Deployment in an Organization

Configuring SCIM With Entra ID

If your organization uses Microsoft Entra ID, follow these instructions to set up automated provisioning with the SCIM standard. Entra ID is used here as the example; the procedure is similar for other identity providers.

Requirements

Before you begin, make sure:
✅ you have configured Authentication with SAML;
✅ your organization holds an active Antidote subscription;
✅ your account is assigned the Administrator or Technician role.

The basic procedure consists of three key steps:

A. Preparing Entra ID

B. Linking the Client Portal and Entra ID

C. Configuring Users in Entra ID

The following settings are optional and can be configured according to your preferences:

D. Managing Antidote Access

E. Managing Roles in the Organization

A. Preparing Entra ID

  1. In the Azure portal, go to the Enterprise applications service. You can access it quickly by typing the first few characters in the search field.

  2. Select the application you created for your Organization Client Portal when you configured the SAML settings.

  3. Click Provisioning in the sidebar.

  4. Click the Connect your application button.

  5. Keep the next window open. You will need to come back to it later to enter information retrieved from the Client Portal. Open a new window to follow the instructions in the next section.


B. Linking the Client Portal and Entra ID

  1. In a new window, log in to the Organization Client Portal and click the Settings tab.

  2. Go to the SCIM Automated Provisioning section.

  3. Click Start.

  4. Copy the Base URL by clicking the icon.

  5. Go back to the Entra ID window from section A, and paste the link into the Tenant URL field.


  6. Create a token in the Client Portal by clicking Add a token.

  7. Click Add to confirm that you want to create a token.

  8. Copy the token that appears on the screen by clicking the icon.

    Caution — The token will only appear once. As a security measure, it cannot be displayed again. Make sure you have copied it before closing the window. The token is a bearer credential: anyone who holds it can create, update and deactivate accounts in your organization through the SCIM endpoint, so paste it straight into Entra ID rather than into email, chat or a ticket, and create a replacement token (and update Entra ID) if it is ever exposed.

  9. Go back to the Entra ID window, and paste the token into the Secret Token field.

  10. Click Create.


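Before clicking Create in Entra ID (step 10), it is worth confirming that the Base URL and token actually authenticate against the SCIM endpoint, because Entra ID reports a failed connection only after you have left the Client Portal window and the token can no longer be displayed. The script below is an added example, not part of the Druide documentation or the Client Portal: it sends the same kind of request Entra ID will send (a GET on the Users collection with the token in the Authorization header) and translates the HTTP status into the next thing to check. It assumes the Base URL is a standard SCIM 2.0 root under which the Users collection is served; the hostname portal.example used when testing is a placeholder.

```python
"""Smoke-test a SCIM Base URL / token pair before handing it to Entra ID.

Added example, not part of the Druide documentation. Assumes the Base URL copied
from the Client Portal is a SCIM 2.0 root under which /Users is served.
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

PROBE_PATH = "Users"          # standard SCIM 2.0 user collection
PROBE_QUERY = {"count": "1"}  # ask for at most one resource


def build_probe(base_url: str, token: str) -> urllib.request.Request:
    """Return the GET request a SCIM client makes: bearer token in Authorization, SCIM media type."""
    if not base_url.startswith("https://"):
        raise ValueError("Base URL must be https; the token is a bearer credential")
    if not token.strip():
        raise ValueError("token is empty; create one with Add a token")
    url = f"{base_url.rstrip('/')}/{PROBE_PATH}?{urllib.parse.urlencode(PROBE_QUERY)}"
    return urllib.request.Request(
        url,
        headers={"Authorization": f"Bearer {token}", "Accept": "application/scim+json"},
        method="GET",
    )


def explain(status: int) -> str:
    """Map an HTTP status to the fix a practitioner would try next."""
    if status == 200:
        return "OK: Base URL and token accepted"
    if status in (401, 403):
        return "token rejected: paste the token exactly as displayed (it is shown only once)"
    if status == 404:
        return "endpoint not found: check the Base URL"
    if status == 0:
        return "no HTTP response: DNS, TLS or network problem"
    return f"unexpected status {status}"


def probe(base_url: str, token: str, timeout: float = 10.0) -> int:
    """Send the probe and return the HTTP status (0 if no HTTP response was received)."""
    req = build_probe(base_url, token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            try:
                body = json.loads(resp.read())
            except ValueError:
                print("200 but body is not JSON: this is probably not the SCIM endpoint", file=sys.stderr)
            else:
                # A SCIM ListResponse carries totalResults; an unrelated JSON API would not.
                total = body.get("totalResults") if isinstance(body, dict) else None
                print("totalResults:", total)
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, OSError) as err:
        print("no HTTP response:", err, file=sys.stderr)
        return 0


if __name__ == "__main__":
    # The token is read from the environment, not argv, so it stays out of shell history and ps output.
    if len(sys.argv) != 2 or "SCIM_TOKEN" not in os.environ:
        sys.exit("usage: SCIM_TOKEN=<token> python scim_probe.py <Base URL>")
    code = probe(sys.argv[1], os.environ["SCIM_TOKEN"])
    print(code, explain(code))
```

Run it as `SCIM_TOKEN=<token> python scim_probe.py <Base URL>` immediately after copying the token. A 401 or 403 means the token was not pasted correctly; a 404 means the Base URL is wrong; a 200 whose body is not a JSON ListResponse usually means the URL points at a web page rather than the SCIM root.
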
C. Configuring Users in Entra ID

  1. Expand the Manage section in the sidebar.

  2. Click Provisioning.

  3. Expand the Mappings section.

  4. Click Provision Microsoft Entra ID Users.

  5. Make sure the source attribute mapped to the target attribute userName is an email address for every user you plan to provision. In this example, the source attribute is userPrincipalName (in the Microsoft Entra ID Attribute column). If some users have a userPrincipalName that is not their email address (for example, guest accounts, whose UPN contains #EXT#), map userName to mail or to another attribute that holds the address instead. If needed, you can edit the attribute by clicking on it.

  6. Click Save if you made any changes, then close the panel.

  7. Expand the Settings section.

  8. Indicate whether you would like to synchronize all users and groups or only assigned users and groups.

    Note — If you plan to manage roles in the organization with provisioning, choose Sync only assigned users and groups. Make sure you assign the application from the Users and groups section. (You can find instructions for adding assignments to the application starting at step 7 of section B under Steps to Configure Authentication with SAML and Entra ID.)

  9. Click Save and close the panel.

  10. Return to the Overview (Preview) page and click Start provisioning.

  11. A prompt will appear to confirm you want to start provisioning. Click Yes.


User and group provisioning is now active. If the initial cycle was unsuccessful, the errors are displayed on this screen. Entra ID then repeats the cycle on a fixed schedule (about every 40 minutes), so a change made in Entra ID is not reflected in the Client Portal immediately.

The following sections describe optional settings for managing Antidote access and roles in the Client Portal from Entra ID.


D. Managing Antidote Access

You can manage access to Antidote from Entra ID by configuring the following settings in the Client Portal.

Important — Access management for Antidote through automated provisioning overrides any access configured through Authentication with SAML.

  1. In the Client Portal, scroll down to the second part of the Automated provisioning settings.

  2. Choose how you would like to manage Antidote access. You have three options:

    • Manual management
      Choose this option if you do not want to grant Antidote access automatically, or if you want to keep using the SAML authentication settings you have already configured. If Manual management is also selected under the SAML authentication settings, no user is granted Antidote access automatically; you manage access yourself from the Users tab in the Client Portal.
    • Grant Antidote access to all synchronized users
      Choose this option to automatically grant Antidote access to all synchronized users. If your organization holds multiple subscriptions, indicate the one you want to use.
    • Grant Antidote access only to certain user groups
      Choose this option to grant Antidote access to users according to groups synchronized through automated provisioning. This option is particularly useful if your organization holds multiple subscriptions and, for example, you would like to give one group access to Antidote Web — Bilingual and another access to Antidote Web — French.

      To register synchronized groups, click in the appropriate field and type the first few letters of the group name, then select from the list of corresponding groups that appears. To remove a group, click the X beside its name.

      When SCIM synchronization removes a user from a group, that user's Antidote access is withdrawn automatically. The reverse also applies: a user added to a synchronized group is automatically granted access to the Antidote subscription associated with that group.
  3. Click Save once you have made your choice.


You do not need to send out invitations from the Client Portal for users to activate their Antidote access. You can simply send users an email explaining how they can connect.


E. Managing Roles in the Organization

You can manage the organization roles assigned to Client Portal accounts (Administrator, Technician and Group supervisor) from Entra ID by configuring the following settings in Entra ID. Begin by synchronizing the roles.

Synchronizing Roles

  1. From within the application you created for Druide’s Client Portal when you configured SAML authentication, click Provisioning in the sidebar.

  2. Expand the Mappings section.

  3. Click Provision Microsoft Entra ID Users.

  4. Click the check box Show advanced options.

  5. Click Edit attribute list for customappsso.

  6. At the bottom of the list, create a new line by entering roles (the name of the new target attribute) in the first column.

  7. Check the box for Multi-Value.

  8. Click Save.

  9. Click Yes in the dialogue box that appears.

  10. Click Add new mapping.

  11. Select the mapping type Expression from the drop-down menu.

  12. Enter the expression AppRoleAssignmentsComplex([appRoleAssignments]).

  13. Select the target attribute roles from the next drop-down menu.

  14. Click OK.

  15. Click Save.

  16. Click Yes in the dialogue box that appears.


Roles are now synchronized through provisioning. Next, configure roles in the organization.


Configuring Roles

  1. Switch to the App registrations service in the Azure portal. You can access it quickly by typing the first few characters of the service name in the search bar.

  2. Click All applications.

  3. Select the application you created for Druide’s Client Portal.

  4. Click App roles in the sidebar, under the Manage section.

  5. Click Create app role.

  6. Configure the following settings:
    A) Display name: enter Administrator.
    B) Allowed member types: select Users/Groups.
    C) Value: enter admin (all lowercase).
    D) Description: enter Administrator.
    E) Do you want to enable this app role?: leave the box checked.

  7. Click Apply.

  8. Repeat steps 5 to 7 for the technician role:
    A) Display name: enter Technician.
    B) Allowed member types: select Users/Groups.
    C) Value: enter technician (all lowercase).
    D) Description: enter Technician.
    E) Do you want to enable this app role?: leave the box checked.

  9. Repeat steps 5 to 7 for the group supervisor role:
    A) Display name: enter Group supervisor.
    B) Allowed member types: select Users/Groups.
    C) Value: enter supervisor (all lowercase).
    D) Description: enter Group supervisor.
    E) Do you want to enable this app role?: leave the box checked.

Roles in the organization are now configured, and you can assign users to them. The Value of each app role (admin, technician, supervisor) is what the roles mapping sends to the Client Portal, so it must match exactly, including case.


Assigning Roles

  1. Return to Enterprise applications.

  2. Select the application.

  3. Click Users and groups in the sidebar.

  4. Select the users to whom you want to assign a role.

  5. Click Edit assignment.

  6. Click None Selected.

  7. Choose the role in the organization you would like to assign from the panel on the right side of the screen.

  8. Click Select.

  9. Click Assign.

  10. Repeat steps 4 to 9 for each additional role you want to assign.

Client Portal roles in the organization are now managed from within Entra ID.
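
The two places where this setup silently goes wrong are the userName mapping in section C (step 5) and the app role values in section E. The script below is an added example, not part of the Druide documentation or the Client Portal: it simulates the Entra ID mapping offline, building the SCIM user resource Entra would send for each directory record and flagging the records that would provision badly (a guest UPN used as userName, a missing mail attribute, two records that collapse to the same userName, or a role value that does not match admin, technician or supervisor). The directory records are constructed; the shape of the roles objects is an assumption modelled on what the AppRoleAssignmentsComplex([appRoleAssignments]) expression emits.

```python
"""Offline pre-flight of the Entra ID -> SCIM user mapping (sections C.5 and E).

Added example, not part of the Druide documentation. SAMPLE_USERS is constructed;
the roles[] object shape is an assumption modelled on AppRoleAssignmentsComplex().
"""
import re
from collections import defaultdict

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Values of the App roles created in section E; the page requires them lowercase.
KNOWN_ROLE_VALUES = {"admin", "technician", "supervisor"}

# Constructed directory records, shaped like the Entra attributes the mapping reads.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.com", "mail": "alice@example.com",
     "accountEnabled": True, "appRoleAssignments": [("Administrator", "admin")]},
    # B2B guest: the UPN looks like an email address but is not one the user owns.
    {"userPrincipalName": "bob_contoso.com#EXT#@example.onmicrosoft.com",
     "mail": "bob@contoso.com", "accountEnabled": True, "appRoleAssignments": []},
    # Disabled account with no mail attribute at all.
    {"userPrincipalName": "carol@example.com", "mail": None,
     "accountEnabled": False, "appRoleAssignments": [("Technician", "technician")]},
    # App role whose Value was typed with a capital letter.
    {"userPrincipalName": "dave@example.com", "mail": "dave@example.com",
     "accountEnabled": True, "appRoleAssignments": [("Group supervisor", "Supervisor")]},
]


def to_scim_user(user, username_attr="userPrincipalName"):
    """Build the SCIM 2.0 User resource Entra would send for this record.

    roles[] follows the display/value/primary/type objects that
    AppRoleAssignmentsComplex([appRoleAssignments]) emits (assumption).
    """
    roles = [
        {"display": display, "value": value, "primary": i == 0,
         "type": "WindowsAzureActiveDirectoryRole"}
        for i, (display, value) in enumerate(user["appRoleAssignments"])
    ]
    resource = {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": user.get(username_attr),
        "active": bool(user["accountEnabled"]),
        "emails": ([{"type": "work", "primary": True, "value": user["mail"]}]
                   if user["mail"] else []),
    }
    if roles:
        resource["roles"] = roles
    return resource


def preflight(users, username_attr="userPrincipalName"):
    """Return (userPrincipalName, problem) pairs for records that would not provision cleanly.

    Checks: userName present and email-shaped, no guest #EXT# UPN, userName unique
    (compared case-insensitively, since SCIM userName must be unique), and every
    app role value one of KNOWN_ROLE_VALUES.
    """
    problems = []
    seen = defaultdict(list)
    for user in users:
        upn = user["userPrincipalName"]
        scim = to_scim_user(user, username_attr)
        name = scim["userName"]
        if not name:
            problems.append((upn, f"{username_attr} is empty; userName would be null"))
            continue
        if "#EXT#" in name:
            problems.append((upn, "guest UPN used as userName; map mail instead"))
        elif not EMAIL_RE.match(name):
            problems.append((upn, f"userName {name!r} is not an email address"))
        seen[name.lower()].append(upn)
        for role in scim.get("roles", []):
            if role["value"] not in KNOWN_ROLE_VALUES:
                problems.append((upn, f"app role value {role['value']!r} is not one of "
                                      f"{sorted(KNOWN_ROLE_VALUES)}"))
    for name, upns in seen.items():
        if len(upns) > 1:
            problems.append((", ".join(upns), f"duplicate userName {name!r}"))
    return problems


if __name__ == "__main__":
    for attr in ("userPrincipalName", "mail"):
        print(f"== userName mapped from {attr} ==")
        for who, why in preflight(SAMPLE_USERS, attr):
            print(f"  {who}: {why}")
```

Run against an export of your own directory (for example the users and app role assignments of the enterprise application) before clicking Start provisioning: with userName mapped from userPrincipalName the guest account is flagged, with userName mapped from mail the account without a mail attribute is flagged, and the capitalized role value is flagged either way.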