Is it possible to set up SCIM for the custom app (Salesforce) that used OIDC-based SSO?

Artur Gulbicki 20 Reputation points
2023-03-01T12:34:19.6433333+00:00

Hello,

I tried to ask a similar question at https://learn.microsoft.com/en-us/answers/questions/1184977/how-to-properly-setup-salesforce-with-oidc-based-s but haven't received any proper solution or workaround.

Currently, It's impossible to set up Salesforce (if we choose it from the app gallery) for SCIM because the Salesforce app in AAD only support SAML-based SSO but we are using OIDC.

We are wondering if a possible workaround could be where we would use 2 apps for that (one for OIDC SSO, another for SCIM)

The first app (Salesfroce) would be selected from the app gallery and we would use the "Password-based" sig-on method in "Single Sign-on" section in "Enterprise Application". This app would be used for the SCIM.

The second app would be a custom (created through the App registration) and would be configured for the OIDC SSO.

Both apps would be configured somehow (would need help with that) so that both SCIM and OIDC-based SSO could work together in parallel.

Any ideas if this is possible? If yes - can you provide some basic guides?

Thank you!

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
13,625 questions
Accepted answer
  1. Marilee Turscak-MSFT 22,311 Reputation points Microsoft Employee
    2023-03-03T19:40:43.0333333+00:00

    Hi Artur Gulbicki,

    In the workaround you mentioned, one registration needs to be via an App Registration for the OIDC authentication, and another should be a non-gallery Application via the Enterprise Applications blade for the SCIM provisioning. However, this should really only be done for internal use, and if you are building an app for use by other organizations, you need to get it listed in the Azure AD Gallery. Provisioning is only enabled when you go through enterprise applications to create the application. When you go into the gallery, there is an option to create a custom or non-gallery app. If you go through an app registration, this is correct for OIDC SSO, but provisioning won't be available

    If this is an application that is used for multiple applications, you need to follow the process to get it listed in the app gallery. That will light up the provisioning UI. https://docs.microsoft.com/en-us/azure/active-directory/azuread-dev/howto-app-gallery-listing

    In the two application scenario, the first one will be set up for OIDC-based SSO, and the second one will be marked as SAML but not have any SAML/SSO configured, but instead is just be used for the SCIM provisioning configuration.

    https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/known-issues#service-issues

    Let me know if this helps. I'm also looping in @Danny Zollner in case he has any additional guidance to add, since he is a specialist in OIDC integrations.

    If the information helped you, please Accept the answer. This will help us as well as others in the community who

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest