# Configure SCIM in Azure Active Directory (AD)
Workato supports the System for Cross-domain Identity Management (SCIM 2.0) protocol with the Azure Active Directory (AD) identity provider.
NEW NAME FOR AZURE AD
Microsoft is renaming Azure Active Directory to Microsoft Entra ID (opens new window). You may see either name in the Azure Portal during the transition period.
Configuring SCIM for Azure AD involves the following steps:
- Prerequisites
- Step 1: Configure custom extension attributes
- Step 2: Configure automatic provisioning on Azure AD
- Step 3: Configure attribute mappings between Azure AD and Workato
- Step 4: Provision users
# Prerequisites
In Workato:
- You must be a workspace admin.
- Your organization must have the Data Monitoring/Advanced Security & Compliance add-on.
- You must have SAML SSO successfully set up with your identity provider.
- You must have already configured SCIM in Workato.
In Microsoft Azure:
- You must be able to access the Microsoft Graph (opens new window) API.
- You must have access to Azure AD with sufficient permissions.
# Step 1: Configure custom extension attributes
Before you can provision a user account from Azure AD to Workato, you must extend the Azure AD user schema to include a custom attribute specifying the user's Workato role.
To create an extension attribute (opens new window), complete the following steps.
Navigate to Microsoft Graph Explorer (opens new window).
Run a Microsoft Graph query to list your Azure tenant's applications:
- Select GET from the HTTP verb drop-down menu.
- Enter
https://graph.microsoft.com/v1.0/applications
in the query box. - Select Run query.
Example request to list applications using Microsoft Graph Explorer
Find your application's id
field in the output.
Find the id
field
ID FIELD
The id
field is distinct from the appId
field. Do not use appId
.
Create an extension attribute called workato_role
. In a later step, you will use this attribute to assign each user's role in your workspace. Note that in workspaces with the Environments feature enabled, workato_role
is used to assign a role for the default DEV environment.
Select POST from the HTTP verb drop-down menu.
Enter the following URL in the query box and replace
{id}
with your application's ID:https://graph.microsoft.com/v1.0/applications/{id}/extensionProperties
Paste the following JSON in the Request body field:
{ "name": "workato_role", "dataType": "string", "targetObjects": [ "User" ] }
Select Run query.
Example request to create an extension attribute in Microsoft Graph Explorer
Locate the name
field in the output and copy its value. It will look something like this:
extension_ae58e98b4abd4da58d00abcd1234abcd_workato_role
Find the name
field in the output
If your organization has the Environments feature in Workato: Repeat the preceding two steps using the example request bodies below. Send one request to create an extension attribute for the PROD environment, and another request for the TEST environment:
{
"name": "workato_role_prod",
"dataType": "string",
"targetObjects": [
"User"
]
}
{
"name": "workato_role_test",
"dataType": "string",
"targetObjects": [
"User"
]
}
Ensure that you copy the value of the name
field in each response.
Find the ID of the user you want to provision to Workato:
- Select GET from the HTTP verb drop-down menu.
- Enter
https://graph.microsoft.com/v1.0/users
in the query box. - Select Run query.
- Look for the user in the output and copy the value of their
id
attribute.
Assign the extension attribute(s) and the desired role to the user:
Select PATCH from the HTTP verb drop-down menu.
Enter the following URL in the query box and replace
{id}
with the user's ID:https://graph.microsoft.com/v1.0/users/{id}
Create a request body based on the following JSON, substituting the appropriate values, and paste it in the Request body field:
{ "{extension attribute name}": "{system role or custom role to assign the user}" }
EXAMPLE REQUEST BODY WITHOUT ENVIRONMENTS
The following example assigns the user an Admin role in a workspace without the Environments feature enabled:
{ "extension_ae58e98b4abd4da58d00abcd1234abcd_workato_role": "Admin" }
EXAMPLE REQUEST BODY WITH ENVIRONMENTS
The following example assigns the user a different system role for each environment:
{ "extension_ae58e98b4abd4da58d00abcd1234abcd_workato_role": "Admin", "extension_ae58e98b4abd4da58d00abcd1234abcd_workato_role_prod": "Operator", "extension_ae58e98b4abd4da58d00abcd1234abcd_workato_role_test": "Analyst" }
Select Run query.
