This article explains how to use the Azure SCIM app to automatically sync user and group information, and provision users and groups from Azure AD to your Cato account.
- Create and disable users in the Cato Management Application
- Synchronize users and attributes from Azure AD to the Cato Management Application
- Single Sign-On (SSO) to Azure
- Users can authenticate with email or UPN, depending on your Azure configuration.
Make sure that these items are ready before you create the Azure SCIM app:
- An Azure AD tenant
- Azure AD permissions to configure user provisioning
- Removing a user from the IdP application disables the user in the Cato Management Application (see Removing Users or Groups from the SCIM App below)
- For accounts that use LDAP sync for users, this sync is disabled for your account when you enable SCIM provisioning.
  - LDAP sync for User Awareness continues to work as usual and isn't impacted by SCIM provisioning.
- Nested group provisioning is not supported
- SCIM sync overrides existing LDAP groups with the same name. For more information, see How SCIM Sync Overrides Existing LDAP Groups
- SCIM-provisioned users are not identified with WMI-based User Awareness. User Awareness with SCIM is supported using the Cato Identity Agent
- On-demand provisioning does not support assigning users to a user group
This section describes how to plan the Azure AD user sync with your Cato account. For more about planning the user sync between Azure and Cato, see these Microsoft articles:
Azure AD lets you define the users that are included in the user sync with Cato according to one of these methods:
- Assigning users to the Azure app
- Filtering users based on the attributes for users or groups
As part of the process to plan the user sync with Cato, we recommend that you start with a small group of users. Depending on the method above, you can:
- Assign a few users to the Azure app
- Create an attribute-based scoping filter that only matches a few users
You can connect your Azure AD to your Cato account and sync users between them. Add the Cato SCIM app in the Azure gallery to your account and then configure the settings to connect to your Cato account. Azure initiates the automatic user sync every 40 minutes.
Then you can define the Azure AD groups and users that are synced and enable automatic provisioning.
The status of users in your Identity Provider (IdP) is automatically synced to your Cato account. For example, when you disable users in the IdP, they are synced to your Cato account as disabled.
Configure the settings for the Cato SCIM app from the Azure gallery and then set the app to automatically sync users to Cato.
In the Cato Management Application, enable SCIM Provisioning and copy the URL and token to the Admin Credentials section in the Cato SCIM app.
To connect the Cato Management Application to the SCIM app:
- From the Azure portal, go to Enterprise Applications.
- Search for the Cato Networks Provisioning app and click Create.
- In the Cato Management Application, from the navigation menu select Access > Directory Services and click the SCIM tab.
- Select Enable SCIM Provisioning to set your account to connect to the SCIM app.
- Click Save.
- Copy and paste the SCIM URL and token to a blank text file.
  - In Base URL, click the copy icon to copy the SCIM URL to the clipboard and then paste it in the text file.
  - In Bearer Token, click the copy icon to copy the unique account token to the clipboard and then paste it in the text file.
- In Azure, go to the Provisioning section for the SCIM app, and paste the SCIM URL and token.
  - Paste the URL in Tenant URL.
  - Paste the token in Secret Token.
  - Click Save.
- In Azure, click Test Connection to make sure that Azure AD can connect to the Cato SCIM app.
- Enable automatic provisioning in the app.
  - From the navigation menu, select Provisioning.
  - In the Provisioning screen, click Get started.
  - From the Provisioning Mode drop-down menu, select Automatic.
  - Click Save.
- Assign groups and users to the app.
After the Cato SCIM app can connect to your account, enable automatic provisioning and select the users and groups that are synced.
After you configure the Cato SCIM app, you can review the mapping for the SCIM provisioning attributes between Azure AD and the Cato Management Application.
Azure AD Attribute | Cato User Attribute | Notes about User
---|---|---
userPrincipalName | userName | User name for user
Coalesce([mail], [userPrincipalName]) | emails[type eq "work"].value | Email address
givenName | name.givenName | First name
surname | name.familyName | Last name
telephoneNumber | phoneNumbers[type eq "work"].value | Phone number (including prefix)
objectId | externalId | ID for user (used in events)
Switch([IsSoftDeleted], , "False", "True", "True", "False") | active | When a user is unassigned from the SCIM app, the user is soft deleted with the parameters: "False", "True", "True", "False"
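To see what the mapping table above produces for one user, the following added example (not Cato's or Microsoft's code) applies each row to a constructed Azure AD user record and builds the resulting SCIM 2.0 User resource. It assumes Azure's Coalesce() returns the first non-empty argument and Switch(source, default, key1, value1, ...) returns the value paired with the matching key; the user record, object ID and contact details are constructed sample values.

```python
import json

# Assumed semantics (not from the article): Azure Coalesce() returns the first
# non-empty argument; Switch(source, default, k1, v1, k2, v2, ...) returns the
# value paired with the key equal to source, or default when none matches.
def coalesce(*values):
    return next((v for v in values if v), None)

def switch(source, default, *pairs):
    return dict(zip(pairs[0::2], pairs[1::2])).get(source, default)

def to_scim_user(azure_user):
    """Apply the article's attribute mapping table to one Azure AD user."""
    upn = azure_user["userPrincipalName"]
    # Switch([IsSoftDeleted], , "False", "True", "True", "False") from the table:
    # a soft-deleted (unassigned) user maps to active "False"
    active = switch(azure_user.get("IsSoftDeleted"), None,
                    "False", "True", "True", "False")
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "externalId": azure_user["objectId"],           # objectId -> externalId
        "userName": upn,                                # userPrincipalName -> userName
        "name": {"givenName": azure_user.get("givenName"),
                 "familyName": azure_user.get("surname")},
        # Coalesce([mail], [userPrincipalName]) -> emails[type eq "work"].value
        "emails": [{"type": "work", "value": coalesce(azure_user.get("mail"), upn)}],
        "phoneNumbers": [{"type": "work", "value": azure_user.get("telephoneNumber")}],
        "active": active == "True",                     # SCIM active is a boolean
    }

# Constructed sample: a soft-deleted user whose mail attribute is empty, so the
# email falls back to the UPN and the account is provisioned as disabled
SAMPLE_AZURE_USER = {
    "objectId": "00000000-0000-0000-0000-000000000001",  # placeholder, not a real id
    "userPrincipalName": "jdoe@example.com",
    "mail": None,
    "givenName": "Jane",
    "surname": "Doe",
    "telephoneNumber": "+1 555 0100",
    "IsSoftDeleted": "True",
}

if __name__ == "__main__":
    print(json.dumps(to_scim_user(SAMPLE_AZURE_USER), indent=2))
```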
In the IdP, define the groups and users that are synced to your Cato account. After the initial sync is completed, all users are then created in the Cato Management Application and visible on the Users Directory page.
You can then assign SDP licenses to users. For more information, see Assigning SDP Licenses to Users.
The Cato Management Application generates events whenever users and groups are blocked because they fail to meet the requirements of the Client Connectivity Policy.
Each hour, the Cato Management Application sends email alerts that summarize the SCIM provisioning actions (success or failure).
The following table explains the different events.
Event Type | Action | Description
---|---|---
SCIM Provisioning | Success | The action to sync the users or groups to your account with the SCIM app succeeded.
SCIM Provisioning | Failure | The SCIM app failed to sync the IdP with your account. The event message explains the reason for the sync failure.
SCIM Provisioning | Disabled | A disabled user in the IdP was successfully synced and disabled in your Cato account.