Use this procedure to add users from IDaaS to your third-party application. The outbound provisioning process includes using groups and user attributes to identify the users that need to be provisioned. IDaaS integration templates include the mandatory user attributes needed for the user provisioning, but custom attributes can also be included as part of the provisioning process.
Before you begin, complete the following, as required:
1. Create a provisioner for user provisioning.
2. Map the IDaaS user attributes to the attributes that are expected by the third-party service. Consult your service documentation for help. If required, create custom user attributes in IDaaS. See Create and manage user attributes.
3. Identify the IDaaS users that need to be provisioned. In IDaaS, you select the users for provisioning using the Group option. If necessary, create the required groups and add the users to those groups. By default, provisioning searches all IDaaS users if no groups are selected. See Create and manage groups and Import groups.
4. Copy the information required to set up the OIDC relationship between IDaaS and the third-party service. To do this, open a text file in a text editor, then copy and save the following information from the third-party service that you want to provision with IDaaS:
● SCIM Server Endpoints (this is usually your domain, for example: mytenantID.mycompany.com)
● Client Secret of the third-party service
● Issuer Client ID
● Issuer URL
5. Copy the Redirect URI from IDaaS. To do this:
a. Open a Web browser.
b. Log in to IDaaS.
c. Click > Resources > Provisioners. The Provisioners List page appears.
d. Click and select Generic from the drop-down list. The Add Provisioner page appears.
e. Scroll to Redirect URI.
f. Open the text file you created in step 4, copy and paste the Redirect URI, and then save the file.
g. You can leave the Add Provisioner page open because you need to access it in Step 3: Add the Provisioner to IDaaS.
You need to enter the IDaaS Redirect URI you copied in Step 1: Prerequisites to set up provisioning between IDaaS and your third-party service. How you do this depends on the third-party service. Consult the third-party service documentation for more information.
Note: If you want to provision more than one IDaaS tenant, you must add the Redirect URI for each tenant.
The Redirect URI should be entered in the following format:
Example: https://<tenantname>.<locale>.trustedauth.com/api/web/v1/oauth/scim/redirect
where <tenantname>.<locale> is your IDaaS tenant name and locale code, for example, mycompany.us.
1. Return to the IDaaS Add Provisioner page that you opened in Step 1: Prerequisites.
2. Enter a Name for the provisioner.
3. Select Enable to automatically enable the provisioner when it is created. By default, this setting is deselected.
Attention: Entrust recommends keeping this setting at the default (deselected) when in draft mode.
4. Select the Groups to provision all users from the selected groups. You can select more than one group.
5. Enter the SCIM Server Endpoints that you saved in Step 1: Prerequisites.
Example: https://<tenantId.mycompany.com>/services/scim/v2/
where <tenantId.mycompany.com> is your service domain.
Note: SCIM Server Endpoints cannot be edited after the provisioner has been added to IDaaS.
6. Under User Attribute Mapping, do the following to map IDaaS user attributes to the attributes used by the third-party service:
a. Click . The SCIM Attribute dialog box appears.
b. Select the User Attribute Name from the drop-down list.
c. In the User Attribute to map to field, enter the user attribute value.
d. Click Save.
e. Repeat these steps to add more SCIM attributes.
7. Click Save. The provisioner appears on the Provisioner List page with an authorize icon.
1. Click next to the Provisioner you created in Step 3: Add the provisioner to IDaaS. The General Settings page appears.
2. Select the Authorization Method.
3. If you select OAuth as the Authorization Method, complete the following:
a. Enter the Client ID that you copied and saved in Step 1: Prerequisites.
b. Enter the Client Secret that you copied and saved in Step 1: Prerequisites.
c. Enter the Issuer URL that you copied and saved in Step 1: Prerequisites.
d. Click Fetch Configuration.
e. Click Authorize to acquire OAuth access and refresh tokens.
f. Follow the prompts that appear from your service to allow access. An Authorized message appears on the General Settings page to confirm successful authorization.
g. Click Send Test SCIM to do a SCIM call to your service. A message appears to confirm a successful SCIM call to your third-party service.
4. If you select API Key as the Authorization Method, do the following:
a. Enter the API Key from your provisioner.
b. Click Send SCIM Test to do a SCIM call to your service. A message appears to confirm a successful SCIM call to your third-party service.
5. Click Save to return to the Provisioners List page.
Note: If the Save fails, you may need to reauthorize and send a test SCIM again to save new refresh and access tokens.
6. On the Provisioners List page, enable the provisioner as follows:
a. Under Actions for the new provisioner, click . The Enable Provisioner prompt appears.
b. Click Enable.
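To make the attribute mapping from step 6 of the Add Provisioner procedure and the test SCIM call above concrete, here is an added Python example (not IDaaS, Entrust or third-party service code) that builds the SCIM 2.0 User resource such a mapping produces and describes the POST /Users request a provisioner would send to the SCIM Server Endpoints; the IDaaS attribute names, the sample user and the endpoint are constructed assumptions, and nothing is sent over the network.

```python
import json

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
MULTI_VALUED = {"emails", "phoneNumbers"}  # SCIM multi-valued complex attributes

# Constructed sample IDaaS user record; the attribute names are assumptions.
IDAAS_USER = {"userId": "jdoe", "firstName": "Jane", "lastName": "Doe",
              "email": "jane.doe@example.com", "department": "Security", "costCenter": ""}

# Constructed mapping: IDaaS "User Attribute Name" -> SCIM "User Attribute to map to".
MAPPING = {"userId": "userName", "firstName": "name.givenName", "lastName": "name.familyName",
           "email": "emails.value", "department": ENTERPRISE + ":department",
           "costCenter": ENTERPRISE + ":costCenter"}


def _set_path(obj, path, value):
    """Write value into nested dicts along a dotted SCIM path such as name.givenName."""
    parts = path.split(".")
    if parts[0] in MULTI_VALUED:  # emails.value -> one "work" entry in the emails list
        obj[parts[0]] = [{parts[1]: value, "type": "work", "primary": True}]
        return
    for key in parts[:-1]:
        obj = obj.setdefault(key, {})
    obj[parts[-1]] = value


def build_scim_user(user, mapping):
    """Build a SCIM 2.0 User resource; empty values are skipped and userName is mandatory."""
    resource = {"schemas": [CORE]}
    for src, dest in mapping.items():
        value = user.get(src)
        if value in (None, ""):
            continue  # skip empty values so the service is not sent blank attributes
        if dest.startswith(ENTERPRISE + ":"):  # enterprise extension lives under its URN
            if ENTERPRISE not in resource["schemas"]:
                resource["schemas"].append(ENTERPRISE)
            _set_path(resource.setdefault(ENTERPRISE, {}), dest[len(ENTERPRISE) + 1:], value)
        else:
            _set_path(resource, dest, value)
    if "userName" not in resource:
        raise ValueError("mapping must populate the mandatory SCIM userName attribute")
    return resource


def scim_create_request(endpoint, bearer_token, resource):
    """Describe (not send) the POST /Users call; endpoint is the SCIM Server Endpoints value."""
    return {"method": "POST", "url": endpoint.rstrip("/") + "/Users",
            "headers": {"Authorization": "Bearer " + bearer_token,
                        "Content-Type": "application/scim+json"},
            "body": json.dumps(resource)}
```

The bearer token here stands for the OAuth access token obtained when you click Authorize, or the API Key if that authorization method is used.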
1. In IDaaS, click > Resources > Provisioners. The Provisioners List page appears.
2. Ensure that the provisioner is enabled.
3. Click and then select . The Synchronize Provisioner dialog box appears.
4. Click Synchronize.
Recommendation: Check the Audit logs for errors after synchronizing your users for provisioning.
Note: Once a refresh token expires, you must re-authorize and repeat this step.
1. In IDaaS, click > Resources > Provisioners. The Provisioners List page appears.
2. Click the name of the provisioner. The Edit Provisioner page appears.
3. Make your required changes and then click Save.
Attention: If you need to edit the provisioner, note that changing a group or an attribute mapping triggers a large number of SCIM calls. Entrust recommends disabling the provisioner until you have completed all the required changes. When it is disabled, the only SCIM calls made are those that delete users or provisioners, as applicable. In addition, you may need to reauthorize the provisioner if an authentication configuration has changed.