User provisioning is the process of automatically creating, updating, and removing user accounts. It ensures that users get the right access when they join, change roles, or leave the organization. To enable user provisioning, our system uses the SCIM standard, which provides a consistent and automated way to create, update, and deactivate users. To set up user provisioning, create an identity provider following the SSO configuration instructions in this document, enable the SCIM option on it, and then set up the SCIM configuration on the external identity provider.

1. Enable SCIM on PADS4 identity provider

While configuring your PADS4 identity provider, you can enable the SCIM Provisioning option. To enable it while creating the identity provider:
  • Click on the “SCIM Provisioning” step
  • Click “Enable SCIM Provisioning”
Once you have enabled it, keep the following data:
  • SCIM URL
  • SCIM Access Token
Those values will be reused later while configuring the SCIM Provisioning on the external identity provider side.

2. Configure SCIM on external identity provider

Now that SCIM Provisioning is enabled on PADS4, you need to set up the SCIM user provisioning configuration on the external identity provider.

Microsoft Entra identity provider

On Microsoft Entra, the user provisioning feature can be enabled on the same application you previously created for the SSO.
  • Open the enterprise application you previously created
  • On the left menu, click on “Provisioning”
  • On the overview page just opened, click on “New Configuration”

Create the provisioning configuration

  • On this new configuration page, fill in the following information:
    • Authentication method – PADS4 uses Bearer authentication for SCIM, so select “Bearer authentication”
    • Tenant URL – Fill in the URL that was given on the PADS4 identity provider as “SCIM URL” (e.g. https://pads4.mycompany.com/rdx/nds.services.user.scim/api/v1/scim)
    • Secret Token – Fill in the token that was given on the PADS4 identity provider as “SCIM Access Token”
Attention: This Tenant URL must be publicly accessible because Azure uses it as a callback for user provisioning.
  • Click on “Test connection” to ensure the connection is OK
  • If the connection is OK, click on the “Create” button
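A pre-flight check for the Tenant URL and Secret Token before they are pasted into Entra, as an added example that is not PADS4 or Microsoft code. It assumes the endpoint follows standard SCIM 2.0 (RFC 7644) `/Users` filtering; the function names, the token value and the probe user name are hypothetical.

```python
import ipaddress
from urllib.parse import quote, urlsplit
from urllib.request import Request

def check_tenant_url(url):
    """Return a list of problems with a SCIM Tenant URL (empty list = looks usable)."""
    if any(c.isspace() for c in url):
        return ["contains whitespace (often a copy/paste artefact)"]
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("not https: the bearer token would travel in cleartext")
    host = parts.hostname or ""
    try:
        # IP literal: loopback, private and link-local ranges are not reachable from Entra
        if not ipaddress.ip_address(host).is_global:
            problems.append("host is a non-public IP address")
    except ValueError:
        # Not an IP literal: expect a fully qualified public DNS name
        if host == "localhost" or "." not in host:
            problems.append("host is not a public DNS name")
    if parts.query or parts.fragment:
        problems.append("unexpected query string or fragment")
    return problems

def build_probe(tenant_url, token, probe_user):
    """Build (but do not send) a GET that looks up a user expected not to exist."""
    problems = check_tenant_url(tenant_url)
    if problems:
        raise ValueError("; ".join(problems))
    if not token or any(c.isspace() for c in token):
        raise ValueError("token is empty or contains whitespace")
    flt = quote('userName eq "%s"' % probe_user)  # RFC 7644 filter syntax
    return Request(tenant_url.rstrip("/") + "/Users?filter=" + flt, method="GET",
                   headers={"Authorization": "Bearer " + token,
                            "Accept": "application/scim+json"})

def describe(req):
    """Loggable summary of the request with the secret token masked."""
    return "%s %s Authorization: Bearer ***" % (req.get_method(), req.full_url)

if __name__ == "__main__":
    url = "https://pads4.mycompany.com/rdx/nds.services.user.scim/api/v1/scim"  # page's example
    print(describe(build_probe(url, "constructed-token", "no-such-user")))  # constructed values
    print(check_tenant_url("http://10.0.0.5/scim"))  # constructed bad input
```

Passing the built request to `urllib.request.urlopen` from a machine outside your network shows whether the endpoint is reachable from the internet and accepts the token.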

Configure user & group mapping

Now that the user provisioning configuration is done, the user & group mapping needs to be configured.
  • On the menu of the Provisioning page, click on “Attribute mapping”
  • Setup the group mapping configuration
The group mapping is configured as expected by default; just ensure the following settings are applied.
  • Setup the user mapping configuration
    • The user mapping should be configured as below by default.
  • From the initial configuration, the attributes that can be kept are the following ones
    • All non-existing mapped attributes can be deleted.
  • Add the new externalId custom attribute
    • When all non-existing attributes are deleted, click the “Add New Mapping” button and fill in the following information to create the externalId attribute
  • (Optional) Add optional attributes
You can also add some optional attributes that are defined by PADS4. To use them, click on “Add New Mapping” again for each of those attributes and set them up. Currently, the optional attributes available are:
Target attribute | Comment
NFC | This property will be used to synchronize any value filled in the NFC property of the PADS4 user
  • Click save to save the user mapping configuration

Assign allowed group to access the application

On Microsoft Entra, you have to define which group members will be synchronized with the application. This is configured the same way as the Single Sign-on configuration, and the user groups already defined for the SSO are already applied to this configuration. If you need to extend this user group list, follow the instructions in the respective SSO article, in the part “Assign user groups to the application”.

Start the provisioning service

Now that the provisioning configuration is done on both Microsoft Entra (Azure) and PADS4, and the groups have been assigned to the application, the provisioning service can be started. To start it, go to the Provisioning tab on the left menu and click on the “Start provisioning” button.