
Provisioning users and groups in Azure AD

The user/group provisioning service enables the synchronization of users and groups between Azure AD and Lime CRM. This service implements the SCIM standard (System for Cross-domain Identity Management), which uses a RESTful API to automatically provision/de-provision users and groups that exist in Azure AD.

Warning

To be able to use the provisioning service, Azure AD login for Lime CRM must be enabled and configured!
Please refer to this guide on how to set up Azure AD login.
Note that it is not possible to use both Ladi and SCIM for synchronizing user data.

How it works

SCIM provisioning is a one-directional synchronization of users and/or groups from Azure AD to Lime CRM. It uses a three-stage attribute mapping: Azure AD attributes -> SCIM attributes -> Lime CRM attributes. The default SCIM-to-CRM mapping currently in use is listed at the bottom of this page. Attribute mappings can be edited manually by selecting Provisioning -> Edit attribute mappings in the Azure portal:

(Screenshot: SCIM attribute mapping configuration in the Azure portal)

Users are provisioned by their user principal name attribute, which must contain the user's email address (change it manually if that is not the case). Groups are provisioned by their group name. If a group with the same name exists in both Azure AD and Lime CRM, group memberships are synchronized after provisioning.

Configuration - Lime side

Set the application configuration as shown below (refer to the application config docs if you have not worked with it before).

  • In the config part, we enable the SCIM feature that provides user provisioning for the application.

  • In the secrets part, we have to specify a pre-shared key (token), which we also need to provide in the Azure SCIM configuration, as explained later. One way to generate this token is: python -c "import secrets; print(secrets.token_hex(64))"

(Screenshot: SCIM application configuration on the Lime side)
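As an added example (not code from the Lime CRM product or this guide), the following Python script generates the pre-shared token exactly as the one-liner above does, checks the properties the troubleshooting list further down expects (128 characters, hexadecimal), and shows how a SCIM endpoint should compare the token Azure AD presents in the Authorization header against the configured secret. Azure AD sends the secret token as a Bearer token; the function and its names are assumptions for illustration, not the Lime CRM implementation.

```python
import hmac
import secrets
import string
from typing import Optional

TOKEN_HEX_BYTES = 64   # secrets.token_hex(64) yields 128 hex characters, as in the docs' one-liner
TOKEN_LENGTH = 128     # the length Azure's "Test Connection" is expected to see


def generate_scim_token() -> str:
    """Generate the pre-shared SCIM token the same way the guide suggests."""
    return secrets.token_hex(TOKEN_HEX_BYTES)


def token_is_well_formed(token: str) -> bool:
    """Verify what the troubleshooting list asks for: 128 characters, all hexadecimal."""
    if len(token) != TOKEN_LENGTH:
        return False
    return all(c in string.hexdigits for c in token)


def authorize_scim_request(authorization_header: Optional[str], configured_token: str) -> bool:
    """Hypothetical server-side check for the SCIM endpoint.

    Azure AD provisioning presents the secret token as 'Authorization: Bearer <token>'.
    The comparison is done with hmac.compare_digest so that a wrong token is rejected in
    constant time and the check does not leak how many leading characters matched.
    """
    if not authorization_header:
        return False
    scheme, _, presented = authorization_header.partition(" ")
    presented = presented.strip()
    if scheme.lower() != "bearer" or not presented:
        return False
    return hmac.compare_digest(presented.encode("utf-8"), configured_token.encode("utf-8"))


if __name__ == "__main__":
    token = generate_scim_token()
    print("generated token:", token)
    print("well-formed:", token_is_well_formed(token))
    # Simulate the request Azure AD makes when you click "Test Connection"
    print("accepted:", authorize_scim_request("Bearer " + token, token))
    print("rejected:", not authorize_scim_request("Bearer " + token[:-1] + "x", token))
```

Run the script once to print a fresh token for the secrets part of the application config, then paste the same value into the Secret Token field in Azure; a mismatch of even one character is enough for the test connection to fail.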

Configuration - Azure side

To configure user provisioning:

  • Go to "Enterprise Applications" and select your Lime CRM application.
  • Make sure that the application contains some users and/or groups by clicking on "Users and groups" in the side bar. If there are none, assign some user(s) to your application.

(Screenshot: Users and groups assigned to the application)

  • Select "Provisioning" in the side bar.
  • If this is the first time, set up provisioning as follows:

    • Click on the "Get started" button and choose Automatic provisioning mode.
    • In the Admin Credentials section, enter a URL of the following format in the Tenant URL field: https://{root_url}/{application_name}/api/v1/scim/. Replace the root_url and application_name parts with the ones extracted from your application URL, as shown below.

    (Screenshot: Admin Credentials section with Tenant URL and Secret Token)

    • In the Secret Token field, provide the token that you generated for the application configuration in Lime CRM (the token should be a 128-character string).
    • Test the connection and if successful, save the provisioning.
  • Now you can start the provisioning process, which by default synchronizes the data every 40 minutes. You can also use "Provision on demand" to test the synchronization, but be aware that it only syncs users and not groups.

Limitations

Be aware of the following limitations:

  • Removing a user or group from your application in Azure does not delete the user or group from the Lime CRM database after synchronization. Instead, the user/group is deactivated (a "soft delete").
  • Created groups cannot be nested in Lisa; SCIM provisioning only supports a flat group structure.
  • Our current implementation supports a basic set of attribute mappings (included below for reference). Note that the attributes are mapped to field labels in Lime CRM.
SCIM attribute    Lime CRM column on [user] table
userName          username
displayName       fullname
externalId        sid

SCIM attribute                                                       Lime CRM field label on [coworker] table
userName                                                             username
displayName                                                          fullname
name.familyName                                                      lastname
name.givenName                                                       firstname
emails[type eq "work"].value                                         primaryemailaddress
emails[type eq "home"].value                                         secondaryemailaddre
active                                                               active
phoneNumbers[type eq "work"].value                                   businesstelephonenumber
phoneNumbers[type eq "mobile"].value                                 mobiletelephonenumber
phoneNumbers[type eq "home"].value                                   hometelephonenumber
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager   responsiblecoworker
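To make the mapping table concrete, here is an added Python example (not part of this guide or the Lime CRM code) that resolves the three kinds of SCIM attribute paths in the coworker table, simple names, dotted sub-attributes such as name.givenName, filtered multi-valued attributes such as emails[type eq "work"].value, and the enterprise extension's manager, against a SCIM User resource of the shape Azure AD sends. The resource below is constructed for the example; the manager value is the SCIM id of the manager's own User resource (RFC 7643 shape), so looking it up to fill responsiblecoworker is left to the caller.

```python
import re
from typing import Any, Dict, Optional

ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Subset of the default SCIM-to-[coworker] mapping from the table above
COWORKER_MAPPING: Dict[str, str] = {
    "userName": "username",
    "displayName": "fullname",
    "name.familyName": "lastname",
    "name.givenName": "firstname",
    'emails[type eq "work"].value': "primaryemailaddress",
    "active": "active",
    'phoneNumbers[type eq "work"].value': "businesstelephonenumber",
    'phoneNumbers[type eq "mobile"].value': "mobiletelephonenumber",
    'phoneNumbers[type eq "home"].value': "hometelephonenumber",
    ENTERPRISE + ":manager": "responsiblecoworker",
}

# Matches the filter form used in the table: attr[key eq "value"].sub
_FILTER = re.compile(r'^(?P<attr>\w+)\[(?P<key>\w+) eq "(?P<val>[^"]*)"\]\.(?P<sub>\w+)$')


def resolve_scim_path(resource: Dict[str, Any], path: str) -> Optional[Any]:
    """Return the value a SCIM attribute path points to, or None when absent."""
    # Enterprise extension attributes live under the extension's URN key
    if path.startswith(ENTERPRISE + ":"):
        value = (resource.get(ENTERPRISE) or {}).get(path[len(ENTERPRISE) + 1:])
        # manager is a complex attribute {"value": "<id>", ...}; return the referenced id
        return value.get("value") if isinstance(value, dict) else value

    # Filtered multi-valued attribute, e.g. phoneNumbers[type eq "mobile"].value
    match = _FILTER.match(path)
    if match:
        for item in resource.get(match["attr"]) or []:
            if isinstance(item, dict) and item.get(match["key"]) == match["val"]:
                return item.get(match["sub"])
        return None

    # Simple or dotted path, e.g. userName or name.givenName
    value: Any = resource
    for part in path.split("."):
        if not isinstance(value, dict):
            return None
        value = value.get(part)
    return value


def map_scim_user(resource: Dict[str, Any], mapping: Dict[str, str] = COWORKER_MAPPING) -> Dict[str, Any]:
    """Apply the mapping table: SCIM path -> Lime CRM field label."""
    return {label: resolve_scim_path(resource, path) for path, label in mapping.items()}


# Constructed sample resource in the shape Azure AD provisioning sends (not real data)
SAMPLE_USER: Dict[str, Any] = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE],
    "externalId": "00000000-0000-0000-0000-000000000001",
    "userName": "ada.lovelace@example.com",
    "displayName": "Ada Lovelace",
    "name": {"givenName": "Ada", "familyName": "Lovelace"},
    "active": True,
    "emails": [{"type": "work", "value": "ada.lovelace@example.com", "primary": True}],
    "phoneNumbers": [{"type": "mobile", "value": "+46 70 000 00 00"}],
    ENTERPRISE: {"manager": {"value": "00000000-0000-0000-0000-000000000002"}},
}

if __name__ == "__main__":
    for label, value in map_scim_user(SAMPLE_USER).items():
        print(f"{label:25} {value!r}")
```

Fields whose filtered type is not present in the payload (here the work and home phone numbers) resolve to None rather than raising, which is the behaviour you want when Azure AD sends a partial resource; an "active": false in the payload is what drives the soft delete described under Limitations.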

Azure Provisioning FAQ

How is the user mapped to the AD logon? If users change to SSO, will they keep the same account and not get a new account in Lime?

The sync process only synchronizes the users from AD to the Lime database. No new user is created; the user information is transferred to the database, and the provisioning process is responsible for keeping it updated.

How are the groups matched/created in Lime? Will they be the same, so the groups won't lose their members in Lime?

The groups are synced based on the group's name. Each group can have different members on the AD side. At provisioning time, the deleted members are removed from the Lime database and the assigned members are added.

If we change a user's group, will it be moved in the Lime system too, or do we need to do a manual move in Lime?

Every change on the Azure side is reflected in the Lime database. Thus, any manual changes after activating the provisioning should be avoided.

The test connection in the provisioning does not work

  • Check that the SCIM config in the Lime application config is enabled.
  • The token in the application config must be identical to the one entered in the provisioning test connection.
  • Double-check the URL in the provisioning test connection.
  • The token must be 128 characters long.

Warning

Only one Azure application can be mapped to one Lime application for provisioning. Using one application on the Azure side to provision users and groups into two Lime applications leads to data in the Lime users and groups being overwritten. This happens because each Azure application keeps a history of the Lime user and group data so that it can use it in future syncs.
