Configure SCIM Connector for the Cloud Identity Engine

As part of the Cloud Identity Engine, Directory Sync connects to your directory to obtain the user and group information used for user identification and for enforcing user-based and group-based security policy.
Configuring the System for Cross-Domain Identity Management (SCIM) protocol for Directory Sync in the Cloud Identity Engine lets you control which attributes Directory Sync collects from your Azure Active Directory (Azure AD): you add or remove attributes in the Azure Portal to choose what is shared with the Cloud Identity Engine for user and group identification.
You must also complete the required steps in the Azure AD Portal. For more information, refer to the documentation for the Azure AD SCIM Connector.
If you encounter any issues with the SCIM Connector setup, see Troubleshoot Cloud Identity Engine Issues.
  1. Add a new application in the Azure Portal, then obtain the information needed to configure SCIM for Directory Sync.
    Azure AD SCIM provisioning requires that the group attribute displayName be unique. If more than one group has the same displayName value, the initial sync does not succeed and the data for the groups with duplicate names may be only partially retrievable. If the duplicate groups are not used in security policy, you can proceed. If you use the duplicate group names in security policy, you must resolve the issue by modifying the displayName attribute in your Azure AD so that each group name is unique.
    1. Log in to the Azure Portal.
    2. Select Overview (if it is not already selected), copy the Tenant ID, and save it in a secure location.
    3. Copy the Primary domain and save it in a secure location.
    4. Select Enterprise applications > All applications > New application.
    5. In Search application(s), enter Palo Alto Networks SCIM Connector.
    6. Select Palo Alto Networks SCIM Connector and Create the application.
      If you encounter an error when creating the application, refer to Troubleshoot Cloud Identity Engine Issues.
  2. Set up SCIM in the Cloud Identity Engine app and obtain the information needed to configure your Azure AD to use SCIM with Directory Sync.
    1. In the Cloud Identity Engine app, select Directory Sync > Directories > Cloud Directories > Set Up > Azure SCIM.
    2. Enter the information you copied from the Azure Portal in the previous step into the Cloud Identity Engine fields as shown in the following table:
      Copy From Azure Portal    Enter In Cloud Identity Engine
      Tenant ID                 Directory ID
      Primary domain            Directory Name
    3. Copy the Base URL and save it in a secure location.
    4. Click Generate Token, then copy the token that the Cloud Identity Engine generates for your Authorization Method and save it in a secure location.
      Before continuing to the next step and submitting the changes, save the token in a location where you can easily retrieve it to enter in the Azure Portal. This token is what authorizes Azure AD to provision directory data into the Cloud Identity Engine, so protect it as you would any other secret. If you submit the changes in the Cloud Identity Engine app before you generate and save the token, you must generate a new token in the Cloud Identity Engine app and enter the new token in the Azure Portal.
    5. Click Submit to commit your changes.
      You must complete the setup in the Cloud Identity Engine before you can successfully Test Connection in the Azure Portal.
  3. Configure your Azure AD to use the SCIM Connector to connect to the Cloud Identity Engine.
    1. Log in to the Azure AD Portal.
    2. Select Enterprise Applications, then select the Palo Alto Networks SCIM Connector application.
    3. Select Provisioning and click Get Started.
    4. Select Automatic as the Provisioning Mode.
    5. Paste the information you copied from the Cloud Identity Engine in the previous step into the fields as shown in the following table:
      Copy From Cloud Identity Engine    Enter In Azure Portal
      Base URL                           Tenant URL
      Authorization Method token         Secret Token
    6. Save your changes.
    7. (Optional but recommended) Click Test Connection to confirm that Azure AD can communicate with the Cloud Identity Engine app using the Tenant URL and Secret Token you entered.
  4. Manage the users, groups, and attributes that Azure AD provisions to the Cloud Identity Engine app.
    1. In the Azure Portal, select Provisioning > Edit Provisioning.
    2. Select Mappings, then select whether you want to edit the attributes used when you Provision Active Directory Groups or Provision Active Directory Users.
    3. Delete any attributes that you do not want to provide to the Cloud Identity Engine app.
    4. (Optional) Click Add new mapping to add a mapping that you want Azure AD to use to identify users for the Cloud Identity Engine.
    5. (Optional) By default, the Cloud Identity Engine only synchronizes the users and groups you assign to this app in the Azure Portal. You can optionally synchronize all users and groups (Settings > Sync all users and groups). Keep the default unless your security policy needs the entire directory; the assigned-only scope limits the identity data shared with the Cloud Identity Engine to what policy actually uses.
    6. Save your changes when they are complete.
  5. Allow Azure AD to provide the information to the Cloud Identity Engine and verify that the Cloud Identity Engine uses SCIM to obtain the Azure AD information.
    1. In the Azure Portal, verify that you have completed all the provisioning steps in the documentation for the Azure AD SCIM Connector.
    2. Select the name of the app that you configured in the first step, then select Manage > Provisioning > Start Provisioning to begin providing attributes to the Cloud Identity Engine.
    3. Wait until the sync is complete (Initial cycle completed), then View provisioning details.
    4. Verify that the synchronization was successful by confirming the timestamps (Completed and Steady state achieved).
      If the number of users and groups does not display, refer to Troubleshoot Cloud Identity Engine Issues.
    5. In the Cloud Identity Engine app, verify that the SCIM Change Timestamp for your Azure SCIM directory is populated on the Directories page.
    6. Select Actions > Full Sync to complete a full synchronization of your Azure Active Directory with Directory Sync for the Cloud Identity Engine.
      You must successfully complete a full sync in the Cloud Identity Engine app to complete the SCIM Connector setup.
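The procedure above warns that a shared group displayName makes the initial SCIM sync fail or leave duplicate groups only partially retrievable, and that this only blocks you when the duplicated name is referenced by security policy. The following added example (not code from Palo Alto Networks or Microsoft) is a pre-flight check you can run before Start Provisioning: it reads groups from Microsoft Graph (fetch_all_groups needs a token with Group.Read.All or Directory.Read.All and is not exercised offline) or from any export with id and displayName fields, reports every displayName used by more than one group, and separates the duplicates that must be renamed (used in policy) from those that can be tolerated. The sample groups and policy group names are constructed, and the case-insensitive, whitespace-insensitive matching is a deliberately conservative assumption of this check rather than a documented rule.

```python
"""Pre-flight check for the Azure AD SCIM displayName uniqueness requirement.

Added example, not part of the Palo Alto Networks or Microsoft documentation.
"""
import json
import urllib.request
from collections import defaultdict

# Real Microsoft Graph endpoint; needs a token with Group.Read.All or
# Directory.Read.All. Not exercised by the offline sample below.
GRAPH_GROUPS_URL = "https://graph.microsoft.com/v1.0/groups?$select=id,displayName&$top=999"


def fetch_all_groups(access_token: str) -> list[dict]:
    """Page through Microsoft Graph /groups by following @odata.nextLink."""
    groups: list[dict] = []
    url = GRAPH_GROUPS_URL
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        groups.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # absent on the last page
    return groups


def normalize(name: str) -> str:
    """Matching key for a group name. Stripping and case-folding is deliberately
    conservative (an assumption of this check, not a documented rule): names that
    differ only in case or surrounding whitespace are treated as a clash."""
    return name.strip().casefold()


def find_duplicate_display_names(groups: list[dict]) -> dict[str, list[dict]]:
    """Return {normalized name: [group, ...]} for every name used by 2+ groups."""
    by_name: dict[str, list[dict]] = defaultdict(list)
    for group in groups:
        name = group.get("displayName")
        if not name:
            continue  # a group without a displayName cannot collide on it
        by_name[normalize(name)].append(group)
    return {name: members for name, members in by_name.items() if len(members) > 1}


def blocking_duplicates(duplicates: dict[str, list[dict]], policy_group_names) -> list[str]:
    """Duplicated names that security policy references. These must be renamed in
    Azure AD before provisioning; duplicates not used in policy can be tolerated."""
    referenced = {normalize(n) for n in policy_group_names}
    return sorted(name for name in duplicates if name in referenced)


# Constructed sample standing in for a Graph /groups response (not real tenant data).
SAMPLE_GROUPS = [
    {"id": "00000000-0000-4000-8000-000000000001", "displayName": "Finance"},
    {"id": "00000000-0000-4000-8000-000000000002", "displayName": "Finance"},
    {"id": "00000000-0000-4000-8000-000000000003", "displayName": "finance "},
    {"id": "00000000-0000-4000-8000-000000000004", "displayName": "Engineering"},
    {"id": "00000000-0000-4000-8000-000000000005", "displayName": "Contractors"},
    {"id": "00000000-0000-4000-8000-000000000006", "displayName": "Contractors"},
]

# Group names that a hypothetical security policy references (constructed).
SAMPLE_POLICY_GROUPS = ["Finance", "Engineering"]


def report(groups: list[dict], policy_group_names) -> list[str]:
    """Human-readable findings; returns the lines so callers can log or test them."""
    duplicates = find_duplicate_display_names(groups)
    blocking = blocking_duplicates(duplicates, policy_group_names)
    lines = []
    for name, members in sorted(duplicates.items()):
        status = "BLOCKING (used in policy)" if name in blocking else "tolerable (not in policy)"
        ids = ", ".join(f"{m['id']} ({m['displayName']!r})" for m in members)
        lines.append(f"{name}: {len(members)} groups, {status}: {ids}")
    if not duplicates:
        lines.append("no duplicate displayName values; safe to start provisioning")
    return lines


if __name__ == "__main__":
    # Swap SAMPLE_GROUPS for fetch_all_groups(token) to check a live tenant.
    print("\n".join(report(SAMPLE_GROUPS, SAMPLE_POLICY_GROUPS)))
```

Run it before Start Provisioning and again after renaming, until report() shows no BLOCKING entries; tolerable duplicates can be left alone as the documentation allows, but renaming them too avoids a partially retrieved group turning into a policy gap later.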
