Azure - SAML
SCIM for Azure Active Directory supports the following SCIM resources:
- Users (mapped directly to BSR Users)
- Groups (not directly represented in the BSR, but can be added to BSR Organizations by name to manage Organization membership)
The steps below must be carried out by users with administrative privileges in your Azure AD account.
Prerequisites
- Setup needs to be complete.
- You need to know your private BSR instance's domain name (for example, example.buf.dev or buf.example.com) for the steps below.
Enable SCIM provisioning
- Complete the SCIM prerequisites if you haven't already.
- Sign in to your Azure portal.
- Navigate to your BSR application under Enterprise applications in your Azure Active Directory tenant.
- Click Provisioning on the sidebar, then click Configure Provisioning.
- Under Provisioning Mode, select Automatic.
- Under Admin Credentials, enter the following information:
  - Tenant URL: https://buf.example.com/scim/v2
  - Secret Token: enter the SCIM token you created earlier
- Click Save.
Configure SCIM mappings
- Navigate to your BSR application under Enterprise applications in your Azure Active Directory tenant.
- On the left sidebar, navigate to Provisioning, and then Provisioning again.
- Under Mappings, click Provision Azure Active Directory Users.
- Ensure that the following attribute mappings are set. Delete all other attribute mappings.

  | Azure Active Directory attribute | Application attribute |
  | --- | --- |
  | userPrincipalName | userName |
  | Switch([IsSoftDeleted], , "False", "True", "True", "False") | active |
  | mail | emails[type eq "work"].value |
  | givenName | name.givenName |
  | surname | name.familyName |

- Click Save.
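
What the attribute mappings above produce for one user, sketched in Python as an added example (not Buf's or Microsoft's code): it evaluates the Switch expression so a soft-deleted user is sent with active set to false, and builds the SCIM 2.0 User resource. The helper names and sample records are hypothetical, and the JSON Azure actually sends may carry additional fields.

```python
import json

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def switch(source, default, *pairs):
    """Azure AD Switch(): value paired with the key equal to source, else default."""
    for key, value in zip(pairs[0::2], pairs[1::2]):
        if source == key:
            return value
    return default


def to_scim_user(aad_user):
    """Apply the five mappings to one directory record (a plain dict here)."""
    upn = aad_user.get("userPrincipalName")
    if not upn:
        # userName is a required attribute of the SCIM core User schema (RFC 7643).
        raise ValueError("userPrincipalName is empty, so userName cannot be set")
    # The expression compares IsSoftDeleted as the strings "True" / "False".
    soft_deleted = "True" if aad_user.get("IsSoftDeleted") else "False"
    active = switch(soft_deleted, "", "False", "True", "True", "False")
    user = {"schemas": [SCIM_USER_SCHEMA], "userName": upn, "active": active == "True"}
    if aad_user.get("mail"):
        # emails[type eq "work"].value targets the email entry whose type is "work".
        user["emails"] = [{"type": "work", "value": aad_user["mail"]}]
    name = {}
    if aad_user.get("givenName"):
        name["givenName"] = aad_user["givenName"]
    if aad_user.get("surname"):
        name["familyName"] = aad_user["surname"]
    if name:
        user["name"] = name
    return user


# Constructed sample records, not real directory data.
SAMPLE_ACTIVE = {
    "userPrincipalName": "alice@example.com",
    "mail": "alice@example.com",
    "givenName": "Alice",
    "surname": "Example",
    "IsSoftDeleted": False,
}
SAMPLE_DELETED = dict(SAMPLE_ACTIVE, IsSoftDeleted=True)

if __name__ == "__main__":
    for record in (SAMPLE_ACTIVE, SAMPLE_DELETED):
        print(json.dumps(to_scim_user(record), indent=2))
```

Comparing this output with an entry in the Provisioning Logs tab shows quickly whether an unexpected attribute mapping is still configured.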
Provision users
In the Overview tab in the Provisioning app, click Start Provisioning. Azure provisions users on a fixed interval, but you can also navigate to Provision on demand if you want to immediately provision users.
If you had previously assigned this Azure application to users before enabling SCIM, Azure tries to match the users to existing users within the BSR, and this should succeed without error. If this fails, consult the Provisioning Logs tab in the Provisioning app.
If you encounter any errors provisioning users, see the relevant part of the FAQ. If you are unable to resolve those issues, contact Support or your Buf representative.