metadata XML file from Application Security and save it locally. This file can be accessed only if SAML SSO is enabled in Application Security and has initialized successfully:

   <hostname>:<port>/<app_context>/saml/<metadata>

   In Entra, upload the saved metadata file, and then complete the SAML single sign-on setup using the data from the uploaded metadata file.

   For details: Microsoft Entra ID documentation

9. From Application Security, assign roles and application versions to externally managed users and groups.

   For details: Viewing externally managed users and groups
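As an added example for the SCIM provisioning tasks above (this is illustrative code, not code from the Application Security or Entra ID documentation), the Python below builds the Tenant URL from an Application Security base URL, resolves the SCIM attribute paths kept in the mapping list, including the filter form emails[type eq "work"].value, compares a configured mapping list with the required one, and validates a constructed SCIM user resource of the kind Entra ID POSTs under those mappings. The base URL, the sample user values and all function names are assumptions made for this example.

```python
"""Added example, not code from the Application Security or Entra ID documentation.

Models the SCIM 2.0 user resource that Entra ID sends under the six attribute
mappings kept in the procedure above, and checks the Tenant URL and mapping
list before Provisioning Status is switched on. Base URL, sample values and
function names are assumptions made for this example.
"""
import re
from urllib.parse import urlsplit, urlunsplit

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATH = "/api/scim/v2"              # Application Security SCIM endpoint path
ENTRA_OPT_IN_FLAG = "aadOptscim062020"  # opts Entra into SCIM 2.0-compliant behaviour

# The only user attribute mappings that should remain after the mapping step.
REQUIRED_MAPPINGS = frozenset({
    "userName",
    "active",
    'emails[type eq "work"].value',
    "name.givenName",
    "name.familyName",
    "externalId",
})

# Matches the SCIM filtered multi-valued path form: attr[sub eq "value"].field
_FILTER_PATH = re.compile(r'^(\w+)\[(\w+) eq "([^"]*)"\]\.(\w+)$')


def tenant_url(app_url: str) -> str:
    """Build the Entra Tenant URL value from the Application Security base URL.

    Refuses plain http: the Secret Token travels as a bearer token on every
    provisioning request and must only be sent over TLS.
    """
    parts = urlsplit(app_url.rstrip("/"))
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"expected an https URL, got {app_url!r}")
    path = parts.path.rstrip("/") + SCIM_PATH
    return urlunsplit((parts.scheme, parts.netloc, path, ENTRA_OPT_IN_FLAG, ""))


def check_mappings(target_attributes) -> dict:
    """Compare the configured Entra target attributes with the required six.

    A typo such as externalID (capital D) shows up as one extra and one
    missing mapping, which is how a wrong mapping looks in practice.
    """
    configured = set(target_attributes)
    return {
        "missing": sorted(REQUIRED_MAPPINGS - configured),
        "extra": sorted(configured - REQUIRED_MAPPINGS),
    }


def resolve(resource: dict, path: str):
    """Resolve a SCIM attribute path against a resource.

    Handles the dotted form (name.givenName) and the filtered multi-valued
    form (emails[type eq "work"].value). Returns None when nothing matches.
    """
    match = _FILTER_PATH.match(path)
    if match:
        attr, key, wanted, field = match.groups()
        for item in resource.get(attr) or []:
            if isinstance(item, dict) and item.get(key) == wanted:
                return item.get(field)
        return None
    node = resource
    for part in path.split("."):
        if not isinstance(node, dict):
            return None
        node = node.get(part)
    return node


def validate_user(resource: dict) -> list:
    """Return the problems a SCIM endpoint should reject this resource for."""
    problems = []
    if SCIM_USER_SCHEMA not in (resource.get("schemas") or []):
        problems.append("missing core User schema")
    for path in REQUIRED_MAPPINGS:
        if resolve(resource, path) in (None, ""):
            problems.append(f"{path} is absent")
    if not isinstance(resource.get("active"), bool):
        problems.append("active must be a boolean")
    return sorted(problems)


# Constructed sample of the resource Entra ID POSTs to <tenant URL>/Users for
# a newly assigned user under these mappings (values invented for the example).
SAMPLE_USER = {
    "schemas": [SCIM_USER_SCHEMA],
    "externalId": "3f2504e0-4f89-41d3-9a0c-0305e82c3301",  # Entra objectId
    "userName": "jane.doe@example.com",                    # userPrincipalName
    "active": True,
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"type": "work", "primary": True, "value": "jane.doe@example.com"}],
}

if __name__ == "__main__":
    print(tenant_url("https://appsec.example.com"))
    print(check_mappings(list(REQUIRED_MAPPINGS - {"externalId"}) + ["externalID"]))
    print(validate_user(SAMPLE_USER))
```

Running the module prints the Tenant URL for the assumed base URL, shows how the externalID typo is reported as one extra and one missing mapping, and confirms the sample user resolves every required path. A deactivated user (active set to false) still validates, because Entra ID expresses deprovisioning by flipping that boolean rather than deleting the user.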