If the request is successful, the response is simply {}
.
Successful role assignment
Confirm that the extension has been assigned to the user:
Select GET from the HTTP verb drop-down menu.
Enter the following URL into the search box, replacing
{id}
with the user's ID and{extension attribute name}
with the extension name you want to confirm:https://graph.microsoft.com/v1.0/users/{id}?$select={extension attribute name}
For example:
https://graph.microsoft.com/v1.0/users/4a5b1db8-415b-4207-ab8d-1a2b3c4d5e6f?$select=extension_ae58e98b4abd4da58d00abcd1234abcd_workato_role
Select Run query.
Check the response to confirm that the user has an extension attribute with the desired role. You should see output like this:
{ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(extension_ae58e98b4abd4da58d00abcd1234abcd_workato_role)/$entity", "extension_ae58e98b4abd4da58d00abcd1234abcd_workato_role": "Admin" }
# Step 2: Configure automatic provisioning on Azure AD
After you extend the Azure AD user schema, you must configure automatic provisioning on Azure AD.
Navigate to the Workato SAML application you created in Azure AD.
CONFIGURE SAML SSO
If you have not yet configured SAML SSO for your Workato application, set up a non-gallery SAML application in Azure AD to access your Workato workspace.
Navigate to Manage > Provisioning.
Select Automatic from the Provisioning Mode drop-down menu.
In the Admin Credentials section, enter the Tenant URL and Secret Token fields using the base URL and SCIM token you generated when you configured SCIM in Workato.
Configure automatic provisioning
Select Test Connection. If the test is successful, Azure will display the message "The supplied credentials are authorized to enable provisioning":
Successful test connection
Select Save.
# Step 3: Configure attribute mappings between Azure AD and Workato
The next step is to update the Azure AD attribute mapping with the extension attributes you created previously.
Navigate to your Workato SAML application in Azure AD.
Expand the Mappings section and select Provision Azure Active Directory Users.
Provision Azure Active Directory Users setting
Ensure Enabled is set to Yes.
In the Target Object Actions section, check the boxes for Create and Update.
At the bottom of the page, select the Show advanced options checkbox.
Select Edit attribute list for customappsso.
At the bottom of the customappsso User Attributes list, add the following attribute name in the Name field and set Type to String:
urn:ietf:params:scim:schemas:workato:1.0:WorkatoRole:workato_role
If your organization has the Environments feature in Workato: Repeat the previous step to add the extension attributes for the TEST and PROD environments, using each of the following attribute names with Type set to String:
urn:ietf:params:scim:schemas:workato:1.0:WorkatoRole:workato_role_test
urn:ietf:params:scim:schemas:workato:1.0:WorkatoRole:workato_role_prod
Extension attributes for an organization with the Environments feature enabled
Select Save and then Yes to confirm that you want to make the changes. You are returned to the Attribute Mapping page.
Select Add New Mapping.
In the Mapping type field, select Direct.
In the Source attribute field, select the workato_role
extension attribute you configured previously, as shown in the following example:
workato_role (extension_ae58e98b4abd4da58d00abcd1234abcd_workato_role)
In the Target attribute field, select the corresponding attribute you configured, as shown in the following example:
urn:ietf:params:scim:schemas:workato:1.0:WorkatoRole:workato_role
Select Always from the Apply this mapping drop-down menu if it is not already selected.
Edit attribute mapping for workato_role
Select OK.
