Configuring SCIM for SugarIdentity With Azure

Overview

For instances that use SugarIdentity, the administrator can configure SCIM (System for Cross-domain Identity Management) for Microsoft Azure, which will allow user identity information (e.g., phone number, address) to automatically sync from Azure to SugarIdentity. This article covers how to configure SCIM for Azure.

Supported Provisioning Features

The following provisioning features in Azure are supported for SugarIdentity:

  • Create Users: New users created in Azure will be automatically created in SugarIdentity.
  • Update User Attributes: Changes made to the user's attributes in Azure will be pushed to SugarIdentity to update the corresponding user record. Custom attributes are not supported.
  • Deactivate Users: Deactivating a user in Azure will automatically update the user's status to "Inactive" in SugarIdentity.
  • Delete User: Deleting a user in Azure will delete the user's record in SugarIdentity.

Note: Group push and password sync are not supported.
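To make the four supported features concrete, the following added example (not code from the article, Azure or SugarCRM) builds the SCIM 2.0 (RFC 7644) requests an identity provider issues for each one. The Tenant URL and Secret token are constructed placeholders, and the paths and payloads follow the SCIM standard rather than anything the article specifies about Azure's or SugarIdentity's implementation.

```python
"""Added example: the supported provisioning features as SCIM 2.0 requests.
Tenant URL and Secret token are constructed placeholders; every call carries
the Secret token as an HTTP Bearer credential, which is why it must be
handled like a password."""

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


class ScimClient:
    """Builds the requests an IdP sends to a SCIM endpoint (no network I/O)."""

    def __init__(self, tenant_url, secret_token):
        self.base = tenant_url.rstrip("/")
        self.token = secret_token

    def _request(self, method, path, body=None):
        # The Secret token configured in step 7 becomes the Bearer credential.
        headers = {"Authorization": f"Bearer {self.token}",
                   "Accept": "application/scim+json"}
        if body is not None:
            headers["Content-Type"] = "application/scim+json"
        return {"method": method, "url": self.base + path,
                "headers": headers, "body": body}

    def create_user(self, user_name, given, family, email):
        # "Create Users": POST /Users with a core User resource.
        return self._request("POST", "/Users", {
            "schemas": [USER_SCHEMA], "userName": user_name, "active": True,
            "name": {"givenName": given, "familyName": family},
            "emails": [{"value": email, "type": "work", "primary": True}]})

    def update_attribute(self, user_id, path, value):
        # "Update User Attributes": PATCH with a replace operation.
        return self._patch(user_id, [{"op": "replace", "path": path, "value": value}])

    def deactivate_user(self, user_id):
        # "Deactivate Users": PATCH active=false; the record stays, marked Inactive.
        return self._patch(user_id, [{"op": "replace", "path": "active", "value": False}])

    def delete_user(self, user_id):
        # "Delete User": DELETE removes the record entirely.
        return self._request("DELETE", f"/Users/{user_id}")

    def _patch(self, user_id, operations):
        return self._request("PATCH", f"/Users/{user_id}",
                             {"schemas": [PATCH_SCHEMA], "Operations": operations})
```

There is deliberately no Groups method: group push is not supported, which is why step 9 disables group provisioning on the Azure side.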

Prerequisites

Steps to Complete

Use the following steps to configure SCIM for Azure:

  1. First, log in to Sugar and navigate to Admin > SugarIdentity, then click "SCIM Settings" from the home page. On the SCIM Settings page, click the Create Client button to generate and obtain the "Server URL" and "Bearer Token" values, which are required to complete step 7 below.
    Note: For Sugar versions 13.0 and lower, navigate to Admin > SugarCloud Settings instead.
  2. Next, navigate to https://portal.azure.com/ in your web browser and log in with your Azure admin credentials.
  3. Select "Enterprise applications" under Azure services on the home page, then click the "+ New application" button on top of the following page.
  4. On the app gallery page, click "+ Create your own application", then enter an application name (e.g., SCIM SugarCRM Connector) of your choice. Click the Create button.
  5. On your new application page, click the Manage option on the left tree menu and select "Provisioning".
  6. On the provisioning page, click the "Connect your application" link.
  7. On the new provisioning configuration page, enter the "Server URL" and "Bearer Token" values obtained from SugarIdentity in step 1 above to populate the "Tenant URL" and "Secret token" in Azure, then click "Test connection". Once the test connection is successful, click "Create" at the bottom of the page.
    • Tenant URL: Enter the Server URL value from SugarIdentity.
    • Secret Token: Enter the Bearer Token value from SugarIdentity.
  8. Next, click the Attribute mapping (Preview) option on the left tree menu, then select "Provision Microsoft Entra ID Groups".
  9. Toggle the Enabled option to "No" to disable the Provision Microsoft Entra ID Groups, then click "Save".
  10. Next, select the Provision Microsoft Entra ID Users option on the Attribute Mapping page (step 8), and delete the "physicalDeliveryOfficeName" attribute mapping. Click "Save".
  11. Assign the new SCIM application to your Azure users to have changes in the users' records sync to SugarIdentity. For information on assigning applications to users in Azure, refer to this article on the Microsoft website.
  12. Finally, on your new application page, click the Overview (Preview) option on the left tree menu. Click "Start provisioning" at the top of the page, then click "Yes" to confirm. Please note that it may take some time for the users to appear in SugarIdentity.

Application

Once the new SCIM application has been provisioned and assigned to your Azure users, the users' identity information (e.g., name, address, email) will be automatically synced to SugarIdentity, and new user records will be created for any users that do not already exist. Going forward, changes made to the assigned users' records in Azure will sync to SugarIdentity.