SCIM Provisioning Implementation

1
Hi All, I'm trying to implement SCIM provisioning to be able to consume the SCIM service provided by Azure AD. I'm aware that Mendix only allows JIT provisioning with the SAML and SSO module and OIDC with the OIDC module and that SCIM is not supported directly. Hence reaching out to the community, if anybody has implemented it. If yes, I'd be grateful if you can guide me in the correct direction to implement the same. Thank you!

Regards, Apoorva
asked
3 answers
1

At my current client, we implemented a SCIM interface for AzureAD. Microsoft provides documentation on which resources, operations and content your interface needs to accept. See this page, and this section specifically. Based on these specifications, you can build a REST API in Mendix that allows AzureAD to manage your users.

Note that you should not implement the entire interface as specified: it is not possible to create or update Groups (in Mendix, that would be System.UserRole objects) through the SCIM interface. System.UserRole objects in Mendix are managed through your security settings. For Groups, we only implemented two GET operations (get by ID and get by query) and a PATCH operation (to manage Users in Groups). Note that this PATCH operation can contain three distinct types of content: update the attributes of the Group, add User to Group, or remove User from Group. We simply throw an error when an update of the attributes of the Group is attempted.


We aligned the actual attributes we would use with the team that manages AzureAD.

answered
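The Group PATCH handling described in the answer above, as an added example that is not code from the thread or from Mendix: a small Python dispatcher for a SCIM 2.0 PatchOp body (RFC 7644 section 3.5.2) that lets membership change but refuses attribute updates, mirroring the "throw an error" choice. In a Mendix app this logic would sit behind a published REST service and operate on System.UserRole objects; here `Group`, `apply_group_patch`, the user ids and the request bodies are constructed stand-ins. The request shapes (`path="members"` with a list value, and `members[value eq "..."]` for a single removal) are the RFC 7644 forms and are assumed to be what the identity provider sends.

```python
"""Minimal SCIM 2.0 Group PATCH dispatcher (RFC 7644 section 3.5.2).
Constructed example; not the thread's or Mendix's code."""
import re
from dataclasses import dataclass, field

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Value-filter path form used to remove one member,
# e.g. members[value eq "2819c223-7f76-453a-919d-413861904646"].
_MEMBER_FILTER = re.compile(r'^members\[value\s+eq\s+"([^"\s]+)"\]$')


class ScimError(Exception):
    """Input the endpoint rejects; maps to a SCIM error response (status + scimType)."""

    def __init__(self, status, detail, scim_type=None):
        super().__init__(detail)
        self.status = status
        self.detail = detail
        self.scim_type = scim_type


@dataclass
class Group:
    """Stand-in for a group record (in Mendix: a System.UserRole whose
    membership, but not attributes, the SCIM endpoint may change)."""
    id: str
    display_name: str
    members: set = field(default_factory=set)


def _member_ids(value, known_user_ids):
    """Parse a SCIM 'members' value (list of {"value": id}) and check every id exists."""
    if not isinstance(value, list):
        raise ScimError(400, "members value must be a list", "invalidSyntax")
    ids = []
    for entry in value:
        if not isinstance(entry, dict) or not isinstance(entry.get("value"), str):
            raise ScimError(400, "each member needs a string 'value'", "invalidSyntax")
        ids.append(entry["value"])
    unknown = sorted(i for i in ids if i not in known_user_ids)
    if unknown:
        raise ScimError(400, f"unknown member id(s): {unknown}", "invalidValue")
    return ids


def apply_group_patch(group, body, known_user_ids):
    """Apply a PatchOp body to `group`: membership may change, attributes may not.
    Returns (added, removed) as sorted lists. On any reject the group is untouched."""
    if not isinstance(body, dict) or PATCH_SCHEMA not in body.get("schemas", []):
        raise ScimError(400, "missing PatchOp schema", "invalidSyntax")
    ops = body.get("Operations")
    if not isinstance(ops, list) or not ops:
        raise ScimError(400, "Operations must be a non-empty list", "invalidSyntax")

    # Stage changes on a copy so a bad later op cannot leave a half-applied patch.
    staged = set(group.members)
    for op in ops:
        if not isinstance(op, dict):
            raise ScimError(400, "each operation must be an object", "invalidSyntax")
        kind = str(op.get("op", "")).lower()
        path = op.get("path")
        value = op.get("value")

        if kind == "add":
            # Either path="members" with a list, or no path with value={"members": [...]}.
            if path is None and isinstance(value, dict) and set(value) == {"members"}:
                value = value["members"]
            elif path != "members":
                raise ScimError(400, "group attributes are not managed via SCIM", "mutability")
            staged.update(_member_ids(value, known_user_ids))

        elif kind == "remove":
            m = _MEMBER_FILTER.match(path or "")
            if m:
                staged.discard(m.group(1))  # idempotent: removing an absent member is a no-op
            elif path == "members" and value is None:
                staged.clear()              # RFC 7644: remove without value clears the attribute
            elif path == "members":
                staged.difference_update(_member_ids(value, known_user_ids))
            else:
                raise ScimError(400, "only members may be removed via SCIM", "mutability")

        elif kind == "replace":
            if path != "members":
                # e.g. path="displayName": attributes are owned by the app's security model.
                raise ScimError(400, "group attributes are not managed via SCIM", "mutability")
            staged = set(_member_ids(value, known_user_ids))

        else:
            raise ScimError(400, f"unsupported op {kind!r}", "invalidValue")

    added = sorted(staged - group.members)
    removed = sorted(group.members - staged)
    group.members = staged
    return added, removed
```

Returning the delta rather than the whole membership is what the endpoint needs to write an audit record per provisioning call; the staging copy matters because the identity provider retries failed PATCHes, so a partially applied operation list would otherwise be replayed on top of itself.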
0

Hey Apoorva,

Azure AD also supports SAML and OpenID (OIDC). Are those not allowed (due to policy/license/tech issues)?

answered
0

In the current quarter we are aiming to bring the LDAP module to product support.
The LDAP module will allow you to sync users from an LDAP server (such as on-premises Active Directory) to your app.
It’s not a solution when you use AzureAD however; that would require a SCIM module indeed.

answered