Salesforce

Configuring OneTrust with Azure AD for SCIM

Printable View
« Go Back
Information
Configuring OneTrust with Azure AD for SCIM
UUID-8f64ad59-b708-e6ca-8ecb-ec1cdc60be2d
Article Content

You can integrate OneTrust with Azure Active Directory (Azure AD) for System for Cross-Domain Identity Management (SCIM) User & Group Provisioning. OneTrust supports cross-domain identity management through the SCIM 2.0 specification. SCIM is an open specification to help facilitate the automated management of user identities and groups in cloud applications using RESTful APIs. This allows organizations to manage and update user information and group information across domains and applications.

Note

OneTrust offers technical documentation about SCIM User Provisioning APIs within the OneTrust Developer Portal. For more information, see User Provisioning.

Step 1: Create a Web Application in Azure AD

The first step to configuring OneTrust with Azure AD for SCIM User & Group Provisioning is to create a web application in Azure AD with SAML 2.0 as a sign on method. If your organization has already configured OneTrust with Azure AD for Single Sign-On (SSO) Authentication, you can use the same web application that you previously created. Simply locate your existing web application and enable user provisioning in that created application.

If your organization is not using SSO and you don't have a SAML application, you will need to create a new non-gallery application in Azure AD before you can proceed with User Provisioning.

Note

If you need to create a new web application in Azure AD, complete steps 1 through 8 of the To create a web application in Azure AD procedure in the Configuring OneTrust with Azure AD for Single Sign-On (SSO) Authentication article.

Azure_AD_-_SCIM_Overview.png

Step 2: Configure a Default Organization and Role in the OneTrust Application

Now that your web application is created in Azure AD, you will need to configure the default organization and role that you want users to be provisioned with in the OneTrust application. Users who are provisioned through SCIM will then be given this role and assigned to this organization by default.

Note

On the User Provisioning screen, you will also find the SCIM Base URL. You will need to copy this URL for use in Step 4: Set Up the SCIM Connection in Azure AD.

  1. Click the gear icon gear-icon_global-settings.png in the upper right-hand corner to access Global Settings.

  2. On the Global Settings menu, select User Management > User Provisioning. The User Provisioning screen appears.

    Enhanced_SCIM_Integration.png

  3. In the Organization field, select the default organizational group to which users should be assigned on creation through SCIM.

  4. In the Role field, select the default role to which users should be assigned on creation through SCIM.

    Note

    OneTrust recommends selecting a default role that has the minimum level of permissions that you want to grant users by default, such as Project Viewer or Project Owner. The Employee role should only be granted to users accessing the Employee Portal.

  5. Click the Save button.

Step 3: Generate an OAuth 2.0 API Key with the SCIM Scope

Next, you'll create an OAuth 2.0 API Key for Azure AD with the SCIM scope. This API Key is the Secret Token that needs to be used in Azure AD for SCIM integration with OneTrust.

  1. Click the gear icon gear-icon_global-settings.png in the upper right-hand corner to access Global Settings.

  2. On the Global Settings menu, select Access Management > Client Credentials. The Credentials screen appears.

  3. Navigate to the API Keys tab.

  4. Click the Add button and create an OAuth 2.0 API Key with the SCIM scope. For more information on creating an OAuth 2.0 API Key, see Managing OAuth 2.0 API Keys.

    Note

    The value that you select in the API Key Lifetime field will determine how long the API key will be active before another API key must be created to continue provisioning users through SCIM.

    Azure_AD_-_OAuth_API_Key.png
    Create_API_Key_-_SCIM_Scope.png

  5. Click the Create button. The API Key Created section appears.

    API_Key_Created.png

  6. In the Download API Key field, click the Download button. A .txt file containing the OAuth 2.0 API Key will download to your local system.

  7. Save the OAuth 2.0 API Key to a secure location.

Step 4: Set Up the SCIM Connection in Azure AD

Once you've gathered the SCIM Base URL and the OAuth 2.0 API Key, you can add these credentials in Azure AD. Once added and saved, you will then be able to configure the Attribute Mapping in Azure AD that will be used to provision users in the OneTrust application.

