Tutorial: Configure Cerner Central for automatic user provisioning
The objective of this tutorial is to show you the steps you need to perform in Cerner Central and Microsoft Entra ID to automatically provision and de-provision user accounts from Microsoft Entra ID to a user roster in Cerner Central.
The scenario outlined in this tutorial assumes that you already have the following items:
- A Microsoft Entra tenant
- A Cerner Central tenant
Microsoft Entra ID integrates with Cerner Central using the SCIM (System for Cross-domain Identity Management) protocol: the provisioning service calls Cerner's SCIM API to create, update, and disable users in the Cerner Central user roster.
Assigning users to Cerner Central
Microsoft Entra ID uses a concept called "assignments" to determine which users should receive access to selected apps. In the context of automatic user account provisioning, only the users and groups that have been "assigned" to an application in Microsoft Entra ID are synchronized.
Before configuring and enabling the provisioning service, decide which users and/or groups in Microsoft Entra ID represent the people who need access to Cerner Central. Once decided, assign those users and groups to the Cerner Central application in Microsoft Entra ID.
Important tips for assigning users to Cerner Central
It is recommended that a single Microsoft Entra user be assigned to Cerner Central to test the provisioning configuration. Additional users and/or groups may be assigned later.
Once initial testing is complete for a single user, Cerner recommends assigning every user who needs access to any Cerner solution (not just Cerner Central), so that all of them are provisioned to Cerner's user roster. Other Cerner solutions rely on the users in that roster.
When assigning a user to Cerner Central, you must select the User role in the assignment dialog. Users with the "Default Access" role are excluded from provisioning.
Configuring user provisioning to Cerner Central
This section guides you through connecting your Microsoft Entra ID to Cerner Central’s User Roster using Cerner's SCIM user account provisioning API, and configuring the provisioning service to create, update, and disable assigned user accounts in Cerner Central based on user and group assignment in Microsoft Entra ID.
You may also choose to enable SAML-based single sign-on for Cerner Central, following the instructions provided in the Azure portal. Single sign-on can be configured independently of automatic provisioning, though these two features complement each other. For more information, see the Cerner Central single sign-on tutorial.
To configure automatic user account provisioning to Cerner Central in Microsoft Entra ID:
In order to provision user accounts to Cerner Central, you need to request a Cerner Central system account from Cerner and generate an OAuth bearer token that Microsoft Entra ID uses to authenticate to Cerner's SCIM endpoint. Treat that token as a credential: whoever holds it can create, change, and disable accounts in your user roster. It is also recommended that the integration be performed in a Cerner sandbox environment before deploying to production.
1. Ensure the people managing the Cerner and Microsoft Entra integration have a CernerCare account, which is required to access the documentation needed to complete these instructions. If necessary, use the URLs below to create CernerCare accounts in each applicable environment.
2. Create a system account for Microsoft Entra ID. Use the instructions below to request a System Account for your sandbox and production environments.
3. Generate an OAuth bearer token for each of your system accounts. To do this, follow the instructions below.
4. Acquire the User Roster Realm IDs for both the sandbox and production environments in Cerner; you need them to complete the configuration. For information on how to acquire these, see: https://wiki.ucern.com/display/public/reference/Publishing+Identity+Data+Using+SCIM.
Browse to Identity > Applications > Enterprise applications > All applications.
If you have already configured Cerner Central for single sign-on, search for your instance of Cerner Central using the search field. Otherwise, select Add and search for Cerner Central in the application gallery. Select Cerner Central from the search results, and add it to your list of applications.
Select your instance of Cerner Central, then select the Provisioning tab.
Set the Provisioning Mode to Automatic.
Fill in the following fields under Admin Credentials:
- In the Tenant URL field, enter the user roster SCIM URL in the format given in Cerner's documentation, replacing "User-Roster-Realm-ID" with the realm ID you acquired in step #4. Use the sandbox realm ID when testing against the sandbox and the production realm ID for production.
- In the Secret Token field, enter the OAuth bearer token you generated in step #3, then select Test Connection.
You should see a success notification on the upper-right side of the portal. If the test fails, verify that the realm ID in the URL matches the environment the token was issued for; a token for the sandbox system account will not work against production. If the token later expires or is revoked, provisioning cycles fail and the job is placed in quarantine until you enter a new token and test the connection again.
In the Notification Email field, enter the email address of a person or group who should receive provisioning error notifications, and select the "Send an email notification when a failure occurs" checkbox.
In the Attribute Mappings section, review the user and group attributes to be synchronized from Microsoft Entra ID to Cerner Central. The attributes selected as Matching properties are used to match user accounts and groups already in Cerner Central for update operations, so the matching attribute must be one that is unique and stable on both sides. Select Save to commit any changes.
To enable the Microsoft Entra provisioning service for Cerner Central, change the Provisioning Status to On in the Settings section.
This starts the initial synchronization of any users and/or groups assigned to Cerner Central in the Users and Groups section. The initial sync takes longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the Microsoft Entra provisioning service is running. You can use the Synchronization Details section to monitor progress and follow links to provisioning activity logs, which describe all actions performed by the provisioning service on your Cerner Central app.
For more information on how to read the Microsoft Entra provisioning logs, see Reporting on automatic user account provisioning.
Additional resources
- Cerner Central: Publishing identity data using Microsoft Entra ID
- Tutorial: Configuring Cerner Central for single sign-on with Microsoft Entra ID
- Managing user account provisioning for Enterprise Apps
- What is application access and single sign-on with Microsoft Entra ID?