Tags | Provisioning | Azure | SCIM | Security | Entra ID |
ADMIN PRIVILEGES REQUIRED
This documentation is for Stack Overflow Enterprise. Free, Basic, and Business users can access their documentation here. Find your plan.
Overview
System for Cross-domain Identity Management (SCIM) is an open API for securely sharing user information between online systems. In Stack Overflow for Teams Enterprise (SOE), SCIM 2.0 support allows an Identity Provider (IdP) to automatically update Stack Overflow with the user's activation status and/or role. Unlike SAML 2.0, which passes user information only at login, SCIM sends updates whenever they occur. This provides SOE near-real-time updates to user status and role as changes happen at the IdP.
This article covers integrating Microsoft Entra ID and your SOE site with SCIM. For a better understanding of using SCIM with SOE, read our SCIM 2.0 support article.
NOTE: Before you can configure SCIM for Entra ID, you must have an Entra ID Enterprise application for your SOE site. If you haven't yet configured a SAML Entra ID Enterprise application, follow the instructions in the SSO with Microsoft Entra ID article.
When setting up SCIM, you'll configure Entra ID and your SOE site in a back-and-forth process. We recommend having a browser tab open to each site.
Configure SCIM on SOE
As an SOE admin, click Admin Settings in the left-hand menu. Click SCIM under the "ACCESS MANAGEMENT" heading.
Configure the following settings:
SCIM Set to On to enable SCIM.
SCIM authorization bearer token Create a token (password) you'll later enter into the SCIM configuration on Entra ID. You can enter any string of characters, but be sure to follow best practices for creating a strong password. SOE hides the value by default. Click Show password to view and copy the value.
Allow Moderator Promotion via a userType property Check this box to enable SCIM promotion/demotion between regular user and moderator roles.
Allow Admin Promotion via a userType property Check this box to enable SCIM promotion/demotion between regular user and admin roles.
Click Save settings.
Configure Entra ID
On Entra ID, open your Stack Overflow Enterprise application.
Click Provisioning in the left-hand menu, then Get started.
Set Provisioning Mode to Automatic.
Enter the following for Admin Credentials:
Tenant URL Set to https://[your_site]/api/scim/v2.
Secret Token Paste the authorization bearer token you created on the SOE SCIM page.
Click Test Connection. A green checkmark will appear in Tenant URL if the connection is successful.
Click Save.
Configure Entra ID SCIM user mapping
User mapping lets you define which SOE users SCIM will affect.
Go to the Entra ID application's Mappings page. Set mapping at the group or user level by clicking Provision Azure Active Directory Groups or Provision Azure Active Directory Users respectively.
On the provisioning configuration page, set Target Object Actions to Update.
NOTE: SOE doesn't support the creation or deletion of users via SCIM.
Configure the following attributes:
userNameSet this to the Display Name Assertion from your SOE SAML 2.0 authentication settings (check this value by clicking Admin Settings, then Authentication, then Configure SAML 2.0 in SOE).active(true/false) Determines whether the user should be deactivated or reactivated in SOE.Other required fields for SCIM
name.givenName,name.familyName,emails(Entra ID should map these by default.)
Click Save.
NOTE: Microsoft Entra ID SCIM doesn't support user role promotion or demotion.