BluINFO

How to Set Up BluSKY's SCIM with Azure Active Directory

Overview

This document describes how to set up BluSKY's SCIM with Azure Active Directory (Azure AD).

To use BluSKY’s SCIM API with an external application, a user will need to be created in BluSKY. This user’s credentials will be used to acquire a security token that will be needed by the external application. This user will need to have a Role assigned to it that grants them permission for Personnel Administration and Occupant Administration.

SCIM Groups are Occupancies in BluSKY and SCIM Users are People in BluSKY. Since the information required to create an Occupancy in BluSKY is not available in Azure AD, BluSKY's SCIM provisioning cannot create an Occupancy. Therefore, the Occupancies are created using BluSKY's web site and, in the Occupancy Edit page, the Azure AD Group's "ObjectId" is put into the "SCIM Identifier" field. Once provisioning is enabled, Azure AD will "Create" the Group (Occupancy) in BluSKY. This does not actually create the Occupancy; instead, the provisioning application receives from BluSKY's SCIM the information it needs to communicate AD changes to BluSKY.

The person performing this task needs to have Global Administrator permission in Azure Active Directory.

Also, to provision SCIM by Group, the license for Azure AD must be Azure AD Premium P1 or higher.

Instructions
  1. In the Azure Portal, search for and open Azure Active Directory.
  2. Choose Enterprise Applications from the left menu.
  3. Click "New application".
  4. Click "Create your own application".
  5. Enter a name for the SCIM application, such as BluSKY_SCIM.
  6. Choose "Integrate any other application you don't find in the gallery (Non-gallery)".
  7. Click Create.
  8. When the application is created, choose Provisioning from the left-hand menu.
  9. Set the Provisioning Mode to Automatic.
  10. In the Admin Credentials section, enter https://blusky.blub0x.com/scim for the Tenant Url.
    • Use a tool such as Postman or curl to POST a request to https://blusky.blub0x.com/scim/token with a JSON payload of:

      {
        "username": "a user in the occupancy where SCIM users will initially be created.",
        "password": "the BluSKY password for this user"
      }

    • For example:

      {
        "username": "user@yourDomain.com",
        "password": "S0m3th1ngS3cr3t"
      }

  11. If the username and password are valid, this API will return a JSON Web Token (JWT) that expires in 1 year.
  12. Copy and paste the JWT into the "Secret Token" field and click Test Connection. This should succeed.
  13. The token expires one year after it is issued. Before that anniversary date, repeat this process and update the secret token in this application so that it does not expire.
  14. In the Mappings section, click Groups.
    • Ensure "Create" and "Update" are checked and uncheck "Delete".
    • Ensure the Active Directory attribute objectId is mapped to the customappsso attribute externalId and that its matching precedence is set to 1. If the mapping does not exist, click the Add Mapping link.
    • No other matching precedences are needed.
    • Set any other settings to your requirements and click Save.
  15. Go back to the Mappings section and click Users.
  16. Click the mapping for the Active Directory attribute mailNickname and change the source attribute to objectId. Also set the matching precedence to 1.
    • No other matching precedences are needed.
  17. Set any other settings to your requirements and click Save.
  18. Go back to the Enterprise Applications page and click the link for your new application.
    1. On the left-hand menu, choose Users and Groups.
    2. Assign the users and groups to be provisioned.
    3. On the left-hand menu, choose Overview.
    4. Click Start provisioning.
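As an added example (not BluSKY's or Microsoft's code), the Python script below performs the token request described above and reads the JWT's "exp" claim so that the one-year secret-token rotation can be scheduled before the token expires. It assumes the /scim/token endpoint returns the bare JWT as the response body (the response format is not specified above); the credentials and the sample token are constructed placeholders.

```python
import base64
import json
import time
import urllib.request

TOKEN_URL = "https://blusky.blub0x.com/scim/token"

def fetch_token(username, password, url=TOKEN_URL):
    """POST the BluSKY credentials as JSON and return the response body (the JWT).
    Assumption: the endpoint returns the bare token, optionally JSON-quoted."""
    body = json.dumps({"username": username, "password": password}).encode()
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode().strip().strip('"')

def _b64url_decode(segment):
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token):
    """Return the payload claims of a JWT WITHOUT verifying the signature.
    Only use this to read metadata such as 'exp', never to decide trust."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def days_until_expiry(token, now=None):
    """Whole days until the 'exp' claim; negative once the token has expired."""
    now = time.time() if now is None else now
    return int((jwt_claims(token)["exp"] - now) // 86400)

def needs_rotation(token, warn_days=30, now=None):
    """True when the Secret Token in Azure AD should be replaced soon."""
    return days_until_expiry(token, now) <= warn_days

def make_sample_token(exp):
    """Constructed, unsigned JWT (alg 'none') for offline testing only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc({"sub": "scim-user", "exp": exp}) + "."

if __name__ == "__main__":
    # Placeholder credentials for the BluSKY user created for SCIM provisioning.
    token = fetch_token("user@yourDomain.com", "S0m3th1ngS3cr3t")
    print("token expires in", days_until_expiry(token), "days")
```

Run it from a scheduled job and alert when needs_rotation() returns True, so the Secret Token is renewed before Azure AD provisioning starts failing.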

Please note that Azure AD performs synchronization every 40 minutes so changes to Users and Group membership will not be applied to BluSKY immediately. Once Azure AD synchronizes the changes, the Users should be updated/created in BluSKY and they should be in their assigned Occupancy.