Articles in this section

Configuring SCIM with Azure AD

Avatar
Courtney Yazzie
  • Updated

If you are configuring SCIM with Azure AD, this article is for you. The below guide provides the steps required to configure provisioning for 15Five, and includes the following sections:

  • Features
  • Prerequisites
  • Configuration Steps
  • Troubleshooting Tips

Features

Automatic User Provisioning is supported for the 15Five application.

This enables Azure AD to:

  • Add new users to 15Five
  • Update select fields in users’ profile information in 15Five
  • Deactivate users in 15Five
  • Push groups and membership to 15Five

The following provisioning features are supported:

  • Push New Users - Creating a new user in Azure AD and assigning them to the 15Five application will create a new user in 15Five.
  • Push Profile Updates - Updates to a user in Azure AD will be pushed to 15Five.
  • Push User Deactivation - Deactivating the user or disabling the user's access to 15Five within Azure AD will deactivate the user in 15Five.
  • Push Groups - Groups created in Azure AD can be pushed to 15Five. Attributes pushed include name and group members.
  • Delete Groups - Groups deleted or removed from the 15Five application within Azure AD will be deleted within 15Five.

Currently, a non-gallery app within Azure AD is required for use of 15Five's SCIM provisioning features. The application found here is deprecated. 15Five is in communication with Microsoft regarding a new marketplace application however Microsoft has projected a 6-month wait period before such an application could be considered due to their backlogged work. 

Prerequisites

Before you configure provisioning, navigate to 15Five and:

  1. Navigate to the integrations page: https://my.15five.com/integrations/
  2. Click on SCIM 2.0 and enable SCIM in your 15Five account.
  3. Generate an Access Token.

Screen_Shot_2019-06-05_at_4.06.56_PM.png

Configuration Steps

  • Navigate to this URL and start with the "Getting Started" section. Follow the 15 steps in that section and then return to this document.
    • Please note that you will need to use a tenant URL of the form below:
      • https://<subdomain>.15five.com/scim/v2/
    • Important Notes
      • The SCIM key is 30 characters long and should be placed in the "Secret Token" field. Make sure to use a SCIM key rather than a 15Five Public API key. A 15Five Public API key is 32 characters long.
      • It may take 40 minutes before the first users are pushed from Azure AD to 15Five after the Admin Credentials (tenant URL and secret token) have been tested and the non-gallery app has been saved. After that, pushes occur about every 20 minutes.

  • Navigate to the Mappings section of the Provisioning section.

Screen_Shot_2019-06-06_at_4.11.16_PM.png

  • Update the User Attribute Mappings to reflect the table below.
  • You will need to create the location and potentially the manager.value attribute. Do so with the following steps.
    • Click "Edit attribute list for customappsso" at the bottom of the Attribute Mapping page for Users.
    • Enter "urn:15Five:params:scim:schemas:extension:15Five:2.0:User:location" for the attribute name and "String" for the type. Click "Add Attribute".
    • If "manager" is not avialable as an AD attribute, enter "manager.value" for the attribute name, "Reference"  for the type, and "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" for the  referenced object attribute. Click "Add Attribute".
    • Navigate back to the User Attribute Mapping page.
    • Click "Add New Mapping" at the bottom of the Attribute Mappings table to add each mapping for location and manager.
AZURE ACTIVE DIRECTORY ATTRIBUTE CUSTOMAPPSSO ATTRIBUTE
userPrincipalName userName

Not([IsSoftDeleted])

 active
jobTitle

title
mail

emails[type eq "work"].value
 givenName

 name.givenName
 surname

name.familyName
objectId

 externalId
 employeeId

urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber
manager (or manager.value)

urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager

( or urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager.value)
physicalDeliveryOfficeName

 urn:15Five:params:scim:schemas:extension:15Five:2.0:User:location 

 

No changes need to be made to the Group attributes.

 

Syncing Passwords

Azure AD can be configured to sync passwords with 15Five. This sync direction is from Azure AD to 15Five. That is, passwords are only ever sent from Azure AD to 15Five for a user; never from 15Five to Azure AD.

If your company uses SSO with 15Five, do not send the "passwordProfile.password" as an attribute via SCIM. User authentication will be determined from the SAML setup associated with 15Five.