  1. Navigate back to the web application you created in Azure AD.

    Azure_AD_-_SCIM_Overview.png

  2. On the main navigation menu, select Provisioning. The Provisioning screen appears.

    Azure_AD_-_Get_Started_Provisioning.png

  3. Click the Get Started button. Then set the Provisioning Mode field as Automatic. The Admin Credentials, Mappings, and Settings sections appear.

    Azure_AD_-_Provisioning_Mode.png

  4. In the Admin Credentials section, you will use details generated in the OneTrust application to configure the Tenant URL and Secret Token fields in Azure AD. For more information, you can find a detailed description of the entries required for each field in the following table.

    Azure_AD_-_Admin_Credentials.png

    Field

    Description

    Tenant URL

    Within the OneTrust application, click the Copy URL button in the SCIM Base URL field on the User Provisioning screen. Navigate back to the Provisioning screen in Azure AD and paste the copied URL in the Tenant URL field.

    Secret Token

    Copy the OAuth 2.0 API Key that you created and saved in Step 3: Generate an OAuth 2.0 API Key with the SCIM Scope. Navigate back to the Provisioning screen in Azure AD and paste the OAuth 2.0 API Key in the Secret Token field.

    Test Connection

    Once the above credentials are entered, click the Test Connection button. If successful, a confirmation message will appear.

  5. Click the Save button.

Step 5: Configure SCIM Attributes in Azure AD

After your connection has been successfully established, you can begin configuring the SCIM attributes between Azure Active Directory and the web application you created.

Configure Provisioning of Azure AD Groups (Enhanced SCIM Integration)

Note

Group Provisioning is only supported for accounts using the enhanced SCIM User & Group Provisioning feature. If your account is using the enhanced SCIM User & Group Provisioning feature, continue with the following procedure. If your account is using the Legacy SCIM User Provisioning feature, skip the following procedure and proceed to Disable Provisioning of Azure AD Groups (Legacy SCIM Integration).

  1. In the Mappings section, click the Provision Azure Active Directory Groups link. The Attribute Mapping screen for groups appears.

    Azure_AD_-_Mappings_section.png

  2. On the Attribute Mapping screen for provisioning Azure AD groups, configure the fields as follows:

    Azure_AD_-_Group_Configuration.png

    Field

    Description

    Enabled

    Select Yes in this field.

    Source Object Scope

    This field defines which groups are in scope for provisioning and can be configured based on the needs of your organization.

    Target Object Actions

    Ensure that the Create, Update, and Delete check boxes are selected.

    Attribute Mappings

    Ensure that displayName and members are configured attributes.

  3. Click the Save button.

Disable Provisioning of Azure AD Groups (Legacy SCIM Integration)

Note

Group Provisioning is only supported for accounts using the enhanced SCIM User & Group Provisioning feature. If your account is using the enhanced SCIM User & Group Provisioning feature, skip the following procedure and proceed to the Configure Provisioning of Azure AD Users section. If your account is using the Legacy SCIM User Provisioning feature, Group Provisioning will need to be disabled within the IdP by completing the following procedure.

  1. In the Mappings section, click the Provision Azure Active Directory Groups link. The Attribute Mapping screen for groups appears.

    Azure_AD_-_Mappings_section.png

  2. On the Attribute Mapping screen for provisioning Azure AD groups, select No in the Enabled field.

    Azure_AD_-_Disable_Groups.png

  3. Click the Save button.

Configure Provisioning of Azure AD Users

Note

OneTrust requires the following attributes to be sent by Azure AD: FirstName, LastName, Email, and Active.

  1. Navigate back to the Mappings section on the Provisioning screen. Then click the Provision Azure Active Directory Users link. The Attribute Mapping screen for users appears.

  2. On the Attribute Mapping screen for provisioning Azure AD users, configure the fields as follows:

    Azure_AD_-_Attribute_Mapping_screen.png

    Field

    Description

    Enabled

    Select Yes in this field.

    Source Object Scope

    This field defines which users are in scope for provisioning and can be configured based on the needs of your organization.

    Target Object Actions

    Ensure that the Create and Update check boxes are selected. The Delete check box should be cleared.

