Microsoft Entra (Azure AD) Federated Identity and Single Sign on with SCIM Configuration
Updated over a week ago

Ease the Xakia sign-in process for users by linking to your federated identity service with Microsoft Entra (formerly known as Azure Active Directory).

Xakia currently supports Federated Identity (also known as single sign-on) through Microsoft Entra (formerly known as Azure Active Directory), using the OpenID Connect (OIDC) protocol. This is available at all subscription levels.


Setting up your Microsoft Entra in Xakia

Xakia's federated identity is configured at the Location Level, but will require the assistance of an Entra Directory Global Administrator for your organization. This is possibly someone from your internal IT team who may need to be added as a user in Xakia to manage this process.

In order to configure Federated Identity in Microsoft Entra, follow the steps below.

Configure Xakia

In Xakia:

  • Click on 'Admin' in the top navigation menu

  • Click on 'Security' in the left hand side menu

  • Select the 'Federated Identity' tab

  • In the 'Identity Provider' field, select ‘Azure Active Directory – SCIM’

  • Click ‘Save’ to confirm Azure Active Directory as your provider

  • Click 'Get the App' and this will take you to Microsoft Azure Active Directory

  • Follow the prompts to accept the permissions for the terms of the application.

Once these steps have been completed, the following fields will be automatically populated in Xakia:

  • Tenant ID

  • Consent Granted by (person who provided consent)

  • Consent granted on (date of acceptance in UTC)

  • SCIM Base URI

  • SCIM API Key

Take note of the ‘SCIM Base URI’ and ‘SCIM API Key’ for use later.

Note: We do not store the API Key, so make sure you copy this before navigating away. It can be regenerated later, but will have to be updated everywhere it has been used.

Configure Microsoft Entra (formerly known as Azure Active Directory):

  • Create a new Enterprise Application by going to Microsoft Entra (Azure Active Directory) -> Enterprise Applications and selecting ‘New application’. Then select ‘Create your own application’

  • Provide a name (Xakia SCIM) and select ‘Integrate any other application you don't find in the gallery’

  • Click ‘Create’

  • Once the application is created, select ‘Provisioning’ then click ‘Get started’

  • Select ‘Automatic’ as the provisioning mode

  • Enter the ‘SCIM Base URI’ value from Xakia into the ‘Tenant URL’ field

  • Enter the ‘SCIM API Key’ value from Xakia into the ‘Secret Token’ field

  • Click ‘Test Connection’ to ensure everything is configured correctly

  • Click ‘Save’

  • Once saved, under the ‘Mappings’ header, select ‘Provision Azure Active Directory Groups'

  • Toggle 'Enabled' to 'No' and then save

  • Navigate back to the provisioning settings. Then under the ‘Mappings’ header, select ‘Provision Azure Active Directory Users’

  • Under 'Target Object Actions', ensure that Create, Update & Delete are all checked

  • Ensure that the userName, email, active, name.givenName, name.familyName, and externalId fields are mapped correctly. The username and primary email fields must be the email the user will use to log in. All other fields can be removed.

Note: In some instances the externalId field is not immediately available. If need be, return to configure this field at a later time as it is a mandatory field and the integration will not work without it.

  • Click ‘Save’

  • Under 'Provisioning', ensure that the Provisioning is toggled to 'On'

  • When users are added to the application, they will be automatically provisioned into Xakia

  • Users who are new to Xakia will need to be invited from the Xakia Admin to complete the registration process

  • New Xakia users will be added with an access level of 'My Matters'. This can be adjusted by a Xakia Admin
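
The attribute-mapping step above, as an added example (not Xakia's or Microsoft's code): a Python check that a SCIM 2.0 User resource carries the fields the mapping must supply. The function names and sample payloads are constructed for illustration, and treating "userName must equal the primary email" as the rule is this example's reading of the mapping step.

```python
import json

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643 core User schema

def primary_email(user):
    """Return the value of the email entry flagged primary, or None."""
    for entry in user.get("emails") or []:
        if isinstance(entry, dict) and entry.get("primary") is True:
            return entry.get("value")
    return None

def check_scim_user(user):
    """Return a list of mapping problems; an empty list means none were found."""
    problems = []
    if CORE_USER not in (user.get("schemas") or []):
        problems.append("schemas: core User schema URN missing")
    # externalId is mandatory: the page notes the integration fails without it.
    if not str(user.get("externalId") or "").strip():
        problems.append("externalId: missing or empty")
    if not isinstance(user.get("active"), bool):
        problems.append("active: must be a JSON boolean")
    name = user.get("name") or {}
    for part in ("givenName", "familyName"):
        if not str(name.get(part) or "").strip():
            problems.append(f"name.{part}: missing or empty")
    user_name = str(user.get("userName") or "").strip()
    email = primary_email(user)
    if not user_name:
        problems.append("userName: missing or empty")
    if not email:
        problems.append("emails: no entry flagged primary")
    elif user_name and user_name.casefold() != email.strip().casefold():
        # Assumption: both fields carry the login email, so they must match.
        problems.append("userName: differs from primary email")
    return problems

# Constructed sample payloads (not captured from a real tenant).
GOOD = json.loads("""{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "externalId": "a1b2c3d4-0000-4000-8000-000000000001",
  "userName": "Pat.Lee@example.com", "active": true,
  "emails": [{"primary": true, "type": "work", "value": "pat.lee@example.com"}],
  "name": {"givenName": "Pat", "familyName": "Lee"}
}""")
BAD = dict(GOOD, userName="plee", active="True")  # wrong login name, string flag
BAD.pop("externalId")                             # mandatory field not mapped

if __name__ == "__main__":
    for label, payload in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_scim_user(payload) or "ok")
```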

User provisioning in Xakia

  • Syncing users to Xakia via SCIM is the recommended approach. However, if user provisioning is required from Xakia directly, go to Admin | Security | Federated Identity, select the 'Enable User Provisioning from Xakia' box and click 'Save'

  • This will allow a Xakia Admin to provision a new user in Xakia directly as a SSO user, by going to Security | Users | Add user

  • Complete all new user details as prompted and the Identity Provider field will default to 'Azure Active Directory - SCIM'

  • The new Xakia user will immediately have access to Xakia via SSO

  • Best practice is for the new user to also be added to the Xakia SCIM app in AAD to ensure they stay in sync
