Set up SCIM for SSO

Here is how you can enhance your SSO experience by setting up SCIM

SCIM Integration 

You can further enhance SSO with SCIM user provisioning. The Microsoft Entra ID Provisioning Service provisions users to SaaS apps and other systems by connecting to a System for Cross-Domain Identity Management (SCIM) 2.0 user management API endpoint provided by the application vendor. This SCIM endpoint allows Azure AD to programmatically create and update users. In this article, you'll learn how to take advantage of this functionality.


Important

  • We recommend managing and editing employees mainly in your Azure Active Directory. It will save you from keeping two platforms up to date.
  • Zapfloor does not support a Multi-team structure - one employee can’t be part of several teams (or customers). 
  • Please bear in mind that if an employee leaves the company and their profile is deleted from the Active Directory, they will not be deleted from Zapfloor fully but will be Archived. If they had any bookings in the system, they will be kept as well. Any future bookings of the said employee must be canceled manually.

Azure Active Directory Set Up


Follow the steps below to set up provisioning.

  • Navigate to Microsoft Entra (https://entra.microsoft.com/)
  • Choose Applications > Enterprise Applications from the sidebar.
  • Create an application for the SCIM integration
  • Click on Create your own application
  • Enter a name for your application
  • Select the last option: “Integrate any other application you don’t find in the gallery (non-gallery).”
  • On the overview page of the application, choose Manage > Provisioning from the application sidebar.

  • Click on Provisioning again
  • Set Provisioning Mode to Automatic
  • The tenant URL is https://api.zapfloor.com/scim_v2/
  • The secret token can be generated from within Zapfloor
    • Log into Zapfloor as an operator
    • Navigate to your user profile
    • Go to the Api Tokens tab
    • Create a new token with the ALL:ACCESS scope
    • Use the generated token as the secret token
  • Save the settings
  • Back on the `Provisioning` tab you’ll see the “Mappings” options, modify these as follows:
    • Disable Groups mapping
    • Go to the Users mapping page
    • Click on “Add New Mapping”
    • In the “Source Attribute” field select “companyName”
    • In the “Target Attribute” field select “urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization”
    • Click Ok, and save these changes


** Make sure a provisioning mapping for department exists.

** Make sure the provisioning status is On.



Field Mapping


The following attributes are used to sync users in Zapfloor.

  • userName will become the user’s username
  • name.familyName will become Lastname
  • name.givenName will become Firstname
  • The work email will become the email address
  • preferredLanguage will be used to determine language
  • Active will be used to set archival state
  • Organization will be used to find or create a team in Zapfloor (based on team name)
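
To check a mapping before switching provisioning on, the added example below (not Zapfloor or Microsoft code) reads the attributes listed above out of a SCIM 2.0 User resource and reports which ones are absent. The sample payload is constructed, the output key names are hypothetical labels, and treating `active = false` as "archived" is an assumption based on the list above.

```python
import json

ENTERPRISE_URN = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Constructed sample of a SCIM 2.0 User resource (not captured traffic).
SAMPLE_USER = json.loads("""
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User",
              "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
  "userName": "jane.doe@example.com",
  "name": {"familyName": "Doe", "givenName": "Jane"},
  "emails": [{"type": "home", "value": "jane@home.example"},
             {"type": "work", "value": "jane.doe@example.com", "primary": true}],
  "preferredLanguage": "en",
  "active": true,
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {"organization": "Contoso"}
}
""")


def as_bool(value):
    """Accept a JSON boolean or its string form ("True"/"false")."""
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)


def map_scim_user(resource):
    """Return the fields from the list above, plus the names of missing ones."""
    name = resource.get("name") or {}
    # Only the entry typed "work" is used; other email types are ignored.
    work = [e.get("value") for e in resource.get("emails") or []
            if e.get("type") == "work" and e.get("value")]
    # "organization" lives under the enterprise extension namespace key.
    ext = resource.get(ENTERPRISE_URN) or {}
    fields = {
        "username": resource.get("userName"),
        "lastname": name.get("familyName"),
        "firstname": name.get("givenName"),
        "email": work[0] if work else None,
        "language": resource.get("preferredLanguage"),
        # Assumption: an absent "active" is treated as active (not archived).
        "archived": not as_bool(resource.get("active", True)),
        "team": ext.get("organization"),
    }
    missing = [key for key, value in fields.items() if value is None]
    return fields, missing


if __name__ == "__main__":
    print(map_scim_user(SAMPLE_USER))
```

A user whose payload lacks the enterprise extension shows up with `team` in the missing list, which is what happens when the companyName mapping from the setup steps has not been added.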


 

Create

An existing user will be looked up in Zapfloor using SCIM.

  • If found, this user will be updated.
  • If not found, a new user will be created.

Update

All fields will be updated in Zapfloor to ensure they match.


Delete

The user is removed from Zapfloor.