  3. On the Attribute Mapping screen, scroll down to the Attribute Mappings section. Several Azure Active Directory Attributes will appear in this section by default.

    Azure_AD_-_Attribute_Mapping_default.png

  4. Click the Delete button corresponding to every Azure AD Attribute except for the following attributes:

    Azure_AD_-_Attribute_Mapping_deleted.png

    • userPrincipalName

    • Switch([IsSoftDeleted], , "False", "True", "True", "False")

    • givenName

    • surname

  5. Map the emails[type eq “work”].value customappsso attribute to the userPrincipalName Azure Active Directory attribute. To do this, click the userPrincipalName Azure Active Directory attribute. The Edit Attribute pane appears, where you will complete the required fields. For more information, you can find a detailed description of the entries required for each field in the following table. Then click the Ok button.

    Note

    By default, the emails[type eq “work”].value customappsso attribute is mapped to the mail Azure Active Directory attribute. However, the emails[type eq “work”].value customappsso attribute can be mapped to either the userPrincipalName or the mail Azure Active Directory Attribute. The same configuration described below can be applied if you are mapping to the mail Azure Active Directory Attribute.

    Azure_AD_-_userPrincipalName_map.png

    Field

    Description

    Mapping type

    Direct is selected by default.

    Source attribute

    The name of the Azure Active Directory Attribute is selected by default. In this example, userPrincipalName is selected by default.

    Target attribute

    Select emails[type eq “work”].value.

    Match objects using this attribute

    Yes is selected by default.

    Matching precedence

    For userPrincipalName, 1 is entered by default.

    Apply this mapping

    Select Only during object creation.

    Note

    The emails[type eq m“work”].value cannot be modified as this is the primary identifier of the user in the OneTrust application.

  6. Click the Save button.

Configure Optional Attributes

You can map additional optional attributes based on the needs of your organization by completing the following procedure.

  1. On the Attribute Mapping screen, scroll down to the Attribute Mappings section. Several Azure Active Directory Attributes will appear in this section by default.

  2. Click the Add New Mapping link in the Attribute Mappings section. The Edit Attribute pane appears. For more information, you can find a detailed description of the entries required for each field in the following table.

    Azure_AD_-_userType_map.png

    Field

    Description

    Mapping type

    Direct is selected by default.

    Source attribute

    Select the necessary source attribute that you want to configure. You may need to map the source attribute in the Identity Provider based on your business needs.

    The following table details supported optional attributes along with the relevant mapping between the source and target attributes:

    Source attribute

    Target attribute

    city

    urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:officeLocation

    companyName

    urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:businessUnit

    [Customer defined]

    urn:ietf:params:scim:schemass:extension:enterprise:2.0:User:organization

    department

    urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department

    employeeID

    urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber

    extensionAttribute1

    urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:division

    extensionAttribute2

    userType

    jobTitle

    title

    manager

    This requires a reference attribute. For more information, see Add a Manager Attribute below.

    Default value if null (optional)

    Enter the value that will be applied if a specific value is not provided.

    Target attribute

    Select the necessary target attribute that you want to configure. For more information, see the mapping provided in the table above.

    Match objects using this attribute

    No is selected by default.

    Apply this mapping

    Always is selected by default.

  3. Click the OK button. The Attribute Mappings section is updated with the attribute.

    Azure_AD_-_Final_Mapping.png

  4. Repeat steps 2 and 3 for each optional attribute you want to add.

  5. Click the Save button.

Add a Manager Attribute

  1. On the Attribute Mapping screen, scroll down to the Attribute Mappings section.

  2. Select the Show Advanced Options check box and then select Edit attribute list for your application. The Edit Attribute List screen appears.

  3. Create a new entry and complete the following fields as detailed below.

    Field

    Value

    Name

    Select manager.

    Type

    Select Reference.

    Primary Key, Required, Multi-Value, Exact case check boxes

    Leave all check boxes unselected.

    API Expression

    Leave this field blank.

    Referenced Object Attribute

    Select urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.id.

