Integration between a SCIM-compatible authentication provider and Capturi, so that users can manage (give, revoke) access using, for example, Azure AD.
The integration has been developed for Azure AD and is therefore not tested on other SCIM providers.
- Sync users (create, disable)
- Sync and create teams and team members (create and delete teams)
- Sync team leads
- Sync administrators
As a rule of thumb, a user should only be in one AD group. The exception is team leads, who can be in several groups.
- Log in to the Azure portal: https://portal.azure.com/#home
- Open "Microsoft Entra ID"
- Select "Enterprise applications" in the left menu
- Click "New Application" in the top menu
- Click "Create your own application" in the top menu
- Give the application a name and select "Integrate any other application you don't find in the gallery (Non-gallery)" and click "create"
- Select "Provisioning" in the left menu
- Select "Provisioning" again
- Set provisioning mode to "Automatic"
- Open "Admin credentials"
- Tenant URL should be "https://scim.capturi.ai/?aadOptscim062020"
- The secret token is generated and supplied by Capturi. If you haven't got one, contact your Capturi Customer Success Manager
- Click on test connection and then on save.
- Open mappings and click on "Provision Azure Active Directory Users"
- Remove the following rows:
  - jobtitle
  - preferredLanguage
  - givenName
  - surname
  - Join(" ", [givenName], [surname])
  - physicalDeliveryOfficeName
  - streetAddress
  - city
  - state
  - postalCode
  - country
  - telephoneNumber
  - mobile
  - facsimileTelephoneNumber
  - employeeId
  - department
  - manager
- Click on "mailNickname"
- Click on the "Source attribute" dropdown, select "objectId" and then "Ok"
- Click "Save" in the top menu
- Under settings make sure that "Scope" is "Sync only assigned users and groups"
- Refresh the page -> "Users and groups" should appear in the left menu. Click on "Users and groups"
- Add the users and groups that you want synced to Capturi. (See section below for naming conventions)
- Open overview in the left menu and select "Start provisioning"
Keep an eye on the status and the logs.
To match the access model in Capturi (Link: "https://capturi.stonly.com/kb/guide/en/roles-Kci4BwzWcu/Steps/1655497"), users with access to Capturi need to be in AD Security Groups matching their role and permissions.
Note: users can only have one role at a time.
Group names syncing to Capturi must follow these naming conventions:
Administrative roles:
- To give users the administrative role, add them to a group with the following name: 'capturi_role_admins'. If you want to add a description to the group, you can name the group 'capturi_role_admins_description'
- To give users the owner role, add them to a group with the following name: 'capturi_role_owners'. If you want to add a description to the group, you can name the group 'capturi_role_owners_description'
For users not in Teams:
- Add them to a group with the following format: 'capturi_users_description' (eg: capturi_this-is-capturi-users)
For users in Teams:
- Add users to a group with the following format: 'capturi_team_teamName' (Teams will be created in Capturi with the name provided)
- To set users as team lead for a team, add them to a group with the following format: 'capturi_teamlead_teamName_teamExternalId' (teamExternalId is found under the team group: click on the group in Entra ID and copy the "object Id" field)
When SCIM is configured, Capturi will provide a logging link that can be used by the AD administrator to see logs, errors, users, groups etc. for their own organization.
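A pre-flight check for the naming conventions above, as an added example that is not Capturi's own code: it classifies group display names by the documented formats, confirms that each team lead group points at an existing team group's object ID, and reports users who sit in more than one non-team-lead group. How Capturi itself parses names is not documented here, so splitting the team lead name at the last underscore, reporting other names as "unrecognised" for manual review, and the sample data are assumptions.

```python
import re
from collections import defaultdict

GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def classify(name):
    """Return (kind, label, team_external_id) for a group display name."""
    for role in ("admins", "owners"):
        base = "capturi_role_" + role
        if name == base or name.startswith(base + "_"):
            return (role, None, None)
    if name.startswith("capturi_teamlead_"):
        # Assumption: the object ID is everything after the last underscore.
        team, sep, ext_id = name[len("capturi_teamlead_"):].rpartition("_")
        if sep and team and GUID.match(ext_id):
            return ("teamlead", team, ext_id.lower())
        return ("invalid", None, None)
    for kind, prefix in (("team", "capturi_team_"), ("users", "capturi_users_")):
        if name.startswith(prefix) and len(name) > len(prefix):
            return (kind, name[len(prefix):], None)
    return ("unrecognised", None, None)  # left for manual review

def audit(groups):
    """groups: dicts with 'id' (object ID), 'name', 'members'. Returns findings."""
    findings, memberships = [], defaultdict(list)
    parsed = [(g, *classify(g["name"])) for g in groups]
    teams = {g["id"].lower(): label for g, kind, label, _ in parsed if kind == "team"}
    for g, kind, label, ext_id in parsed:
        if kind in ("invalid", "unrecognised"):
            findings.append(f"{g['name']}: {kind} group name")
        elif kind == "teamlead":
            # Team leads may be in several groups, so only the team link is checked.
            if teams.get(ext_id) != label:
                findings.append(f"{g['name']}: no team '{label}' with object ID {ext_id}")
        else:
            for user in g["members"]:
                memberships[user].append(g["name"])
    for user, names in sorted(memberships.items()):
        if len(names) > 1:
            findings.append(f"{user}: in {len(names)} groups ({', '.join(names)})")
    return findings

# Constructed sample data, not taken from a real tenant.
TEAM_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE = [
    {"id": TEAM_ID, "name": "capturi_team_Support", "members": ["anna", "bo"]},
    {"id": "a0000000-0000-0000-0000-000000000001", "name": "capturi_teamlead_Support_" + TEAM_ID, "members": ["bo"]},
    {"id": "a0000000-0000-0000-0000-000000000002", "name": "capturi_role_admins_it", "members": ["anna"]},
    {"id": "a0000000-0000-0000-0000-000000000003", "name": "capturi_teamlead_Sales_not-a-guid", "members": ["carl"]},
]
```

Running `audit(SAMPLE)` before clicking "Start provisioning" flags the malformed team lead group and the user who would end up with both a team membership and the admin role.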