Setting up SCIM with Azure
Written by Kim Giaoui
Updated over a week ago

If you use Azure as your identity provider, please follow this guide to set up the SCIM protocol for your Tomorro organization.

Please note: only an admin can manage these settings on Tomorro.

If you already have a Tomorro application in Azure (for a SAML connection, for example), go straight to step 2.

Step 1 - Create an application on Azure

Log in to your Azure account, then:

  • Go to the Enterprise applications section > Click on the "New application" button

  • Then click on "Create my own application"

  • Choose the name of your application, "Tomorro" for example, and select the "Integrate with any other application" option. Click on "Create".

Step 2 - Configure SCIM settings for the app

  • Go to "Provisioning" in the left-hand menu

  • Copy the information from Tomorro's SCIM integration module and paste it into the corresponding fields in Azure, then test the connection

  • Once tested, save the information

  • A "Mappings" section should then appear below the test button, allowing us to continue with the configuration

Step 3 - Configure user mapping

In this step, we'll update existing mappings, create the mapping to automatically assign Tomorro roles from Azure, and finally remove superfluous fields.

  • Open the user mapping section

1. Setting existing fields

  • Open the attribute whose customappsso is "userName" by clicking on its line

  • Make sure the information is filled in as shown below, in particular that the source attribute is set to "mail", then validate using the "Ok" button in the bottom left-hand corner

  • Also open the attribute whose customappsso is "externalId", and make sure the information is filled in as below, in particular that the source attribute is set to "objectId", then validate via the "Ok" button in the bottom left-hand corner

2. Assigning Tomorro roles via userType

  • To set a Tomorro role (admin, manager, contributor) directly from Azure, you'll need to add a new mapping: click on "Add New Mapping"

  • Fill in all the information as shown below, making sure that the target attribute is userType. The source attribute can be any attribute you use on Azure. We've taken "jobTitle" as an example, but you could also create a dedicated attribute such as "tomorroRole"

  • You can then fill in this attribute value from within Azure to indicate the role to be assigned in Tomorro, either on the user directly or through an assignment to an Azure group. Here's an example of how to fill in the attribute from a user profile for an admin role

  • The values to be entered in the attribute for the various Tomorro roles are as follows:

Azure attribute ➡️ Tomorro role

admin ➡️ Admin

manager ➡️ Manager

user ➡️ Contributor

3. Removing superfluous fields

  • Finally, delete all superfluous attributes using the "Delete" button at the far right of the line, to keep only the 6 attributes whose customappsso is userName, active, name.givenName, name.familyName, externalId and userType, then save using the button at the top left
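
The mapping from step 3, as an added example (not Tomorro's or Microsoft's code): a Python pre-check that builds the six-attribute SCIM user from an Azure user record, then lists who would receive the Admin role and which records carry a value outside the role table. The source fields for active and name.* (accountEnabled, givenName, surname), the record layout and the sample users are assumptions; this guide does not say how Tomorro treats an undocumented userType value, so such records are only flagged for review.

```python
# Added example: preview the SCIM user implied by the step 3 mappings.
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
# Role values from this guide's table (Azure attribute value -> Tomorro role).
ROLE_VALUES = {"admin": "Admin", "manager": "Manager", "user": "Contributor"}

def to_scim_user(azure_user, role_attribute="jobTitle"):
    """Build the six attributes kept in step 3.

    userName, externalId and userType sources follow the guide; the sources
    for active and name.* (accountEnabled, givenName, surname) are assumed.
    """
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": azure_user.get("mail"),
        "externalId": azure_user.get("objectId"),
        "active": bool(azure_user.get("accountEnabled", False)),
        "name": {"givenName": azure_user.get("givenName"),
                 "familyName": azure_user.get("surname")},
        "userType": azure_user.get(role_attribute),
    }

def review(azure_users, role_attribute="jobTitle"):
    """Return (admins, problems) so role grants can be checked before assignment."""
    admins, problems = [], []
    for record in azure_users:
        scim = to_scim_user(record, role_attribute)
        who = scim["userName"] or scim["externalId"]
        if not scim["userName"]:
            problems.append((who, "no mail, so userName would be empty"))
        if scim["userType"] not in ROLE_VALUES:
            problems.append((who, f"userType {scim['userType']!r} is not in the role table"))
        elif scim["userType"] == "admin":
            admins.append(who)
    return admins, problems

# Constructed sample records (not real accounts).
SAMPLE_USERS = [
    {"objectId": "00000000-0000-0000-0000-000000000001", "mail": "alice@example.com",
     "givenName": "Alice", "surname": "Martin", "accountEnabled": True, "jobTitle": "admin"},
    {"objectId": "00000000-0000-0000-0000-000000000002", "mail": "bob@example.com",
     "givenName": "Bob", "surname": "Durand", "accountEnabled": True, "jobTitle": "Legal Counsel"},
    {"objectId": "00000000-0000-0000-0000-000000000003", "mail": None,
     "givenName": "Carol", "surname": "Petit", "accountEnabled": True, "jobTitle": "manager"},
]

if __name__ == "__main__":
    admins, problems = review(SAMPLE_USERS)
    print("Would receive the Admin role:", admins)
    for who, why in problems:
        print("Review before assigning:", who, "-", why)
```

The second sample record shows why a dedicated attribute such as "tomorroRole" is easier to audit than "jobTitle": a real job title is not a role value. Pass role_attribute="tomorroRole" to check that setup instead.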

Step 4 - Enable automatic provisioning

  • Now return to the previous section via the breadcrumb. Then refresh the page if necessary after a few minutes to see the Tomorro application

  • Open the application.

  • Open the "Provisioning" section, then the "Provisioning" section again

  • Activate automatic provisioning, then save

Step 5 - Select the groups and users to be provisioned

  • Open the "Users and groups" section, then select "Add user/group"

  • Open the right-hand pane by clicking on "None selected" under "Users and groups". Then select a first group or test user in the right-hand pane. Save at the bottom of the panel

  • Confirm the operation by clicking on "Assign" in the bottom left-hand corner

  • All users and groups assigned in this way will be provisioned in Tomorro. If provisioning is via a group, the group will be created in Tomorro, and users added to this group

And that's it, the SCIM protocol is now enabled for Tomorro! 🚀


Additional information, our tips!

  • Groups created on Tomorro cannot be back-synchronized with Azure groups. We recommend that you recreate these groups from Azure, then use these new groups provisioned via SCIM to add access to the various Tomorro folders and templates. This is an initial investment that will save you valuable time in the long term, automating more granular access to Tomorro directly from Azure.

  • It may be clearer and more efficient to separate "access" and "role" groups. You could have different groups for your departments, or geographical areas, giving access to certain templates or parts of your contract library, and then have an "Admins" group and a "Managers" group that set the userType attribute.

  • Azure enables particularly precise and complex mappings. If this is important to you, please visit this Microsoft documentation directly.

