- Overview
- Setting up SCIM
- Configuring the Entra Application for User Provisioning
- Creating User Groups from Entra in SafeZone through SCIM
Overview
SCIM (System for Cross-domain Identity Management) allows user and group data from Microsoft Entra ID (formerly Azure Active Directory) to be provisioned into SafeZone. Records are pre-registered in SafeZone Command automatically as they are added to your organization's directory. SCIM can import names, email addresses and mobile phone numbers, which makes it a useful tool for populating the Emergency Communications database.
Benefits:
- Automatic onboarding and offboarding of users
- Automatic creation of User Groups in SafeZone (e.g. Staff groups / Student groups). This helps create:
  - Groups for targeting with emergency communications
  - Groups for providing custom Wellbeing setups (e.g. Employee Assistance Programmes for Staff and Student Support for Students)
Operational summary
General
- Data provisioning is pushed by Entra on its own schedule and refreshes approximately every 45 minutes
- Individual records can be provisioned on demand from Entra for testing purposes
- No data is written back into Entra by SafeZone (i.e. SafeZone never updates or deletes Entra users or groups)
User Onboarding
- Depending on your configuration choice, users are either pre-registered or directly registered in SafeZone when they meet Entra's provisioning criteria.
- For a user to be fully registered in SafeZone, a first name, last name, email address and mobile phone number must all be populated in Entra.
- No pre-registration emails are sent automatically. They can be sent later through Bulk User Actions in the SafeZone user list.
User Updates
- No updates flow from SafeZone back to Entra
- SafeZone can be configured, per field, to either accept updates from Entra or keep the value held in SafeZone (see "Preserved User Fields" under Configuring the SCIM Settings)
- A user's email is updated in SafeZone when the primary email is updated in Entra
User Offboarding (including enabling and disabling)
- Users hard deleted in Entra are deleted in SafeZone (a soft-deleted Entra user is only hard deleted when it is permanently removed, by default after 30 days in the Entra recycle bin, or manually)
- Fully registered users who are disabled or soft deleted in Entra are disabled in SafeZone
- Pre-registered users who are disabled or soft deleted in Entra are left unchanged in SafeZone (pre-registration has no disabled state)
- Users disabled in SafeZone this way are re-enabled when the account is re-enabled in Entra
User Group Management
- User groups in Entra can be shared with SafeZone
- Groups are matched on their Entra object ID rather than their name, so a group rename in Entra is passed through to SafeZone
- Groups provisioned from Entra are Closed Groups in SafeZone and cannot be self-joined by end users
- Group membership is updated through the SCIM protocol, so users are added to and removed from the SafeZone group according to their membership in Entra
Setting up SCIM
Pre-requisites
- Your organization uses Enterprise Applications in Microsoft Entra ID
- SafeZone has been added as an Enterprise Application with Single Sign On configured for access control
- You have a declared Entity ID attribute, either persistent or transient, and have entered it in the Single Sign On Settings in SafeZone
Initial SCIM Setup in SafeZone
Checking Single Sign On Settings
- Go to Admin - Zone Configuration - Global Settings and expand the "Single Sign On Settings"
- Click the provider you would like to link through SCIM
- On the pop-up window that appears, enter:
  - Entity ID Attribute
  - Email Attribute
- Click Save to confirm
Configuring the SCIM Settings
- Go to Admin - Zone Configuration - Global Settings and expand the "SCIM Settings" menu
- Click "Edit" and then check the "Enabled" box to expand the configuration options.
- Set whether users imported through SCIM are "Pre-registered" or "Registered" in SafeZone. For most organizations using SCIM for Mass Comms or Wellbeing Group management, the most common setup is:
  - the "Select User Registration Type (all SCIM users will be registered using this setting)" radio button selected, and
  - "Pre-registered" selected in the drop-down list (so users must complete registration before using the SafeZone application)
- It is recommended to select the "Select IDP" radio button, then choose your Single Sign On Provider from the selection box and then the IDP User Identifier (this can also be entered manually). This is the value used to match SCIM-provisioned records to SSO logins, so choose a persistent identifier (such as the Entra object ID) rather than one that can change, such as an email address or UPN; a change to it would leave users unmatched.
- Select your source of truth for record updates in the "Preserved User Fields" section. Leaving a box unchecked means that field is managed wholly by Entra through SCIM. Checking it means changes made in SafeZone (e.g. by the user on their profile screen in the app) are preserved and later Entra updates to that field are ignored. The setting can be made independently for:
  - Given Name
  - Family Name
  - Mobile Phone
- User Template: to assign a default User Template to all users imported through SCIM, select the first radio button "Select User Template (all SCIM users will be assigned this)", then use the drop-down list to select the template (and permissions) to be applied. If unsure, use the "Default" option. Because the template carries the users' permissions, pick the least-privileged template that covers the imported population rather than an administrative one.
- Click "Save" to confirm.
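The behaviour described in the Operational summary (onboarding, preserved fields, disable versus delete, group mirroring) and the registration-type and Preserved User Fields settings above can be traced against the SCIM 2.0 messages Entra's provisioning service sends. The following is an added example and is not SafeZone's or CriticalArc's code: the in-memory store, the field names and the exact wiring of the rules are assumptions that mirror the documented behaviour, and the sample messages are constructed with placeholder identifiers.

```python
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
REQUIRED = ("given_name", "family_name", "email", "mobile")  # all needed for full registration
PATH_TO_FIELD = {  # PATCH paths from Entra's default attribute mappings -> fields in this model
    "name.givenName": "given_name", "name.familyName": "family_name", "active": "active",
    'emails[type eq "work"].value': "email", 'phoneNumbers[type eq "mobile"].value': "mobile"}


def _truthy(value):  # Entra may send booleans as the strings "True"/"False" in PATCH bodies
    return value if isinstance(value, bool) else str(value).lower() == "true"


def from_scim_user(resource):
    """Flatten a SCIM User (as POSTed by Entra) to first name, last name, primary email, mobile."""
    name = resource.get("name", {})
    emails = [e["value"] for e in resource.get("emails", []) if e.get("primary")]
    mobiles = [p["value"] for p in resource.get("phoneNumbers", []) if p.get("type") == "mobile"]
    return {"given_name": name.get("givenName"), "family_name": name.get("familyName"),
            "email": emails[0] if emails else None, "mobile": mobiles[0] if mobiles else None,
            "active": _truthy(resource.get("active", True))}


class SafeZoneStore:
    """Assumed stand-in for the SafeZone user list; users and groups are keyed by Entra's externalId."""

    def __init__(self, register_directly=False, preserved=()):
        self.register_directly = register_directly  # "Registered" vs "Pre-registered" setting
        self.preserved = set(preserved)             # Preserved User Fields: SafeZone's value wins
        self.users, self.groups = {}, {}

    def create_user(self, resource):                # onboarding
        rec = from_scim_user(resource)
        # Assumption: direct registration only when every required field is present.
        complete = self.register_directly and all(rec[f] for f in REQUIRED)
        rec.update(state="registered" if complete else "pre-registered", disabled=False)
        self.users[resource["externalId"]] = rec
        return rec

    def patch_user(self, ext_id, patch):            # updates and enable / disable
        rec = self.users[ext_id]
        for op in patch["Operations"]:
            if op["op"].lower() not in ("replace", "add"):
                continue
            changes = {op["path"]: op["value"]} if "path" in op else op["value"]
            for path, value in changes.items():
                field = PATH_TO_FIELD.get(path)
                if field == "active":
                    rec["active"] = _truthy(value)
                    if rec["state"] == "registered":   # pre-registration has no disabled state
                        rec["disabled"] = not rec["active"]
                elif field and field not in self.preserved:
                    rec[field] = value
        return rec

    def delete_user(self, ext_id):                  # offboarding: hard delete in Entra
        self.users.pop(ext_id)
        for group in self.groups.values():
            group["members"].discard(ext_id)

    def create_group(self, resource):               # closed group, keyed by Entra id
        self.groups[resource["externalId"]] = {"name": resource["displayName"], "closed": True,
                                               "members": {m["value"] for m in resource.get("members", [])}}

    def patch_group(self, ext_id, patch):           # rename and membership changes
        group = self.groups[ext_id]
        for op in patch["Operations"]:
            kind, path = op["op"].lower(), op.get("path", "")
            if kind == "replace" and path == "displayName":
                group["name"] = op["value"]         # rename passes through; the key is the id
            elif path.startswith("members"):
                ids = {m["value"] for m in op.get("value", [])}
                if "[" in path:                     # filter form: members[value eq "<id>"]
                    ids.add(path.split('"')[1])
                if kind == "add":
                    group["members"] |= ids
                elif kind == "remove":
                    group["members"] -= ids


# Constructed sample messages in the shape Entra's provisioning service sends (placeholder ids).
CREATE_ALICE = {"schemas": [SCIM_USER], "externalId": "a1b2c3", "userName": "alice@example.edu",
                "name": {"givenName": "Alice", "familyName": "Smith"}, "active": True,
                "emails": [{"primary": True, "type": "work", "value": "alice@example.edu"}],
                "phoneNumbers": [{"type": "mobile", "value": "+441234567890"}]}
CREATE_BOB = {"schemas": [SCIM_USER], "externalId": "d4e5f6", "name": {"givenName": "Bob", "familyName": "Jones"},
              "emails": [{"primary": True, "type": "work", "value": "bob@example.edu"}]}  # no mobile
RENAME_AND_DISABLE = {"schemas": [SCIM_PATCH], "Operations": [
    {"op": "Replace", "path": "name.givenName", "value": "Alicia"},
    {"op": "Replace", "path": "name.familyName", "value": "Smyth"},
    {"op": "Replace", "path": "active", "value": "False"}]}
CREATE_STAFF = {"schemas": [SCIM_GROUP], "externalId": "g-staff", "displayName": "Staff",
                "members": [{"value": "a1b2c3"}]}
RENAME_AND_ADD = {"schemas": [SCIM_PATCH], "Operations": [
    {"op": "Replace", "path": "displayName", "value": "All Staff"},
    {"op": "Add", "path": "members", "value": [{"value": "d4e5f6"}]}]}


def demo():
    """Run the scenario and return the store so the outcome can be inspected."""
    store = SafeZoneStore(register_directly=True, preserved=("given_name",))
    store.create_user(CREATE_ALICE)                 # complete record -> registered
    store.create_user(CREATE_BOB)                   # no mobile -> pre-registered
    store.create_group(CREATE_STAFF)
    store.patch_group("g-staff", RENAME_AND_ADD)    # rename passes through, Bob is added
    store.patch_user("a1b2c3", RENAME_AND_DISABLE)  # given name kept, surname taken, disabled
    store.delete_user("d4e5f6")                     # hard delete removes record and memberships
    return store
```

Running `demo()` leaves Alice registered but disabled, with her preserved given name intact and the new family name applied, and leaves the renamed "All Staff" group with Alice as its only member because Bob's hard delete also removed his membership. Applying the same disable PATCH to a pre-registered user flips `active` but never sets `disabled`, which is the distinction the Offboarding section draws.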
Generating the SCIM URL and Token
Once the configuration above is saved, the SCIM URL and token that must be entered into your Entra provisioning setup are generated automatically at the top of the SCIM Settings menu.
The SCIM URL is unique to your environment and cannot be changed. Use the icon to the right of the text box to copy it for pasting into Entra.
The SCIM Token is generated automatically for your environment. Use the icon to the right of the text box to copy it for pasting into Entra. It is a bearer secret: anyone holding it can create, modify and delete users in your zone through the SCIM endpoint, so store it only in the Entra provisioning configuration and do not pass it around by email or chat. If you need a different token (for example after a suspected exposure), use the "Regenerate" button.
Clicking "Regenerate" prompts you that doing so invalidates the existing token; confirm by clicking "Regenerate". Entra provisioning will fail with authentication errors until the new token is entered into the Entra application.
Initial Entra Setup for SCIM
Note: all the guidance below related to SCIM setup on Entra is provided as-is and is correct at the time of writing. It is a summary of Microsoft's own documentation and is therefore subject to change. Please inform support@criticalarc.com if you notice any discrepancies.
- In the Microsoft Entra admin center (or Azure portal), sign in as a user that can create an Enterprise Application and go to Enterprise Applications.
- Click + New application above the application list, then Create your own application.
- Enter a name for the application, ensure the "Integrate any other application you don't find in the gallery (Non-gallery)" radio button is selected, and click Add.
- Under the Manage menu, click Provisioning.
- Set Provisioning Mode to Automatic.
- Set the SCIM API endpoint URL (labelled Tenant URL in Entra) to the SCIM URL generated above (Generating the SCIM URL and Token).
- Set the SCIM API token (labelled Secret Token in Entra) to the SCIM Token generated above.
- Click Test Connection and wait for the message confirming that the credentials are authorized to enable provisioning.
- Click Create to confirm.
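When Test Connection fails it is useful to reproduce the request from a shell to separate a wrong URL from a wrong (or regenerated) token. The script below is an added example, not CriticalArc's or Microsoft's code. It assumes that Entra's connectivity test is a filtered GET on /Users with the bearer token, that the endpoint answers 401 for a bad token and 404 for a wrong path, and that a good reply is a SCIM ListResponse; the URL, token and `fake_opener` stand-in are placeholders constructed for offline use.

```python
import json
import os
import sys
import urllib.error
import urllib.request

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def build_probe(scim_url, token):
    """The kind of request Entra's Test Connection makes: a filtered GET on /Users for a
    user that does not exist, authenticated with the bearer token copied from SafeZone."""
    url = scim_url.rstrip("/") + "/Users?filter=userName%20eq%20%22probe%40invalid%22&count=1"
    return urllib.request.Request(url, headers={"Authorization": "Bearer " + token,
                                                "Accept": "application/scim+json"})


def diagnose(status, body):
    """Map the HTTP outcome to the action an administrator should take (assumed status semantics)."""
    if status == 401:
        return "token rejected: paste the current SafeZone token (Regenerate invalidates the old one)"
    if status == 404:
        return "not found: re-copy the SCIM URL from SafeZone; it must be the SCIM base URL"
    if status == 200 and LIST_RESPONSE in (body or {}).get("schemas", []):
        return "ok: endpoint reachable and token accepted"
    if status == 200:
        return "reachable, but the reply is not a SCIM ListResponse: check the URL"
    return "unexpected HTTP %d" % status


def probe(scim_url, token, opener=urllib.request.urlopen):
    """Send the probe and return (status, diagnosis). `opener` is injectable so the logic
    can be exercised offline; by default it makes a real HTTPS request."""
    request = build_probe(scim_url, token)
    try:
        with opener(request, timeout=15) as response:
            status, body = response.status, json.loads(response.read() or b"{}")
    except urllib.error.HTTPError as err:
        status, body = err.code, None
    return status, diagnose(status, body)


def fake_opener(status, body=b""):
    """Constructed stand-in for urlopen, used only for offline checks (not a real endpoint)."""
    class _Response:
        def __init__(self):
            self.status = status

        def read(self):
            return body

        def __enter__(self):
            return self

        def __exit__(self, *exc):
            return False

    def _open(request, timeout=None):
        if status >= 400:
            raise urllib.error.HTTPError(request.full_url, status, "error", {}, None)
        return _Response()
    return _open


if __name__ == "__main__":
    # Usage: SCIM_TOKEN=... python scim_probe.py https://<scim-url-from-safezone>
    # The token is read from the environment rather than argv so it does not land in
    # the process list or shell history.
    code, verdict = probe(sys.argv[1], os.environ["SCIM_TOKEN"])
    print(code, verdict)
```

A 401 immediately after clicking "Regenerate" in SafeZone is expected until the new token is saved in Entra; a 200 whose body is not a ListResponse usually means the URL points at a web page rather than the SCIM base.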
Configuring the Entra Application for User Provisioning
Once the connection has been successfully tested (previous step), you can choose whether to provision all users or a subset.
It is recommended to begin with a small subset of test users.
- In the SafeZone Enterprise Application in Entra, select "Provisioning"
- Select "Provision Microsoft Entra ID Users"
- Set the users to provision according to your deployment stage and requirements (assign the users to the application and set the provisioning Scope to match)
- Set the provisioning state to "On"
Note: provisioning runs on a schedule, so it may not begin immediately. Entra's "Provision on demand" option in the provisioning menu can be used to provision a particular user as part of your testing.
Creating User Groups from Entra in SafeZone through SCIM
User Groups can be populated in SafeZone automatically from an existing group in Entra. This can be used to separate staff from students in SafeZone, or to add people to a particular department, site or campus. In short, any group in Microsoft Entra can be mirrored in SafeZone.
Note: the guidance below is provided as-is and is correct at the time of writing; however, it is a summary of Microsoft's own documentation and is therefore subject to change. Please inform support@criticalarc.com if you notice any discrepancies.
- In the SafeZone Enterprise Application in Entra, select "Provisioning"
- Select "Provision Microsoft Entra ID Groups"
- Set the groups to provision according to your deployment stage and requirements
- Set the provisioning state to "On"
Note: provisioning runs on a schedule, so it may not begin immediately. Entra's "Provision on demand" option in the provisioning menu can be used to provision a particular group as part of your testing.