Set Up SCIM for Microsoft Entra ID
Use Microsoft Entra ID to synchronize the creation, deletion, and updating of users and user groups in Visier.
Note: Limited Availability This feature is in limited availability. If you are interested, please contact your
Overview
SCIM, the System for Cross-Domain Identity Management, automates how identity information is exchanged between two entities, such as your identity provider (IdP) and Visier. SCIM replaces manual user management and user group management in Visier. By setting up SCIM with Visier, you can reduce the effort it takes to create, modify, and synchronize employee accounts between your IdP and users and user groups in Visier.
This topic describes how to set up SCIM if your identity provider is Microsoft Entra ID. For more information about setting up SCIM with Microsoft Entra ID, see SCIM synchronization with Microsoft Entra ID.
Microsoft Entra ID SCIM in Visier synchronizes users from Microsoft Entra ID to Visier. If you delete a user in Microsoft Entra ID, SCIM deletes that user in Visier. If you delete a user in Visier, nothing happens to the user in your Microsoft Entra ID.
Tip: For more information about general SCIM issues, see Troubleshooting.
Step One: Configure SCIM in Visier
Prerequisites: Create a service account user in Visier and assign the Visier Analytics User and Visier Cloud Administrator profiles to the user. This user executes all SCIM requests in Visier.
- On the global navigation bar, click Settings > SCIM Configuration.
- In the Public RSA Key box, paste the public key associated with your IdP JSON Web Token (JWT). The public key must be an RSA public key in PEM encoding, as specified in RFC 7468. The supported formats are X.509 certificate, PKCS#1 RSAPublicKey, and X.509 SubjectPublicKeyInfo.
Example:
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoAF1T6ZubDUlCK1EJ1XX
…
-----END PUBLIC KEY-----
- In the Issuer box, type the entity ID of the IdP. The issuer uniquely identifies the identity provider within the solution and must match the iss claim in the OAuth 2.0 bearer token provided by the IdP.
- In the Subject box, type the subject ID of the JWT. The subject is a unique identifier that must match the sub claim in the OAuth 2.0 bearer token provided by the IdP.
- In SCIM service account, select the user you created as part of the SCIM prerequisites.
- Optional: To set the network subnets that are allowed to make SCIM requests to Visier, in Network subnets, type the IP addresses using the Classless Inter-Domain Routing (CIDR) format: xxx.xxx.xxx.xxx/xx.
- When finished, click Save.
Result: The Visier side of SCIM is ready. You can now set up SCIM with Visier in your identity provider.
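The following pre-flight check is an added example, not Visier or Microsoft code. It decodes a bearer JWT and compares it with the values typed into the Issuer, Subject, and Network subnets boxes, which helps when a connection test fails. The function names, sample token, and addresses are constructed, the signature is not verified, and treating an empty subnet list as unrestricted is an assumption.

```python
import base64
import ipaddress
import json

RSA_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512"}

def b64url_json(obj):
    """Encode a dict as an unpadded base64url JSON segment (sample data only)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def preflight(token, issuer, subject, subnets, source_ip):
    """List mismatches between a bearer JWT and the SCIM Configuration values.
    Diagnostic only: the signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part compact JWS"]
    try:
        header, claims = (
            json.loads(base64.urlsafe_b64decode(p + "=" * (-len(p) % 4)))
            for p in parts[:2]
        )
    except ValueError:
        return ["header or payload is not base64url-encoded JSON"]
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return ["header or payload is not a JSON object"]
    problems = []
    if header.get("alg") not in RSA_ALGS:
        problems.append(f"alg {header.get('alg')!r} is not an RSA signature algorithm")
    if claims.get("iss") != issuer:
        problems.append("iss claim does not match the Issuer box")
    if claims.get("sub") != subject:
        problems.append("sub claim does not match the Subject box")
    nets = []
    for cidr in subnets:
        try:
            nets.append(ipaddress.ip_network(cidr))  # strict: host bits must be zero
        except ValueError:
            problems.append(f"{cidr!r} is not a valid CIDR network")
    # Assumption: an empty Network subnets list means no source restriction.
    if subnets and not any(ipaddress.ip_address(source_ip) in n for n in nets):
        problems.append(f"{source_ip} is outside the allowed subnets")
    return problems

# Constructed sample values; the signature segment is a dummy placeholder.
SAMPLE_TOKEN = ".".join([
    b64url_json({"alg": "RS256", "typ": "JWT"}),
    b64url_json({"iss": "https://idp.example.com", "sub": "scim-client"}),
    "c2lnbmF0dXJl",
])
```

An empty list from `preflight` means the decoded claims and source address agree with the configured values; it says nothing about whether the signature validates against the pasted public key.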
Step Two: Configure SCIM in Microsoft Entra ID
To set up SCIM in Microsoft Entra ID, create a new configuration in the enterprise application.
- Sign in to Microsoft Entra admin center.
- Navigate to Identity > Applications > Enterprise applications.
- In the list of applications, select the application in which you want to set up SCIM with Visier.
- In the application's Overview, click New configuration, as shown in the following screenshot.
- In Tenant URL, type https://{vanity_name}.visier.com/hr/scim/v2, where {vanity_name} is your Visier vanity name.
Tip:
To find your vanity name:
- In Visier, in the global workspace, click Settings > Single Sign-On.
- Under Single Sign-On, find your service provider endpoint; for example, https://jupiter.visier.com/VServer/auth. In this example, jupiter is the vanity name.
- In Secret token, paste the private key associated with your IdP JSON Web Token (JWT).
- Click Test Connection. This checks that Microsoft Entra ID can connect to Visier.
- When successful, click Create.
After creating the communication configuration between Microsoft Entra ID and Visier, set your attribute mappings.
- On the navigation bar, click Attribute mapping, as shown in the following screenshot.
- In the list of mappings, click Provision Microsoft Entra ID Users.
- In Target Object Actions, select the actions to execute in Visier from the list of Create, Update, and Delete. For example, if you don't want to delete users in Visier when a user is deleted in Microsoft Entra ID, do not select Delete.
- In Attribute Mappings, delete every customappsso Attribute mapping except the following:
- userName
- active
- displayName
- emails[type eq "work"].value
- urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber
When finished, your attribute mappings list should only contain the above mappings, as shown in the following screenshot.
- When finished, click Save.
- Return to the list of mappings and click Provision Microsoft Entra ID Groups.
- In Target Object Actions, select Create, Update, and Delete.
- In Attribute Mappings, delete every customappsso Attribute mapping except the following:
- displayName
- members
When finished, your attribute mappings list should only contain the above mappings, as shown in the following screenshot.
- When finished, click Save.
After mapping Users and Groups for SCIM, you can start provisioning users and user groups in Visier.
- On the navigation bar, click Overview.
- In the application's Overview, click Start provisioning, as shown in the following screenshot. This creates and deletes users and user groups in Visier based on the users and groups in Microsoft Entra ID.
- After the provisioning cycle is stable, you can click Overview to see a summary, as shown in the following screenshot.
Now that you're set up in Visier and Microsoft Entra ID, you can make SCIM requests to Visier. For more information, see Step Three: Make SCIM requests.