
Configure SCIM provisioning in Entra

This procedure explains how to configure System for Cross-domain Identity Management (SCIM) provisioning between Entra and DigiCert® account.

SCIM provisioning allows Entra to automatically create, update, and deactivate users and groups in DigiCert® account. User access is managed through Entra groups and synchronized using the SCIM protocol.

SCIM provisioning and single sign-on (SSO) are configured using separate Entra applications. If you are also using SSO, you must configure the SSO and SCIM applications independently.

Before you begin

To finish this setup, you need administrative access in both DigiCert and Microsoft Entra:

  • Account admin user group required in DigiCert account.


  • Application Administrator or equivalent role required in Entra.

Step 1: Enable SCIM provisioning in DigiCert® account

Before configuring Entra, you must enable SCIM provisioning in DigiCert® account and generate the connection details required by Entra.

  1. In DigiCert® account, select Accounts > Identity and access.

  2. In the User lifecycle section, select Automated user provisioning with SCIM.

  3. In the Enable users and group sync section, switch to enable SCIM provisioning.

  4. Under SCIM base URL, select Copy.

  5. Select Generate token.

    1. Select how long the token should remain valid.

    2. Select Generate token.

    3. Under Token, select Copy.

    4. Select Done.

Tip

Keep the SCIM base URL and token available. You will use them when configuring SCIM in Entra.

Step 2: Create and configure a SCIM application in Entra

Your SSO application in Entra cannot be used to configure SCIM; you must create a separate application for SCIM:

  1. Sign in to the Microsoft Entra admin center.

  2. In the left pane, select Microsoft Entra ID.

  3. In the left pane of Microsoft Entra ID, select Manage > Enterprise apps.

  4. Select + New application.

  5. Select Create your own application.

  6. In the What's the name of your app? field, enter an app name that specifies SCIM. Example: Example, Inc (SCIM)

  7. Select Create.

  8. Select the Provisioning tab.

  9. Select + New configuration.

  10. In the Select authentication method field, select Bearer authentication.

  11. Complete the following fields:

    1. Tenant URL

      Paste the SCIM base URL copied from DigiCert® account in Step 1.4.

    2. Secret token

      Paste the token generated in DigiCert® account in Step 1.5.c.

  12. Select Test connection.

    Expected message: Connection test for 'app name' was successful.

  13. Select Create.

Step 3: Enable provisioning actions

Once the SCIM application for DigiCert® account is saved, enable the following provisioning actions to allow Entra to manage the full user lifecycle in DigiCert® account.

  1. In the left pane of the SCIM app you just created, select the Provisioning tab.

  2. Select + New configuration.

  3. In the Select authentication method field, select Bearer authentication.

  4. Complete the following fields:

    1. Tenant URL

      Paste the SCIM base URL copied from DigiCert® account in Step 1.4.

    2. Secret token

      Paste the token generated in DigiCert® account in Step 1.5.c.

  5. Select Test connection.

    Expected message: Connection test for 'app name' was successful.

  6. Select Create.

Step 4: Assign groups to the SCIM application

User access in DigiCert® account is managed using Entra groups.

  1. In the left pane of the SCIM app you just created, select the Users and groups tab.

  2. Select +Add user/group.

  3. Select the Users and groups tab.

  4. Select checkbox next to the groups you want to provision.

  5. Select Select.

  6. Verify that you have selected the correct groups.

  7. Select Assign.

Tip

If SSO is enabled for DigiCert® account, assign the same user groups to both the SSO application and the SCIM application in Entra to keep access consistent.

Step 5: Start provisioning

To start provisioning:

  1. In the left pane of the SCIM app you just created, select Overview (Preview).

  2. Select Start provisioning.

  3. In the confirmation pop-up, select Yes.

Step 6: Verify provisioning in DigiCert® account

The users and groups you assigned in Step 4 should also appear in your DigiCert account, provided that the SCIM application in Entra is active.

  1. In DigiCert® account, select Access.

  2. Select Users to view a consolidated list of all your users; this includes manually created users and users provisioned through SCIM.

  3. Select Groups to view a consolidated list of groups:

    1. The Source column displays Platform for default DigiCert groups.

    2. The Source column displays SCIM for groups provided by your IdP.

Step 7: Assign roles to groups in DigiCert® account

Users in the IdP group will be assigned the roles that you define in DigiCert account.

Note

If a user was previously assigned user roles manually, those roles remain in place in addition to the roles assigned to the group, so that existing workflows are not broken; remove them manually if they are no longer needed. See Update user role manually.

  1. In DigiCert® account, select Access.

  2. Select Groups to assign user roles.

  3. Select the name of a SCIM group.

    The Source column displays SCIM for groups provided by your IdP.

  4. Select Group access.

  5. Select Update group access.

  6. In the Services field, select the checkbox next to each DigiCert service this user group should have access to.

  7. In the User roles section of each service, select the checkbox of each user role that this user group should have.

  8. Select Assign access.
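As an added illustration (not DigiCert's or Microsoft's code), the following Python script models the check behind Step 6 and the note in Step 7: it reads a SCIM 2.0 group listing in the shape an IdP returns, compares it with the account's user list, and flags SCIM-sourced users that are no longer in any assigned group (deprovisioning has not caught up) and SCIM-sourced users that still carry manually assigned roles. The group listing, the user list and its field names are constructed samples, not an export format of either product.

```python
import json

# Constructed sample: a SCIM 2.0 ListResponse for /Groups, in the shape an IdP returns.
# The schema URN and field names follow RFC 7644; the ids and members are made up.
SCIM_GROUPS = json.loads("""{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults": 1,
  "Resources": [
    {"id": "g-1", "displayName": "PKI Operators",
     "members": [{"value": "u-1", "display": "alice@example.com"},
                 {"value": "u-2", "display": "bob@example.com"}]}
  ]
}""")

# Constructed sample: users as listed under Access > Users, with their Source column
# and any roles that were assigned to the user by hand rather than through a group.
ACCOUNT_USERS = [
    {"email": "alice@example.com", "source": "SCIM", "manual_roles": []},
    {"email": "bob@example.com", "source": "SCIM", "manual_roles": ["Account admin"]},
    {"email": "carol@example.com", "source": "SCIM", "manual_roles": []},
    {"email": "dave@example.com", "source": "Platform", "manual_roles": ["Certificate manager"]},
]


def scim_members(groups: dict) -> set:
    """Collect the member display names (emails) of every group in a SCIM ListResponse."""
    if "urn:ietf:params:scim:api:messages:2.0:ListResponse" not in groups.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    members = set()
    for group in groups.get("Resources", []):
        for member in group.get("members", []):
            members.add(member["display"].lower())
    return members


def reconcile(groups: dict, users: list) -> dict:
    """Flag SCIM-sourced users not in any IdP group (deprovisioning lag) and
    SCIM-sourced users that still carry manually assigned roles."""
    expected = scim_members(groups)
    lingering, manual_overlap = [], []
    for user in users:
        email = user["email"].lower()
        if user["source"] != "SCIM":
            continue  # Platform (manually created) users are outside SCIM's scope
        if email not in expected:
            lingering.append(email)
        if user["manual_roles"]:
            manual_overlap.append(email)
    return {"lingering": sorted(lingering), "manual_overlap": sorted(manual_overlap)}
```

A user reported under "lingering" that is still active is the case to look up in the Entra provisioning logs described below.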

Review Entra logs

In the left pane of the SCIM app, select Provisioning logs to see the actions Entra performed and the information that was requested and sent to your DigiCert account: