question

0 Votes
AkashChopra-8179 asked, sikumars commented

Does AAD SCIM provisioning work if my app is running on localhost, just for testing?

I am trying to build a non-gallery app that exposes a SCIM endpoint in Java. Currently I have deployed it on localhost.
But when, in the provisioning section, I provide the localhost path in the tenant URL, the AAD SCIM interface is not able to connect to my app and shows the following error:

You appear to have entered invalid credentials. Please confirm you are using the correct information for an administrative account.

Error code: SystemForCrossDomainIdentityManagementCredentialValidationUnavailable
Details: We received this unexpected response from your application:

Message: An error occurred while sending the request.

Please check the service and try again.
Request-id: 013b6236-0049-4de2-a9d3-287112b47ec7

Please assist.

azure-active-directory azure-ad-user-provisioning

Just checking in to see if the below answer (by @ZollnerD) helped. If this answers your query, please don't forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And if you have any further queries, do let us know.
Thanks,

0 Votes 0 ·
0 Votes
sikumars answered, AkashChopra-8179 commented

Hello @AkashChopra-8179,

Thanks for reaching out, and apologies for the delayed response.

You can use HTTP endpoints for testing locally, but the Azure AD provisioning service requires that your endpoint supports HTTPS, and make sure your SCIM solution is compliant with the TLS protocol standard per this guidance.

Here is a sample SCIM endpoint in Azure Active Directory which you can use for testing.

To learn more, refer to these articles:
https://github.com/AzureAD/SCIMReferenceCode/wiki/Test-Your-SCIM-Endpoint
https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#building-a-custom-scim-endpoint

Hope this helps.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

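As an added example (not code from this thread, from Microsoft, or from the SCIM reference project): a small Python pre-flight check for the tenant URL that encodes the constraints the answers here state, namely HTTPS only, a host that public DNS can resolve to an internet-routable address, and TLS 1.2 or later. The `probe_tls` helper and the list of private-looking DNS suffixes are assumptions of the example, not Azure AD's own validation logic.

```python
# Added example: pre-flight checks for a SCIM tenant URL before entering it in
# the Azure AD provisioning blade. Constructed for this thread; not Microsoft code.
import ipaddress
import socket
import ssl
from urllib.parse import urlparse

# Suffixes commonly used for private DNS zones (assumed list; a private zone can
# use any name, so resolving the host with a public resolver is the real test).
PRIVATE_SUFFIXES = (".local", ".localhost", ".internal", ".lan", ".corp", ".home")


def tenant_url_problems(url: str) -> list[str]:
    """Return the reasons the provisioning service would not reach this URL.

    An empty list means the URL passes the static checks (scheme and host shape);
    it does not prove the endpoint is up or that its certificate is trusted.
    """
    problems = []
    parts = urlparse(url)
    if parts.scheme != "https":
        problems.append("scheme must be https (http is only usable for local tests)")
    host = (parts.hostname or "").lower()
    if not host:
        problems.append("no hostname in URL")
        return problems
    try:
        addr = ipaddress.ip_address(host)  # literal IPv4/IPv6 host
    except ValueError:
        addr = None
    if addr is not None:
        if not addr.is_global:
            problems.append(f"{host} is a loopback, private or link-local address")
    elif host == "localhost" or "." not in host or host.endswith(PRIVATE_SUFFIXES):
        problems.append(f"{host} is not resolvable by public DNS")
    return problems


def probe_tls(url: str, timeout: float = 5.0) -> str:
    """Open a TLS 1.2+ connection to the endpoint and return the negotiated version.

    Raises on DNS failure, untrusted certificate or a server limited to old TLS,
    which are the conditions behind a failed provisioning connection test.
    This makes a network call, so it is not part of the offline checks above.
    """
    parts = urlparse(url)
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((parts.hostname, parts.port or 443), timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=parts.hostname) as tls:
            return tls.version()


if __name__ == "__main__":
    for u in ("http://localhost:8080/scim", "https://scim.corp.internal/v2",
              "https://10.0.0.5/scim", "https://scim.example.com/v2"):
        print(u, "->", tenant_url_problems(u) or "static checks passed")
```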

Hello @sikumars-msft, does it also require my app to be available over public DNS? We have developed a custom app that will be used only within our organization and won't be available over public DNS. But we want to utilize Azure AD for user and group provisioning and de-provisioning. Is it possible for the Azure AD provisioning service to connect with an app that is not available over public DNS?

0 Votes 0 ·
1 Vote
ZollnerD answered, sikumars commented

Our SCIM provisioning service does require public DNS availability. We have a new feature that is in a limited public preview that may be a better fit for this situation, though. Please check out this documentation and request access to the preview if it sounds like it meets your needs: https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/on-premises-scim-provisioning


@ZollnerD The custom app will be deployed in an Azure VMSS behind a load balancer. The app will be accessed using a private DNS zone created for the app.

So I don't think the link that you have shared meets our needs, as it expects us to download an agent onto the VM where the SCIM endpoint is running. That makes sense in the case of static infrastructure or on-prem type workloads, but not for cloud workloads where VMs are transient and can be replaced at any time. As per our company policy, we replace VMs every 14 days.

What I am looking for is a solution that can enable the Azure AD provisioning service to connect to private SCIM endpoints.

0 Votes 0 ·

Your scenario isn't something that is supported. The AAD provisioning service communicates over the internet using public DNS records. You'll need to have things configured in a manner such that your SCIM endpoints are publicly routable, or have a middle layer of one or more hosts using the above-mentioned preview/agents and have those host servers then leverage the private DNS.

0 Votes 0 ·

Just checking if you have any follow-up questions. If the above answer helped your query, please don't forget to click "Accept the answer" and Up-Vote. Thanks.

0 Votes 0 ·