Microsoft Entra ID - SCIM Client for Cloud Authentication Service - RSA Ready Implementation Guide

Certified: December 03, 2024
    

Solution Summary

This document describes Microsoft Entra ID integration with RSA Cloud Access Service’s (CAS) Unified Directory using SCIM.
     

Use Case

Microsoft Entra ID will serve as the SCIM client with CAS acting as a SCIM server, providing an endpoint for the SCIM client to connect to.
This integration will allow the administrators of Microsoft Entra ID to synchronize any changes performed to Microsoft Entra ID with the Unified Directory of CAS. Any CRUD operations (create, read, update, and delete) done on the users on the Microsoft side will automatically synchronize to the CAS without any manual intervention needed from the administrator side.
     

Configuration Summary

This section contains instruction steps that show how to configure Microsoft Entra ID with CAS Unified Directory using SCIM.

This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products to install the required components.

All RSA and Microsoft Entra ID components must be installed and working prior to the integration.

         

CAS as a SCIM Server

This section describes how to configure CAS as a SCIM server for Microsoft Entra ID.

    

Configure CAS

Perform these steps to configure CAS as a SCIM server. 
Procedure

  1. Sign in to the RSA Cloud Administration Console and click Users > Identity Sources > Add Identity Source.
  2. On the New Identity Source page, choose Azure Active Directory (SCIM).
     
  3. On the New Identity Source page, choose a name for the Identity Source and add an optional description. Take note of the SCIM Service Provider Base URI and the API Key that will be used in Microsoft Entra to complete the connection.
  4. Save the configuration and click Publish Changes.
              

Microsoft Entra ID as a SCIM Client

This section describes how to configure Microsoft Entra ID as a SCIM client for CAS.

Configure Microsoft Entra ID

Perform these steps to configure Microsoft Entra ID as a SCIM client.
Procedure

  1. Sign in to the Microsoft Entra ID Admin Center and, in the left pane, click Enterprise apps.
  2. On the Browse Microsoft Entra App Gallery page, click Create your own application.
  3. On the Create your own application window, choose a name for the RSA application and choose Non-gallery app.
  4. Click Create.
  5. Once redirected to the application page, in the Getting Started section, choose Provision User Accounts, or navigate back to the newly created application homepage and choose Provisioning.
  6. Choose New configuration.
  7. On the New provisioning configuration page, in the Admin credentials section, enter the SCIM Service Provider Base URI copied in step 3 of the previous section as the Tenant URL.
  8. In the Secret Token field, enter the API Key generated in step 3 of the previous section.
  9. Click Test connection.
     You should get a notification that the test was successful.

  10. Under the Manage section, navigate to Users and groups and assign the users who will be in scope for provisioning between Microsoft Entra ID and RSA.
  11. Once redirected to the provisioning screen, choose Provisioning under Manage in the left pane.
  12. Expand the Mappings section, click Provision Microsoft Entra ID Groups, and set Enabled to No.
  13. Go back to the Mappings section and click Provision Microsoft Entra ID Users.
  14. Enable Provision Microsoft Entra ID Users.
  15. Verify that the Target Object Actions options (Create, Update, and Delete) are selected.
     This allows you to create users, update any of their attributes, and remove them in Microsoft Entra ID, with each change synchronized to CAS.
  16. In the Attribute Mapping section at the bottom of the page, map the attributes as shown in the following figure and click Save.
     Click Edit or Delete for each attribute to edit or delete it. You can create new mappings between Entra ID and RSA.
  17. Go back to the Provisioning page and make sure the Provisioning Status is turned on at the bottom of the page.
  18. By default, any changes made to users in Microsoft Entra ID are automatically synchronized with CAS every 40 minutes. If you need changes to take effect immediately, select Provision on demand in the left pane and enter the name of the user you want to sync. Ensure that the users you wish to synchronize are included on the Users and groups tab.

The configuration is complete.
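The following is an added example, not code from RSA, Microsoft or this guide. It models the exchange described in the Use Case and in the procedure above: Microsoft Entra ID, as the SCIM client, maps a directory user to a SCIM 2.0 User resource and sends create, update (disable) and delete requests to a SCIM server that checks the API Key as a bearer token before touching any data. The Entra-to-SCIM attribute mapping, the API Key value and the sample user are assumptions or constructed data (the guide's mapping figure is not reproduced here); the in-memory server only stands in for the CAS endpoint so the sequence can be run offline.

```python
"""Added example (not part of the RSA guide): a minimal in-memory SCIM 2.0
server standing in for the CAS endpoint, plus the client-side mapping of a
Microsoft Entra ID user to a SCIM User. Attribute mapping, API Key and the
sample user are assumptions/constructed data, not values from the guide."""
import hmac
import json
import re
import uuid
from urllib.parse import unquote

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"

# Constructed stand-in for the API Key shown on the CAS New Identity Source page.
API_KEY = "example-api-key-from-cas-console"

# Assumed mapping (Entra attribute -> SCIM path); the guide's figure is not reproduced.
ENTRA_TO_SCIM = {
    "userPrincipalName": "userName",
    "givenName": "name.givenName",
    "surname": "name.familyName",
    "mail": "emails[type eq \"work\"].value",
    "accountEnabled": "active",
}


def entra_user_to_scim(entra_user):
    """Client side: build the SCIM User body the client would POST, per the assumed mapping."""
    body = {"schemas": [SCIM_USER]}
    for src, dst in ENTRA_TO_SCIM.items():
        if src not in entra_user:
            continue
        value = entra_user[src]
        if dst.startswith("name."):
            body.setdefault("name", {})[dst.split(".", 1)[1]] = value
        elif dst.startswith("emails"):
            body["emails"] = [{"type": "work", "primary": True, "value": value}]
        else:
            body[dst] = value
    return body


class ScimServer:
    """Server side: tiny stand-in for the CAS SCIM endpoint with an in-memory user store."""

    def __init__(self, api_key):
        self.api_key = api_key
        self.users = {}

    def _error(self, status, detail):
        return status, {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}

    def handle(self, method, path, headers, body=None):
        # Constant-time check of the Secret Token; reject before reading or writing any data.
        token = headers.get("Authorization", "")
        if not token.startswith("Bearer ") or not hmac.compare_digest(token[7:], self.api_key):
            return self._error(401, "invalid or missing bearer token")
        body = body or {}
        base, _, query = path.partition("?")
        if method == "GET" and base == "/Users":
            return self._list(unquote(query))
        if method == "POST" and base == "/Users":
            return self._create(body)
        m = re.fullmatch(r"/Users/([0-9a-f-]+)", base)
        if m and m.group(1) in self.users:
            uid = m.group(1)
            if method == "GET":
                return 200, self.users[uid]
            if method == "PATCH":
                return self._patch(uid, body)
            if method == "DELETE":
                del self.users[uid]
                return 204, None
        return self._error(404, "resource not found")

    def _list(self, query):
        # The client looks up an existing user with filter=userName eq "value" before creating.
        m = re.fullmatch(r'filter=userName eq "([^"]+)"', query)
        found = [u for u in self.users.values() if m and u["userName"] == m.group(1)]
        return 200, {"schemas": [SCIM_LIST], "totalResults": len(found), "Resources": found}

    def _create(self, body):
        if body.get("userName") is None:
            return self._error(400, "userName is required")
        if any(u["userName"] == body["userName"] for u in self.users.values()):
            return self._error(409, "userName already exists")
        user = dict(body, id=str(uuid.uuid4()))
        self.users[user["id"]] = user
        return 201, user

    def _patch(self, uid, body):
        # Disabling a user arrives as a PATCH that replaces `active`; only that path is handled here.
        for op in body.get("Operations", []):
            if op.get("op", "").lower() == "replace" and op.get("path") == "active":
                self.users[uid]["active"] = str(op.get("value")).lower() == "true"
        return 200, self.users[uid]


def run_provisioning_cycle():
    """Drive the server through the create / disable / delete cycle; returns status codes seen."""
    server = ScimServer(API_KEY)
    hdrs = {"Authorization": "Bearer " + API_KEY}
    entra_user = {"userPrincipalName": "jdoe@example.com", "givenName": "Jane",  # constructed
                  "surname": "Doe", "mail": "jdoe@example.com", "accountEnabled": True}
    r = {"bad_token": server.handle("GET", "/Users", {"Authorization": "Bearer wrong"})[0]}
    r["create"], created = server.handle("POST", "/Users", hdrs, entra_user_to_scim(entra_user))
    r["dup"] = server.handle("POST", "/Users", hdrs, entra_user_to_scim(entra_user))[0]
    r["lookup_hits"] = server.handle("GET", '/Users?filter=userName eq "jdoe@example.com"', hdrs)[1]["totalResults"]
    patch = {"Operations": [{"op": "Replace", "path": "active", "value": "False"}]}
    r["disabled_active"] = server.handle("PATCH", "/Users/" + created["id"], hdrs, patch)[1]["active"]
    r["delete"] = server.handle("DELETE", "/Users/" + created["id"], hdrs)[0]
    r["gone"] = server.handle("GET", "/Users/" + created["id"], hdrs)[0]
    return r


if __name__ == "__main__":
    print(json.dumps(run_provisioning_cycle(), indent=2))
```

Running the module prints the status of each step: 401 for a wrong token, 201 for the create, 409 for a duplicate userName, one hit on the pre-create lookup, active set to false by the PATCH, 204 for the delete and 404 afterwards. The bearer check uses hmac.compare_digest so that the API Key comparison does not leak timing information, and the duplicate-userName check mirrors why the client queries by userName before it creates.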

                   

RSA Terminology Changes

The following table describes the differences in the terminologies used in the different versions of RSA products and components.

Previous Version              | New Version             | Examples/Comments
Cloud Authentication Service  | Cloud Access Service    |
Token                         | OTP Credential          | SecurID OTP Credential
Authenticator                 | Hardware Authenticator  |
Tokencode                     | OTP                     | SecurID OTP, SMS OTP, Voice OTP
Access Code                   | Emergency Access Code   |
SecurID Authenticate app      | RSA Authenticator app   | RSA Authenticator app for iOS and Android, RSA Authenticator app for Windows
Device                        | Authenticator           | Register an authenticator
Company ID                    | Organization ID         |
Account                       | Credential              |
Device Serial Number          | Binding ID              |

                  

Certification Details

CAS
Microsoft Entra ID

Known Issues

No known issues.