Create a SCIM provisioning app in Microsoft Entra ID

  • Updated
Optimizely officially supports SCIM provisioning with Entra ID, Okta, and PingOne. Other IdPs are not officially supported for SCIM provisioning, and Optimizely does not assist with custom configuration or troubleshooting.

You can set up a Microsoft Entra ID enterprise app integration that uses System for Cross-domain Identity Management (SCIM) for provisioning. This securely automates and manages user identity information, such as user and group creation, updates, and deactivation, from Entra ID to Opti ID.

Prerequisites

  • Configure the SAML or OIDC SSO connection in your identity provider (IdP). If you intend to use your IdP for provisioning and SSO, the best practice is to use two separate apps in your IdP: one to manage the SCIM integration and one to manage the SSO integration.
  • Decide to use just-in-time (JIT) or SCIM for user and group provisioning. You cannot use JIT and SCIM at the same time. Default SSO in Opti ID uses JIT provisioning. Choosing SCIM automatically opts you out of JIT provisioning. Contact Optimizely Support to configure your SCIM organization.
  • You must be in the Admin Center Administrators group in the Opti ID Admin Center.
  • You must have administrator rights in your IdP account.
If you create multiple SSO connections, you can only use SCIM for one of those SSO connections.

Add a SCIM app in Entra ID

  1. Go to Manage > Enterprise Applications in the Entra ID portal and click + New application to create an enterprise application.
  2. Click + Create your own application.
  3. Enter a descriptive name for your app, and then select Integrate any other application you don’t find in the gallery (non-gallery) to create your own app instead of using a published gallery app.

Configure provisioning options

Next, configure SCIM options so the application knows how to handle the provisioning of the users and groups from Entra ID into Opti ID.

  1. Generate a SCIM token in Opti ID. This token is required for step 3. It is your responsibility to keep this key secure.
  2. Click Get Started in the Provisioning section.
  3. Complete the following provisioning properties to use the HTTP header authentication method:
    • Provisioning Mode – Set to Automatic.
    • Tenant URL – Enter https://identity-api.optimizely.com/api/scim/v2.
    • Secret Token – Paste the SCIM token you generated from Generate a SCIM token in Opti ID.
  4. Click Test Connection to test whether the app can connect to your SCIM API. If there are errors, make sure your tenant URL and secret token are correct and try again.
  5. Click Save.

Customize user provisioning attribute mappings

  1. Click Provisioning under Manage in the Entra ID app. 
    SCIM - Provisioning 1.png
  2. Click Provisioning again and expand the Mappings section.
    SCIM - Provisioning 2.png

  3. Delete all attributes for each user mapping, except the following:

    • userName (You should have this mapped with an email address)
    • active
    • name.givenName

    • name.familyName

    If you delete the active, name.givenName, or name.familyName attributes, you must recreate them as new mappings.

  4. Delete all attributes for the group mappings, except the following:
    • displayName

    • members

  5. Set Provisioning Status to On.

After you complete the provisioning, there may be a delay in the user information syncing from Entra ID to Opti ID because of Entra ID's sync schedule. Entra ID syncs every 40 minutes.

To force a sync for an individual user, go to Provisioning > Provision on Demand, then search for and select the user.

Recreate deleted mappings

You only need to complete the settings in this section if you accidentally deleted the active, name.givenName, or name.familyName attributes. If you deleted any of those attributes, you must recreate them as new mappings with the following settings shown for each attribute.

active

  • Mapping type – Expression
  • ExpressionSwitch([IsSoftDeleted], , "False", "True", "True", "False")
  • Target attribute – active
  • Match objects using this attribute – No
  • Apply this mapping – Always

name.givenName

  • Mapping type – Direct
  • Source attribute – givenName
  • Target attribute – name.givenName
  • Match objects using this attribute – No
  • Apply this mapping – Always

name.familyName

  • Mapping type – Direct
  • Source attribute – surname
  • Target attribute – name.familyName
  • Match objects using this attribute – No
  • Apply this mapping – Always

Limitations and usage tips

There are a few limitations and usage tips for how Entra ID integrates through SCIM 2.0. 

User management in Entra ID

If you delete or deactivate a user in Entra ID:

  • The user is unassigned from all groups in Opti ID.
  • The user is deleted in Opti ID.

If you restore that same user in Entra ID:

  • The user is created in Opti ID.
  • The user is assigned to the Opti ID groups that are assigned to them in Entra ID.

User management in Opti ID

SCIM syncs only groups and users from your SSO. Instances, roles, and permissions are managed within the Opti ID Admin Center. When using SCIM provisioning, performing a group push creates internal groups in Opti ID.

In addition to managing users and groups through your IdP, you have the flexibility to continue managing non-IdP users and groups directly through the Opti ID Admin Center:

  • Manually add collaborators or partners and groups.
    • You should manage your SSO users with an upstream IdP.
  • Assign a product instance to a group.
  • Assign roles to product instances.

Only make the following changes in your upstream IdP and let it flow downstream to Opti ID. Do not make these changes in the Opti ID Admin Center:

  • Edit users' first and last names. This causes a discrepancy between the IdP and Opti ID.
  • Edit group names and user memberships of groups provisioned from SCIM to Opti ID. This causes out-of-sync user assignments for your SSO users. Instead, create separate groups for collaborators or partners in Opti ID because those are not managed by SCIM provisioning.
  • Delete users and groups. This makes that resource unavailable for updates from the IdP.

The following groups are reserved only for internal Opti ID use. Do not link them to your Opti ID SCIM application:

  • Everyone
  • Admin Center Administrators

Troubleshoot

You can troubleshoot using Microsoft Entra ID provisioning logs to find:

  • Which groups were successfully created and removed
  • Which users were successfully created and removed
  • Which users were assigned to or removed from the Opti ID SCIM provisioning app

If there are any issues with provisioning:

  1. Unassign all the users and user groups from the Opti ID SCIM app.
  2. Wait about 40 minutes for the sync to complete.
  3. Reassign users and user groups to the Opti ID SCIM app.

Frequently Asked Questions (FAQ)

If your organization is already onboarded to Opti ID using SSO and JIT, what happens to existing users when your organization switches to using SCIM?

There will not be any issues with users created in the Opti ID Admin Center, as these users are mapped to newly assigned groups from the upstream IdP during SCIM provisioning.

If your organization is already onboarded to Opti ID using SSO and JIT, what happens to existing groups when your organization switches to using SCIM?

Opti ID has three group types. See Manage groups for the list of group types and their descriptions.

If your organization wants to manage users with groups that have the same name as previously created Custom groups in Opti ID, then you must delete those groups in Opti ID before enabling SCIM provisioning.

You cannot delete Product user groups in Opti ID. When you enable SCIM, any group you create on your side cannot have the same name as a Product group in Opti ID. You must pick a different name (like, Opti_SCIM_<existing-Product-user-group-name>) and assign that SCIM group the same access that the corresponding group has in Opti ID. After you enable SCIM, do not use previously defined Product groups.