
Matab-0501 asked ZollnerD commented

Is SCIM Provisioning not supported for OIDC based single sign on application?

Hi Team,

We are not able to see the SCIM Provisioning option for an OIDC based single sign-on application that has been created using app registration in AAD.
Please see the attached screenshot for the same.

Please share the app creation process for an OIDC based single sign-on application in AAD, and also:
1. Is it supported for all kinds of applications, like gallery and non-gallery?
2. How do I configure the SCIM endpoint for an OIDC based single sign-on application in AAD?
3. What is the process for creating a gallery or non-gallery app in AAD?
4. Is any licence required, and what is the process?


Thanks & Regards,
Matab



Tags: azure-ad-user-provisioning, azure-ad-openid-connect

And also, I am not able to see the sign-up option for the OIDC app?

@Matab-0501
Thank you for your post!

Would you be able to share any documentation that you followed to set this up? Additionally any screenshots would be definitely appreciated, this way I can gain a better understanding of your issue.


I've reached out to our engineering team regarding this and will update as soon as possible.
Thank you for your time and patience throughout this issue.


Hi, thanks for your reply. Below is the document link I am using for creating an OIDC based SSO application.
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-setup-oidc-sso

But in my test Azure AD account we are not able to see the SCIM provisioning option.


Thanks & Regards,
Matab


1 Answer

ZollnerD answered ZollnerD commented

Hi @Matab-0501,

Currently we only support SCIM for gallery applications and for non-OIDC custom/non-gallery apps. I believe that also means "only for SAML non-gallery apps" but I'm not positive if there may be a third+ option there. You should be able to work around this by creating two non-gallery apps, one for OIDC SSO and one for SCIM provisioning.

To create a gallery application, you need to be a software vendor that has a SaaS application that is a multi-tenant/multi-customer app. This document describes how to go about getting your application added to our gallery: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-howto-app-gallery-listing

To the best of my knowledge we don't have any license requirements around creating a gallery or non-gallery app or using provisioning. There are some extra features such as assigning groups to applications that require AAD Premium licensing, but that is not core functionality.


Hi ZollnerD, thanks for the information. Please correct me if my understanding is wrong:

  1. SCIM provisioning is supported for SAML non-gallery apps and gallery apps.

  2. SCIM provisioning is not supported for OIDC non-gallery apps, but it is supported for gallery apps. Even if this is not supported, we need to create two non-gallery apps, one for OIDC SSO and one for SCIM provisioning?

  3. Please confirm, is this the correct document for creating an OIDC based application? https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-setup-oidc-sso


Thanks & Regards,
Matab


Items #1 and #3 look correct. #2 I'll clarify on - we support SCIM + OIDC in a single app for gallery applications, but for non-gallery apps you'll need two separate apps, one each for OIDC and SCIM.


@ZollnerD I have a question on this setup. If there are two different applications - 1 non-gallery OIDC app and 1 SCIM app, how will SCIM get triggered if users and groups are assigned / unassigned to the non-gallery OIDC app?


@ZollnerD Do SCIM + OIDC support a multi-tenant gallery app? We are implementing SCIM + OIDC in a multi-tenant app. As you said, we have to create one non-gallery OIDC multi-tenant app and one non-gallery SCIM app in our dev environment. I couldn't imagine how it would work as a gallery app. Would we be able to configure a SCIM gallery app that supports a gallery OIDC app?
I guess we still need to register a verified multi-tenant app and then somehow link it with the SCIM gallery app, so that when a new Enterprise application is created using the SCIM gallery app, it would use the same application ID as the registered multi-tenant app?


Based on the flowchart at Choosing a single sign-on method, Microsoft encourages people to use OpenID Connect/OAuth, and the majority of the Microsoft Identity Platform documents give tutorials, examples, and explanations about OIDC/OAuth flows along with the use of MSAL. Additionally, the "integration assistant" page for the App Registration in the portal also states "Use modern authentication solutions (OAuth 2.0, OpenID Connect) to securely sign in users."

Since SCIM for OIDC gallery apps is supported, this doesn't seem to be a technical limitation. Non-gallery apps are used for a lot of single-tenant applications (mainly intranet/internal apps) which would benefit a lot from SCIM. What is the reasoning behind only supporting SCIM for SAML non-gallery apps?

ZollnerD · rink-attendant-6

There's some behind the scenes technical stuff that prevents custom non-gallery OIDC apps from using our generic SCIM connector - we hope to address it in the future, but I don't have an ETA I can share on that. The workaround, as stated above, is to create two non-gallery apps, one for OIDC SSO and one for SCIM provisioning. It is less convenient than having both in one app, but the two apps together should have the same set of capabilities as an OIDC gallery app with SCIM provisioning.


One more limitation with a non-gallery app is that I think it doesn't support the client_credentials grant to get a token for calling SCIM APIs. It only supports a static token.

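The last comment points out that the non-gallery provisioning connector authenticates to a custom SCIM endpoint with a static bearer token rather than a client_credentials token, which puts the burden of checking that token on the receiving side. The following is an added example, not code from this thread, from Microsoft or from any product: a minimal Python implementation of the two SCIM 2.0 /Users operations the provisioning service relies on most, a filtered lookup by userName before a user is created and the create itself. It validates the static token with a constant-time comparison, parses the `userName eq "..."` filter shape, and answers a duplicate create with the SCIM `uniqueness` error. The token value, the in-memory store and the user records are constructed for the example; a real endpoint would load the token from a secret store and back the store with a database.

```python
import hmac
import re
from typing import Optional, Tuple

SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed sample secret for this example. In a deployment, load the value
# entered in the provisioning "Secret Token" field from a secret store.
SCIM_STATIC_TOKEN = "constructed-example-token-do-not-use"

# Constructed in-memory user store keyed by SCIM id.
USERS = {
    "1001": {"schemas": [SCIM_USER], "id": "1001",
             "userName": "alice@contoso.example", "active": True},
}


def is_authorized(authorization_header: Optional[str], expected: str = SCIM_STATIC_TOKEN) -> bool:
    """Accept only 'Authorization: Bearer <token>', comparing the token in constant time."""
    if not authorization_header:
        return False
    scheme, _, token = authorization_header.partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return False
    return hmac.compare_digest(token.encode(), expected.encode())


def scim_error(status: int, detail: str, scim_type: Optional[str] = None) -> dict:
    """Build an RFC 7644 error body; scimType is optional."""
    body = {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return body


# Only the 'attr eq "value"' shape is supported here; anything else is rejected.
_EQ_FILTER = re.compile(r'^\s*(?P<attr>[A-Za-z][\w.]*)\s+eq\s+"(?P<value>[^"]*)"\s*$')


def parse_eq_filter(expr: str) -> Optional[Tuple[str, str]]:
    """Return (attribute, value) for an equality filter, or None if unsupported."""
    m = _EQ_FILTER.match(expr)
    return (m.group("attr"), m.group("value")) if m else None


def list_users(authorization_header: Optional[str], filter_expr: Optional[str] = None) -> Tuple[int, dict]:
    """Handle GET /Users[?filter=...]; returns (HTTP status, JSON-ready body)."""
    if not is_authorized(authorization_header):
        return 401, scim_error(401, "Unauthorized")
    resources = list(USERS.values())
    if filter_expr is not None:
        parsed = parse_eq_filter(filter_expr)
        if parsed is None:
            return 400, scim_error(400, "Unsupported filter", "invalidFilter")
        attr, value = parsed
        # userName is not caseExact in the SCIM core schema, so compare case-insensitively.
        resources = [u for u in resources if str(u.get(attr, "")).lower() == value.lower()]
    return 200, {"schemas": [SCIM_LIST], "totalResults": len(resources),
                 "startIndex": 1, "itemsPerPage": len(resources), "Resources": resources}


def create_user(authorization_header: Optional[str], payload: dict) -> Tuple[int, dict]:
    """Handle POST /Users; a duplicate userName gets the SCIM 'uniqueness' error."""
    if not is_authorized(authorization_header):
        return 401, scim_error(401, "Unauthorized")
    user_name = payload.get("userName")
    if not isinstance(user_name, str) or not user_name:
        return 400, scim_error(400, "userName is required", "invalidValue")
    if any(u["userName"].lower() == user_name.lower() for u in USERS.values()):
        return 409, scim_error(409, "userName already exists", "uniqueness")
    new_id = str(max((int(k) for k in USERS), default=1000) + 1)
    user = {"schemas": [SCIM_USER], "id": new_id, "userName": user_name,
            "active": bool(payload.get("active", True))}
    USERS[new_id] = user
    return 201, user


if __name__ == "__main__":
    auth = "Bearer " + SCIM_STATIC_TOKEN
    print(list_users(auth, 'userName eq "alice@contoso.example"'))
    print(create_user(auth, {"userName": "bob@contoso.example"}))
    print(create_user(auth, {"userName": "BOB@contoso.example"}))
```

The constant-time comparison matters because the static token is the only thing standing between the provisioning service and an endpoint that can create and deactivate accounts; a plain string compare leaks timing information. Rejecting unsupported filter syntax with `invalidFilter` rather than silently returning every user keeps a malformed lookup from being mistaken for "user does not exist", which would otherwise cause duplicate creates.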