  4. Click the Save button and click Yes on the confirmation modal that appears. The Attribute Mapping screen reappears.

  5. Click the Add New Mapping link in the Attribute Mappings section. The Edit Attribute pane appears.

  6. Complete the following fields as detailed below. All other fields can remain as the default values.

    Field

    Value

    Mapping type

    Select Direct.

    Source attribute

    Select manager.

    Target attribute

    Select manager.

  7. Click the Ok button. If needed, you can force a refresh of the employee data.

Step 6: Start Automatic Provisioning

You can set up automatic provisioning to ensure that the OneTrust application is always in sync with the SCIM web application in Azure AD. To start automatic provisioning, simply click the Start provisioning button on the Provisioning screen in Azure AD.

Azure_AD_-_Start_Provisioning.png

Step 7: Test the Configuration

After completing the SCIM integration with Azure AD in step 6, you can then begin testing the configuration to verify that users and groups are correctly provisioned within the OneTrust application.

User Provisioning

To verify that users are correctly provisioned or deprovisioned in the OneTrust application, you'll assign users within Azure AD, provision a user, deprovision a user, and confirm the changes are reflected in the OneTrust application.

Note

All new users added to the OneTrust application through SCIM will be sent a Welcome email with a link to access the application.

To disable sending the Welcome email to new users that will use Single Sign-On (SSO) to log in to the application, disable the Welcome Email (Directory User) template.

For more information on disabling email templates, see the To disable an email template procedure in Emails: Branding & Templates.

Assign users

  1. In Azure AD, navigate to the web application you created, and select Manage > Users and groups on the main navigation menu. The Users and groups screen appears.

    Azure_AD_-_Users_and_Groups.png

  2. Click the Add user/group button. The Add Assignment screen appears. Click the link below the Users and groups heading. The Users and groups pane appears.

    Azure_AD_-_Add_Assignment.png

  3. On the Users and groups pane, search for and select the users you want to add. Users that you click will appear within the Selected items section on the pane. Once you've added the necessary users, click the Select button. The link below the Users and groups heading will update to include the number of users you selected and the Assign button will become available.

  4. Click the Assign button. The user(s) will then appear on the Users and groups screen.

    Azure_AD_-_Assigned_User.png
Provision Users

Note

Depending on whether the userPrincipalName or mail Azure AD attribute is mapped to emails [type eq 'work].value attribute, the user will be created with either the UPN or the email as their email address in the OneTrust application.

  1. In Azure AD, navigate to the web application you created, and select Manage > Provisioning on the main navigation menu. The Provisioning screen appears.

    Azure_AD_-_Provisioning_screen.png

  2. Click the Provision on demand button. The Provision on demand screen appears.

    Azure_AD_-_Provision_on_demand_screen.png

  3. In the Search field, enter either the name, userPrincipalName, or mail attribute for the user that you want to provision. Then press Enter. Suggested results appear on screen based on your entry.

  4. Click the user record(s) to provision. The user record appears in the Selected user section.

    Azure_AD_-_Provision_user_search.png

  5. Click the Provision button. The Provision on demand screen populates with confirmation messages and the Export details pane appears.

    Azure_AD_-_Successful_Provision.png
Confirm User Provisioning

Now that you've provisioned a user, you can navigate to the Users screen in the OneTrust application to confirm that the user was successfully provisioned.

  1. Click the gear icon gear-icon_global-settings.png in the upper right-hand corner to access Global Settings.

  2. On the Global Settings menu, select User Management > Users. The Users screen appears, where you should be able to locate the user you provisioned.

  3. Click the link in the Name column for the user you provisioned. The User Information tab on the Users screen appears.

    Note

    Note that since we mapped the emails [type eq 'work].value attribute to the userPrincipalName Azure AD attribute in our example, the value for the userPrincipalName was then used as the user's email address in the OneTrust application.

    Azure_AD_-_Confirm_User_Info_in_OT.png

  4. Navigate to the Roles tab, where you can see that the user was provisioned with the role and organization that you defined in Step 2: Configure a Default Organization and Role in the OneTrust Application.