 

SSO 

If SCIM and SAML SSO are being used together, only an email address needs to be sent as a SAML claim. All other data can and should be sent via SCIM. 

Welcome Emails

After assigning 15Five to an Azure AD user for the first time, a new user in 15Five will be created. If SSO is enabled for that user’s company in 15Five, that user will be sent a welcome email with a link to the SSO page at 15Five. If SSO is not enabled, that user will be sent a link to sign in and set their password.

Passwords

When updating an Azure AD user’s password, that user’s 15Five password may be updated (depending on whether the"passwordProfile.password" attribute is being sent by Azure AD). If SSO is enabled for the user’s company in 15Five, no password changes will occur for the user within 15Five. If SSO is not enabled in 15Five and the"passwordProfile.password" attribute is being sent by Azure AD to 15Five, then a user will receive an email with a link to reset their password in 15Five.

 

Groups

Please note that these are the only Group attributes that are updatable via the Azure AD integration:

  • Group Name
  • Group Members

Groups created in 15Five cannot be imported into Azure AD. Since groups cannot be imported from 15Five into Azure AD it is suggested to create groups in Azure AD first. These groups, when assigned to the 15Five non-gallery app, will be pushed to 15Five along with users.

Groups cannot be used to manage access to 15Five. For example, the following steps will NOT cause a user to be de-provisioned from 15Five:

  1. Create a group in Azure AD
  2. Assign users to that group in Azure AD
  3. Assign the group to 15Five application in Azure AD
  4. Remove a user (User A) from the group in Azure AD

Steps 1 through 3 will cause users to be provisioned to 15Five, but the last step will not cause User A to be removed from 15Five. User A will only be removed from the group within 15Five. 

To remove users from 15Five, users must be individually unassigned from the application within Azure AD. Therefore, it is suggested that users be individually assigned to the 15Five application within Azure AD (rather via group assignment) for consistency.

 How to name your groups?

When you create or edit groups in Azure AD you have the option of prefixing their names in order to give them a type within 15Five. For example, if you wanted to add a new group named "Party Planning" to 15Five but with the type of "People Ops" you would name your group "People Ops \ Party Planning" within Azure AD. If you do not provide a group type for your group, your group will be added to the default "Groups" group type in 15Five.

Please note:

  • Group type names are case insensitive. Thus, People Ops, people ops, and PeOpLe OpS would all be the same group type.

  • Group names are case insensitive. Thus, Party Planning, party planning, and PaRtY PlAnNiNg would all be the same group.

  • The Department group type can not be removed from 15Five.

  • If a group is renamed in Azure AD, the group name will change in 15Five. Membership in the group will not change.

  • If a group type is changed for a group in your Azure AD, the group will be placed in the new group type in 15Five. Membership in the group will not change.

  • Once a group is created in 15Five via SCIM, the Azure AD identifies the group by a numeric ID and the group type and group name can change without changes in membership.

 

Troubleshooting + Support

Manager/Reviewer not syncing? 

Make sure that the manager exists within 15Five prior to provisioning. 15Five will ignore any manager assignments that include managers not present in 15Five. 

Azure AD sends the manager information present in the manager attribute for a given user. The information in the attribute can be an email address for the manager or a 15Five ID for the user. Make sure this field is populated.

Finally, ensure that Sync Managers is enabled within 15Five's SCIM settings.

Please note, for consistency reasons, manager updates are not performed during active Best-Self Reviews. 

Changing a username?

15Five depends on the uniqueness of a user’s email address. Therefore, provisioning will fail if a user’s userPricipleName is updated but their email address is not. Ensure these two source attributes (userPricipleName and mail) send the same value and retry the provision if has failed. 


Updates or de-provisioning not working for some users? 

Users added to 15Five before SCIM was enabled for the 15Five account may not be tracked by Azure AD. To make Azure AD aware of these users' membership in 15Five, select "Clear current state and restart synchronization" and save the non-gallery app. NOTE: This could remove users from 15Five if they are not assigned to the non-gallery app in Azure AD. 

 

Have questions that need a human touch? 

This integration is built and supported by 15Five and our Support Team. Contact the 15Five Support Team at support@15five.com if any issues arise. Thanks!

Related articles