Is it possible to set up SCIM for the custom app (Salesforce) that used OIDC-based SSO?

Artur Gulbicki 20 Reputation points
2023-03-01T12:34:19.6433333+00:00

Hello,

I tried to ask a similar question at https://learn.microsoft.com/en-us/answers/questions/1184977/how-to-properly-setup-salesforce-with-oidc-based-s but haven't received any proper solution or workaround.

Currently, it's impossible to set up Salesforce (if we choose it from the app gallery) for SCIM, because the Salesforce app in AAD only supports SAML-based SSO, but we are using OIDC.

We are wondering if a possible workaround could be to use 2 apps for that (one for OIDC SSO, another for SCIM).

The first app (Salesforce) would be selected from the app gallery, and we would use the "Password-based" sign-on method in the "Single Sign-on" section of "Enterprise Application". This app would be used for SCIM.

The second app would be a custom one (created through App registration) and would be configured for OIDC SSO.

Both apps would be configured somehow (would need help with that) so that both SCIM and OIDC-based SSO could work together in parallel.

Any ideas if this is possible? If yes - can you provide some basic guides?

Thank you!

Microsoft Entra ID

Accepted answer
    Marilee Turscak-MSFT 33,621 Reputation points Microsoft Employee
    2023-03-03T19:40:43.0333333+00:00

    Hi Artur Gulbicki,

    In the workaround you mentioned, one registration needs to be via an App Registration for the OIDC authentication, and another should be a non-gallery Application via the Enterprise Applications blade for the SCIM provisioning. However, this should really only be done for internal use, and if you are building an app for use by other organizations, you need to get it listed in the Azure AD Gallery. Provisioning is only enabled when you go through Enterprise Applications to create the application. When you go into the gallery, there is an option to create a custom or non-gallery app. If you go through an app registration, this is correct for OIDC SSO, but provisioning won't be available.

    If this is an application that is used for multiple applications, you need to follow the process to get it listed in the app gallery. That will light up the provisioning UI. https://docs.microsoft.com/en-us/azure/active-directory/azuread-dev/howto-app-gallery-listing

    In the two-application scenario, the first one will be set up for OIDC-based SSO, and the second one will be marked as SAML but not have any SAML/SSO configured; instead it is just used for the SCIM provisioning configuration.

    https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/known-issues#service-issues

    Let me know if this helps. I'm also looping in @Anonymous in case he has any additional guidance to add, since he is a specialist in OIDC integrations.

    If the information helped you, please Accept the answer. This will help us as well as others in the community who

