SCIM Provisioning for Microsoft Entra

Learn how to configure System for Cross-Domain Identity Management (SCIM) 2.0 for 6clicks

6clicks supports integration with Microsoft Entra ID's automated identity provisioning functionality via the SCIM 2.0 API standard. This allows users to be automatically created, updated, deactivated, and assigned group membership within 6clicks, synchronizing with your Microsoft Entra directory.

SCIM provisioning can be used in conjunction with Just-in-time (JIT) provisioning. JIT provisioning has the advantage of synchronizing identity, role and group information for an individual user as soon as they log in, whereas SCIM provisioning synchronizes on 40-minute intervals. On the other hand, SCIM provisioning allows information to be synchronized without requiring the user to log in. We recommend using SCIM for larger organisations with complex user groups.

Note that SCIM provisioning is currently only supported if single sign-on (SSO) is enabled. This guide assumes you have already configured SSO for your 6clicks account.

Before proceeding, make sure you are familiar with the Microsoft Entra documentation regarding automated application provisioning. Note that 6clicks is considered a "non-gallery" application.

NOTE: This guide is only intended as a brief overview of getting started with SCIM. Refer to the Microsoft Entra documentation for more detailed information.

API Key creation

The SCIM API endpoints are available as a subset of the 6clicks Developer API. The following steps will take you through creating an API Key and a long-lived token.

  1. In 6clicks, API Keys are tied to user accounts and inherit their permissions. We recommend creating a dedicated user account with the following permissions:
    1. Integrations
    2. Create new user
    3. Edit user
    4. Delete user
    5. Create, edit, and delete groups
    6. Manage group members
  2. Log in as the new user.
  3. Create a Developer API Key.

Generate a long-lived token

  1. In 6clicks, check the API Documentation and note down the API URL.
  2. Next, generate a long-lived access token. You can do this directly through the API documentation by clicking "Try it out" on the /auth-api/1.0/auth/token endpoint.

    Specify your API key and select true for the IsLongLivedToken parameter.

    Copy the value returned in the "accessToken" parameter (removing the double quotation marks).
  3. You can test your token by clicking the Authorize button near the top of the API Documentation and entering it as the Bearer value.

    Then try out the GET /scim/users endpoint.

    After executing the request, ensure a successful 200 response is returned.

Connecting provisioning in Entra with 6clicks

NOTE: This guide assumes you are using an existing Enterprise Application that has previously been configured for use with SSO. You may find that you are unable to connect your application's automated provisioning to 6clicks and receive a message stating that "Out of the box automatic provisioning" is "not supported today". This can be due to known limitations in Microsoft Entra. In this case, you should create a new Enterprise Application specifically for managing the SCIM integration. You can continue to use your existing Enterprise Application for SSO.

  1. Sign in to the Microsoft Entra admin center as at least an Application Administrator.

  2. Browse to Identity > Applications > Enterprise applications.

  3. Select the 6clicks app associated with your account.
  4. Select Provisioning to manage user account provisioning settings for the selected app.

  5. Select "Connect your application".

    NOTE: See the warning above if you are unable to see the link to "Connect your application".
  6. Enter the URL of the Developer API's SCIM endpoint into the Tenant URL field. This should be the URL previously noted down, followed by the `scim/` path.

    Enter the token you generated above into the Secret token field.
  7. Test the connection and ensure you receive a successful notification.
  8. Click Create.

Configuring users, groups, and attributes

6clicks supports synchronizing users and groups.

  1. Select the Users and groups tab in Entra
  2. Add users and groups as appropriate
  3. Go to Attribute mapping
  4. Select Provision Microsoft Entra ID Users
  5. Ensure the following mapping configuration:
    | Application attribute | Microsoft Entra ID attribute | Precedence |
    |---|---|---|
    | emails[type eq "work"].value | mail | 1 |
    | userName | userPrincipalName | 2 |
    | active | Switch([IsSoftDeleted], , "False", "True", "True", "False") | |
    | name.givenName | givenName | |
    | name.familyName | surname | |
    | externalId | objectId | |
  6. Go back to Attribute mapping
  7. Select Provision Microsoft Entra ID Groups
  8. Ensure the following mapping configuration:
    | Application attribute | Microsoft Entra ID attribute | Precedence |
    |---|---|---|
    | displayName | displayName | 1 |
    | externalId | objectId | |
    | members | members | |
  9. The Provision on demand feature can be used to test provisioning.
  10. Once your configuration is complete, select Overview in the left panel.

  11. Select Properties.

  12. Select the pencil to edit the properties. Enable notification emails and provide an administrator email to receive quarantine emails.

  13. We recommend enabling accidental deletions prevention with an appropriate threshold for your organization. Click Apply to save the changes.

  14. Select Start provisioning to start the Microsoft Entra provisioning service.
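The user attribute mapping above can be dry-run against a directory export before provisioning is started. The following Python sketch is an added example, not 6clicks or Microsoft code: it applies the mapping table (including the `Switch([IsSoftDeleted], ...)` expression that drives deactivation) to constructed records and flags entries worth fixing first. The record layout, the `preflight` checks and the sample values are assumptions made for illustration.

```python
from collections import Counter

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643 core User

SAMPLE = [  # constructed records, not real directory data
    {"objectId": "obj-001", "userPrincipalName": "ana@example.com",
     "mail": "ana@example.com", "givenName": "Ana", "surname": "Diaz", "IsSoftDeleted": False},
    {"objectId": "obj-002", "userPrincipalName": "svc-scan@example.com",
     "mail": None, "givenName": "Scan", "surname": "", "IsSoftDeleted": False},
    {"objectId": "obj-003", "userPrincipalName": "lee@example.com",
     "mail": "lee@example.com", "givenName": "Lee", "surname": "Wong", "IsSoftDeleted": True},
]


def switch_active(is_soft_deleted):
    """Switch([IsSoftDeleted], , "False", "True", "True", "False"); default is empty."""
    return {"False": "True", "True": "False"}.get(str(is_soft_deleted), "")


def to_scim_user(entra):
    """Apply the user mapping table to one directory record."""
    return {
        "schemas": [USER_SCHEMA],
        "externalId": entra["objectId"],
        "userName": entra["userPrincipalName"],
        "active": switch_active(entra.get("IsSoftDeleted", False)) == "True",
        "name": {"givenName": entra.get("givenName"), "familyName": entra.get("surname")},
        "emails": [{"type": "work", "value": entra["mail"]}] if entra.get("mail") else [],
    }


def preflight(users):
    """Return objectId -> findings (reviewer heuristics, not 6clicks validation rules)."""
    mails = Counter((u.get("mail") or "").lower() for u in users)
    findings = {}
    for u in users:
        issues = []
        mail = (u.get("mail") or "").lower()
        if not mail:
            issues.append("mail empty: precedence-1 matching attribute has no value")
        elif mails[mail] > 1:
            issues.append("mail shared with another in-scope user")
        if not u.get("givenName") or not u.get("surname"):
            issues.append("givenName or surname empty")
        if issues:
            findings[u["objectId"]] = issues
    return findings
```

Running `preflight` over the same users and groups you assign in Entra shows which accounts (often service accounts without a mailbox) need attention, and `to_scim_user` shows that a soft-deleted directory user is sent with `active` set to false.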

Supported synchronization

The following table shows which types of data are currently supported for synchronization:

| Object | Operation | Properties |
|---|---|---|
| Groups | Create | Display name |
| Groups | Update | Display name, Membership |
| Groups | Delete | |
| Roles | Create | Display name. Note that you will need to configure permissions for the role within 6clicks. |
| Roles | Update | Display name, Membership |
| Roles | Delete | |
| Users | Create | Username, Email address (primary only), Given name, Family name, Active |
| Users | Update | Given name, Family name, Active. Note that email addresses and usernames are not currently supported for updates. |
| Users | Delete | |

Notes

  • It is important to schedule a time within the next year to regenerate the API token. 6clicks does not currently provide a notification when the token is due for expiry.
  • Deleting the API key or its associated user, or removing required permissions from the user, will disable the corresponding token.
  • There are a variety of ways in which user and group membership may fail to synchronize. It is important to monitor the Entra email notifications for such failures.
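Because no expiry notification is sent and a deleted key or user silently disables the token, the manual GET /scim/users test from the token section can be turned into a scheduled probe. The Python sketch below is an added example, not 6clicks code: the environment variable names are hypothetical, the 365-day lifetime is an assumption taken from the "within the next year" note, and treating 401/403 as a rejected token is an assumption about the API's behaviour.

```python
import datetime as dt
import os
import urllib.error
import urllib.request


def scim_users_url(api_url):
    """API URL from the documentation page + 'scim/' + 'users'."""
    return api_url.rstrip("/") + "/scim/users"


def probe_token(api_url, token, timeout=10.0):
    """GET /scim/users with the bearer token and classify the outcome."""
    req = urllib.request.Request(
        scim_users_url(api_url), headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return "ok" if resp.status == 200 else f"unexpected:{resp.status}"
    except urllib.error.HTTPError as exc:
        # Assumption: an expired or disabled token is answered with 401 or 403.
        return "rejected" if exc.code in (401, 403) else f"unexpected:{exc.code}"
    except urllib.error.URLError:
        return "unreachable"


def days_until_rotation(issued, today, lifetime_days=365):
    """Days left before the rotation deadline (lifetime is an assumption)."""
    return (issued + dt.timedelta(days=lifetime_days) - today).days


def token_status(api_url, token, issued, today, warn_days=30):
    """One line for a scheduler or monitoring hook; never prints the token."""
    result = probe_token(api_url, token)
    if result != "ok":
        return f"ALERT token probe {result}"
    left = days_until_rotation(issued, today)
    if left <= warn_days:
        return f"WARN rotate token, {left} days left"
    return f"OK {left} days left"


if __name__ == "__main__":
    # Hypothetical variable names; keep the token in a secret store, not in code.
    print(token_status(os.environ["SIXCLICKS_API_URL"],
                       os.environ["SIXCLICKS_SCIM_TOKEN"],
                       dt.date.fromisoformat(os.environ["SIXCLICKS_TOKEN_ISSUED"]),
                       dt.date.today()))
```

Run it from a scheduler and route ALERT and WARN lines to the same mailbox that receives the Entra quarantine notifications.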