Hi Team, We are not able see option SCIM Provisioning for OIDC based single sign on application which has been created using app registration in AAD. Please attachment screen shot for the same. Please share app creation process for OIDC based single sign on application in AAD and also. is it supported all kind applications like gallery, non gallery ? How configure SCIM end point for OIDC based single sign on application in AAD? What is process created gallery, non gallery app in AAD? Is there any Licence required and what is process? Thanks & Regards, Matab

Hi @Matab , Currently we only support SCIM for gallery applications and for non-OIDC custom/non-gallery apps. I believe that also means "only for SAML non-gallery apps" but I'm not positive if there may be a third+ option there. You should be able to work around this by creating two non-gallery apps, one for OIDC SSO and one for SCIM provisioning. To create a gallery application, you need to be a software vendor that has a SaaS application that is a multi-tenant/multi-customer app. This document describes how to go about getting your application added to our gallery: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-howto-app-gallery-listing To the best of my knowledge we don't have any license requirements around creating a gallery or non-gallery app or using provisioning. There are some extra features such as assigning groups to applications that require AAD Premium licensing, but that is not core functionality.

Hello @Anonymous Does Azure have some news regarding this? Is there some kind of documentation created that would show how to configure SCIM + OIDC correctly?

Is SCIM Provisioning not supported for OIDC based single sign on application?

Accepted answer

Danny Zollner 9,521 Reputation points Microsoft Employee

2021-02-18T03:03:53.743+00:00

Hi @Matab ,

Currently we only support SCIM for gallery applications and for non-OIDC custom/non-gallery apps. I believe that also means "only for SAML non-gallery apps" but I'm not positive if there may be a third+ option there. You should be able to work around this by creating two non-gallery apps, one for OIDC SSO and one for SCIM provisioning.

To create a gallery application, you need to be a software vendor that has a SaaS application that is a multi-tenant/multi-customer app. This document describes how to go about getting your application added to our gallery: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-howto-app-gallery-listing

To the best of my knowledge we don't have any license requirements around creating a gallery or non-gallery app or using provisioning. There are some extra features such as assigning groups to applications that require AAD Premium licensing, but that is not core functionality.
Please sign in to rate this answer.

3 people found this answer helpful.
Matab 26 Reputation points

2021-02-18T07:02:09.223+00:00

Hi ZollnerD, Thanks for the information. Please correct me if my understanding is wrong,

SCIM provisioning supports for SAML non -gallery app and gallery apps.

SCIM provisioning doesn't support for OIDC non -gallery app but it supports for gallery app even if this is not supporting then we need create two non-gallery apps, one for OIDC SSO and one for SCIM provisioning?

Please confirm, is this correct document for creating OIDC based application? https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-setup-oidc-sso

Thanks & Regards,
Matab

Danny Zollner 9,521 Reputation points Microsoft Employee

2021-02-18T18:48:32.687+00:00

Items #1 and #3 look correct. #2 I'll clarify on - we support SCIM + OIDC in a single app for gallery applications, but for non-gallery apps you'll need two separate apps, one each for OIDC and SCIM.

Karthik Nagarajan 1 Reputation point

2021-04-18T03:24:56.467+00:00

@Anonymous I have a question on this setup. If there are two different applications - 1 non-gallery OIDC app and 1 SCIM app, how will SCIM get triggered if users and groups are assigned / unassigned to the non-gallery OIDC app?

Danny Zollner 9,521 Reputation points Microsoft Employee

2021-04-18T04:18:06.087+00:00

They won't - you will need to manage user/group assignment on the provisioning app independently.

Vincent 6 Reputation points

2021-06-02T03:52:02.467+00:00

Based on the flowchart at Choosing a single sign-on method, Microsoft encourages people to use OpenID Connect/OAuth and the majority of the Microsoft Identity Platform documents give tutorials, examples, and explanations about OIDC/OAuth flows along with the use of MSAL. Additional, the "integration assistant" page for the App Registration in the portal also state "Use modern authentication solutions (OAuth 2.0, OpenID Connect) to securely sign in users."

Since SCIM for OIDC gallery apps is supported, this doesn't seem to be a technical limitation. Non-gallery apps are used for a lot of single-tenant applications (mainly intranet/internal apps) which would benefit a lot from SCIM. What is the reasoning behind only supporting SCIM for SAML non-gallery apps?

