This document describes in detail how users and groups from an existing identity management system (IDM) can be provisioned automatically into SIGNL4 via SCIM.
Configuration in SIGNL4
- Open the Settings menu item and scroll to the “SCIM User Provisioning” tile.
- Enable the “Enable user/team provisioning via SCIM” option.
- Then press Save. An API key will now be generated, which you must note down together with the SCIM endpoint URL and configure later in your IDM system.
Configuration settings
| Setting | Description |
| --- | --- |
| Enable user/team provisioning via SCIM | Enables automatic user/team provisioning in SIGNL4 via SCIM. An existing SCIM-enabled IDM system can then automatically create, modify, and remove users/teams in SIGNL4. |
| Do not create groups as individual SIGNL4 teams | When groups in the identity management system (IDM) are included in SCIM provisioning for SIGNL4, they are automatically created as teams in SIGNL4; the members of these groups also become members of the corresponding teams in SIGNL4. If this behavior is not desired, for example because the existing groups in the IDM system cannot be meaningfully mapped to teams in SIGNL4, this option can be enabled. In this case, all users, regardless of their group memberships, are provisioned into a single team in SIGNL4 (name: “SCIM Synchronized”). From there, they can be distributed manually to teams that are managed exclusively in SIGNL4. |
| Allow editing of synchronized phone numbers | If this option is enabled, user phone numbers can also be entered manually in SIGNL4. This is useful if phone numbers are available in the IDM system but are not up to date, or if users change devices at very short notice but new phone numbers can only be stored in the IDM system after a lengthy process. |
| SCIM endpoint URL | This field displays the URL of the SIGNL4 SCIM endpoint. Enter this URL in the SCIM configuration of the SIGNL4 application in your identity management system. |
| SCIM endpoint authentication key* | The authentication key is generated after saving the configuration. It must be configured together with the endpoint URL in the SCIM settings of the SIGNL4 application in your identity management system. |
* SIGNL4 currently only supports bearer token authentication. The token is effectively valid indefinitely and must be manually renewed by the administrator on a regular basis in accordance with internal company procedures.
Configuration for synchronizing users/groups in the IDM system using Microsoft EntraID as an example
The following configuration instructions are to be carried out by EntraID administrators. They explain how EntraID users can be synchronized with SIGNL4 on a group basis. The synchronization target in SIGNL4 is regular users and, optionally, teams.
Create an enterprise application
- Open EntraID and navigate to “Enterprise application.”
- Click on “New application” to create SIGNL4 as a new application in EntraID to which users/groups are to be transferred.
- On the following page, click on “Create your own application.”
- Enter a name for the application, e.g., “SIGNL4 PROD,” and ensure that “Integrate any other application you don't find in the gallery (Non-gallery)” is selected.
- Now press “Create” to create the application.
Configuring the Enterprise application
- Once the enterprise application has been created, its details will be displayed. Now click on "Provisioning" in the menu.
- Now click on “Connect your application” on the “Get started” page that appears.
- On the page that appears, enter the SCIM endpoint URL and the SCIM authentication key from SIGNL4. Make the following settings:
- Select authentication method: Bearer Authentication
- Tenant URL: the SCIM endpoint URL
- Secret token: the SCIM authentication key
- By clicking on the “Test connection” button, you can test whether EntraID can access the SCIM endpoint of SIGNL4. If a success message is displayed, the configuration can be saved in the last step.
Configure entities and attribute mappings to be transferred
Next, the mapping can be set in the “Provisioning” menu of the enterprise application. It is possible to transfer only Microsoft EntraID users or also Microsoft Entra ID groups to SIGNL4.
If only users are transferred, a central team is created in SIGNL4, to which all users received from EntraID are added. The SIGNL4 application owner can then move these users to specially created SIGNL4 teams.
When users and groups are transferred, each group transferred from Entra ID to SIGNL4 is created as a team in SIGNL4 by default, and the group members are also transferred as team members.
User mapping
- Under Mappings, click “Provision Microsoft Entra ID Users.”
- Ensure that “Enabled” is activated and, if necessary, adjust the Source Object Scope if only certain users of EntraID are to be included.
- Also ensure that the target object actions “Create,” “Update,” and “Delete” are enabled.
- The user attributes supported or required by SIGNL4 are listed in the table below. It also describes how SIGNL4 uses the corresponding value, so you can better assess which Microsoft Entra object attributes to map to these user attributes supported by SIGNL4
| SIGNL4 user attribute | Description | Typical Entra ID attribute |
| --- | --- | --- |
| userName | Can be used to identify the user. Not currently in use; intended for future use. | userPrincipalName |
| active | Determines whether the user is disabled in SIGNL4. | Switch([IsSoftDeleted], , "False", "True", "True", "False") |
| displayName | User display name in SIGNL4. | displayName |
| emails[type eq "work"].value | User's email address. Used to send emails to the user and, depending on the login procedure used in SIGNL4, also the username that must be used when logging in to SIGNL4. | |
| preferredLanguage | Display language of the SIGNL4 web portal for this user. | preferredLanguage |
| phoneNumbers[type eq "mobile"].value | The user's phone number, used for alerts via SMS/RCS and voice calls. | mobile |
| externalId | The unique object ID in the IDM system; used during SSO login to identify this user. | objectId |
| timezone | The user's time zone. If this field is not mapped, it is determined from the device the user uses to log in. The data format must be an IANA time zone. | europe/berlin |
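The mapping table above, worked through in code. This is an added example, not SIGNL4's or Microsoft's code: it applies each row of the table to a constructed Entra-style record to build the SCIM User resource the IDM would send to the endpoint, re-implements the Switch() expression used for the active attribute, and resolves SCIM filtered paths such as emails[type eq "work"].value. It goes slightly beyond the table by also emitting a roles attribute, which the stakeholder section of this page uses. Assumptions: the table does not name the Entra attribute behind the e-mail, so `mail` is assumed here; the shape of `appRoleAssignments` and the function names are the example's own.

```python
import re

# Constructed sample of the source attributes Entra ID exposes for one user
# (not real data; attribute names follow the mapping table, 'mail' is assumed).
ENTRA_USER = {
    "userPrincipalName": "jane.doe@example.com",
    "IsSoftDeleted": "False",
    "displayName": "Jane Doe",
    "mail": "jane.doe@example.com",
    "preferredLanguage": "de",
    "mobile": "+49 170 0000000",
    "objectId": "00000000-0000-4000-8000-000000000001",
    "appRoleAssignments": ["S4Stakeholder"],   # assumed shape, see stakeholder section
}


def switch(value, default, *pairs):
    """Mirror of the Entra ID expression Switch(source, default, key1, value1, ...):
    returns the value paired with the first matching key, else the default."""
    mapping = dict(zip(pairs[0::2], pairs[1::2]))
    return mapping.get(value, default)


def build_scim_user(src, timezone="Europe/Berlin"):
    """Apply the mapping table to one source record and return the SCIM User
    body (RFC 7643 core schema) that the IDM would POST/PUT to the endpoint."""
    # active <- Switch([IsSoftDeleted], , "False", "True", "True", "False")
    active = switch(src["IsSoftDeleted"], "", "False", "True", "True", "False")
    # The page requires an IANA zone; this checks the Area/Location form only.
    if not re.fullmatch(r"[A-Za-z_]+(/[A-Za-z0-9_+\-]+)+", timezone):
        raise ValueError(f"timezone must be an IANA name such as Europe/Berlin: {timezone!r}")
    user = {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": src["userPrincipalName"],
        "active": active == "True",
        "displayName": src["displayName"],
        "emails": [{"type": "work", "value": src["mail"], "primary": True}],
        "preferredLanguage": src["preferredLanguage"],
        "phoneNumbers": [{"type": "mobile", "value": src["mobile"]}],
        "externalId": src["objectId"],
        "timezone": timezone,
    }
    # Stakeholder mapping: app role assignments are carried in the 'roles' attribute.
    if src.get("appRoleAssignments"):
        user["roles"] = [{"value": role} for role in src["appRoleAssignments"]]
    return user


# attr[filterAttr eq "filterValue"].subAttr, each part optional after attr
_PATH = re.compile(r'^(\w+)(?:\[(\w+) eq "([^"]*)"\])?(?:\.(\w+))?$')


def get_path(resource, path):
    """Resolve a SCIM attribute path such as emails[type eq "work"].value against
    a resource dict; returns None when no element matches the filter."""
    match = _PATH.match(path)
    if not match:
        raise ValueError(f"unsupported SCIM path: {path}")
    attr, filter_attr, filter_value, sub_attr = match.groups()
    value = resource.get(attr)
    if filter_attr is not None:
        if not isinstance(value, list):
            return None
        hits = [v for v in value if isinstance(v, dict) and v.get(filter_attr) == filter_value]
        if not hits:
            return None
        value = hits[0]
    if sub_attr is not None:
        return value.get(sub_attr) if isinstance(value, dict) else None
    return value


if __name__ == "__main__":
    import json
    print(json.dumps(build_scim_user(ENTRA_USER), indent=2))
```

Running the module prints the SCIM User body for the constructed record; get_path is what a receiving side uses to read the filtered attributes from the table (the e-mail and the mobile number) regardless of how many entries the multi-valued attribute carries.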
Group mapping
- Under Mappings, click on “Provision Microsoft Entra ID Groups.”
- Ensure that “Enabled” is selected and, if necessary, adjust the Source Object Scope if only certain Entra ID groups are to be included.
- Also ensure that the Target Object Actions “Create,” “Update,” and “Delete” are selected.
- The group attributes supported or required by SIGNL4 are listed in the table below. It also describes how SIGNL4 uses the corresponding value so that you can better assess which Microsoft Entra object attributes to map to these group attributes supported by SIGNL4.
| SIGNL4 group attribute | Description | Typical Entra ID attribute |
| --- | --- | --- |
| displayName | Display name of the team in SIGNL4. | displayName |
| externalId | Used to uniquely identify the group in SIGNL4. | objectId |
| members | Team members in SIGNL4. | members |
| description | Description (e.g., responsibility) of the team in SIGNL4. | description |
- Save your mapping to complete this configuration.
- If an attribute is not yet defined in the attribute schema, meaning it cannot be selected as a mapping target, simply click on “Show advanced options” in the attribute mapping and then on “Edit attribute list for customappsso.” You can then add new attributes in the editor, to which EntraID schema attributes can then be mapped.
Select groups to transfer
Finally, you must select which groups should be transferred to SIGNL4.
Individual users cannot be transferred to SIGNL4; all users to be synchronized must be members of groups and these groups must be assigned for provisioning. Details can be found in FAQ point 4.
In the “Provisioning” menu item of the Enterprise Application, we recommend selecting “Sync only assigned users and groups” as the scope under Settings and, in any case, not transferring the entire directory immediately.
Next, click on “Users and Groups” in the Enterprise Application menu and add the groups to be transferred. In the example below, two groups are transferred, with one user being a member of both groups.
Start SCIM Provisioning
The SCIM provisioning can then be started. To do this, click on “Start provisioning” in the Overview area of the Enterprise Application.
On the same page, in the Provisioning Details area, you can see whether the provisioning has already been completed and what the results were.
In SIGNL4, as soon as Entra ID has performed a transfer, information about the transfer process and the results can also be found in the Audits section in SIGNL4.
Configuration for synchronizing stakeholders in the IDM system using Microsoft Entra ID as an example
The following configuration instructions are to be carried out by Entra ID administrators. They explain how Entra ID users can be synchronized with SIGNL4 on a group basis. The synchronization target in SIGNL4 is stakeholders.
1. App registration
Create the S4Stakeholder app role under App roles of the app registration:
(https://entra.microsoft.com/#view/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/~/AppRoles/appId/cedfd648-f378-40f8-a579-88b9da529966/isMSAApp~/false)
2. User mapping
- Under “Show advanced options,” edit the attribute list and create a “roles” attribute.
- Add a mapping from the expression AppRoleAssignmentsComplex([appRoleAssignments]) to roles.
3. Group assignment
Assign a group with the S4Stakeholder role to the application.
Frequently Asked Questions
Will existing users who were created manually in SIGNL4 and do not exist in the IDM system be deleted during the transfer?
- No, these users remain in the system. SIGNL4 allows teams and users that are not SCIM-managed to remain in the system. Only users/groups set up by the IDM system via SCIM are managed automatically.
- SIGNL4 can recognize and adopt existing users. This recognition is based solely on the user's email address. For example, if a user with the email address “john.doe@company.com” already exists in SIGNL4 and a SCIM user arrives whose email (the value of emails[type eq "work"].value) is also “john.doe@company.com”, the existing user is simply taken over into the SCIM synchronization.
- This means that the user's property values are updated with the values received via SCIM. Which properties these are depends on the configured mapping; typically this affects the name and possibly the language or the phone number. It may be necessary for the user to revalidate their phone number afterwards.
- All other user data, such as scheduled shifts, is not changed. Likewise, the user's login method is not changed as part of the SCIM synchronization.
What happens if there are not enough user licenses available in SIGNL4?
- If more users are to be provisioned in SIGNL4 than there are licenses available, only the number of users licensed in SIGNL4 will be synchronized. The remaining users will be skipped and not processed in SIGNL4. Detailed information on this is displayed in the SIGNL4 audit logs after each synchronization.
Why do users have to validate their phone number even though it was imported via SCIM?
- This is necessary to ensure that the user can actually be alerted. Often, data in the IDM system is not kept up to date, or the user has a configuration on their device that blocks SMS messages, etc. SIGNL4 also verifies support for the user's respective carrier.
Why can only groups and not individual users be provisioned with SIGNL4?
- The reason is that, for individual users, it is not possible to clearly distinguish whether the user
- a) has been marked for deletion in the directory (left the organization), i.e., a “soft delete,”
- b) is temporarily deactivated (e.g., parental leave), or
- c) has changed roles within the organization and therefore needs to be removed from the application completely.
- Entra ID, for example, initially sends the same notification to SIGNL4 in case a) as in case c). In order to remove the user from SIGNL4 reliably and immediately in case c), group memberships are used instead: if a user is no longer present in any synchronized group, they are removed from SIGNL4, i.e., the application is reliably revoked.
- In case c), Entra ID never sends a “final delete,” so the application could never be revoked from the user automatically.
- In the following Entra ID example, the user “René Bormann” is only provisioned in SIGNL4 if he is a member of at least one of the groups “SCIM Office Management” and “SCIM Billing.” Otherwise, the direct user assignment is rejected by SIGNL4.
When is a user removed from SIGNL4 because the application is to be withdrawn (e.g., change of role in the organization)?
- To revoke the user's access to the application, they must be removed from all groups provisioned in SIGNL4. Once they are no longer present in any of the groups assigned to the application, they are removed from SIGNL4.
When is a user removed from SIGNL4 because they have left the organization and been deleted from the IDM system?
- In this case, the user is deleted from SIGNL4 when the IDM system transmits this deletion to SIGNL4.
- In the case of Entra ID, this only happens after a certain waiting period, to prevent accidental data loss and to allow the user to be restored if necessary. At the point in time when the user is moved to the recycle bin in Entra ID or marked for deletion, they are initially only deactivated in SIGNL4.
- In this state, the user can already be deleted in SIGNL4 by the application owner (administrators), but cannot be edited. This can be helpful if their user license is to be freed up again. Alternatively, the user can be permanently deleted sooner in the IDM system if necessary.
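The group-based scoping from “Select groups to transfer” and the removal rules in the three FAQ answers above (users in no assigned group are removed, soft-deleted users are only deactivated, surplus users beyond the license count are skipped and recorded in the audit log, empty groups create no team, and the “Do not create groups as individual SIGNL4 teams” option collapses everything into “SCIM Synchronized”), modelled as one reconciliation step. This is an added example and not SIGNL4's code: the data classes, the `reconcile` function, the audit wording and the sample directory below are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class SourceUser:
    """One directory user as the IDM sees it (constructed sample shape)."""
    external_id: str
    email: str
    soft_deleted: bool = False   # marked for deletion / in the recycle bin


@dataclass
class TargetState:
    """What the SIGNL4 side looks like after one provisioning run."""
    users: dict = field(default_factory=dict)   # email -> "active" | "deactivated"
    teams: dict = field(default_factory=dict)   # team name -> set of emails
    audit: list = field(default_factory=list)   # human-readable audit entries


# Constructed sample directory: two assigned groups, one user in both groups,
# and one user who is only assigned directly, not through a group.
USERS = {
    "u1": SourceUser("u1", "alice@example.com"),
    "u2": SourceUser("u2", "bob@example.com"),
    "u3": SourceUser("u3", "carol@example.com"),
    "u4": SourceUser("u4", "dave@example.com"),
}
GROUPS = {
    "SCIM Office Management": {"u1", "u2"},
    "SCIM Billing": {"u2", "u3"},
}


def reconcile(assigned_groups, users, licenses, single_team=False,
              direct_assignments=(), previous=None):
    """Compute the target state from the groups assigned to the enterprise app.

    assigned_groups: {group name: set of external ids}, i.e. the scope
    "Sync only assigned users and groups".  users: {external id: SourceUser}.
    previous: TargetState of the last run, used to report removals.
    """
    state = TargetState()
    # Only members of at least one assigned group are in scope; a direct user
    # assignment without any group membership is rejected.
    in_scope = set().union(*assigned_groups.values())
    for ext in direct_assignments:
        if ext not in in_scope:
            state.audit.append(f"rejected direct assignment of {users[ext].email}: "
                               "not a member of any assigned group")
    # Deterministic order so the license cap skips the same users on every run.
    skipped = set()
    for index, ext in enumerate(sorted(in_scope)):
        user = users[ext]
        if index >= licenses:
            skipped.add(user.email)
            state.audit.append(f"skipped {user.email}: no user license available")
            continue
        # A soft-deleted user is only deactivated; the final delete comes later.
        state.users[user.email] = "deactivated" if user.soft_deleted else "active"
    # One team per group that has provisioned users, or the single central team.
    for name, members in assigned_groups.items():
        emails = {users[m].email for m in members if users[m].email in state.users}
        if not emails:
            state.audit.append(f"group {name!r} has no provisioned users, no team created")
            continue
        team = "SCIM Synchronized" if single_team else name
        state.teams.setdefault(team, set()).update(emails)
    # Anyone provisioned last time who is now in no assigned group is removed.
    if previous is not None:
        for email in previous.users:
            if email not in state.users and email not in skipped:
                state.audit.append(f"removed {email}: no longer in any assigned group")
    return state


if __name__ == "__main__":
    first = reconcile(GROUPS, USERS, licenses=10, direct_assignments={"u4"})
    print(first.teams)
    print("\n".join(first.audit))
```

Running the module shows the two teams from the sample with the shared member in both, and an audit entry for the directly assigned user who is rejected because he is in no group. Feeding the returned state back as `previous` on the next run is what produces the “removed” entries once a user has been taken out of all assigned groups.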
Do users newly transferred from the IDM system automatically receive information from SIGNL4, and if so, what kind?
- Yes. Users who are created in SIGNL4 via SCIM from the IDM system receive an invitation email for this new application, which has been provided to them by their organization. The user must also click on an activation link in the email to complete the provisioning process. This mechanism is important for two reasons:
- The user knows that a new business application has been made available to them and can start using it. This is particularly useful when the preceding application processes take a long time.
- The activation link ensures that the email address is reachable and that no unauthorized person can activate other users' accounts in SIGNL4.
Is it possible to rename the central team into which SCIM users are imported?
- Yes. The team with the default name “SCIM Synchronized” can be renamed as desired without damaging the SCIM integration.
Are groups that do not contain any users created as empty teams in SIGNL4?
- No. Empty groups are not created as teams. Only groups that contain users are created as teams.
Why are groups not created as feeds, but only as teams?
- Due to technical limitations, it is not possible to clearly distinguish which entity in the application a group in the IDM system should be mapped to. Therefore, only stakeholders are imported and no feeds are created automatically.