If your organization has the Environments feature in Workato: Select Add New Mapping and repeat the previous steps to map the extension attributes for the TEST and PROD environments:
MAP EXTENSION ATTRIBUTES FOR TEST ENVIRONMENT
Example source attribute:
workato_role (extension_ae58e98b4abd4da58d00abcd1234abcd_workato_role_test)
Example target attribute:
urn:ietf:params:scim:schemas:workato:1.0:WorkatoRole:workato_role_test
MAP EXTENSION ATTRIBUTES FOR PROD ENVIRONMENT
Example source attribute:
workato_role (extension_ae58e98b4abd4da58d00abcd1234abcd_workato_role_prod)
Example target attribute:
urn:ietf:params:scim:schemas:workato:1.0:WorkatoRole:workato_role_prod
The Attribute Mapping page should then look like the following image:
Mapped extension attributes for a workspace with the Environments feature enabled
Select Save and then Yes to confirm you want to save your changes.
# Step 4: Provision users
After you configure automatic provisioning, you can assign Azure AD users and groups to your Workato application and then provision them.
Navigate to your Workato SAML application's overview in Azure AD.
Select Users and groups.
Select Add user/group.
Select None selected and search for the user or group you want to provision to Workato.
Select the user or group and click Select.
Select Assign.
In the sidebar, select Provisioning.
Choose whether to provision users automatically or on demand:
PROVISIONING USERS AUTOMATICALLY
To run a cycle that automatically provisions users once every 40 minutes, select Start provisioning.
Between cycles, you can trigger a provisioning request immediately by selecting Stop provisioning and then Start provisioning.
PROVISIONING USERS ON DEMAND
To provision users on demand:
Select Provision on demand.
Search for the user you want to provision and select their name.
Select Provision.
If provisioning is successful, you'll see the following confirmation:
Successful user provisioning
Workato sends an email invitation to the selected users. Ask the user to verify their email address by clicking on the link in the email:
Email invitation to join a workspace
The collaborator can then sign in to the assigned workspace with the role(s) you configured.
TROUBLESHOOTING
If clicking on the invitation email redirects you to the Workato login page instead of your organization’s workspace, it is likely that you already have a Workato account associated with the same email. If you have forgotten your login credentials, reset your password.
You may optionally verify that the user has been added from the Workato activity audit log:
Activity audit log showing that a user has accepted an invitation
# Update users
To update a user's Workato role(s) from Azure AD, you must update their custom attributes.
Navigate to Microsoft Graph Explorer (opens new window).
Run a Microsoft Graph query to update the desired user's custom attributes:
Select PATCH from the HTTP verb drop-down menu.
Enter the following URL in the query box and replace
{id}
with the user's ID:https://graph.microsoft.com/v1.0/users/{id}
Paste the following JSON in the Request body field, substituting the appropriate values:
{ "{extension attribute name}": "{system role or custom role to assign the user}" }
For example, the following request body updates a user's role to
NoAccess
in the PROD environment of a workspace with the Environments feature enabled:{ "extension_ae58e98b4abd4da58d00abcd1234abcd_workato_role_prod": "NoAccess" }
Select Run query.
If the request is successful, the response is simply {}
.
Updating a user's attributes using Microsoft Graph Explorer
Run a provisioning cycle on demand in Azure AD or wait for the next scheduled cycle.
# Deprovision users
There are two ways to deprovision a user:
Either way, the deprovisioned user is no longer able to access the Workato workspace. However, their recipes and connections remain available to the rest of the team.
DEPROVISIONING DURING AN ACTIVE SESSION
If users are deprovisioned during an active session, their next action locks them out from the workspace. Their data, such as recipes and connections, remain accessible to other users in the workspace.
# App assignment removal
In Azure AD, navigate to Users.
Select the user you want to deactivate.
Select the Workato SAML application from the Applications section.
Select Remove.
Removing the app assignment for a user
# User deletion (soft)
Soft deletions allow you to recover user accounts if needed.
In Azure AD, navigate to Users.
Select the user you want to deactivate.
Select Delete.
Select Delete again.
# Disable SCIM
To disable SCIM from within Azure AD:
In Azure AD, navigate to the Workato application.
In the Provisioning interface, change the provisioning method from Automatic to Manual.
This action breaks your SCIM connection. User data cannot be synced between Azure AD and Workato.
You can also disable SCIM from within Workato. See Disabling SCIM.
Last updated: 1/2/2024, 7:18:05 PM