
Cloud SCIM User Provisioning with AzureAD Identity Provider

Business Problem

You want to create user accounts in your Infor CloudSuite and authenticate them with your corporate user accounts. If your Identity Provider supports SCIM (System for Cross-domain Identity Management), you can automate user provisioning to the cloud from that Identity Provider.


Requirements

  • Access to an Infor CloudSuite
  • User privileges for Infor Federated Service (IFS) User Management with the following roles:
  • Optional Campus courses:
    • Infor OS: Identity and Access Management Fundamentals Workshop

Tutorial

The Infor Cloud (inforSTS, the Infor Security Token Service) can use the SCIM (System for Cross-domain Identity Management) interface of Microsoft's Azure AD Identity Provider to automate the provisioning, deprovisioning and updating of user accounts. Users then sign in with their corporate accounts and get Single Sign-On (SSO) to the Infor Cloud Portal and enterprise applications.

Azure AD SCIM User Provisioning with Infor CloudSuite Portal

Here are a few documents on configuring Azure AD SCIM with Infor CloudSuite.

SCIM (System for Cross-domain Identity Management) Cloud Portal to AzureAD Configuration

This video shows how to configure Azure AD SCIM to automate the provisioning, deprovisioning and updating of user accounts in the Cloud Portal:

Familiarize yourself with the Infor Security Federation page and the Microsoft Azure SCIM setup procedures.

After following the instructions in the video, you should be able to set up the SCIM connection between the CloudSuite Portal and Microsoft's Azure AD Identity Provider (IdP).

Best Practices

CloudSuite Portal to AzureAD Identity Provider SCIM setup through a Federated Connection

  • Authentication to Infor CloudSuite solutions is accomplished by establishing a federation trust between Infor CloudSuite and the customer's Identity Provider (e.g. Azure AD).
  • The federation supports SAML 2.0 or OpenID Connect.
  • If using Azure AD's OpenID Connect federation, the identity provider has to be externally accessible.
  • If you have multiple authentication sources, up to 5 identity providers can be federated to a single Infor CloudSuite tenant.
  • Infor supports IdP-initiated and SP-initiated SSO and Single Logout (SLO).

Important deployment considerations when federating CloudSuite to AzureAD Identity Provider.

  • If SCIM is not available initially, user provisioning can be handled manually, by file import, or by enabling just-in-time (JIT) provisioning on the federated connection.
  • Custom SCIM attribute mappings may be required, depending on the user attribute requirements of the Azure AD enterprise application.
  • MFA requirements for users authenticating through the Azure federated connection must be configured on the Azure AD identity provider side.
  • Infor cloud identity accounts can be used for guest users that do not exist in the customer's Azure AD.
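To make the SCIM traffic behind the provisioning, deprovisioning and attribute-mapping points above concrete, here is an added example that is not Infor's inforSTS code and does not describe its internals: a minimal in-memory SCIM 2.0 /Users handler in Python, following RFC 7643/7644 semantics, servicing the request shapes an Azure AD provisioning cycle sends (bearer-token authentication, a filter lookup before create, POST to create, PATCH with active=false to deprovision, DELETE). The token value, the user payload and the GUID-style externalId are constructed for the example; the default Azure AD mappings it comments on (userPrincipalName to userName, objectId to externalId, the soft-deleted switch to active) are the defaults Microsoft ships for SCIM apps.

```python
import hmac
import re
import uuid
from urllib.parse import urlsplit, parse_qs

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"


class ScimUserStore:
    """In-memory SCIM 2.0 /Users resource (illustrative, not a production service)."""

    def __init__(self, bearer_token):
        self._token = bearer_token
        self._users = {}  # id -> SCIM User resource

    def handle(self, method, url, headers, body=None):
        """Return (status, json_body) for one request from the provisioning service."""
        auth = headers.get("Authorization", "")
        # Azure AD authenticates with the long-lived secret token pasted into the
        # enterprise app's Provisioning blade; compare it in constant time.
        if not auth.startswith("Bearer ") or not hmac.compare_digest(auth[7:], self._token):
            return 401, self._error(401, "Missing or invalid bearer token")
        parts = urlsplit(url)
        if method == "GET" and parts.path == "/Users":
            return self._search(parse_qs(parts.query).get("filter", [""])[0])
        if method == "POST" and parts.path == "/Users":
            return self._create(body or {})
        m = re.fullmatch(r"/Users/([0-9a-f-]{36})", parts.path)
        if m and m.group(1) in self._users:
            user = self._users[m.group(1)]
            if method == "GET":
                return 200, user
            if method == "PATCH":
                return self._patch(user, body or {})
            if method == "DELETE":  # hard delete; Azure AD normally soft-deletes via active=false first
                del self._users[m.group(1)]
                return 204, None
        return 404, self._error(404, "Resource not found")

    def _search(self, scim_filter):
        # Before each create, Azure AD looks for an existing user with
        # GET /Users?filter=userName eq "alice@contoso.com" (the matching attribute is configurable).
        m = re.fullmatch(r'(userName|externalId) eq "([^"]*)"', scim_filter)
        if not m:
            return 400, self._error(400, "Unsupported filter", "invalidFilter")
        attr, value = m.groups()
        hits = [u for u in self._users.values() if (u.get(attr) or "").lower() == value.lower()]
        return 200, {"schemas": [SCIM_LIST], "totalResults": len(hits),
                     "startIndex": 1, "itemsPerPage": len(hits), "Resources": hits}

    def _create(self, body):
        if SCIM_USER not in body.get("schemas", []) or not body.get("userName"):
            return 400, self._error(400, "core User schema and userName are required", "invalidValue")
        if any(u["userName"].lower() == body["userName"].lower() for u in self._users.values()):
            # 409/uniqueness tells the provisioning service the account already exists
            return 409, self._error(409, "userName already exists", "uniqueness")
        user = {
            "schemas": [SCIM_USER],
            "id": str(uuid.uuid4()),
            "externalId": body.get("externalId"),   # default Azure AD mapping: objectId -> externalId
            "userName": body["userName"],           # default mapping: userPrincipalName -> userName
            "name": body.get("name", {}),
            "emails": body.get("emails", []),
            "active": self._as_bool(body.get("active", True)),  # mapped from the IsSoftDeleted switch
            "meta": {"resourceType": "User"},
        }
        self._users[user["id"]] = user
        return 201, user

    def _patch(self, user, body):
        if SCIM_PATCH not in body.get("schemas", []):
            return 400, self._error(400, "schemas must include PatchOp", "invalidSyntax")
        for op in body.get("Operations", []):
            name = op.get("op", "").lower()  # Azure AD may send "Replace" rather than "replace"
            if name not in ("add", "replace"):
                return 400, self._error(400, "Unsupported op %r" % name, "invalidSyntax")
            # RFC 7644 allows {"path": "active", "value": false} or a path-less
            # {"value": {"active": false}}; accept both (top-level attributes only here).
            changes = {op["path"]: op.get("value")} if "path" in op else dict(op.get("value") or {})
            for attr, value in changes.items():
                if attr in ("id", "schemas"):
                    return 400, self._error(400, attr + " is immutable", "mutability")
                user[attr] = self._as_bool(value) if attr == "active" else value
        return 200, user

    @staticmethod
    def _as_bool(value):
        # Azure AD has historically sent active as the strings "True"/"False"; coerce it
        if isinstance(value, str):
            return value.strip().lower() == "true"
        return bool(value)

    @staticmethod
    def _error(status, detail, scim_type=None):
        err = {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}
        if scim_type:
            err["scimType"] = scim_type
        return err
```

The deprovisioning path is the one to check first when debugging: an unassigned or soft-deleted Azure AD user arrives as a PATCH setting `active` to false (sometimes the string "False"), and the endpoint must answer with the updated resource and a 200 rather than a 4xx, or the provisioning job will retry and eventually quarantine.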