Azure AD User Provisioning

About this document

This document includes the step-by-step procedure to enable user provisioning in Azure AD for SAFE People.
Once provisioned, SAFE can regularly sync the users' list with Azure AD as users join or leave the organization or their attributes like Department and Location change.

Prerequisites

• The organization should be onboarded to SAFE Me. Contact the SAFE Support team to onboard your organization to SAFE Me.
• All the users' domains should be mapped to the organization.
• Get the Bearer Token from the SAFE support team. For authenticating provisioning API calls to SAFE Me, the organization's Active Directory needs a Bearer Token specific to a particular organization. Currently, the SAFE Support team manually generates this token. Contact the SAFE Support team to get the Bearer Token for your organization.

Configure Azure AD User Provisioning

To configure the user provisioning, perform the following steps on the Azure portal:

1. Navigate to https://portal.azure.com
2. Click the Azure AD Active Directory from the Azure Services List.
   
3. Click the Enterprise Application from the left-navigation
   
4. Click the New Application button to create a new Enterprise Application.
   
5. Click the Create your Own application button.
   
6. Enter a name for the application as SAFE Me.
7. Select the option "Integrate any other application you don't find in the gallery (Non-gallery)".
8. Click the Create button.
   
9. Once the application is successfully created, the system redirects you to the Applications Home Page.
10. Click the Users and Groups from the left navigation to start assigning Users to the Application. You can assign any number of users to the application enabling them to use SAFE Me.
    
11. Click the Add User/Groups
    
12. Select Users from the list
    
13. Click the Assign button
    
14. The system displays the list of assigned users/groups. These users are now eligible to use SSO and also be synced to SAFE Me along with their details via user provisioning.
    
15. Click the Provisioning from left navigation.
16. Click the Get Started button
    
17. Select the Provisioning Mode as Automatic
18. Under Admin Credentials, enter the Tenant URL as https://scim.safeme.ai/v1 and Bearer Token provided by the SAFE Support team.
    
19. Click the Test Connection button.
20. Once the connection is verified, click the Save button.
    
21. If the system displays an error, then either the URL or the token is wrong. Please recheck the URL and validate the token with the SAFE Support team.
22. Once the credentials are saved, Go to the Mapping section.
23. The system displays two types of mappings, Provision Azure Active Directory Groups and Provision Azure Active Directory Users; both are enabled by default.
    
24. Click the Provision Azure Active Directory Groups and disable it by setting the toggle switch to No.
25. Click the Save button.
    
26. Go to Provision Azure Active Directory Users and enable it by setting the toggle switch to Yes.
27. Mark all the Target Object Actions (Create, Update and Delete) checkboxes.
    
28. Go to the Attribute Mapping section and make sure the supported attributes in SAFE Me are selected with the exact mapping.
29. You can add new mappings by clicking Add new mapping and remove any mapping from defaults that are not in the list by clicking the Delete button corresponding to the mapping.
    
30. For attributes where Mapping Type is Direct, you need to select the source attribute from the list, and for other attributes where Mapping Type is Expression you need to put the value from the table as an expression.
    
    

    Mapping Type	Source Attribute Value / Expression	Target Attribute
    Direct	userPrincipalName	userName
    Expression	Switch([IsSoftDeleted], , "False", "True", "True", "False")	active
    Expression	Join(" ", [givenName], [surname])	name.formatted
    Direct	mail	emails[type eq "work"].value
    Direct	mailNickname	externalId
    Direct	country	addresses[type eq "work"].country
    Direct	jobTitle	title
    Direct	department	urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department

31. We only use 2 attributes with Expression mapping type - name.formatted and active and they are present in the list by default.
32. For Match object using this attribute, select No for all except the userName.
    
33. Among the above attributes - ‘userName’, ‘emails[type eq "work"].value’, ‘externalId’ and ‘active’ are Required. Rest are optional. Any additional attributes that are kept/added there will be ignored. Ideally, this is how it should look like.
    
34. Click the Save and then Yes. The system displays a success message at the top right corner.
    
35. Now on the Provisioning screen, turn the toggle for Provisioning Status to On and click Save and confirm. You will see a success toast message on the top right.
    
36. Now the setup is done, the provision cycle should start in some time. Initially, on the provisioning screen, you will see a message Initial cycle is not run, and clicking the View Provisioning Logs displays empty logs.
    
37. Once the provisioning cycle is completed, you will see a new message on provisioning screen "Initial Cycle Completed" and by clicking the View Provisioning Logs you can see the users that got created (and later on updated) and also check if there are any failures.
    
    
38. Provisioning is now all set up, and the user's data will automatically be synced with SAFE Me. Now, if any supported attribute for a provisioned User changes in Azure AD, it will reflect in SAFE Me in some time automatically.