SCIM

Objective

This guide provides instructions on how to enable SCIM (System for Cross Domain Identity Management) in F5 Distributed Cloud. To learn more about users, see Users. SCIM is an open standard designed to manage user identity information. SCIM provides the ability to sync users and groups from one system to another.

After enabling SCIM in the F5 Distributed Cloud console, changes made in your Identity Management provider will be synced to Distributed Cloud.

The instructions in this document will demonstrate how to perform user management via SCIM in Distributed Cloud Console.


SCIM Overview

As your company grows, new users onboard, and old users leave. This burdens administrators because they have to update many Identity Management systems. A better solution is for administrators to maintain a single group. A common scenario is an administrator that needs to update many users' permissions. For example, removing admin privileges from all users in a specific group.

F5 Distributed Cloud Services SCIM uses the following entity types to simplify the various user identity operations:

Externally Managed/SCIM Enabled Entities: Objects that are marked to be sourced from Azure.

Synced Entities: Objects that have successfully been sourced from Azure.

Note: Objects synced: Users and User Groups (name, email, user <-> group associations).

Dashboard (non-SCIM synced) Entities: Objects that are solely managed (CRUD) by F5 dashboard.

Note: Info managed: Group creation/deletion/role assignment etc.


Prerequisites

Note: In case you do not have an account, see Create an Account.

  • SSO Azure.

  • Azure Subscription.

  • Resources required per node: Minimum 4 CPUs and 14 GB RAM.


Enable SCIM

Steps to enable and sync SCIM.

Note: In F5 Distributed Cloud Console, SCIM is enabled for Azure SSO user group management only.

Step 1: Open F5 Distributed Cloud Console, enable Tenant SSO.

Enable SSO for the tenant.

  • Open F5® Distributed Cloud Console > select Administration box.

Note: Account Settings under the profile icon in the dashboard upper-right corner also opens the Administration settings.

Figure: Homepage

Note: Homepage is role based, and your homepage may look different due to your role customization. Select All Services drop-down menu to display all options. Customize Settings: Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check Work Domain boxes > Save changes button.

  • Select Tenant Settings in left-menu > select Login Options.
Figure: Tenant Settings

Note: If options are not shown as available, select the Show link under Advanced nav options in the bottom left corner. If needed, select Hide to minimize the Advanced nav options.

Step 2: Enable SCIM.

Enable SCIM for the tenant.

  • Select Enable SCIM button in SCIM section.
Figure: Enable SCIM
  • Select token validity length in Enable SCIM pop-up.

Note: Options are 3 months, 6 months, or 12 months.

  • Select Next button.
Figure: Enable SCIM
  • Copy tenant URL.

  • Copy Secret Token.

Note: Record the token provided; it is used in Azure. Only one token is valid at a time. Once you regenerate a token, the old token is voided.

  • Select Done button.
Figure: SCIM
  • Select Complete SCIM Setup button.
Figure: Complete SCIM Setup
Step 2.1: Regenerate Token.

Note: Regenerate token as needed.

  • Select Regenerate Token button in SCIM section.

Note: Only one token is valid at a time. Once you regenerate a token, the old token is voided.

Figure: Regenerate Token
  • Select Regenerate Token button in pop-up to confirm.

  • Copy tenant URL.

  • Copy Secret Token.

Note: Record the token provided; it is used in Azure. Only one token is valid at a time. Once you regenerate a token, the old token is voided.

  • Select Done button.
Figure: Token

Note: Only the Tenant Owner has the permissions to add SCIM permissions.

Step 3: Setup Azure Application, Sync User Group.

Create a user group in the tenant with external-id specified. See SSO - Azure to learn more.

Step 3.1: Setup Azure Application.
  • Open Azure (portal.azure.com).

  • Select Azure Active Directory.

Figure: Azure
  • Select Enterprise Applications.
Figure: Azure Enterprise Applications
  • Select + New application.
Figure: New Azure Application
  • Select Create your own application in Azure.
  • Input name in Create your own application pop-up window.

  • Check option Integrate any other applications you don't find in your gallery (Non-gallery).

Note: Non-gallery application option.

  • Select Create button.

  • Adding Application pop-up will appear when loading.

Note: A green check mark next to the application name confirms that the application was added successfully.

Figure: Azure
Step 3.2: Add Azure User Group.

Go to step 3.3 to set up new group if needed.

  • Select Users and Groups in Manage tab in left column in new Enterprise Application page in Azure.

Note: Add users and groups to your application to sync with F5 platform.

  • Select + Add user/group.
Figure: Azure Users and Groups
  • Select None Selected under Users and groups in the Add Assignment page if no users or groups have been added yet.

  • Search for user group used previously in Users and groups pop-up in Add Assignment page.

  • Select User or Group to add to Selected items list.

  • Select button to add.

Note: The number of users or groups selected is shown under Users and groups after they are added in the pop-up form.

  • Select Assign button.
Figure: Azure Users and Groups

Note: Select View Members to confirm the users in the application are the expected ones.

Step 3.3: Setup Azure Group.
  • Select Home in Application page to go back to Azure homepage.

  • Select Azure Active Directory.

  • Select Groups.

  • Select New group to load form.

  • Select Group type drop-down menu > Security.

  • Enter Group name.

  • Select Membership type drop-down menu > Assigned.

  • Select No members selected linked text under Members.

  • Search for users in Search box, select user to add to Selected items list.

  • Select button to add users to group.

  • Select Create button to create group.

Figure: New Azure Group

Note: Select View Members to confirm the users in the group are the expected ones.

Step 3.4: Provision User/Group in Azure.
  • Azure Active Directory > Enterprise applications > select Name of application.

  • Select Provisioning in Manage in Azure Enterprise Application Overview page.

  • Select Get Started or Start Provisioning button.

Note: Get Started button will appear if this is your first time provisioning the application.

  • Select Automatic in Provisioning Mode drop-down menu.

Note: Provisioning can take up to 40 minutes.

Figure: Azure Provisioning
Step 3.5: Add Tenant URL/Secret Tokens.

Note: Regenerate token as necessary.

  • Enter Tenant URL in Azure from F5 Console.

  • Enter Secret Token in Azure from F5 Console.

Figure: Azure Provisioning
  • Copy and paste Tenant URL from F5 Console.

    • In Administration > Login Options > SCIM > copy SCIM Client URL for tenant URL.
  • Copy and paste Secret Token from F5 Console.

    • In Administration > Login Options > SCIM > select Regenerate Token button > select Token Validity > Regenerate Token button in pop-up > copy Secret Token in F5 Console.
Figure: SCIM
  • Select Done button to complete token generation in F5 Console.

Note: Once you create a new token the old token will be automatically destroyed. At any point in time there will only be one token associated with one primary tenant.

Figure: SCIM
Step 3.6: Provision Test Connection.

Test that the Azure application can communicate with F5 Console.

  • Select Test Connection button in Provisioning page in Azure.

Note: A Testing connection to <name> - The applied credentials are authorized to enable provisioning pop-up appears in the Azure upper-right corner, validating that the connection is successful.

Figure: Azure Provisioning

Note: An Uploading user provisioning settings - successfully updated <name> pop-up appears in the Azure upper-right corner, validating that provisioning was set up successfully.

  • In the Provisioning page, confirm it shows ready to start provisioning.

Note: To start provisioning, you have to create a placeholder group to select which group you want to sync with F5 Console.

Step 3.7: Configure Azure Groups.
  • Select Users and groups in Manage tab.
Figure: Azure Users and Groups
  • Select Groups.

  • Copy Object id in group page.

Note: Object id is what Azure uses to keep track of the group.

Step 3.8: Add F5 Console Group.
  • In F5 Console Administration > IAM > Groups.
Figure: F5 Console Groups
  • Select + Add Group.
Figure: Add Group
  • Copy Object id from Azure application into Object ID from External Identity Provider box in Add Group pop-up form.
Figure: Copy Object id from Azure
  • Enter Group Name.

  • Select Add Group button.

Note: Group will show as added but Not Synced under Status. Group Type is SCIM.

Figure: Groups
Step 3.9: Complete Provisioning in Azure.
  • In Azure, select Provisioning in your application.

  • To Start Provisioning, select View provisioning details drop-down option to view issues or updates.

  • Provisioning interval time (fixed): 40 minutes.

  • Select Start Provisioning button.

Note: Provisioning will happen at some point within 40 minutes of selecting the button.

Figure: Azure Provisioning

Note: Start Provisioning pop-up will appear confirming Provisioning is scheduled to start.

Step 4: Push SCIM Users to F5 console.

Users in the group that do not yet exist in the dashboard are created with the type labelled SCIM.

  • In F5 Console Groups page, select Refresh.
Figure: SCIM Synced

Note: Group will show as Synced under Status.

  • Check that Users in the IAM tab shows the users from Azure with Type SCIM.

  • Select Refresh.

Note: Tenant Owner will show Type Tenant Owner/SCIM.

Step 5: Sync SCIM Users and Groups.

Users that already exist in the dashboard are converted to the type SCIM.

  • In Azure, select Refresh in Provisioning page.

  • In F5 Console, open users and groups to confirm if SCIM has synced.

  • Provisioning interval time (fixed): 40 minutes.

Figure: Azure Provisioning
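The following is an added illustration, not F5's or Azure's code, of the sync behaviour Steps 3.8, 4 and 5 describe: a console group placeholder is matched to the pushed SCIM Group by its Azure Object id (externalId), users missing from the console are created with Type SCIM, users that already exist are converted in place, and the group flips from Not Synced to Synced. The resource shapes follow the RFC 7643 core User and Group schemas; the console-side dictionaries, the "Dashboard"/"SCIM"/"Tenant Owner/SCIM" type labels and the use of userName as the member value are simplifying assumptions for the demo.

```python
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"

def provision_users(users, scim_users):
    """users: console users keyed by email -> {"type", "status"} (assumed model)."""
    events = []
    for res in scim_users:
        if SCIM_USER not in res["schemas"]:
            raise ValueError("not a SCIM User resource")
        email = res["userName"]
        status = "Enabled" if res.get("active", True) else "Disabled"
        if email not in users:
            users[email] = {"type": "SCIM", "status": status}   # Step 4: created as SCIM
            events.append(f"created {email} as SCIM")
        else:  # Step 5: an existing dashboard user is converted in place, never duplicated
            old = users[email]["type"]
            users[email] = {"type": "Tenant Owner/SCIM" if old == "Tenant Owner" else "SCIM", "status": status}
            events.append(f"converted {email} to {users[email]['type']}")
    return events

def provision_group(groups, users, scim_group):
    """groups: console groups keyed by the Azure Object id entered as
    'Object ID from External Identity Provider' (Step 3.8). Member 'value' is
    taken to be the userName here instead of a SCIM id (simplification)."""
    if SCIM_GROUP not in scim_group["schemas"]:
        raise ValueError("not a SCIM Group resource")
    group = groups.get(scim_group.get("externalId"))
    if group is None:   # no placeholder group carries this Object id: nothing to sync into
        return "no console placeholder carries this Object id; nothing synced"
    synced = {e for e, u in users.items() if u["type"].endswith("SCIM")}
    group["members"] = [m["value"] for m in scim_group.get("members", []) if m["value"] in synced]
    group["status"] = "Synced"
    return f"{group['name']}: Synced with {len(group['members'])} member(s)"

def run_demo():
    # Constructed sample state: one Not Synced placeholder, the tenant owner and one
    # dashboard user; Azure then pushes three users and the group.
    obj_id = "00000000-0000-0000-0000-000000000001"   # placeholder Object id
    groups = {obj_id: {"name": "ops-admins", "status": "Not Synced", "members": []}}
    users = {"owner@example.com": {"type": "Tenant Owner", "status": "Enabled"},
             "bob@example.com": {"type": "Dashboard", "status": "Enabled"}}
    scim_users = [{"schemas": [SCIM_USER], "userName": n, "active": True}
                  for n in ("bob@example.com", "alice@example.com", "owner@example.com")]
    scim_group = {"schemas": [SCIM_GROUP], "externalId": obj_id, "displayName": "ops-admins",
                  "members": [{"value": "bob@example.com"}, {"value": "alice@example.com"}]}
    events = provision_users(users, scim_users)
    result = provision_group(groups, users, scim_group)
    return groups, users, events, result
```

Running run_demo() shows why the placeholder group must exist before provisioning starts: without a matching Object id the pushed group is ignored, while the users are still created or converted.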
Step 5.1: Provision on Demand.
  • Optionally, select Provision on demand.

Note: Provision on demand forces the selected users to sync to the application immediately, but it is not recommended. Waiting for the scheduled provisioning sync time (40 minutes) is recommended.

  • Enter group in search function in Select a user or group box in Provision on demand page.

  • Select group.

  • Select View members only.

  • Select users in selected drop-down box.

Figure: Azure Provision on Demand

Note: On-demand provisioning supports up to 5 members at a time. Deselect members until no more than 5 are selected.

  • Select Provision button.

Note: Provision button shows validating as it syncs.

  • Provision page will show Success.
Figure: Azure Provision on Demand Success
Step 6: Confirm F5 SCIM Status.
  • In F5 Console > Administration > IAM > Groups > select Refresh.
Figure: F5 Groups
  • Select Users in IAM, users with Type SCIM should show Status Enabled.
  • In Azure, Provisioning page select Refresh to confirm Current cycle status.

Note: Current cycle status: Initial cycle completed 100% complete.

Figure: Azure Provisioning
Step 7: Log into F5 Console via SSO.

The synced users can now log into the F5 dashboard via SSO.

  • Select Sign in with Azure button to log into the F5 console.
Figure: Azure SSO Login
Step 8: Disable SCIM - Delete Users and Groups Syncing.
  • Select Stop provisioning in Azure Provisioning.

Note: Deleting the groups could delete the users as well (conditions apply).

  • Select OK button in Are you sure you want to pause sync pop-up.

Note: It is recommended to stop provisioning in Azure before disabling SCIM in F5 Console.

Figure: Azure Provisioning

Note: A Stop future provisioning cycles: Please wait while future provisioning cycles are disabled pop-up confirms that stopping provisioning has been initiated and is in progress.

  • In F5 console > Administration > Tenant Settings > Login Options > SCIM > select Disable SCIM button.
Figure: Disable SCIM
  • Select Disable SCIM button in pop-up window to confirm.

  • Select Groups and Users in IAM in F5 console to confirm groups and users are unsynced after SCIM is disabled.

Figure: F5 Groups

Note: Tenant Owner will show Type Tenant Owner without /SCIM after SCIM is disabled.


Concepts