SCIM
Enterprise Edition
You can sync users and groups from your identity provider (such as Microsoft Entra ID) to Data Mesh Manager.
This guide will show you how to set up SCIM2 (System for Cross-domain Identity Management) for your organization using Microsoft Entra ID (formerly known as Azure Active Directory). Other SCIM compliant providers work similarly, but the setup might differ.
Note: SCIM2 is only available in the Enterprise Edition of Data Mesh Manager / Data Contract Manager.
Prerequisites
- You must have the Cloud Application Administrator role in Microsoft Entra ID.
- If you want to provision groups, a Microsoft Entra tenant with Microsoft Entra ID P2 or another premium license is required.
- You must be Organization Owner in Data Mesh Manager.
- Your Entra ID usernames must be valid email addresses.
Configure SCIM provisioning using Microsoft Entra ID
Learn more in the official reference: https://learn.microsoft.com/en-us/entra/identity/app-provisioning/on-premises-scim-provisioning
Note: The Microsoft tutorial refers to "on-premises" SCIM provisioning, but the steps are the same for Data Mesh Manager Cloud and Self-Hosted deployments.
Step 1: Generate API-Key
See API Key
Step 2: Create an Enterprise Application
- Go to https://entra.microsoft.com/
- Sign in as a Cloud Application Administrator
- Ensure that the correct directory (=tenant) is selected
- Click Applications in the left navigation
- Click Enterprise applications
- Click New application
- Enter a name, e.g., Data Mesh Manager
- Select Integrate any other application you don't find in the gallery (Non-gallery) and click Create
Step 3: Configure SCIM provisioning
- In the Enterprise Application, click Provisioning
- Click New configuration
- Enter the following values:
- Tenant URL: https://api.datamesh-manager.com/api/scim/v2 (replace https://api.datamesh-manager.com with the URL of your instance if you are using the self-hosted version)
- Secret Token: The API-Key you generated in Step 1
- Click Test Connection to verify the connection
- Click Create
Step 4: Assign users and groups
- Go to Users and groups
- Click Add user/group
- Select the users and groups you want to provision to Data Mesh Manager
If you want to sync all users and groups to Data Mesh Manager, you can change the scope in Provisioning > Settings > Scope to Sync all users and groups.
Step 5: Configure User Attribute Mapping
- Go to Attribute mapping (Preview)
- Click Provision Microsoft Entra ID Users
- Configure the following attribute mapping:
customappsso Attribute | Microsoft Entra ID Attribute | Matching precedence |
---|---|---|
userName | userPrincipalName | 1 |
active | Switch([IsSoftDeleted], , "False", "True", "False") | |
displayName | displayName | |
emails[type eq "work"].value | | |
externalId | objectId | |
If your userPrincipalName is not a valid email address, use the mail attribute for userName instead.
The externalId should be mapped to the objectId, as this ID is used by Entra ID OpenID Connect SSO to identify the user.
Delete all other mappings and click Save.
Step 6: Test the provisioning
- Go to Provision on demand
- Select a single user
- Click Provision
- Make sure that the operation is successfully performed
Step 7: Enable SCIM provisioning
- Go to Provisioning
- Set Provisioning Status to On
- Click Save
- Validate that the provisioning is working as expected by checking the Provisioning logs
User Provisioning
If you provision a user to Data Mesh Manager, this logic will be applied:
- Create a new user with the userName as email address, if the user does not exist yet.
- The user is added to your organization (which is linked to the API key) with the role Organization Member in status active, when the active property is true.
- The email address is considered validated, if the userName matches the emails[type eq "work"].value attribute.
- If your organization is using SSO, the user will be able to log in with the SSO provider. Make sure that the externalId uses the same ID as the configured subject in the SSO token. If you use Entra ID, the externalId should be the objectId of the user (which is the oid claim in the ID token).
The user can be updated and patched. Note that the userName cannot be updated as of now.
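The following is an added example (not code from Data Mesh Manager) that builds the SCIM User resource Entra ID would send under the Step 5 mapping and then applies the provisioning rules above to it, so you can check a mapping before enabling provisioning. It assumes the Entra "mail" attribute is mapped to emails[type eq "work"].value (the page leaves that cell empty) and uses a constructed sample user.

```python
import re
from typing import Optional

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

def scim_user_from_entra(entra_user: dict) -> dict:
    """Build the SCIM User resource for one Entra ID user under the Step 5 mapping.
    Mapping 'mail' to the work e-mail is an assumption; the page leaves it unmapped."""
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": entra_user["userPrincipalName"],
        # Switch([IsSoftDeleted], , "False", "True", "False"): active unless soft-deleted
        "active": not entra_user.get("IsSoftDeleted", False),
        "displayName": entra_user["displayName"],
        "emails": [{"type": "work", "value": entra_user["mail"]}],
        "externalId": entra_user["objectId"],
    }

def apply_provisioning_logic(scim_user: dict, id_token_claims: Optional[dict] = None) -> dict:
    """Mirror the 'User Provisioning' rules: userName is the e-mail address, the
    user is active only when 'active' is true, the e-mail counts as validated only
    when it equals the work e-mail, and externalId must equal the SSO 'oid' claim."""
    user_name = scim_user["userName"]
    if not EMAIL_RE.match(user_name):
        raise ValueError(f"userName {user_name!r} is not an e-mail address; map 'mail' instead")
    work_emails = [e["value"] for e in scim_user.get("emails", []) if e.get("type") == "work"]
    result = {
        "email": user_name,
        "role": "Organization Member",
        "active": bool(scim_user.get("active", False)),
        "email_verified": user_name in work_emails,
        "external_id": scim_user.get("externalId"),
        "sso_subject_matches": None,  # only known once an ID token is compared
    }
    if id_token_claims is not None:
        result["sso_subject_matches"] = id_token_claims.get("oid") == result["external_id"]
    return result

# Constructed sample Entra user; the objectId is a placeholder, not a real identifier.
SAMPLE_ENTRA_USER = {
    "userPrincipalName": "jane.doe@example.com",
    "displayName": "Jane Doe",
    "mail": "jane.doe@example.com",
    "objectId": "00000000-0000-0000-0000-000000000001",
    "IsSoftDeleted": False,
}

if __name__ == "__main__":
    claims = {"oid": SAMPLE_ENTRA_USER["objectId"]}  # what the Entra ID token would carry
    print(apply_provisioning_logic(scim_user_from_entra(SAMPLE_ENTRA_USER), claims))
```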
Group Mapping
Coming Soon
A configuration to map SCIM groups to teams, team roles, and organization roles is coming soon.