Configure SCIM with Entra

You can configure your Igloo Flex digital workplace to continually sync users and their Entra profile data directly into Igloo Flex using SCIM (System for Cross-domain Identity Management)

Considerations

  • Provisioning users: When a user is first added, their profile information will not be included during the first provisioning from Entra. When the next provisioning is run, their profile information will be updated. This could take up to 1.5 hours, as Entra provisions every 40 minutes by default. 
  • Non-supported fields: Igloo Flex does not support syncing of the manager or reportTo fields. When syncing with Entra, they must be removed from any SCIM mappings before syncing. 
  • Valid content syncing: When syncing values into fields in Igloo Flex, it is important to ensure that the values are in the correct format. See Profile field for information on valid field formats. 

Who can do this?

  • Workplace administrators

Prepare your profile fields

Before configuring your SCIM connection, it is essential to review your profile field configuration. When SCIM updates a profile field, it overwrites the value in Igloo Flex with the value in Entra, even if it is blank in Entra, and erases any values a user has entered previously. Therefore, turning off the user's ability to edit that field in Igloo Flex is vital. 

To allow a profile field to sync via SCIM:

  1. Go to your Igloo Flex digital workplace and log in with an account with workplace administrator access permissions. 
  2. On the Top Bar, select Admin Settings.
  3. Under Administration in the left side panel, select Profile Field Configuration
  4. Next to each profile field you want to sync via SCIM:
    1. Select Menu and then Edit & Overview.
    2. In the window, toggle Editable by user to off. 
    3. Select Save

You should always perform this process for the following profile fields because they are required for syncing to SCIM: 

  • First Name
  • Last Name

Configure your Entra application

You will need the assistance of your IT team's Entra administrator to configure your Entra application. 

Create an enterprise application

If you already have an enterprise application used with your SSO, you can use your current one and skip the creation steps in this section.

  1. Go to the Microsoft Entra Admin Center and sign in with your administrator credentials.
  2. In the search box at the top of the page, search for Enterprise Applications and select it. 
  3. Select + New application
  4. Select + Create your own application
  5. In the right side panel, enter the following:
    • What's the name of your app?: Enter the application name. For example, Flex SCIM.
    • What are you looking to do with your application?: Select Integrate any other application you don't find in the gallery (non-gallery).
  6. Select Create and then open the application.

Connect the application to Igloo Flex

The enterprise application must be connected to Igloo Flex via a SCIM connection. To do so: 

  1. In the 2nd left sidebar, under Manage, select Provisioning
  2. Select Connect your application.
  3. Gather the information to fill out the form from Flex:
    1. Open your Igloo Flex digital workplace in a separate browser window and log in with an account with workplace administrator access permissions. 
    2. On the Top Bar, select Admin Settings
    3. Under Administration in the left side panel, select SCIM Settings.
    4. Select Generate Token. If prompted, select Yes to create a new token. Any previous token will be overwritten. 
    5. Select Copy and paste the value into the Secret Token field in your Entra browser window. 
    6. Return to the Igloo Flex browser window, and select Ok.
    7. Select  Copy in SCIM Endpoint and paste the value into the Tenant URL field in your Entra browser window. 
  4. In your Entra browser window, select Test Connection
  5. If the test is successful, select Create. Otherwise, verify the values in Step 3 are correct in both platforms. If the connection continues to have issues, log a support ticket with Igloo Support

Map profile fields between Entra and Igloo Flex

You must map the attributes in Entra to sync your Entra profile data to your Igloo Flex profile fields. 

To add new or edit existing field mappings: 

  1. In your Igloo Flex browser window, return to the SCIM Settings page. 
  2. Select Copy SCIM Mapping and paste those values into a text file where you can reference them. 
  3. Return to your Entra browser window, under Manage, select Attribute Mapping (Preview) in the left side bar. 
  4. Select Provision Microsoft Entra ID Users.
  5. At the bottom of the page, select Show advanced options
  6. Select Edit attribute list for customappsso.
  7. In the Name column, add the scimMapping value(s), without quotations, from the SCIM mapping file for the profile fields you want to map that do not already have an attribute listed in the table. You do not have to modify other column values. The following fields should not be mapped: 
    • First Name
    • Last Name
    • Username (Users are matched with this field, and the field's values must match in Igloo Flex and Entra to ensure proper user matching and creation.)
  8. Select Save, and when prompted, select Yes
  9. To add a new mapping: 
    1. Select Add New Mapping
    2. Enter the following: 
      • Mapping type: Select Direct.
      • Source attribute: Select the appropriate Entra attribute. This is the value that will be synced from the user. 
      • Target attribute: Select the appropriate Igloo Flex attribute. These were added in Step 7 above. 
    3. Select Ok.
  10. (Optional) Some fields may already be mapped. You can edit an existing mapping by: 
    1. Locate the attribute mapping in the Attribute Mapping list and select Edit.
    2. Update the following as needed:
      • (Optional) Mapping type: Select Direct.
      • (Optional) Source attribute: Select the appropriate Entra attribute. This is the value that will be synced from the user. 
      • (Optional) Target attribute: Select the appropriate Igloo Flex attribute. These were added in Step 7 above. 
    3. Select Ok
  11. (Optional) If the manager or reportsTo fields are mapped, they should be removed to prevent syncing issues. 
  12. Select Save, and when prompted, select Yes

Assign users and groups and provision them to Igloo Flex

Once you have successfully connected and mapped your profile fields, you need to add users and groups before provisioning them to allow them to be added to your Igloo Flex digital workplace.

Group name syncing is case and space-sensitive. For example, to properly sync the Entra group Research and Development, the Igloo Flex group name must be Research and Development.

  • No match found: If the group names don't match by case and spaces, a new group will be created with no assigned access permissions in Igloo Flex. After the sync has been completed, you can assign access permissions to the group site-by-site. For instructions, see Assign or edit access permissions for a site.
  • Match found: If the group name matches in Igloo Flex, once SCIM syncs, it will take over syncing the group's membership from Entra. 

For information on how provisioning functions with users and groups in different situations, see the SCIM and the Flex access model section of the SCIM (System for Cross-domain Identity Management) article. 

To select users and groups, and provision them:

  1. Under Manage, select Users and groups in the left side bar. 
  2. Assign users and groups to allow them to be provisioned. We recommend selecting groups to ensure appropriate access is granted in Igloo Flex on provisioning because they will be assigned to a group. See SCIM for more information about SCIM and Igloo Flex's access permissions. 
    1. Select Add user/group.
    2. Select None Selected or X user/group selected under Users or Groups
    3. Search for users or groups. Select them and then choose Select
    4. Select Assign.
    5. Repeat Steps 2.2-2.4 as necessary. 
  3. Start provisioning users to Igloo Flex.
    1. In the left sidebar, select Overview
    2. Select Start provisioning. By default, Entra will provision users to Igloo Flex every 40 minutes. 

Once all these settings have been configured, it can take up to 1.5 hours for users, their profile data, and groups to be synced to the Igloo Flex digital workplace. 

Troubleshooting

If you are experiencing issues with your sync, check the following: 

  • Non-supported fields: Igloo Flex does not support syncing of the manager or reportTo fields. When syncing with Entra, they must be removed from any SCIM mappings before syncing. 
  • Valid content syncing: When syncing values into fields in Igloo Flex, it is important to ensure that the values are in the correct format. See Profile field for information on valid field formats. 

Related to