    Azure_AD_-_Confirm_User_Role_in_OT.png

  5. Navigate to the User Activity tab, where you can find the record indicating that the user was created through SCIM.

    Azure_AD_-_Confirm_User_in_OT.png
Deprovision Users

Users that are deactivated or deleted in Azure AD would be deactivated in the OneTrust application. Users who are unassigned from the Azure SCIM web application will also be deactivated in the OneTrust application.

  1. In Azure AD, navigate to the web application you created, and select Manage > Users and groups on the main navigation menu. The Users and groups screen appears.

    Azure_AD_-_Remove_User.png

  2. Select the check box corresponding to the user that you want to remove from the application.

  3. Click the Remove button. A confirmation prompt appears.

    Azure_AD_-_Remove_assignments.png

  4. Click the Yes button. A confirmation message appears when the application assignment is successfully removed. The changes will then take effect when the next provisioning cycle is completed.

    Note

    The provisioning interval can be viewed in the Statistics to date section on the Provisioning screen.

    Azure_AD_-_Confirm_Deprovision_OT.png

Group Provisioning

To verify that user groups are correctly provisioned or deprovisioned in the OneTrust application, you'll assign groups within Azure AD, provision a group, deprovision a group, and confirm that the changes are reflected in the OneTrust application.

Assign Groups

  1. In Azure AD, navigate to the web application you created, and select Manage > Users and groups on the main navigation menu. The Users and groups screen appears.

    Azure_AD_-_Assign_Groups_start.png

  2. Click the Add user/group button. The Add Assignment screen appears. Click the link below the Users and groups heading. The Users and groups pane appears.

    Azure_AD_-_Add_Assignment_Group.png

  3. On the Users and groups pane, search for and select the groups you want to add. Groups that you click will appear within the Selected items section on the pane. Once you've added the necessary groups, click the Select button. The link below the Users and groups heading will update to include the number of groups you selected and the Assign button will become available.

  4. Click the Assign button. The group(s) will then appear on the Users and groups screen.

    Note

    The assigned groups may or may not have members. If members do exist in the group, they will be provisioned within the application.

    In addition, provision on demand is not supported for Group Provisioning. The group will be provisioned after the next provisioning interval.

    Azure_AD_-_Assigned_Group.png
Confirm Group Provisioning

Now that you've provisioned a group, you can navigate to the User Groups screen in the OneTrust application to confirm that the user group was successfully provisioned.

Note

The group will be provisioned after the next provisioning interval.

  1. Click the gear icon gear-icon_global-settings.png in the upper right-hand corner to access Global Settings.

  2. On the Global Settings menu, select User Management > User Groups. The User Groups screen appears, where you should be able to locate the user group you provisioned. Since the group we provisioned had one member, that user will be listed as a member of this user group.

    SCIM_-_User_Groups_list_Azure.png

  3. Click the link in the Group Name column for the user group you provisioned. The Users tab on the User Group Details screen appears, where you can see the list of users provisioned as part of that user group.

    SCIM_-_User_Group_Details_Azure.png

  4. You can also view the user groups in which a user is a member within the user record. On the Global Settings menu, select User Management > Users. On the Users screen, click the link in the Name column for one of the users provisioned as part of the user group. The User Information tab on the Users screen appears.

  5. Navigate to the User Groups tab, where you can see a list of user groups in which the user is a member.

    SCIM_-_Azure_User_Groups_tab.png
Deprovision Groups

Groups that are deleted in Azure AD will be deleted in the OneTrust application.

Note

If you deprovision a group, all the members of that group will be deactivated if those users are not part of any other group.

  1. In Azure AD, navigate to the web application you created, and select Manage > Users and groups on the main navigation menu. The Users and groups screen appears.

    Azure_AD_-_Remove_Group.png

  2. Select the check box corresponding to the group that you want to remove from the application.

  3. Click the Remove button. A confirmation prompt appears.

    Azure_AD_-_Remove_assignments.png

  4. Click the Yes button. A confirmation message appears when the application assignment is successfully removed. The changes will then take effect when the next provisioning cycle is completed.

    Note

    The provisioning interval can be viewed in the Statistics to date section on the Provisioning screen.
 
Article Visibility
12,554
Translation
English
Checked
Powered by