Entra Provisioning for Ignite

How to set up Entra Provisioning for Ignite

Ignite supports user provisioning using the SCIM standard. This enables customers to sync users and roles between Entra ID (formerly Azure AD) and Ignite, using Entra as the source of truth. More information from Microsoft about user provisioning in Entra can be found here: What is app provisioning in Entra Active Directory?

This article explains how you set up a custom application for user provisioning. You also need to add Ignite’s Entra ID app to log in using Microsoft.

1. Log into your company’s Entra account.

⚠️ Note: You need to be an Entra admin in order to do the following steps.

1.1 Create a new Application in Entra ID

  • Browse to Entra Active Directory > Enterprise applications.

  • Select + New application > + Create your own application.

  • Enter a fitting name for your application (e.g. "Ignite SCIM Provisioning"), choose the option "Integrate any other application you don't find in the gallery" and select Add to create an app object. The new app is added to the list of enterprise applications and opens to its app management screen.

In the new enterprise application, select Provisioning.

  • Select Get started.

  • Select Automatic for the provisioning mode.

1.2 Generate or grab an API Token from Ignite

Note: You will need to be an Admin on your Ignite workspace to complete this step.

  • In Ignite navigate to Settings -> API Tokens.

  • Create a new API token and set its role as Admin - you will need to have the Admin role to complete this step.

  • Copy the API token.

1.3 Enter Admin Credential in the Entra Application

1.4 Set up Entra Mapping

Open the Mapping tab.

  • Click "Provision Entra Active Directory Groups" and toggle Enabled to "No".

  • Save.

  • Click "Provision Entra Active Directory Users"

  • Toggle "Show advanced options"

  • "Edit attribute list for customappsso"

  • Add "roles" to the list with the following values:

    • type=string

    • required=true

    • multi-value=true

  • For the attribute "active", set required=true.

Exit the attribute list

  • Click "Add new mapping".

  • Set the mapping type to "Expression".

  • In the expression field, enter "AppRoleAssignmentsComplex([appRoleAssignments])".

Create a new mapping from objectId to externalId

Your attribute mapping should look like this. Make sure to delete the mappings not in the screenshot:

In Entra, navigate to App registrations and open the app registration with the same name as the enterprise application you created earlier. In the left sidebar, navigate to "App roles" and create the following roles:

Navigate back to the enterprise application "Ignite SCIM Provisioning" and add users with roles.

  • Click "Start provisioning".

Users and roles will now be synced between Entra and Ignite every 40 minutes.

Provisioning can be tested by provisioning a user manually: click "Provision on demand".
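When reviewing what "Provision on demand" sent, the attribute rules from step 1.4 (roles required and multi-valued, active required, externalId taken from objectId) can be checked mechanically. The following Python is an added example, not code from Ignite or Microsoft: the sample payload, the role names in ALLOWED_ROLES and the function names are constructed, and role entries are assumed to arrive either as plain strings or as objects with a "value" field.

```python
import json

# Constructed sample of a SCIM user body; not captured from Entra or Ignite.
SAMPLE_USER = json.loads("""
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "externalId": "00000000-0000-0000-0000-000000000001",
  "userName": "alice@example.com",
  "active": true,
  "roles": [{"primary": false, "display": "Admin", "value": "Admin"}]
}
""")

# Placeholder role names; use the app roles defined in your app registration.
ALLOWED_ROLES = {"Admin", "ExampleRole"}


def role_values(user):
    """Return role names, accepting plain strings or objects with a "value" key."""
    raw = user.get("roles")
    names = []
    for entry in raw if isinstance(raw, list) else []:
        value = entry.get("value") if isinstance(entry, dict) else entry
        if isinstance(value, str) and value.strip():
            names.append(value.strip())
    return names


def check_user(user, allowed_roles=ALLOWED_ROLES):
    """List the ways a payload breaks the attribute rules set in step 1.4."""
    problems = []
    if not isinstance(user.get("active"), bool):
        problems.append("active: required, must be a boolean")
    if not isinstance(user.get("externalId"), str) or not user["externalId"]:
        problems.append("externalId: missing, should carry the Entra objectId")
    raw = user.get("roles")
    roles = role_values(user)
    if not roles:
        problems.append("roles: required, at least one value expected")
    elif len(roles) != len(raw):
        problems.append("roles: an entry has no usable value")
    unknown = sorted(set(roles) - set(allowed_roles))
    if unknown:
        problems.append("roles: not defined as app roles: " + ", ".join(unknown))
    return problems


if __name__ == "__main__":
    print(check_user(SAMPLE_USER) or "payload matches the configured mapping")
```

A role name reported as "not defined as app roles" means a user was assigned a role in Entra that the receiving side does not expect, which is worth resolving before starting the scheduled sync.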