The Asite Provisioning Connector leverages the System for Cross-Domain Identity Management (SCIM) protocol to automatically provision, update and de-provision users on the Asite Platform. The Microsoft service connects to the SCIM endpoint for the Asite Platform. It uses the SCIM user object schema and REST APIs to automate the provisioning and de-provisioning of users and groups in the Asite Platform.
Asite's integration with Microsoft Entra ID's SCIM enables Microsoft Entra ID to serve as a single identity manager, to add and deactivate users, and to provision user groups. This is especially efficient for managing users at scale.
System for Cross-Domain Identity Management (SCIM) is an open standard protocol for automated user provisioning. In Asite, automated provisioning involves creating users and user groups, assigning users to groups, and managing some user attributes (such as names and email addresses).
This topic describes using a Microsoft Entra ID SCIM integration for provisioning in Asite. You must take steps in both Microsoft Entra ID and Asite to configure this integration.
Prerequisites
You must be an Application Administrator in your Microsoft Entra ID account.
You must have an active Asite CDE subscription, Asite API permission, and Workspace Admin access.
Setting Up the Integration
Asite supports the SCIM profile as explained above and can currently be connected to Microsoft Entra ID using the 'non-gallery application' feature in the Microsoft Entra application gallery. Once connected, Microsoft Entra ID runs a synchronization process every 40 minutes. It queries the Asite application's SCIM endpoint for assigned users and groups and creates or modifies them according to the assignment details.
To connect the Asite application that supports SCIM:
Sign in to the Microsoft Entra admin center as at least an Application Administrator.
Browse to Identity > Applications > Enterprise applications.
A list of all configured apps is shown including apps added from the gallery.
Select + 'New application' > + 'Create your own application'.
Enter a name for your application such as 'SCIM Demo App'. Next, choose the 'integrate any other application you don't find in the gallery' option and select Add to create an app object. The new app is added to the list of enterprise applications and opens to its app management screen.
The following screenshot shows the Microsoft Entra application gallery:
In the app management screen, select Provisioning in the left panel.
Select + New configuration.
In the Tenant URL field, enter the URL (of the application's SCIM endpoint).
Example: https://scimqa.asite.com/scim/tenants/{tenant name}
https://scimqa.asite.com/scim
You must enter your company name, matching your registered organization name on Asite, when creating users or user groups in Microsoft Entra. Alternatively, you can put the name of your tenant organization directly in the 'Tenant URL' field by creating an encoded URL that contains the organization name (you can use a URL encoder service such as https://www.urlencoder.org/ if required).
Note: If you use both options in your Microsoft Entra, your organization name will be taken from the 'Tenant URL' and not the organization name you pass while creating users or user groups.
If the SCIM endpoint requires an OAuth bearer token from an issuer other than Microsoft Entra ID, then copy the OAuth bearer token into the optional Secret Token field as applicable. Please speak with your Asite point of contact for the OAuth token as required. We'll need your login credentials to help us generate an OAuth token for you. Once the Asite app is published in Microsoft Entra's gallery, it will no longer be required.
Select Test Connection to have Microsoft Entra ID attempt to connect to the SCIM endpoint. If your attempt fails, an error message is displayed.
Note: Test Connection queries the SCIM endpoint for a user that doesn't exist, using a random GUID as the matching property selected in the Microsoft Entra configuration. The expected correct response is HTTP 200 OK with an empty SCIM ListResponse message.
If the attempt to connect to the application succeeds, select Save to apply the changes.
Select the 'Sync all users and groups' tab and assign the users or groups you want to sync.
In the 'Attribute mapping' section, you can review the user attributes synchronized from Microsoft Entra ID to Asite.
Attribute | Type
userName | String
active | Boolean
title | String
preferredLanguage | String
name.givenName | String
name.familyName | String
phoneNumbers[type eq "work"].value | String
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization | String
The attributes selected as Matching properties can be used to match the user accounts in Asite for update operations. Select the Save button to commit any changes.
Under the Mappings section, select Synchronize Microsoft Entra ID Groups to Asite.
In the 'Attribute mapping' section, you can review the group attributes synchronized from Microsoft Entra ID to Asite.
Attribute | Type
displayName | String
externalId | String
members | Reference
The attributes selected as Matching properties can be used to match the user groups in Asite for update operations. Select the Save button to commit any changes.
To use the 'Provision on-demand' option, you must first add that user or group in the Microsoft Entra app under the 'Users and groups' of the required SCIM app under your created application.
Once you have added the required users or user groups, you can select 'Provision on-demand' in the left panel. You can search for a user in the scope for provisioning and provision them on-demand. Repeat with other users that you would like to test provisioning with.
Once your configuration is complete, select Overview in the left panel.
Select Properties.
Select the pencil to edit the properties. Enable notification emails and provide an email address to receive quarantine emails. Enable accidental deletion prevention. Click Apply to save the changes.
Select Start provisioning to start the Microsoft Entra provisioning service.
Once the initial cycle has started, you can select Provisioning logs in the left panel to monitor progress, which shows all actions done by the provisioning service on your app. For more information on how to read the Microsoft Entra provisioning logs, see Reporting on automatic user account provisioning.
Note: The initial cycle takes longer to process than the later synchronizations, which occur approximately every 40 minutes as long as the service runs.
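The encoded Tenant URL and the Test Connection result described above can be checked locally before saving the configuration. The following is an added example, not Asite or Microsoft code: it assumes userName is the matching property and uses the standard SCIM /Users resource path; the organization name and both sample responses are constructed.

```python
import json
import uuid
from urllib.parse import quote

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"  # RFC 7644
BASE = "https://scimqa.asite.com/scim"  # base URL from the example above


def tenant_url(org_name):
    """Percent-encode the organization name locally as one path segment."""
    # safe="" also encodes "/", so the name cannot add extra path segments.
    return f"{BASE}/tenants/{quote(org_name, safe='')}"


def probe_url(tenant, attribute="userName"):
    """Build a query for a user that cannot exist, as Test Connection does."""
    # Assumption: userName is the matching property; the GUID is random.
    scim_filter = f'{attribute} eq "{uuid.uuid4()}"'
    return f"{tenant}/Users?filter={quote(scim_filter, safe='')}"


def check_probe_response(status, body):
    """Return why a response is not the expected result (empty list = pass)."""
    problems = [] if status == 200 else [f"expected HTTP 200, got {status}"]
    try:
        doc = json.loads(body)
    except ValueError:
        return problems + ["body is not JSON"]
    if not isinstance(doc, dict):
        return problems + ["body is not a JSON object"]
    schemas = doc.get("schemas")
    if not isinstance(schemas, list) or LIST_RESPONSE not in schemas:
        problems.append("schemas does not contain the ListResponse URN")
    if doc.get("totalResults") != 0:
        problems.append("totalResults is not 0")
    if doc.get("Resources"):
        problems.append("Resources is not empty: the filter was ignored")
    return problems


# Constructed sample responses (not captured from the Asite endpoint).
EMPTY = json.dumps({"schemas": [LIST_RESPONSE], "totalResults": 0,
                    "Resources": [], "startIndex": 1, "itemsPerPage": 20})
LEAKY = json.dumps({"schemas": [LIST_RESPONSE], "totalResults": 1,
                    "Resources": [{"userName": "someone@example.com"}]})

if __name__ == "__main__":
    tenant = tenant_url("Acme Build & Design Ltd")  # constructed org name
    print(probe_url(tenant))
    for label, body in (("empty", EMPTY), ("leaky", LEAKY)):
        print(label, check_probe_response(200, body) or "OK")
```

A response that returns users for a random GUID means the endpoint is not applying the filter, so matching during update operations cannot be relied on.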