SCIM

Objective

This guide provides instructions on how to enable SCIM (System for Cross Domain Identity Management) in F5 Distributed Cloud. To learn more about users, see Users. SCIM is an open standard designed to manage user identity information. SCIM provides the ability to sync users and groups from one system to another.

After enabling SCIM in the F5 Distributed Cloud console, changes made in your Identity Management provider will be synced to Distributed Cloud.

The instructions in this document will demonstrate how to perform user management via SCIM in Distributed Cloud Console.

SCIM Overview

As your company grows, new users onboard, and old users leave. This burdens administrators because they have to update many Identity Management systems. A better solution is for administrators to maintain a single group. A common scenario is an administrator that needs to update many users' permissions. For example, removing admin privileges from all users in a specific group.

The F5 Distributed Cloud Services SCIM offers the following for ease of managing various user identity operations:

Externally Managed/SCIM Enabled Entities: Objects that are marked to be sourced by Azure.

Synced Entities: Objects that have successfully been sourced from Azure.

Note: Objects synced: Users and User Groups (name, email, user < - > group associations).

Dashboard (non-SCIM synced) Entities: Objects that are solely managed (CRUD) by F5 dashboard.

Note: Info managed: Group creation/deletion/role assignment etc.

Prerequisites

F5 Distributed Cloud Account is required.

Note: In case you do not have an account, see Create an Account.

SSO Azure.
Azure Subscription.
Resources required per node: Minimum 4 CPUs and 14 GB RAM.

Enable SCIM

Steps to enable and sync SCIM.

Note: SCIM enabled for Azure SSO user group management only in F5 Distributed Console.

Step 1: Open F5 Distributed Cloud Console, enable Tenant SSO.

Enable SSO for the tenant.

Open F5® Distributed Cloud Console > select Administration box.

Note: Account Settings in profile icon in dashboard upper-right corner accesses Administration settings.

Figure: Homepage

Note: Homepage is role based, and your homepage may look different due to your role customization. Select All Services drop-down menu to display all options. Customize Settings: Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check Work Domain boxes > Save changes button.

Select Tenant Setttings in left-menu > select Login Options.

Figure: Tenant Settings

Note: If options are not showing available, select Show link in Advanced nav options visible in bottom left corner. If needed, select Hide to minimize options from Advanced nav options mode.

Step 2: Enable SCIM.

Enable SCIM for the tenant.

Select Enable SCIM button in SCIM section.

Figure: Enable SCIM

Select token validity length in Enable SCIM pop-up.

Note: Options are 3 months, 6 months, or 12 months.

Select Next button.

Figure: Enable SCIM

Copy tenant URL.
Copy Secret Token.

Note: Note token provided for use in Azure. One token is used at one time. Once you regenerate a token it voids the old token.

Select Done button.

Figure: SCIM

Select Complete SCIM Setup button.

Figure: Complete SCIM Setup

Step 2.1: Regenerate Token.

Note: Regenerate token as needed.

Select Regenerate Token button in SCIM section.

Note: One token is used at one time. Once you regenerate a token it voids the old token.

Figure: Regenerate Token

Select Regenerate Token button in pop-up to confirm.
Copy tenant URL.
Copy Secret Token.

Note: Note token provided for use in Azure. One token is used at one time. Once you regenerate a token it voids the old token.

Select Done button.

Figure: Token

Note: Tenant Owner only has permissions to add SCIM permissions.

Step 3: Setup Azure Application, Sync User Group.

Create a user group in the tenant with external-id specified. See SSO - Azure to learn more.

Step 3.1: Setup Azure Application.

Open Azure (portal.azure.com).
Select Azure Active Directory.

Figure: Azure

Select Enterprise Applications.

Figure: Azure Enterprise Applications

Select + New applicaton.

Figure: New Azure Application

Select Create your own application in Azure.

Input name in Create your own application pop-up window.
Check option Integrate any other applications you don't find in your gallery (Non-gallery).

Note: Non-gallery application option.

Select Create button.
Adding Application pop-up will appear when loading.

Note: Application name added successfully with green check mark verifies application added successfully.

Figure: Azure

Step 3.2: Add Azure User Group.

Go to step 3.3 to set up new group if needed.

Select Users and Groups in Manage tab in left column in new Enterprise Application page in Azure.

Note: Add users and groups to your application to sync with F5 platform.

Select + Add user/group.

Figure: Azure Users and Groups

Select None Selected under Users and groups in Add Assignment page if no users or groups are to be added.
Search for user group used previously in Users and groups pop-up in Add Assignment page.
Select User or Group to add to Selected items list.
Select button to add.

Note: Number of Users or groups selected will show under Users and groups after added in pop-up form.

Select Assign button.

Figure: Azure Users and Groups

Note: View Members to confirm users are the same in application.

Step 3.3: Setup Azure Group.

Select Home in Application page to go back to Azure homepage.
Select Azure Active Directory.
Select Groups.
Select New group to load form.
Select Group type drop-down menu > Security.
Enter Group name.
Select Membership type drop-down menu > Assigned.
Select No members selected linked text under Members.
Search for users in Search box, select user to add to Selected items list.
Select button to add users to group.
Select Create button to create group.

Figure: New Azure Group

Note: View Members to confirm users are the same in application.

Step 3.4: Provision User/Group in Azure.

Azure Active Directory > Enterprise applications > select Nmae of application.
Select Provisioning in Manage in Azure Enterprise Application Overview page.
Select Get Started or Start Provisioning button.