Danny Zollner 9,521 Reputation points Microsoft Employee

2021-06-08T16:59:48.987+00:00

There's some behind the scenes technical stuff that prevents custom non-gallery OIDC apps from using our generic SCIM connector - we hope to address it in the future, but I don't have an ETA I can share on that. The workaround, as stated above, is to create two non-gallery apps, one for OIDC SSO and one for SCIM provisioning. It is less convenient than having both in one app, but the two apps together should have the same set of capabilities as an OIDC gallery app with SCIM provisioning.

Nick Huynh 21 Reputation points

2021-09-08T06:19:45.41+00:00

@Anonymous Do SCIM + OIDC support multi-tenant gallery app? We are implementing SCIM + OIDC in a multiple tenant app. As you said, we have to create one non-gallery OIDC multi-tenant app and non-gallery SCIM app in our dev environment. Couldn't imagine how would it work as gallery app. Would we be able to configure SCIM gallery that support gallery OIDC app?
I guess we still need to register a verified multi-tenant app and then somehow link it with the SCIM gallery app so when a new Enterprise application is created using the SCIM gallery app, it would use the same application ID of the registered multi-tenant app?

Danny Zollner 9,521 Reputation points Microsoft Employee

2021-09-08T14:37:23.977+00:00

SCIM + OIDC in gallery is possible. Requires you to create the OIDC app and then submit via the Microsoft Application Network - https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-howto-app-gallery-listing - to have the OIDC app listed in the Enterprise App Gallery, and then a second submission to enable SCIM provisioning on that app. This can only be achieved via this submission method as it requires Microsoft Azure AD engineering teams to do some work to connect the pieces.

Karthik Nagarajan 1 Reputation point

2021-09-08T14:44:51.757+00:00

One more limitation with non-gallery App is that I think it doesn't support client_credentials grant to get a token for calling SCIM APIs. It only supports a static token.

Nick Huynh 21 Reputation points

2021-09-14T00:31:18.247+00:00

Thanks @Anonymous for very useful information. Can you elaborate on the "some work to connect the pieces"? If I understand it correctly, we can start with 2 non-gallery apps: one multi-tenant app for OIDC and one single-tenant app for SCIM. Then submit them via Microsoft Application Network to be listed in the Enterprise App Gallery. Once, it's done and connected, our clients that want to integrate with us only need to create a single Enterprise application (from our gallery app) to configure SCIM and OIDC? This enterprise application will be linked with our multi-tenant app (registered in our Azure AD)?

Danny Zollner 9,521 Reputation points Microsoft Employee

2021-09-14T16:22:54.223+00:00

That work is entirely by Microsoft. You only need to create the OIDC app, and then submit two requests via the process I've shared above - one to add your OIDC app to the Azure AD Enterprise App Gallery for SSO, and one to add SCIM provisioning to that app. The provisioning integration is created and managed by an Azure AD engineering team, not by you. You'll need to answer questions on what attributes are in the SCIM app's schema, what the default mappings from AAD -> SCIM app should be, etc - but there is no dependency on any service principal or application object in your tenant like there is with SSO for OIDC apps.

Kevin Frey 6 Reputation points

2022-02-07T11:45:06.907+00:00

Your comment makes no sense at all. In your previous reply you say that you need. 2 non-gallery apps one for OIDC and one for SCIM, and then say the SCIM provisioning won’t work anyway?

Kevin Frey 6 Reputation points

2022-02-07T12:08:24.133+00:00

I apologise. You mean you need to assign users separately to the SCIM app. So a literal double-up of work. In addition, any attempt to use App Roles would be stymied because you just don’t want to be defining this in two places? Very disappointed with this limitation, now essentially forcing me to consider using SAML.

Anuj Sirohi 0 Reputation points

2023-09-07T04:37:34.4133333+00:00

@Anonymous May I know if this is now supported? Non-gallery OIDC app with SCIM? What is the workaround if we don't want to publish the OIDC application to gallery?

Danny Zollner 9,521 Reputation points Microsoft Employee

2023-09-08T22:49:43.0166667+00:00

This can only be done with two applications - a non-gallery OIDC app, and a non-gallery "SAML" app that doesn't have SSO/SAML configured but has SCIM enabled.
Sign in to comment

Is SCIM Provisioning not supported for OIDC based single sign on application?

1 additional answer