SCIM

Objective

This guide describes how to enable SCIM (System for Cross-domain Identity Management) in Distributed Cloud. To learn more about users, see Users.

SCIM is an open standard designed to manage user identity information. SCIM provides the ability to sync users and groups from one system to another.

As your company grows, new users onboard and old users leave. Keeping many Identity Management systems up to date burdens administrators. A better solution is for administrators to maintain a single group in one place and have it synced.

After enabling SCIM in the Distributed Cloud console, changes made in your Identity Management provider will be synced to Distributed Cloud.

A common scenario is an administrator who needs to update many users' permissions at once, for example removing admin privileges from all users in a specific group.

The instructions in this document demonstrate how to perform user management via SCIM in Distributed Cloud Console.


SCIM Terms

Technical terms used for the SCIM feature:

Externally Managed/SCIM Enabled Entities: Objects that are marked to be sourced from Azure.

Synced Entities: Objects that have successfully been sourced from Azure.

Dashboard (non-SCIM synced) Entities: Objects that are managed solely (CRUD) through the F5XC dashboard.


FAQ

Which objects are synced?

Users and User Groups (name, email, user <-> group associations).

Which info can be managed via the dashboard for the synced entities?

Group creation/deletion, role assignment, etc.


Prerequisites

Note: In case you do not have an account, see Create an Account.

  • Azure SSO.

  • Azure Subscription.

  • Resources required per node: Minimum 4 CPUs and 14 GB RAM.


Enable SCIM

Steps to enable SCIM and sync users and groups.

Note: In F5 Distributed Cloud Console, SCIM is supported for Azure SSO user group management only.

Step 1: Open F5® Distributed Cloud Console and enable tenant SSO.

Enable SSO for the tenant.

  • Open F5® Distributed Cloud Console > select the Administration box.

Note: Account Settings, under the profile icon in the upper-right corner of the dashboard, also opens the Administration settings.

Figure: Homepage

Note: The homepage is role based, and yours may look different due to role customization. Select the All Services drop-down menu to display all options. To customize: Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check Work Domain boxes > Save changes button.

Note: Confirm the Namespace feature is set to the correct namespace using the drop-down selector in the upper-left corner. Not available in all services.

  • Select Tenant Settings in the left menu > select Login Options.

Note: If the options are not showing, select the Show link in Advanced nav options in the bottom-left corner. If needed, select Hide to minimize the Advanced nav options.

  • Confirm SSO Azure is Enabled.

Figure: SCIM

Step 2: Enable SCIM.

Enable SCIM for the tenant.

  • Select Enable SCIM button in SCIM section.

Figure: SCIM

Figure: SCIM enable flow

  • Select the token validity length in the Enable SCIM pop-up.

Note: Options are 3 months, 6 months, or 12 months.

  • Select Next button.

Figure: SCIM

  • Copy tenant URL.

  • Copy Secret Token.

Note: Keep the token provided; it is used in Azure. Only one token is valid at a time. Once you regenerate a token, the old token is voided.

  • Select Complete SCIM Setup button.

Figure: SCIM

Regenerate Token.

Note: Regenerate token as needed.

  • Select Regenerate Token button in SCIM section.

Note: Only one token is valid at a time. Once you regenerate a token, the old token is voided.

  • Select Regenerate Token button in pop-up to confirm.

Figure: SCIM

  • Select Done button.

Figure: SCIM secret token

Note: Only the Tenant Owner has permission to configure SCIM.

Step 3.1: Create User Group.

Create a user group in the tenant with the external ID specified. See SSO - Azure to learn more.

  • Open Azure (portal.azure.com).

  • Select Azure Active Directory.

Figure: Azure

  • Select Enterprise Applications.

Figure: Azure

  • Select + New application.

Figure: Azure

  • Select Create your own application in Azure.

Figure: Azure

  • Input a name in the Create your own application pop-up window.

  • Check the option Integrate any other application you don't find in the gallery (Non-gallery).

Note: This is the non-gallery application option.

  • Select the Create button.

  • The Adding Application pop-up appears while the application loads.

Note: A green check mark with the message that the application was added successfully confirms that the application was created.

  • Select Users and Groups in Manage tab in left column.

Figure: Azure Users and Groups

Note: Users and groups must be added to the application in order to be synced with the F5XC platform.

  • Select + Add user group.

Figure: Azure Users and Groups

  • Select None Selected under Users and groups if no users or groups have been added yet.

  • On the Add Assignment page, search for the user group used previously in the Users and groups pop-up.

  • Select the Assign button.

Note: Select View Members to confirm that the users in the application are the same.

Step 3.2: Provision User/Group.

  • Select Provisioning in the Manage tab in Azure.

  • Select the Get Started button.

Note: The Get Started button appears if this is your first time provisioning the application.

  • Select Automatic in the Provisioning Mode drop-down menu.

Note: Provisioning can take up to 40 minutes.

Figure: Azure Provisioning

Tenant URL/Secret Token

  • Enter the Tenant URL from F5XC in Azure.

  • Enter the Secret Token from F5XC in Azure.

Figure: Azure Provisioning

  • Copy and paste the Tenant URL from F5XC.

    • In Administration > Login Options > SCIM, copy the SCIM Client URL to use as the tenant URL.

  • Copy and paste the Secret Token from F5XC.

    • In Administration > Login Options > SCIM > select Regenerate Token button > select Token Validity > Regenerate Token button in pop-up > copy the Secret Token in F5XC.

Figure: SCIM

  • Select the Done button to complete token generation in F5XC.

Note: Once you create a new token, the old token is automatically destroyed. At any point in time there is only one token associated with a primary tenant.

Figure: SCIM secret token

Provision Test Connection

Test provisioning to verify communication between the Azure application and the F5XC console.

  • Select the Test Connection button on the Provisioning page in Azure.

Note: A pop-up reading Testing connection to <application name> - The supplied credentials are authorized to enable provisioning appears in the upper-right corner of Azure, confirming the connection is successful.

Figure: Azure Provisioning

Note: A pop-up reading Uploading user provisioning settings - successfully updated <application name> appears in the upper-right corner of Azure, confirming provisioning settings were saved.

  • The Provisioning page now shows that it is ready to start provisioning.

Note: Before starting provisioning, you must create a placeholder group to select which group to sync with F5XC.

Configure Azure Groups

  • Select Users and groups in the Manage tab.

Figure: Azure Users and Groups

  • Select Groups.

  • Copy the Object id from the group page.

Note: The Object id is what Azure uses to track the group.

Step 3.3: F5 Console Group.

  • In F5XC Console, go to Administration > IAM > Groups.

Figure: F5 Groups

  • Select + Add Group.

Figure: F5 Groups

  • Copy the Object id from the Azure application into the Object ID from External Identity Provider box in the Add Group pop-up form.

Figure: F5 Groups

  • Enter the Group Name.

  • Select the Add Group button.

Note: The group shows as added but Not Synced under Status. Group Type is SCIM.

Step 3.4: Complete Provisioning in Azure.

  • In Azure, select Provisioning in your application.

  • Before starting provisioning, select the View provisioning details drop-down option to view any issues or updates.

  • Provisioning interval (fixed): 40 minutes is the standard time.

  • Select the Start Provisioning button.

Note: Provisioning runs at some point within 40 minutes of selecting the button.

Note: A Start Provisioning pop-up appears confirming that provisioning is scheduled to start.

Figure: Azure Provisioning

Step 4: Sync SCIM Users and Groups.

Users in the group that do not yet exist in the dashboard are created there with the Type labelled SCIM.

  • In F5XC Groups page, select Refresh.

Figure: F5 Groups

Note: The group now shows as Synced under Status.

  • Check that Users in the IAM tab shows the users from Azure with Type SCIM.

  • Select Refresh.

Note: Tenant Owner will show Type Tenant Owner/SCIM.

Step 5.1: Push SCIM users to F5 console.

Users that already existed in the dashboard are converted to Type SCIM.

  • In Azure, select Refresh on the Provisioning page.

  • In F5XC, open Users and Groups to confirm whether SCIM has synced.

  • Provisioning interval (fixed): 40 minutes is the standard time.

Figure: Azure Provisioning
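As an added illustration (not F5's or Azure's code), the following constructed Python model shows the sync behaviour described in Steps 2 through 5.1: one active secret token per tenant, a placeholder group matched by the Azure Object ID stored as the SCIM externalId, and users created with or converted to Type SCIM. The class name ScimTenant, the status strings and the use of an email address as the SCIM member value are assumptions made for the example.

```python
import secrets
from datetime import datetime, timedelta, timezone

# Constructed model of the behaviour this guide describes; it is not the
# F5XC implementation and uses simplified field names.
class ScimTenant:
    def __init__(self):
        self.token = None            # only one secret token is valid at a time
        self.expires = None
        self.groups = {}             # externalId (Azure Object id) -> group record
        self.users = {}              # email -> {"type": ..., "groups": set()}

    def regenerate_token(self, months):
        # Validity options are 3, 6 or 12 months; regenerating voids the old token.
        if months not in (3, 6, 12):
            raise ValueError("token validity must be 3, 6 or 12 months")
        self.token = secrets.token_urlsafe(32)
        self.expires = datetime.now(timezone.utc) + timedelta(days=30 * months)
        return self.token

    def add_group(self, name, external_id):
        # Step 3.3: a group created from the dashboard starts as Not Synced.
        self.groups[external_id] = {"name": name, "status": "Not Synced", "type": "SCIM"}

    def add_dashboard_user(self, email):
        # A user created directly in the dashboard before SCIM was enabled.
        self.users[email] = {"type": "Dashboard", "groups": set()}

    def handle_group_push(self, bearer, resource):
        # Azure provisioning presents the secret token as a bearer credential;
        # anything but the current, unexpired token is rejected (HTTP 401).
        if self.token is None or bearer != self.token:
            return 401
        if datetime.now(timezone.utc) >= self.expires:
            return 401
        ext = resource.get("externalId")
        if ext not in self.groups:
            return 404               # no placeholder group with that Object id
        self.groups[ext]["status"] = "Synced"       # Step 4
        for member in resource.get("members", []):
            email = member["value"]   # simplified: member value is the email
            # New users are created as SCIM; existing dashboard users convert
            # to SCIM (Step 5.1). Tenant Owner handling is not modelled here.
            user = self.users.setdefault(email, {"type": "SCIM", "groups": set()})
            user["type"] = "SCIM"
            user["groups"].add(ext)
        return 200
```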

Step 5.2: Provision on Demand.

  • Optionally, select Provision on demand.

Note: Provision on demand forces an immediate sync of the selected users to the application, but it is not recommended. Waiting for the scheduled provisioning cycle (40 minutes) is recommended.

  • Enter the group in the search field in the Select a user or group box on the Provision on demand page.

  • Select group.

  • Select View members only.

  • Select users in selected drop-down box.

Figure: Azure Provision on Demand

Note: On-demand provisioning supports up to 5 members at a time. If more are selected, unselect members until at most 5 remain.

  • Select the Provision button.

Note: The Provision button shows Validating while it syncs.

  • The Provision page shows Success.

Figure: Azure Provision on Demand Success

Step 6: Enable F5 SCIM status.

Handle role assignment to these synced groups from the dashboard.

  • In F5XC > Administration > IAM > Groups > select Refresh.

Figure: F5 Groups

  • Select Users in IAM; users with Type SCIM should show Status Enabled.

  • In Azure, select Refresh on the Provisioning page to confirm the Current cycle status.

Note: Current cycle status shows Initial cycle completed, 100% complete.

Figure: Azure Provisioning

Step 7: Log into F5 console via SSO.

The synced users can now log into the F5 dashboard via SSO.

  • Select Sign in with Azure button to log into the F5 console.

Figure: Azure SSO Login

Step 8: Disable SCIM - stop syncing users and groups.

  • Select Stop provisioning on the Azure Provisioning page.

Note: Deleting the groups could delete the users as well (conditions apply).

  • Select the OK button in the Are you sure you want to pause sync pop-up.

Note: It is recommended to stop provisioning in Azure before disabling SCIM in the F5XC console.

Figure: Azure Provisioning

Note: A Stop future provisioning cycles pop-up reading Please wait while future provisioning cycles are disabled confirms that stopping provisioning has been initiated and is in progress.

  • In F5XC console > Administration > Tenant Settings > Login Options > SCIM > select Disable SCIM button.

Figure: Disable SCIM

  • Select the Disable SCIM button in the pop-up window to confirm.

  • Select Groups and Users in IAM in the F5 console to confirm that groups and users are unsynced after SCIM is disabled.

Figure: F5 Groups

Note: Tenant Owner will show Type Tenant Owner without /SCIM after SCIM is disabled.
