Tutorial: Configure Elium for automatic user provisioning

Članak
11/07/2021
4 min. za čitanje

This tutorial shows how to configure Elium and Azure Active Directory (Azure AD) to automatically provision and de-provision users or groups to Elium.

Note

This tutorial describes a connector that's built on top of the Azure AD User Provisioning service. For important details about what this service does and how it works, and for frequently asked questions, see Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory.

This connector is currently in preview. For the general terms of use for Azure features in preview, see Supplemental Terms of Use for Microsoft Azure Previews.

Prerequisites

This tutorial assumes that you already have the following prerequisites:

An Azure AD tenant
An Elium tenant
A user account in Elium, with admin permissions

Note

This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.

Assigning users to Elium

Azure AD uses a concept called assignments to determine which users receive access to selected apps. In the context of automatic user provisioning, only the users and groups that have been assigned to an application in Azure AD are synchronized.

Before you configure and enable automatic user provisioning, decide which users and groups in Azure AD need access to Elium. Then, assign those users and groups to Elium by following the steps in Assign a user or group to an enterprise app.

Important tips for assigning users to Elium

We recommend that you assign a single Azure AD user to Elium to test the automatic user-provisioning configuration. More users and groups can be assigned later.

When assigning a user to Elium, you must select a valid, application-specific role (if any are available) in the assignment dialog box. Users who have the Default Access role are excluded from provisioning.

Set up Elium for provisioning

Before configuring Elium for automatic user provisioning with Azure AD, you must enable System for Cross-domain Identity Management (SCIM) provisioning on Elium. Follow these steps:

Sign in to Elium and go to My Profile > Settings.
In the lower-left corner, under ADVANCED, select Security.
Copy the Tenant URL and Secret token values. You'll use these values later, in corresponding fields in the Provisioning tab of your Elium application in the Azure portal.

Add Elium from the gallery

To configure Elium for automatic user provisioning with Azure AD, you must also add Elium from the Azure AD application gallery to your list of managed software-as-a-service (SaaS) applications. Follow these steps:

In the Azure portal, in the left navigation panel, select Azure Active Directory.
Go to Enterprise applications, and then select All applications.
To add a new application, select New application at the top of the pane.
In the search box, type Elium, select Elium in the results list, and then select Add to add the application.

Configure automatic user provisioning to Elium

This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and groups in Elium, based on user and group assignments in Azure AD.

Tip

You might also choose to enable single sign-on for Elium based on Security Assertion Markup Language (SAML) by following the instructions in the Elium single sign-on tutorial. You can configure single sign-on independently of automatic user provisioning, although the two features complement each other.

To configure automatic user provisioning for Elium in Azure AD, follow these steps:

Sign in to the Azure portal, select Enterprise applications, and then select All applications.
In the applications list, select Elium.
Select the Provisioning tab.
Set the Provisioning Mode to Automatic.
In the Admin Credentials section, type <tenantURL>/scim/v2 in the Tenant URL field. (The tenantURL is the value retrieved earlier from the Elium admin console.) Also type the Elium Secret token value in the Secret Token field. Finally, select Test Connection to verify that Azure AD can connect to Elium. If the connection fails, make sure that your Elium account has admin permissions and try again.
In the Notification Email field, enter the email address of a person or group who will receive the provisioning error notifications. Then, select the Send an email notification when a failure occurs check box.
Click Save.
In the Mappings section, select Synchronize Azure Active Directory Users to Elium.
Review the user attributes that are synchronized from Azure AD to Elium in the Attribute Mappings section. The attributes selected as Matching properties are used to match the user accounts in Elium for update operations. Select Save to commit any changes.
To configure scoping filters, follow the instructions in the Scoping filter tutorial.
To enable the Azure AD provisioning service for Elium, change the Provisioning Status to On in the Settings section.
Define the users and groups that you would like to provision to Elium by selecting the values you want in the Scope drop-down list box in the Settings section.
When you're ready to provision, select Save.

This operation starts the initial synchronization of all users and groups defined in Scope in the Settings section. This initial sync process takes longer than later syncs. For more information about the time required for provisioning, see How long will it take to provision users?.

Use the Current Status section to monitor progress and follow links to your provisioning activity report. The provisioning activity report describes all actions performed by the Azure AD provisioning service on Elium. For more information, see Check the status of user provisioning. To read the Azure AD provisioning logs, see Reporting on automatic user account provisioning.

Additional resources

Next steps

Learn how to review logs and get reports on provisioning activity