SCIM Provisioning with Azure

This article explains how to use the Azure SCIM app to automatically sync user and group information, and provision users and groups from Azure AD to your Cato account.

Capabilities Supported

  • Create and disable SDP users in the Cato Management Application

  • Synchronize SDP users and attributes from Azure AD to the Cato Management Application

  • Single Sign-On (SSO) to Azure


Make sure that these items are ready before you create the Azure SCIM app:

  • An Azure AD tenant

  • Azure AD permissions to configure user provisioning

  • Every user provisioned with the Cato SCIM app, must have an SDP user license available in the Cato Management Application.

  • The following fields are mandatory and must be configured for each user (otherwise, the SCIM app can have errors when provisioning the users to your account):

    • Name

    • First name

    • Last name

    • User Principal Name

    • User type

    • Object ID

    • Email


  • Removing a user from the IdP application disables the SDP user in the Cato Management Application (see below Removing SDP Users or Groups from the SCIM App)

  • For accounts that use LDAP sync for SDP users, when you enable SCIM provisioning, this sync is disabled for your account.

    • LDAP sync for User Awareness continues to work regularly and isn't impacted by SCIM provisioning.

  • Nested groups provisioning are not supported
  • SCIM sync overrides existing LDAP groups with the same name. For more information, see How SCIM Sync Overrides Existing LDAP Groups

  • SCIM provisioned users are not identified with WMI-based User Awareness. User Awareness with SCIM is supported using Cato Identity Agent
  • On demand provisioning does not support assigning users to a user group  

Planning the SDP User Sync

This section describes how to plan your Azure AD to sync SDP users with your Cato account. For more about planning the SDP user sync between Azure and Cato, see these Microsoft articles:

Defining Users and Groups for the SDP User Sync

Azure AD lets you define the users that are included in the SDP user sync with Cato according to one of these methods:

  • Assigning users to the Azure app

  • Filtering users based on the attributes for users or groups

As part of the process to plan the SDP user sync with Cato, we recommend that you start with a small group of users. Depending on the method above, you can:

  • Assign a few users to the Azure app

  • Create an attribute based scoping filter that only matches a few users

Configuring Automatic SDP User Sync to Cato with the Cato SCIM App

You can connect your Azure AD to your Cato account and sync SDP users between them. Add the Cato SCIM app in the Azure gallery to your account and then configure the settings to connect to your Cato account. Azure initiates the automatic SDP user sync every 40 minutes.

Then you can define the Azure AD groups and users that are synced and enable automatic provisioning.

The status of users in your Identity Provider (IdP) are automatically synced to your Cato account. For example, when you disable users in the IdP, they are synced to your Cato account as disabled.

Configuring the Cato SCIM App

Configure the settings for the Cato SCIM app from the Azure gallery and then set the app to automatically sync SDP users to Cato.

In the Cato Management Application, enable SCIM Provisioning and copy the URL and token to the Admin Credentials section in the Cato SCIM app.

To connect Cato Management Application to the SCIM app:

  1. From the Azure portal, go to Enterprise Applications.

  2. Search for the Cato Networks Provisioning app and click Create.

  3. In the Cato Management Application, from the navigation menu select Access > Directory Services and click the SCIM section/tab.

  4. Select Enable SCIM Provisioning to set your account to connect to the SCIM app.

  5. Click Save.

  6. Copy and paste the SCIM URL and token to blank text file.

    1. In Base URL, click the copy icon copy.png to copy the SCIM URL to the clipboard and then paste it in the text file.

    2. In Bearer Token, click the copy icon copy.png to copy the unique account token to the clipboard and then paste it in the text file.

  7. In Azure, go to the Provisioning section for the SCIM app, and paste the SCIM URL and token.

    1. Paste the URL in Tenant URL.

    2. Paste the token in Secret Token.

    3. Click Save.

  8. In Azure, click Test Connection to make sure that Azure AD can connect to the Cato SCIM app.

  9. Enable automatic provisioning in the app.

    1. From the navigation menu, select Provisioning.

    2. In the Provisioning screen, click Get started.

    3. From the Provisioning Mode drop-down menu, select Automatic.

    4. Click Save.

  10. Assign groups and users to the app.

Provisioning SDP Users to Your Cato Account

After the Cato SCIM app can connect to your account, enable automatic provisioning and select the users and groups that are synced.


Note: Before you start provisioning users to your account with the Cato SCIM app, make sure that:

  • The fields in Prerequisites above are configured for each user

  • There are enough SDP licenses available in your account for each user. The sync can fail when there aren't enough user licenses available.

To provision SDP users to your Cato account:

  1. In the Cato SCIM app, go to the Provisioning section.

  2. In Provisioning Status, click Start provisioning.


    The initial synchronization between your Azure AD and Cato account starts.

Reviewing the SCIM Provisioning Attributes

After you configure the Cato SCIM app, you can review the mapping for the SCIM provisioning attributes between Azure AD and the Cato Management Application.

Azure AD Attribute

Cato SDP User Attribute

Notes about SDP User



User name for SDP user

Coalesce([mail], [userPrincipalName])

emails[type eq "work"].value

Email address



First name



Last name


phoneNumbers[type eq "work"].value

Phone number (including prefix)



ID for SDP user (used in events)

Switch([IsSoftDeleted], , "False", "True", "True", "False")


When a user is unassigned from the SCIM app, the user is soft deleted with the parameters: "False", "True", "True", "False"

Understanding Events for SCIM Provisioning

The Cato Management Application generates events whenever users and groups are blocked because they fail to meet the requirements of the Client Connectivity Policy.

Each hour, the Cato Management Application sends email alerts that summarize the SCIM provisioning actions (success or failure).

The following table explains the different events.

Event Type



SCIM Provisioning


The action to sync the users or groups to your account with the SCIM app succeeded.

SCIM Provisioning


The SCIM app failed to sync the IdP with your account. The event message explains the reason for the sync failure.

The SCIM app can fail to sync users and groups when there aren't enough user licenses available.

SCIM Provisioning


A disabled user in the IdP was successfully synced and disabled in your Cato account.

Was this article helpful?


Add your comment