The SCIM (System for Cross-domain Identity Management) protocol automates user management, reducing manual tasks and errors. It also facilitates real-time access synchronization, improving the security and efficiency of identity processes.
Discover the different steps involved in setting it up with Azure AD / Entra ID.
Prerequisites
Private SSO required
Team Monoconsole
Azure AD or Okta, or via an available API, full details HERE
A configuration session will be scheduled with Klaxoon technical teams
Configuration
1. Add Klaxoon to Microsoft Entra ID
Log in to the Microsoft Azure portal with an administrator account.
Go to Identity > Applications > Enterprise applications > New application
Click on “New application”.
In the search bar, enter “Klaxoon” and choose Klaxoon SAML
Rename the application to Klaxoon SCIM (or any other name of your choice), then click on Create to create the application.
2. Configure provisioning
A configuration session should be scheduled with Klaxoon's technical teams. Synchronization tests will then be carried out (in both pre-production and production phases). Once these tests have been completed, the SCIM protocol will be operational.
Go to Provisioning
Then click on “Get started”.
Then select “Automatic” mode
Enter the tenant URL and secret token supplied by Klaxoon
Perform a connection test and click on “Save” in the top left-hand corner.
Then access the “Mapping” menu
Click on “Provision Microsoft Entra ID Groups” to associate the license field.
Add a new Mapping.
Edit the attribute and select “Expression” in “Mapping type”.
Depending on the group's Object ID, the expression sets the license field to TRUE or FALSE:
if the value is FALSE, it's an account without a license
if the value is TRUE, it's a licensed account
Set up the groups:
a group for Free users (all users)
a specific group for users with a Pro license only
Retrieve the Object ID of these groups and build the expression on this model:
Switch([objectId], "false", "Object_ID_groupe_des_PROs", "true", "Object_ID_groupe_des_FREEs", "false")
Select the following Target attribute:
Finally, click on “Ok”.
Then save by clicking on “Save” in the top left-hand corner.
From the overview, go to “Users and groups”.
There, attach the groups.
Choose the Free and Pro user groups, then assign them.
Finally, start provisioning.
Account provisioning will take a variable amount of time, depending on the number and velocity of Entra IDs.
3. How it works
Synchronization cycle:
Microsoft Entra synchronizes every 40 minutes
When a license is downgraded, the user is automatically removed from the “Pro” group within 24 hours.
License management:
Licenses are allocated exclusively via Microsoft Entra
The console is now read-only, so administrators can continue to consult statistics and transfer ownership of an activity from one user to another.
Specific points:
Take into account delays linked to Microsoft Entra's synchronization velocity
Avoid synchronization of external or unauthorized domain names
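One way to act on the last point before attaching the Free and Pro groups: the example below is added here (it is not Klaxoon or Microsoft code) and checks exported group members for guest accounts and for domains outside an allowlist. It assumes each member record carries the Microsoft Graph user properties userPrincipalName and userType; the allowlist, the function names and the sample accounts are constructed for illustration.

```python
# Added example; the allowlist and all sample accounts are constructed.
ALLOWED_DOMAINS = {"example.com"}  # assumption: the tenant's authorized domains

def upn_domain(upn):
    """Return the lower-cased domain part of a userPrincipalName."""
    return upn.rsplit("@", 1)[-1].lower() if "@" in upn else ""

def audit_member(user, allowed_domains=ALLOWED_DOMAINS):
    """Return the reasons this account should stay out of the sync scope."""
    upn = user.get("userPrincipalName") or ""
    reasons = []
    if (user.get("userType") or "Member").lower() == "guest":
        reasons.append("guest account")
    if "#ext#" in upn.lower():
        reasons.append("external identity (#EXT# in UPN)")
    domain = upn_domain(upn)
    if domain not in allowed_domains:
        reasons.append("domain not authorized: " + (domain or "<none>"))
    return reasons

def audit_groups(groups, allowed_domains=ALLOWED_DOMAINS):
    """Map each group name to {UPN: reasons} for members that fail the audit."""
    report = {}
    for name, members in groups.items():
        flagged = {}
        for user in members:
            reasons = audit_member(user, allowed_domains)
            if reasons:
                flagged[user.get("userPrincipalName") or "<missing UPN>"] = reasons
        report[name] = flagged
    return report

# Constructed members of the two groups this page assigns to the application.
SAMPLE_GROUPS = {
    "Free": [
        {"userPrincipalName": "alice@example.com", "userType": "Member"},
        {"userPrincipalName": "bob_partner.test#EXT#@example.onmicrosoft.com",
         "userType": "Guest"},
        {"userPrincipalName": "carol@Example.com", "userType": None},
    ],
    "Pro": [
        {"userPrincipalName": "dave@legacy.example.org", "userType": "Member"},
    ],
}

if __name__ == "__main__":
    for group, flagged in audit_groups(SAMPLE_GROUPS).items():
        for upn, reasons in flagged.items():
            print(f"{group}: {upn}: {'; '.join(reasons)}")
```

An empty report for both groups means every member is an internal account on an authorized domain; any flagged account can be removed from the group before provisioning is started.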
If you'd like to find out more about the available integrations, check out the resources on this link.