SCIM and SAML combination to further enhance the SaaS application.

Question

SCIM and SAML combination to further enhance the SaaS application.

EnterpriseArchitect 6,061

Hi All,

I have a SaaS application that manually created the Enterprise Registration in Azure.

The vendor has already supplied me with the SCIM as the Provisioning mechanism for my access to my Hybrid Azure AD user account.

Provisioning mode automatic.

Use Azure AD to manage the creation and synchronization of user accounts in Verint based on user and group assignments.

User's image

With the above setting only, I can log in to the SaaS application using my web browser after completing the Provisioning cycle.

Do I have to configure an additional custom SAML like below to further enhance the security of the SaaS application access

?

Any help would be greatly appreciated.

JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2023-05-24T19:19:03.5133333+00:00

@EnterpriseArchitect

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

1 answer

Your answer

JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2023-05-24T19:19:03.5133333+00:00

@EnterpriseArchitect

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

Answer 1

Danny Zollner 10,801 Microsoft Employee Moderator

Creating a user in an application via SCIM does not set a password on the user. AAD Provisioning does not support syncing passwords from AAD -> apps. For a user to be able to log in to an app when they are provisioned via SCIM, you either need to federate your application with Azure AD via SAML or OIDC+OAuth, or a password would need to be set in the application via some other means - such as with an initial registration/redemption flow based off of something like an email invite. If your users are able to sign in without federation configured, then it would appear that a password is being set somehow or another authentication method is implemented.

Federation is by far the preferred option when it comes to security and overall identity management best practices.

EnterpriseArchitect 6,061 Reputation points

2023-05-18T05:15:52.54+00:00

@Anonymous ,
Yes, I am using Hybrid AD DS - Azure AD using the Password Hash Sync.

Do you mean it is better to use ADFS like what we deploy onpremise?
Danny Zollner 10,801 Reputation points Microsoft Employee Moderator

2023-05-18T13:32:51.4633333+00:00

In this context, whether your organization's Azure AD tenant is cloud-only or hybrid/synced from on-premises AD is mostly irrelevant. As you're using SCIM, you're therefore using an Azure AD Enterprise Application or the custom non-gallery application.

The concept of federation that I mentioned above means to link two systems together, with one (the identity provider or IDP) acting as an authority for authentication into the other (the service provider, or SP). Federation can be done with a number of protocols - SAML is the most well known, but Open ID Connect(OIDC) and a few others (WS-Fed is one, I think) are also in use. Both ADFS and Azure AD support being configured as a SAML IDP. Given you're already using Azure AD and have an app set up for SCIM provisioning, it would be challenging to justify using ADFS, and you should look at using Azure AD to federate to the application in question.

Given you mentioned that you're using Password Hash Sync with Azure AD Connect, it sounds like you don't already have ADFS, and I'd advocate against using ADFS without some sort of very specific requirement that couldn't be met by Azure AD, since it is much more cost and effort to run a redundant ADFS farm.
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2023-05-22T18:46:47.92+00:00

@EnterpriseArchitect

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

Share via

SCIM and SAML combination to further enhance the SaaS application.

1 answer

Your answer