...

This document is applicable starting from Voice Portal version 2.136 and onwards.

Introduction to Azure AD integration

Enreach provides an identity management service that allows customers to enable single sign-on (SSO) authentication for end users using their existing Azure AD instance. Customers can automate end-user provisioning and control the data flow towards Enreach cloud services.

...

  • AD group for user accounts provisioned as active users in Enreach Voice platform

  • AD group for user accounts synchronized into the contact directory. The contact directory group is optional and needed only if the selected users need to be maintained in the internal phone book.

What is SCIM?

SCIM (System for Cross-domain Identity Management) is a protocol used for automating the process of user provisioning and deprovisioning in enterprise applications. In Azure AD, SCIM is used to synchronize user accounts between Azure AD and the identity management service in Voice Portal by Enreach.

...


A description of the Azure SCIM implementation is available from Microsoft:

What is SSO?

SSO (Single Sign-On) is a mechanism that allows end-users to authenticate themselves once and access multiple applications without the need to repeatedly enter their credentials. In the context of Azure AD and Enreach Voice services, SSO refers to the ability of users to access Enreach cloud applications using the same credentials as in corporate applications.

Overview of the provisioning process

The following illustration introduces the components involved in the integration model.

...

Microsoft Azure AD provides tools for enabling automatic provisioning for enterprise applications. Voice Portal is introduced as an enterprise application and further configured for automatic provisioning.

Identity management in Voice Portal

In the following chapters we explain the SCIM integration models available in Voice Portal.

...

The corresponding AD groups must be created. The names of these groups are then configured in the Voice Portal and the group membership dictates how the AD user account is processed in the synchronization process.

Automatic identity synchronization

Automatic identity synchronization refers to the lowest level of SCIM integration. Only the technical identity (“objectId”) of an end user is shared with Voice Portal. This attribute is required by the Enreach identity service when enabling SSO for the end users.

Note

The users in Azure AD are mapped by their username, which must use the email address format. In practice, the “userPrincipalName” attribute in Azure AD must be the email address of a user.

Automatic user data synchronization

In automatic user data synchronization, in addition to the identity information, the SCIM protocol synchronizes the selected AD attributes to the corresponding user data fields in Voice Portal, and thus makes this data available to the Enreach Voice services.

...

Respectively, Voice Portal provides tools for mapping the required SCIM data attributes to the required data fields in Voice Portal user objects.

Automatic user provisioning

In the highest level of SCIM integration, the end users get automatically created and updated to Enreach services as they are managed in Azure AD. The Azure AD administrator has full control of which users and what data is reflected to Enreach cloud.

In the current SCIM implementation, the users are not automatically deleted from Enreach cloud. They are marked as inactive (“soft-deleted”) and must be processed manually.
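The two rules above (users are matched by an email-formatted userName, and deprovisioned users are soft-deleted rather than removed) are modelled in the following added example. It is illustrative code written for this page, not Enreach's implementation; the token value, the store class and the method names are assumptions.

```python
import hmac
import re

# Constructed placeholder standing in for the secret token Voice Portal generates (assumption)
SCIM_SECRET_TOKEN = "example-secret-token-placeholder"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class ScimUserStore:
    """Toy model of the provisioning behaviour described on this page."""

    def __init__(self):
        self.users = {}  # keyed by userName (the email-formatted userPrincipalName)

    def _authorize(self, bearer_token):
        # Constant-time comparison of the bearer token presented by the provisioning client
        if not hmac.compare_digest(bearer_token or "", SCIM_SECRET_TOKEN):
            raise PermissionError("invalid SCIM token")

    def provision(self, bearer_token, scim_user):
        """Create or update a user from a SCIM user resource (dict)."""
        self._authorize(bearer_token)
        user_name = scim_user.get("userName", "")
        external_id = scim_user.get("externalId")  # Azure AD objectId, needed for SSO linking
        if not EMAIL_RE.match(user_name):
            raise ValueError(f"userName must be an email address: {user_name!r}")
        if not external_id:
            raise ValueError("externalId (Azure AD objectId) is required")
        record = self.users.setdefault(user_name, {})
        record.update({
            "externalId": external_id,
            "displayName": scim_user.get("displayName"),
            "active": bool(scim_user.get("active", True)),
        })
        return record

    def deprovision(self, bearer_token, user_name):
        """Soft delete: mark the user inactive instead of removing the record."""
        self._authorize(bearer_token)
        record = self.users[user_name]
        record["active"] = False
        return record

    def pending_manual_cleanup(self):
        """Inactive (soft-deleted) users an administrator still has to process by hand."""
        return sorted(name for name, rec in self.users.items() if not rec["active"])
```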

Automatic contact directory synchronization

In automatic contact data synchronization, all the user data in the configured AD group will be synchronized to the contact directory of the customer in Enreach Voice platform. The contact directory is the internal phone book that can be used in the Voice clients for finding the colleagues and other contacts of interest.

Setting up SCIM provisioning in Voice Portal

The following chapters explain how to set up the SCIM integration between Enreach Voice platform and Azure AD. The setup process consists of two parts:

  • configuring identity service in Enreach Voice Portal

  • configuring Portal as an enterprise application in the Azure AD and enabling automatic provisioning.

Configuring identity service in Voice Portal

As a Voice Portal administrator, log into your customer account.

...

If the identity management service is not active, you can activate it by clicking the “Activate service” button.

...

Connecting to Azure AD

When the identity service has been activated, the section for “Azure integration” is shown:

...

Enter your Azure AD domain name and click “Connect to Azure AD”. In this document, we are using our example domain name “azdev.enreachvoice.com”.

Enabling SSO permissions in Azure AD

If adding the Azure AD instance information was successful, you will see an overview of the status of AD integration. On the top half of the page, you see the services currently activated for this AD integration.

...

You can retry the permission grant any time if needed.

Configuring SCIM integration services

After granting the SSO permissions, you may continue with enabling the SCIM integration services.

...

The settings page appears.

...

Generating SCIM token for Azure AD

To allow Azure AD to communicate with Voice Portal, an authentication token must be generated. This token is used in Azure AD when configuring automatic provisioning for the enterprise application.

...

The new secret token is generated. This token will be used later when configuring the provisioning in the Azure AD.

Configuring the AD group names for mapping the users

The AD groups are used for mapping the users for provisioning or contact directory.

...

These AD groups need to be configured in Azure at later steps.

Enabling synchronization modes

Next, click “Enable” for “Identity sync” and “User data sync”. This enables user identity linking between Azure AD and the Enreach identity service. This step is mandatory if you are using automated SSO.

...

Next we will configure the Azure AD tenant.

...

Configuring Azure AD tenant for SCIM integration

Enabling SCIM provisioning in Azure AD involves a few steps.

...

Step by step instructions are provided below.

Creating new enterprise application

Sign in to your Azure AD admin center: https://aad.portal.azure.com

...

Now the enterprise application is set up.

Configuring automatic provisioning

Next we will activate automatic provisioning, i.e. enable SCIM integration to Enreach Voice services.

...

  1. Set “Provisioning mode” to “Automatic”.

  2. Set “Tenant URL” by copying its value from Enreach Voice Portal (see next chapter).

  3. Set “Secret Token” by copying its value from Enreach Voice Portal (see next chapter).

  4. Check the connection by clicking “Test Connection”.

  5. Verify that the connection works.

  6. Save the configuration.

...

Obtaining “Tenant URL” and “Secret Token” from Voice Portal

In Enreach Voice Portal, navigate to the Azure AD settings in “Identity” section. Copy the “Tenant URL” and “Secret token” and paste them to the provisioning settings in Azure AD.

...

Attribute mapping is now ready for basic requirements.

Setting the scope for SCIM provisioning

You can control which AD groups are provisioned to Enreach Voice services by setting the scope of provisioning. This can be done in the “Provisioning” page, under section “Settings”.

...

By default, the “Scope” is set to “Sync only assigned users and groups”. You can change this at will.

Creating AD user groups for provisioning

Next we need to create the AD groups to be used in the user provisioning towards Enreach Voice platform. As stated earlier in this document, we need two groups: one for user provisioning and one for contact directory data.

Navigate to the “Groups” section in your AD admin center.

...

Create new AD groups

Use the same AD group names as you configured in Voice Portal. In this example, we chose the names

...

As the result, you have two new AD groups:

...

Assign users to the AD groups

For the user provisioning group, assign AD users you wish to get provisioned as active user accounts in the Voice Portal.

For the contact directory group, assign AD users whose data you need to have only as contact entries in the company wide contact directory.

Assigning AD user groups to the scope of SCIM provisioning

If your provisioning scope is “Sync only assigned users and groups”, you must explicitly assign the AD groups to the application “Enreach Voice Portal”.

...

Info

When you assign a group to an application, only users directly in the group will have access. The assignment does not cascade to nested groups.

Activating user provisioning

In the “Provisioning” page, click on “Overview”.

...

There, the details of the synced data can be adjusted by further configuring the data mapping and scoping the users and groups to be provisioned.

Monitoring SCIM events in Voice Portal

The provisioning activity can be verified in Azure AD provisioning logs. It can also be verified in the Enreach Voice Portal.

...

Example of SCIM groups view:

...

Required SCIM attributes for user provisioning

Some attributes are required, depending on the level of integration. The following SCIM attributes must be present in order to have a functional SCIM integration:

...

/wiki/spaces/PORTAL/pages/2379579438

Configuring data mapping in Voice Portal

The SCIM protocol transfers user data from Azure AD. The data attributes from AD are mapped to the corresponding data fields in the SCIM data model. As seen in previous chapters, this mapping can be configured in Azure provisioning.

...

Click “Save mappings” to save the changes.

Further reading

...