Note: Get Started button will appear if this is your first time provisioning the application.

Select Automatic in Provisioning Mode drop-down menu.

Note: Provisioning can take up to 40 minutes.

Figure: Azure Provisioning

Step 3.5: Add Tentant URL/Secret Tokens.

Note: Regenerate token as necessary.

Enter Tenant URL in Azure from F5 Console.
Enter Secret Token in Azure from F5 Console.

Figure: Azure Provisioning

Copy and paste Tenant URL from F5 Console.
- In Administration > Login Options > SCIM > copy SCIM Client URL for tenant URL.
Copy and paste Secret Token from F5 Console.
- In Administration > Login Options > SCIM > select Regenerate Token button > select Token Validity > Regenerate Token button in pop-up > copy Secret Token in F5 Console.

Figure: SCIM

Select Done button to complete token generation in F5 Console.

Note: Once you create a new token the old token will be automatically destroyed. At any point in time there will only be one token associated with one primary tenant.

Figure: SCIM

Step 3.6: Provision Test Connection.

Provisioning to communicate Azure application with F5 console.

Select Test Connection button in Provisioning page in Azure.

Note: Testing connection to name - The applied credentials are authorized to enable provisioning pop-up appears in Azure upper-right corner validating connection is successful.

Figure: Azure Provisioning

Note: Uploading user provisionsing settings - successfully updated name pop-up appears in Azure upper-right corner validating provisioning successful.

In Provisioning page see ready to start provisioning.

Note: To start provisions you have to create a placeholder group to select which group you want to sync with F5 Console.

Step 3.7: Configure Azure Groups.

Select Users and groups in Manage tab.

Figure: Azure Users and Groups

Select Groups.
Copy Object id in group page.

Note: Object id is what Azure uses to keep track of the group.

Step 3.8: Add F5 Console Group.

In F5 Console Administration > IAM > Groups.

Figure: F5 Console Groups

Select + Add Group.

Figure: Add Group

Copy Object id from Azure application into Object ID from External Identity Provider box in Add Group pop-up form.

Figure: Copy Object id from Azure

Enter Group Name.
Select Add Group button.

Note: Group will show as added but Not Synced under Status. Group Type is SCIM.

Figure: Groups

Step 3.9: Complete Provisioning in Azure.

In Azure, select Provisionsing in your application.
To Start Provisioning, select View provisioning details drop-down option to view issues or updates.
Provisioning interval time (fixed): 40 minutes.
Select Start Provisioning button.

Note: Provisioning will happen between time button is selected and 40 minutes.

Figure: Azure Provisioning

Note: Start Provisioning pop-up will appear confirming Provisioning is scheduled to start.

Step 4: Push SCIM Users to F5 console.

Watch the group's non-existing users created in the dashboard with the type labelled SCIM.

In F5 Console Groups page, select Refresh. git add

Figure: SCIM Synced

Note: Group will show as Synced under Status.

Check Users in IAM tab shows users from Azure with Type as SCIM.
Select Refresh.

Note: Tenant Owner will show Type Tenant Owner/SCIM.

Step 5: Sync SCIM Users and Groups.

Watch the users (if already existing) converted to the type of SCIM in the dashboard.

In Azure, select Refresh in Provisioning page.
In F5 Console, open users and groups to confirm if SCIM has synced.
Provisioning interval time (fixed): 40 minutes.

Figure: Azure Provisioning

Step 5.1: Provision on Demand.

Option to select Provision on demand.

Note: Provision on demand, forceful request of users to sync application, but it is not recommended. Recommended to wait for provision sync time (40 minutes).

Enter group in search function in Select a user or group box in Provision on demand page.
Select group.
Select View members only.
Select users in selected drop-down box.

Figure: Azure Provision on Demand

Note: On-demand provisioning supports up to 5 members at a time. Please unselect members until 5 members are selected.

Select Provision button.

Note: Provision button shows validating as it syncs.

Provision page will show Success.

Figure: Azure Provision on Demand Success

Step 6: Confirm F5 SCIM Status.

In F5 Console > Administration > IAM > Groups > select Refresh.

Figure: F5 Groups

Select Users in IAM, users with Type SCIM should show Status Enabled.

In Azure, Provisioning page select Refresh to confirm Current cycle status.

Note: Current cycle status: Initial cycle completed 100% complete.

Figure: Azure Provisioning

Step 7: Log into F5 Console via SSO.

The synced users can now log into the F5 dashboard via SSO.

Select Sign in with Azure button to log into the F5 console.

Figure: Azure SSO Login

Step 8: Disable SCIM - Delete Users and Groups Syncing.

Select Stop provisioning in Azure Provisioning.

Note: Deleting the groups could delete the users as well (conditions apply).

Select OK button in Are you sure you want to pause sync pop-up.

Note: Recommended to stop provisioning in Azure before disabling SCIM in F5 console.

Figure: Azure Provisioning

Note: Stop future provisioning cycles: Please wait while future provisioning cycles are disabled. pop-up confirms stop provisioning is initiated and in process.

In F5 console > Administration > Tenant Settings > Login Options > SCIM > select Disable SCIM button.

Figure: Disable SCIM

Select Disable SCIM button in pop-up window to confirm.
Select Groups and Users in IAM in F5 console to confirm groups and users are unsynced after SCIM is disabled.

Figure: F5 Groups

Note: Tenant Owner will show Type Tenant Owner without /SCIM after SCIM is disabled.

SCIM

Objective

SCIM Overview

Prerequisites

Enable SCIM

Concepts

On this page: