Configure SCIM Connector for the Cloud Identity Engine
As part of the Cloud Identity Engine, Directory Sync connects to your directory to obtain user and group information, which is used to identify users and to enforce group-based and user-based security policy.
Configuring the System for Cross-Domain Identity Management (SCIM) protocol for Directory Sync in the Cloud Identity Engine lets you customize which attributes Directory Sync collects from your Azure Active Directory (Azure AD). You choose which attributes to share with the Cloud Identity Engine for user and group identification by adding or removing attribute mappings in the Azure Portal.
You must also
complete the required steps in the Azure AD Portal. For more information,
refer to the documentation for the Azure AD SCIM Connector.
1. Add a new application in the Azure Portal, then obtain the necessary information to configure SCIM for Directory Sync.
   Azure AD SCIM provisioning requires that the group attribute displayName is unique. If more than one group uses the same displayName value, the initial sync does not succeed and the data for the duplicate group names may be only partially retrievable. If the duplicate groups are not used in security policy, you can proceed. If you use the duplicate group names in security policy, you must resolve the issue by modifying the displayName attribute in your Azure AD so that each value is unique.
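Because a duplicate displayName only surfaces after the initial sync has already failed, it is worth checking the group list before you start provisioning. The following script is an added example and is not part of this documentation or of the Cloud Identity Engine; it assumes you have exported your Azure AD groups as JSON in the shape of a Microsoft Graph /groups response (a "value" list of objects with "id" and "displayName"), and the sample data embedded in it is constructed. It treats names that differ only by letter case or surrounding whitespace as duplicates, which is a deliberately conservative assumption rather than a documented Azure AD rule.

```python
"""Pre-provisioning check for duplicate Azure AD group displayName values.

Added example (not Palo Alto Networks or Microsoft code). Input is assumed to be
a JSON document shaped like a Microsoft Graph /groups response.
"""
import json
from collections import defaultdict

# Constructed sample data, not real tenant content. Two pairs of groups
# collide on displayName ("Finance"/"finance " and "Engineering" twice).
SAMPLE_GROUPS_JSON = json.dumps({
    "value": [
        {"id": "g-001", "displayName": "Finance"},
        {"id": "g-002", "displayName": "Engineering"},
        {"id": "g-003", "displayName": "finance "},
        {"id": "g-004", "displayName": "Engineering"},
        {"id": "g-005", "displayName": "Sales"},
    ]
})


def normalize(name):
    """Collapse whitespace and fold case so near-identical names are caught.

    Assumption: a conservative comparison; an exact-match check would be
    a subset of what this reports.
    """
    return " ".join(name.split()).casefold()


def find_duplicate_display_names(groups_json):
    """Return {normalized displayName: [group ids]} for names used by more than one group."""
    groups = json.loads(groups_json)["value"]
    by_name = defaultdict(list)
    for group in groups:
        by_name[normalize(group.get("displayName") or "")].append(group["id"])
    return {name: ids for name, ids in by_name.items() if len(ids) > 1}


def policy_groups_blocked(duplicates, policy_group_names):
    """Return the policy-referenced group names that collide with another group.

    These are the names that must be made unique in Azure AD before the
    initial SCIM sync; duplicates not referenced in policy can be left alone.
    """
    return sorted(name for name in policy_group_names if normalize(name) in duplicates)


if __name__ == "__main__":
    dups = find_duplicate_display_names(SAMPLE_GROUPS_JSON)
    for name, ids in sorted(dups.items()):
        print(f"duplicate displayName {name!r}: {', '.join(ids)}")
    # Constructed list of group names used in security policy.
    print("must rename before sync:", policy_groups_blocked(dups, ["Finance", "Sales"]))
```

Run it against your own export by replacing SAMPLE_GROUPS_JSON with the file contents; any name returned by policy_groups_blocked needs its displayName changed in Azure AD before you start provisioning.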
2. Set up SCIM in the Cloud Identity Engine app and obtain the necessary information to configure your Azure AD to use SCIM with Directory Sync.
   a. In the Cloud Identity Engine app, select Directory Sync > Directories > Cloud Directories > Set Up > Azure SCIM.
   b. Enter the following information from the previous step in the Cloud Identity Engine app fields as indicated in the following table:

      Copy From Azure Portal    Enter In Cloud Identity Engine
      Tenant ID                 Directory ID
      Primary domain            Directory Name
   c. Copy the Base URL and save it in a secure location.
   d. Click Generate Token, then copy the token that the Cloud Identity Engine generates for your Authorization Method and save it in a secure location.
      Before continuing to the next step and submitting the changes, save the token in a location where you can easily retrieve it to enter it in the Azure Portal. If you submit the changes in the Cloud Identity Engine app before you generate and save the token, you must generate a new token in the Cloud Identity Engine app and enter the new token in the Azure Portal.
   e. Click Submit to commit your changes.
      You must complete the setup in the Cloud Identity Engine before you can successfully Test Connection in the Azure Portal.
3. Configure your Azure AD to use the SCIM Connector to connect to the Cloud Identity Engine.
   a. Log in to the Azure AD Portal.
   b. Select Enterprise Applications, then select the Palo Alto Networks SCIM Connector application.
   c. Select Provisioning and click Get Started.
   d. Select Automatic as the Provisioning Mode.
   e. Paste the following information from the previous step in the fields as indicated in the following table:

      Copy From Cloud Identity Engine    Enter In Azure Portal
      Base URL                           Tenant URL
      Authorization Method token         Secret Token
   f. Save your changes.
   g. (Optional but recommended) Click Test Connection to confirm that Azure AD can successfully communicate with the Cloud Identity Engine app.
4. Manage the users, groups, and attributes that Azure AD provisions to the Cloud Identity Engine app.
   a. In the Azure Portal, select Provisioning > Edit Provisioning.
   b. Select Mappings, then select whether you want to edit the attributes for Provision Active Directory Groups or Provision Active Directory Users.
   c. Delete any attributes that you don't want to provide to the Cloud Identity Engine app.
   d. (Optional) Click Add new mapping to add a new mapping that you want Azure AD to use to identify users for the Cloud Identity Engine.
   e. (Optional) By default, the Cloud Identity Engine only synchronizes the users and groups you assign to this app in the Azure Portal. You can optionally synchronize all users and groups (Settings > Sync all users and groups).
   f. Save your changes when they are complete.
5. Allow Azure AD to provide the information to the Cloud Identity Engine and verify that the Cloud Identity Engine uses SCIM to obtain the Azure AD information.
   a. In the Azure Portal, verify that you have completed all the provisioning steps in the documentation for the Azure AD SCIM Connector.
   b. Select the name of the app that you configured in the first step, then select Manage > Provisioning > Start Provisioning to begin providing attributes to the Cloud Identity Engine.
   c. Wait until the sync is complete (Initial cycle completed), then View provisioning details.
   d. Verify that the synchronization was successful by confirming the timestamps (