SCIM User Provisioning with Azure AD

Wordpress SCIM plugin gives you ability to automate user creation, updation and deletion process from existing Identity Provider to your WordPress site. The System for Cross-domain Identity Management (SCIM) is an open standard for securely synchronizing user information between multiple applications. Here we will go through a step-by-step guide to enable SCIM user sync between WordPress site and Azure AD / Office 365 by considering Azure AD / Office 365 as Identity Provider.

Features

 The following provisioning features are supported:

• Push New Users : New users created through Azure AD will also be created in the third party application.
• Push Profile Updates (Premium Feature): Updates made to the user's profile through Azure AD will be pushed to the third party application
• Push User Deactivation (Premium Feature): Deactivating the user or disabling the user's access to the application through Azure AD will deactivate/delete the user in the third party application.

Note: For this application, deactivating/delete a user will depend on the miniOrange SCIM user provisioning add-on.

• Reactivate Users (Premium Feature): User accounts can be reactivated in the application.

Note: For the Reactivating the user it is required to select the Deactivation mode in the SCIM user provisioning add-on.

 Future Enhancements in the Plugin:

• Enhanced group push
• Import Groups
• Sync password

Pre-requisites : Download And Installation

To configure Azure AD as SAML IdP with WordPress, you will need to install the miniOrange WP SAML SP SSO plugin:

SCIM user provisioning

By miniOrange

(1)

SCIM User Provisioning plugin, Create, Update, delete users from Azure AD, Okta, OneLogin, G-suite, Centrify, JumpCloud, Idaptive, Gluu, WS02 and all SCIM …

 Tested upto 6.2

Get this plugin

To get the premium plugin, please contact us at samlsupport@xecurify.com

Follow the steps below for configuring Azure AD SCIM user provisioning in WordPress (WP)

Step 1: Configure WP SCIM user provisioning plugin

• Install the premium plugin and login using your miniOrange credentials.
• You would require a license key to activate the plugin. (Note :- In case you already have the paid version of the miniOrange SAML 2.0 SSO plugin you won’t require a to login or license key).
• Select the Identity Provider as Azure AD from the dropdown.
• You can find the SCIM Base URL and Bearer token in the SCIM configuration tab of the plugin.

Step 2: Configure Azure AD for SCIM provisioning

• Log in to your Azure AD portal and select the Microsoft Entra ID.

• Click on Enterprise applications.

• Click on New Application and select non-gallery application. If you already have an enterprise application and want to enable provisioning in it then jump to step 5.

• Give suitable name to your user provisioning application.

• Click on Provisioning in left menu.

• Click on Get started.

• Select Automatic in Provisioning Mode and Enter SCIM Base URL, SCIM Bearer Token (which you will find in Step 1above) .
• Click on Test Connection to verify the credentials. After testing connection click Save button.

Step 3: De-provisioning of Users [This is a premium feature]

• You can select the deprovisioning mode in the SCIM configuration tab of the SCIM User Provisioning plugin.
• By default, De-provisioning will delete the users from the WordPress site.

Step 4: Attribute Mapping for SCIM Users

  Attribute Mapping for SCIM Users in Azure AD

• Click on Mappings dropdown then click on the Provision Azure Active Directory Groups and disable it.

• Click on Save button.

• Assign users to your application by clicking Users and groups >> Add user/group .

• Clcik on None Selected, choose users and click on Select button.

• Click on Assign button.

• Assigned users will be created in your WordPress site if they are not already present.
• Once done with configuration, Go back to Provisioning and click on Start provisioning .

  Configure the AzureAD to send custom Attribute Mapping [This is a premium feature]

• The steps in Attribute Mapping for SCIM Users in Azure AD must be followed in order to create custom attribute mapping.
• Navigate to the Provisioning >> Overview >> Edit attribute mapping section of your Enterprise Application of the AzureAD.

• Navigate to the Provision Azure Active Directory Users section under the Mappings dropdown.

• Go to Edit attribute list for customappsso section. (Make sure you have checked Show advanced options).

• Scroll down to the bottom of this page and add this namespace urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User:{custom attribute name of the WordPress } eg :- urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User:Brand

• In case the custom attribute needs to be stored as xprofile field or BuddyPress/BuddyBoss field. You should add bb_{xprofile field} eg :- urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User:bb_City
• Once the attribute will be populated with the value received in the urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User:bb_City variable
• After adding all the attributes, click Save button. Next, choose which Azure AD attribute whose values should be sent as urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User:{attribute _name}
• Click on the Add New Mapping.

• Select Source attribute, this value will be sent from AzureAD to WordPress. In the Target attribute select the extended attribute for respective attribute for the WordPress. Click Ok button.

  Configure Attribute Mapping of SCIM User Provisioning Plugin [ This is a premium feature ]

• Navigate to Attribute-Mapping subtab and enable Show User Attribute when a user is created.

• Once this option is selected you can navigate to the Attribute Mapping tab of the plugin and Provision a test user (This user must not exist in the WordPress) to check the attributes sent by AzureAD.
• Once a new user is created you can select the User’s attributes to be mapped from the dropdown beside the attribute field.

Step 5: SCIM Audit [This is a premium feature]

• SCIM Audit allows you to keep the track of all the provisioning activity taking place. It shows you the detailed information about each user being provisioned. This information includes the User Action, Status, Created Date etc.
• In the miniOrange SCIM User Provisoner plugin, naviagate to the SCIM Audit tab.
• Here you can see all the User provision information.

• Click on the Show Advanced Search button, to search the provisoned user details by using the search filters like Wordpress Username, IP Address etc.

• On clicking the Clear Reports button, you can clear all the user provisioned details.


SCIM User Provisioning plugin also supports provisioning for other IDP's like Okta ,Cognito,OneLogin,Salesforce, Ping Identity, WSO2, GSuite, GitHub and many more.

Additional Resource

• What is SCIM User Provisioning?
• User Data Synchronization

Other Supported IDPs

Okta

Centrify

Google Apps

One Login

PingOne

Custom IDP

If you are looking for anything which you cannot find, please drop us an email on samlsupport@xecurify.com