What is SCIM?

The System for Cross-domain Identity Management (SCIM) is a specification designed to make managing user identities in cloud-based applications and services easier.


You can leverage SCIM to automatically sync user profiles from your identity provider (i.e Microsoft Azure AD / Entra ID) to streamboxy.

This saves you a lot of time for manual user maintenance whe users are joining or leaving our organization.


Prerequisites

The following preconditions must be met in order to be able to use SCIM:

  1. You need a SCIM capable identity provider (i.e Entra Id, Okta etc.)
  2. You need a custom SSO Provider to be configured for your Tenant or your Azure AD Domain to be Whitelisted for SCIM.
    Please contact your Customer Sucess Manager or Streamboxy Sales.


How to Enable The Scim Sync?

To enable SCIM for a tenant and generating its SCIM Integration token, go to the 'Settings'. 

You will find the settings in the upper left corner of the STREAMBOXY Backstage.

In the navigation bar that opens click on 'Integrations' and then on 'Configure'.

Streamboxy Integration


Enable SCIM

Scim enabled




How to Use it with the Example of Azure AD / Entra ID?

The Azure AD (renamed to Microsoft Entra ID) needs to be configured in order to sync users using SCIM. To configure auto provisioning using SCIM in Microsoft Entra Id go to the Azure Portal -> 'Microsoft Entra ID'. 



Step 1: Create Enterprise Application


An Enterpise application needs to be created on "Mcrosoft Entra ID" in order to configure the SCIM sync of a certain Authentication type. 

to create an Enterprise Applicaiton click on 'Enterprise applications' on 'Microsoft Entra ID' page and then on 'New application'

Azure Portal EntraID Page

EntraID Enterprise Application page


Click on 'Create your own application'. Enter the name of the application and choose 'Integrate any other application you don't find in the gallery (Non-gallery)'. Click on Create.

Create Enterprise Application - Step 1

Create Enterprise Application - Step 2




Step 2: Create App Roles

This article describes App Roles as a way do map Streamboxy Roles to Entra ID in a flexible way.
You can also accomplish the same thing using a fixed value for role or user profile attributes.


To map the Entra ID roles to Streamboxy Roles, one needs to first create 'App Roles' on the  Enterprise Application created in the previous step.

Details on Streamboxy Roles can be found here. The steps below creates App Roles for an Enterprise application.

Click on 'App registrations' on 'Microsoft Entra ID' page on Azure portal.

Create App Roles - Step 1


On the 'App registrations' page if the previously created Entreprise App is not present then click on 'All applications'.

Choose the earlier created Entreprise App. Click on 'App roles' and then 'Create app role'.

Create App Roles - Step 2

Create App Roles - Step 3


Create App Roles - Step 4


Create an app role by filling in the mandatory fields. The Value of the App role needs to be of the format 'Sbxy_<Streamboxy Role>'.

The details about Streamboxy roles can be be found here.

The Streamboxy Role values allowed are below:

Streamboxy Role Value Description
Sbxy_Admin administrator
Sbxy_TenantReadOnly Read only access
Sbxy_TenantEventAdmin Event administrator
Sbxy_TenantEventAttendeeManager Event user administrator
Sbxy_NoAccess No Access

Create App Roles - Step 5




Step 3: Create Groups

This article describes how to create groups.

Click on "Groups" on the "Microsoft Entra ID" page in the Azure portal.


Then click on "New group", enter the desired name and description.


You can add users to the group under "Members". 



Step 4: Assign Users/Groups to the Enterprise Application


This Step allows you to define Users or Groups of Users that are supposed to be synced.


Click on "User and groups" and then 'Add user/group'

Assign User to Enterprise APP - Step 1

Assign User to Enterprise APP - Step 2


Select users or group to be assigned by clicking on "None Selected" and choose the users to be assigned for SCIM sync.

Click on 'Select'.  (If a Group is selected then the members of the Group would be synced) 

Assign User to Enterprise APP - Step 3


Choose the Role to be assinged to the selected users or groups which were created in Step 2. 

Click on Assign to assign User, groups and roles to Enterprise Application.

Assign User to Enterprise APP - Step 4



Step 4: Configure automatic provisioning


On the previously created 'Enterprise Application' page click on 'Provisioning'.

Click on 'Provisioning' on Provisioning page.

Enable auto provisioning -Step 1


Enable auto provisioning -Step 2

Choose "Automatic" Provisioning mode.

Enter the credentials created in Streamboxy Integration and click on 'Test Connection'. 

Once the credentials is validated, click on 'Save'.

Enable auto provisioning -Step 3


Disable Group provisioning if not supported.


Enable auto provisioning -Step 4

Enable auto provisioning -Step 5


To configure the mapping of the User properties click on 'Provision Azure Active Directory Users'.

Enable auto provisioning -Step 6

The Streamboxy specific attributes needs to enabled before the mapping. To enable Sbxy attributes click on 'Show advanced options' and then on 'Edit attribute list for customappsso'. Add the below mentioned Streamboxy specific attributes and click on Save.

Attribute Value Required?
urn:ietf:params:scim:schemas:extension:customSbxyAttribute:2.0:User:authProvider True
Auth Provider type for the user being created. The allowed values are 'Microsoft' and 'CustomSSO'. For Auth Provider type Microsoft, the email domains must be whielisted. Please contact [email protected] to whitelist email domain.
urn:ietf:params:scim:schemas:extension:customSbxyAttribute:2.0:User:customSSOProviderId False

The CustomSSO Provider Id to which the user is associated with. This is a must have if the authProvider type is CustomSSO.

 

SCIM attribute mapping - Step 1


Delete the attributes except the ones below in the snapshot and 'roles'. 

Change the attribute mapping with custommapsso attribute 'externalId' to Azure AD attrubute 'objectId'.

Update the 'userName' customappsso to Expression type with values as below:

  • Microsot Type: Append("Microsoft", Append("_", [userPrincipalName]))
  • CustomSSOAppend("CustomSSO", Append("_", [userPrincipalName]))


Click on Add New Mapping to map the newly created Streamboxy specific attributed.


Add/Update the below 3 attrubutes mapping.


1. urn:ietf:params:scim:schemas:extension:customSbxyAttribute:2.0:User:authProvider

SCIM attribute mapping - Step 2


2. [Update] roles

Expression Value = AssertiveAppRoleAssignmentsComplex([appRoleAssignments])



3. urn:ietf:params:scim:schemas:extension:customSbxyAttribute:2.0:User:customSSOProviderId

Constant Value = Custom SSO Provider Id from Streamboxy Settings => Login page.

SCIM attribute mapping - Step 4


After all the needed the attributes mapping is done, the overall User attribute mapping would look like the one below. 

Save the attribute mapping by clicking on Save.


After the attrubutes mapping configuration, the automatic SCIM provisioning needs to be started.

Go to the 'Overview' tab in 'Provisioning' page of the Enterprise App and click on 'Start provisioning'.

With this the SCIM sync of users is configured on Azure AD (Microsoft Entra ID).

The logs and errors of the automatic provisioning can be viewed by clicking on 'View provisioning logs'.

Start Auto Provisioning


Current Limitations

  • Currently we don't support Streamboxy USer Custom Properties for SCIM sync (lifted in a future release)