This is a premium product add-on and must be purchased and configured through your Account Manager.
System for Cross-domain Identity Management (SCIM) is a protocol that enables automated user provisioning and de-provisioning between different identity systems. It allows Microsoft Azure to communicate with the MANTL Console to exchange user identity information and perform provisioning and de-provisioning actions automatically.
Considerations
MANTL has an enterprise application listed in the Azure Marketplace, however, it currently only supports single sign-on and not provisioning. We are working with Microsoft to add provisioning to our existing enterprise app, but they have not provided a timeline for us. In the meantime, our customers wanting provisioning are required to create custom enterprise applications to utilize our SCIM API.
Unfortunately, due to a Microsoft policy and a shortcoming in Azure, it is not possible for provisioning to ever be added to our UAT application. Thus most of our customers on Azure end up with a total of four MANTL apps in their list of Azure enterprise apps (SSO Prod, UAT & SCIM Prod, UAT).
When choosing to use SCIM provisioning, consider the following:
- MANTL's implementation of SCIM maps Azure AD security groups one-to-one with MANTL roles.
- The MANTL Console does not support nested roles.
- When SCIM is enabled for your organization in MANTL, users and roles in the MANTL Console become read-only.
  - You can still update a role's description and its associated permissions, but nothing else about a role (for example, its name or which users belong to it) can be edited in the MANTL Console.
  - User profiles and role membership must be updated in Azure.
  - Permissions, and their assignment to roles, are still edited in the MANTL Console.
- Users can only be deactivated, not deleted.
  - If a user is off-boarded or unassigned from a relevant security group, their status in MANTL is updated to deactivated.
  - All other historical information associated with that user remains in MANTL.
  - Deactivated users can be re-enabled by reassigning them in Azure; no new MANTL user is created.
- For organizations with multiple clients (i.e. brands), client assignment can be managed at either the user level or the role level.
  - By default, client assignments are made at the user level and managed within the Console. The system default is to assign all clients to a user, so admins update a user via the Console to restrict client access as needed.
  - Managing client assignments via roles may be preferable for organizations with many users and varying client access. In this case, a set of security groups needs to be created in Azure to control client assignments, after which client/role assignment can be managed via the Console, in the same way as permission/role assignment.
Prerequisites
- Before getting started in Azure, your Customer Success Manager (CSM) will provide you with an access token for authenticating SCIM requests.
  - The token is highly sensitive: anyone holding it can create, update and deactivate users in your MANTL environment. It is therefore sent to you over your preferred secure messaging platform and never by email. Treat it like a password: paste it only into the Azure app's Secret Token field, do not store it elsewhere, and contact your CSM if it is ever exposed.
Supported Attributes
MANTL supports the following attributes when working with SCIM provisioning in Azure:
- First / Last Name: Users in the MANTL Console require a first and a last name, and only those two attributes are mapped. Middle names, honorifics, prefixes and suffixes, display names and nicknames are not mapped to the MANTL Console. Users whose given name or surname is empty in Azure may fail to synchronize.
- Contact Info: MANTL only supports a single email address (required) and a phone number (optional) per user.
- Address: MANTL does not support physical address, locale, or time zone attributes for users.
Configuration Steps
- Acquire your access token from your Implementation or Customer Success manager.
- In Microsoft Azure go to Enterprise Applications > New Application > Create your own application.
- Give it a name, e.g. "MANTL UAT SCIM".
- This app will not be made visible to your users in their My Apps dashboard.
- Select Integrate any other application you don't find in the gallery (Non-gallery).
- Click Create. Ignore the matching gallery application that Azure suggests; that is the MANTL SSO app, which does not support provisioning.
- On the Overview page for the app select 3. Provision User Accounts, or on the left select provisioning.
- Click Get started, then set Provisioning Mode to Automatic.
- Under Admin Credentials:
  - Tenant URL:
    - Production: https://console.mantl.com/scim/v2?aadOptscim062020
    - UAT: https://console.uat.mantl.com/scim/v2?aadOptscim062020
    - The query parameter is a Microsoft-documented feature flag that makes the Entra ID provisioning client send SCIM 2.0 compliant requests (it changes how PATCH operations are formatted); it is required for provisioning against MANTL to work.
    - When entering or copying the URL, make sure there is no whitespace at the beginning or end of the string.
  - Secret Token: the token provided by your MANTL Customer Success Manager or Implementation Engineer.
- Click Test Connection, wait for the success notification, then click Save in the upper left.
- A new section labeled Mappings will display, click to open it.
- Nothing needs to change for Groups.
- Click Provision Entra ID Users.
- Under Target Object Actions, uncheck Delete.
- From Attribute Mappings, delete the following mappings:
- displayName
- preferredLanguage
- Formatted name: Join(" ", [givenName], [surname])
- The six physical address fields: physicalDeliveryOfficeName, streetAddress, city, state, postalCode, and country.
- mobile
- facsimileTelephoneNumber
- employeeId
- department
- manager
- Click into the mailNickname mapping
- Change Source Attribute to be objectId
- Change Match objects using this attribute to Yes
- Fill in Matching precedence with 2
- If, and only if, you have existing users in your MANTL account, you also need to set up matching on email address, so that Azure matches those accounts to their existing MANTL records instead of creating duplicates.
- Click into the mail mapping
- Change Match objects using this attribute to Yes
- Fill in Matching precedence with 3
- Click Save in the upper left.
- Navigate up the breadcrumb one segment to Provisioning, set the Provisioning Status at the bottom to On, then click Save again in the upper left.
- Assign groups to the application(s) (see Microsoft's documentation on assigning users and groups to an enterprise application).
- Because MANTL only assigns permissions to groups/roles, only security groups should be assigned to this application, never individual users.
- The assignments to this application need to stay in sync with the SSO app for the same MANTL environment.
- Azure runs the provisioning cycle roughly every forty minutes, so changes to users and groups are not pushed immediately. To verify that things are working, use the Provision on demand tab to sync a single user or group manually.
- After a new security group is provisioned to MANTL, you or your CSM will need to assign it permissions from inside the MANTL Console interface.
- Log into MANTL Console.
- In the lower left, hover over your initials then click Settings.
- Under Roles & Permissions, find and click the new Role. It will have the same name as the AD security group it is synced to.
- Click Edit on the right, then assign permissions as appropriate.
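To make the behaviour described on this page concrete, here is an added example (not MANTL's code or API) of a toy in-memory SCIM 2.0 service provider that implements the same semantics: matching precedence userName, then externalId (the objectId that the mailNickname mapping now carries), then email; deactivation instead of deletion, with roles and history preserved; and Azure security groups mapped one-to-one to roles with no nesting. The payloads, the store layout and the status codes returned by the helper methods are constructed assumptions for illustration; only the SCIM schema URIs are standard.

```python
"""Toy SCIM 2.0 service provider mirroring the provisioning semantics on this page.
Added example, not MANTL's code; payloads are constructed and the store layout is assumed."""
from dataclasses import dataclass, field

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"  # standard SCIM schema URI


def primary_email(payload):
    """Azure maps `mail` to emails[type eq "work"].value; fall back to the first entry."""
    emails = payload.get("emails") or []
    for e in emails:
        if e.get("type") == "work" or e.get("primary"):
            return e.get("value", "")
    return emails[0].get("value", "") if emails else ""


def as_bool(value):
    """Accept spec-compliant booleans and the "True"/"False" strings older clients sent."""
    return value if isinstance(value, bool) else str(value).lower() == "true"


@dataclass
class User:
    id: str
    userName: str
    externalId: str  # Azure objectId after the mailNickname -> objectId change
    email: str
    givenName: str
    familyName: str
    active: bool = True
    roles: set = field(default_factory=set)


class ScimStore:
    """Users are only ever deactivated; each Azure group is exactly one role; no nesting."""

    def __init__(self):
        self.users, self.roles, self._next_id = {}, {}, 1

    def match(self, payload):
        """Matching precedence as mapped in Azure: 1 userName, 2 externalId, 3 email.
        The email rule is what stops a pre-existing MANTL user from being duplicated."""
        keys = [("userName", payload.get("userName")),
                ("externalId", payload.get("externalId")),
                ("email", primary_email(payload))]
        for attr, value in keys:
            for user in self.users.values():
                if value and getattr(user, attr).lower() == value.lower():
                    return user
        return None

    def post_user(self, payload):
        """POST /Users -> (status, user). 409 tells the client to match, not create."""
        existing = self.match(payload)
        if existing is not None:
            return 409, existing
        name = payload.get("name") or {}
        if not name.get("givenName") or not name.get("familyName"):
            return 400, None  # first and last name are required; nothing else is mapped
        user = User(str(self._next_id), payload["userName"], payload.get("externalId", ""),
                    primary_email(payload), name["givenName"], name["familyName"])
        self._next_id += 1
        self.users[user.id] = user
        return 201, user

    def patch_user(self, user_id, patch):
        """PATCH /Users/{id}: flipping `active` keeps id, roles and history intact,
        so reassigning the user in Azure simply flips it back."""
        user = self.users.get(user_id)
        if user is None:
            return 404, None
        for op in patch.get("Operations", []):
            if op.get("op", "").lower() == "replace" and op.get("path") == "active":
                user.active = as_bool(op.get("value"))
        return 200, user

    def delete_user(self, user_id):
        """DELETE /Users/{id}: Delete is unchecked in Azure, and the provider refuses it too."""
        return 405, None

    def patch_group(self, group_name, patch):
        """PATCH /Groups/{name}: the security group's members are the role's users.
        Azure's member-removal wire format depends on the client flag, so both a value
        list and a members[value eq "..."] filter path are accepted here."""
        members = self.roles.setdefault(group_name, set())
        for op in patch.get("Operations", []):
            kind, path = op.get("op", "").lower(), op.get("path") or ""
            ids = [m["value"] for m in op["value"]] if isinstance(op.get("value"), list) else []
            if kind == "remove" and path.startswith("members[value eq"):
                ids = [path.split('"')[1]]
            for uid in ids:
                if uid not in self.users:
                    return 404, None
                if kind == "add":
                    members.add(uid); self.users[uid].roles.add(group_name)
                elif kind == "remove":
                    members.discard(uid); self.users[uid].roles.discard(group_name)
        return 200, members


def demo():
    """Create a constructed user, attach a role, deactivate, re-enable, refuse delete."""
    store = ScimStore()
    jane = {  # constructed payload in the shape Azure sends after the mappings above
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": "jane.doe@example.com",
        "externalId": "1c8a3f2e-0000-4000-8000-000000000001",
        "name": {"givenName": "Jane", "familyName": "Doe"},
        "emails": [{"type": "work", "primary": True, "value": "jane.doe@example.com"}],
    }
    created, user = store.post_user(jane)
    # Same objectId under a renamed UPN matches the existing record (precedence 2).
    matched, same = store.post_user(dict(jane, userName="jdoe@example.com"))
    store.patch_group("MANTL-Loan-Officers", {"schemas": [PATCH_OP], "Operations": [
        {"op": "Add", "path": "members", "value": [{"value": user.id}]}]})
    store.patch_user(user.id, {"schemas": [PATCH_OP], "Operations": [
        {"op": "Replace", "path": "active", "value": False}]})
    after_offboard = (user.active, sorted(user.roles))
    store.patch_user(user.id, {"schemas": [PATCH_OP], "Operations": [
        {"op": "Replace", "path": "active", "value": "True"}]})
    return (created, matched, same.id == user.id, after_offboard,
            user.active, store.delete_user(user.id)[0], len(store.users))


if __name__ == "__main__":
    print(demo())  # (201, 409, True, (False, ['MANTL-Loan-Officers']), True, 405, 1)
```

Running `demo()` shows why the email match only matters for accounts that predate SCIM: a user created by Azure already carries the objectId, so the externalId rule catches reassignments and renamed UPNs, whereas an account created by hand in the Console has no externalId and can only be matched on its work email. It also shows the reason Delete is unchecked in the target-object actions: deactivation leaves the user's id and role membership in place, so a later reassignment in Azure restores the same MANTL user rather than creating a new one.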