Azure - SAML

This feature is only available on the Pro and Enterprise plans.

SCIM for Azure Active Directory supports the following SCIM resources:

  • Users (mapped directly to BSR Users)
  • Groups (not directly represented in the BSR, but can be added to BSR Organizations by name to manage Organization membership)

The steps below must be carried out by users with administrative privileges in your Azure AD account.

Prerequisites

  • Setup (Pro | Enterprise) needs to be complete.
  • You need to know your private BSR server domain (for example, example.buf.dev or buf.example.com) for the steps below.

Enable SCIM provisioning

  1. Complete the SCIM prerequisites if you haven't already.
  2. Sign in to your Azure portal.
  3. Navigate to your BSR application under Enterprise applications in your Azure Active Directory tenant.
  4. Click Provisioning on the side bar, then click Configure Provisioning.
  5. Under Provisioning Mode, select Automatic.
  6. Under Admin Credentials, enter the following information:
    • Tenant URL: https://buf.example.com/scim/v2 (replace buf.example.com with your private BSR server domain)
    • Secret Token: enter the SCIM token you created earlier
  7. Click Save.

Configure SCIM mappings

  1. Navigate to your BSR application under Enterprise applications in your Azure Active Directory tenant.
  2. On the left sidebar, navigate to Provisioning, and then Provisioning again.
  3. Under Mappings, click Provision Azure Active Directory Users.
  4. Ensure that the following attribute mappings are set. Delete all other attribute mappings.

    Azure Active Directory attribute                             | Application attribute
    -------------------------------------------------------------+------------------------------
    userPrincipalName                                            | userName
    Switch([IsSoftDeleted], , "False", "True", "True", "False")  | active
    mail                                                         | emails[type eq "work"].value
    givenName                                                    | name.givenName
    surname                                                      | name.familyName
  5. Click Save.
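
The mapping step above, as an added example (not Buf's or Microsoft's code): it diffs a configured mapping set against the five mappings in the table, so leftover default mappings stand out, and shows how the Switch expression turns a soft-deleted Azure AD user into active=false. The function names, the sample data and the exact resource shape are assumptions made for illustration.

```python
# Added example, not Buf's or Microsoft's code. Mappings are copied from the
# table on this page; all sample data below is constructed.
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Application (target) attribute -> Azure AD source attribute or expression.
EXPECTED = {
    "userName": "userPrincipalName",
    "active": 'Switch([IsSoftDeleted], , "False", "True", "True", "False")',
    'emails[type eq "work"].value': "mail",
    "name.givenName": "givenName",
    "name.familyName": "surname",
}

def audit_mappings(configured):
    """Diff a configured {target: source} mapping set against EXPECTED."""
    return {
        "missing": sorted(t for t in EXPECTED if t not in configured),
        "extra": sorted(t for t in configured if t not in EXPECTED),
        "changed": sorted(t for t in EXPECTED
                          if t in configured and configured[t] != EXPECTED[t]),
    }

def switch_active(is_soft_deleted):
    """Evaluate the Switch expression: "False" -> "True", "True" -> "False"."""
    result = {"False": "True", "True": "False"}.get(str(is_soft_deleted), "")
    return result == "True"  # assumption: the empty default counts as inactive

def build_scim_user(aad):
    """Assumed shape of the SCIM 2.0 User resource the five mappings describe."""
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": aad["userPrincipalName"],
        "active": switch_active(aad["IsSoftDeleted"]),
        "emails": [{"type": "work", "value": aad["mail"]}],
        "name": {"givenName": aad["givenName"], "familyName": aad["surname"]},
    }

# Constructed input: two leftover mappings and one edited source attribute.
SAMPLE_CONFIGURED = dict(EXPECTED, userName="mail",
                         externalId="mailNickname", displayName="displayName")
# Constructed Azure AD user that has been soft-deleted.
SAMPLE_USER = {"userPrincipalName": "alice@example.com", "IsSoftDeleted": True,
               "mail": "alice@example.com", "givenName": "Alice",
               "surname": "Example"}

if __name__ == "__main__":
    print(audit_mappings(SAMPLE_CONFIGURED))
    print(build_scim_user(SAMPLE_USER))
```

The audit compares expression strings exactly, so a mapping that differs only in whitespace is reported as changed.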

Provision users

In the Overview tab in the Provisioning app, click Start Provisioning. Azure will provision users on a fixed interval, but you can also navigate to Provision on demand if you would like to immediately provision users.

If you assigned this Azure application to users before enabling SCIM, Azure will try to match those users to existing users within the BSR, and this should succeed without error. If this fails, consult the Provisioning Logs tab in the Provisioning app.

If you encounter any errors provisioning users, please see the relevant part of the FAQ. If you are unable to resolve those issues, contact Support or your Buf representative.