Here are the steps to follow to configure automatic user provisioning into Paradigm from Microsoft Entra ID (formerly Azure Active Directory).
Paradigm side

- Activate the SCIM feature instance-wide: set the config key `SCIM_INSTANCE_ACTIVATION` to `True`.
- Have a user with the permissions to manage users in the desired company.
- Create an API key linked to that user.
Microsoft side

- From the Microsoft admin interface, go to the Identity administration area (Entra ID).
- Create a new application in the Identity administration site: select **Create your own application**, give it the name you want, select the third option, **Integrate any other application you don't find in the gallery (Non-gallery)**, and click on **Create**.
- Once the application has been created, click on **Provisioning**.
- Click on **+ New configuration**.
- Configure the provisioning to use the desired Paradigm instance:
  - **Tenant URL**: it should follow the pattern `https://<paradigm_domain_name>/scim/v2/?aadOptscim062020`. `<paradigm_domain_name>` should be replaced by `paradigm.lighton.ai` to use the LightOn SaaS solution, or by the client domain name for on-premise solutions.

    ⚠️ The `?aadOptscim062020` flag is currently necessary to work around bugs on the Microsoft side. Microsoft is actively working on making the related behavior changes part of the default behavior.
  - **Secret token**: put the created Paradigm API key in this field.
- Click on **Test connection** to verify that the Paradigm instance can be reached and has the SCIM feature available and activated.
- Click on **Create** once the test is successful.
- Go to the **Users and groups** area to assign users or a group of users to the application.
- Go to the **Attribute mapping** area and set **Provision Microsoft Entra ID Groups** to **No** (disabled). The **LightOn Paradigm authorized users** group will not be created in Paradigm; the request will be refused if Microsoft Entra ID tries to create it.
- In the **Attribute mapping** area, check which Microsoft attribute is mapped to the `emails[type eq "work"].value` attribute. We advise using `userPrincipalName`, so that provisioning does not fail because the Microsoft `mail` field (used by default for SCIM in Entra ID) was left empty when the user was created. You can find the suggested attribute configuration for users in the image below.
- Go back to the **Overview** and click on **Start provisioning**.
Expected behavior with this configuration

Here is a table summarizing the expected behavior in Paradigm following an action in Microsoft Entra ID:

| Microsoft Entra ID action | Paradigm behavior |
|---|---|
| create a new user and assign them to the group assigned to Paradigm | creates the related account in Paradigm |
| modify information about the user in Microsoft Entra ID | the change is forwarded to Paradigm if it touches an attribute used by Paradigm |
| delete a user from the Entra ID administration panel | the user is deactivated in Paradigm, and the username and email are modified so the account can be restored if needed |
| permanently delete a user from the Entra ID administration panel | the user is deactivated and anonymized in Paradigm |
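As an added illustration (not LightOn's code), the following hypothetical in-memory model ties the configuration steps above to the behavior table: it derives SCIM resource URLs from the Tenant URL while keeping the `?aadOptscim062020` flag, maps the work email from `userPrincipalName`, and applies the create / update / delete / permanent-delete / group-refusal rules. The class and function names, and the exact renaming and anonymization formats, are assumptions.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

TENANT_URL = "https://{domain}/scim/v2/?aadOptscim062020"

def scim_resource_url(domain: str, resource: str) -> str:
    """Derive a resource URL from the Tenant URL, keeping the query flag after the path."""
    parts = urlsplit(TENANT_URL.format(domain=domain))
    return urlunsplit((parts.scheme, parts.netloc, parts.path + resource, parts.query, ""))

def work_email(entra_user: dict) -> str:
    """emails[type eq "work"].value taken from userPrincipalName, as advised above,
    so a blank 'mail' field in Entra ID does not block provisioning."""
    upn = entra_user.get("userPrincipalName")
    if not upn:
        raise ValueError("userPrincipalName is required")
    return upn

@dataclass
class Account:
    user_name: str
    email: str
    display_name: str
    active: bool = True
    restore: dict = field(default_factory=dict)  # identifiers kept for a possible restore

class ParadigmScim:
    """Hypothetical model of the Paradigm-side SCIM behaviors listed in the table."""
    USED_ATTRS = {"displayName"}  # assumption: attributes Paradigm actually consumes
    def __init__(self):
        self.accounts: dict[str, Account] = {}
    def create_user(self, entra_user: dict) -> Account:   # user created and assigned
        email = work_email(entra_user)
        self.accounts[email] = Account(email, email, entra_user.get("displayName", ""))
        return self.accounts[email]
    def update_user(self, key: str, changes: dict) -> Account:   # user modified
        acct = self.accounts[key]
        if "displayName" in changes:            # attributes not in USED_ATTRS are ignored
            acct.display_name = changes["displayName"]
        return acct
    def delete_user(self, key: str) -> Account:   # deleted: deactivate, keep restore data
        acct = self.accounts[key]
        acct.restore = {"user_name": acct.user_name, "email": acct.email}
        acct.active = False
        acct.user_name = acct.email = f"deleted+{key}"   # assumed renaming format
        return acct
    def purge_user(self, key: str) -> Account:    # permanently deleted: anonymize too
        acct = self.delete_user(key)
        acct.user_name = acct.email = acct.display_name = "anonymized"   # assumed format
        acct.restore = {}
        return acct
    def create_group(self, group: dict) -> None:  # group provisioning is refused
        raise PermissionError("group provisioning is refused; keep it set to No")
```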