Azure AD SCIM Integration

System for Cross-domain Identity Management (SCIM) can be used to automatically provision and de-provision members and groups in your Bitwarden organization from your identity provider.

Note

SCIM integrations are available for Enterprise organizations. Teams organizations, or customers not using a SCIM-compatible identity provider, may consider using Directory Connector as an alternative means of provisioning.

This article will help you configure a SCIM integration with Azure AD. Configuration involves working simultaneously in the Bitwarden web vault and the Azure Portal. As you proceed, we recommend having both readily available and completing the steps in the order they are documented.

Enable SCIM

Note

Are you self-hosting Bitwarden? If so, complete these steps to enable SCIM for your server before proceeding.

To start your SCIM integration, open your organization's Settings → SCIM Provisioning page:

SCIM Provisioning

Select the Enable SCIM checkbox and take note of your SCIM URL and SCIM API Key. You will need both values in a later step. The SCIM API Key is the bearer secret that authenticates Azure AD to your organization's SCIM endpoint: treat it like a password, store it only in the Azure provisioning configuration, and rotate it if it is ever exposed.

Create an enterprise application

tip

If you are already using this IdP for Login with SSO, open that existing enterprise application and skip ahead to Enable provisioning. Otherwise, proceed with this section to create a new application.

In the Azure Portal, navigate to Azure Active Directory and select Enterprise applications from the navigation menu:

Enterprise applications

Select the New application button:

Create new application

On the Browse Azure AD Gallery screen, select the Create your own application button:

Create your own application

On the Create your own application screen, give the application a unique, Bitwarden-specific name and select the Create button.

Enable provisioning

Select Provisioning from the navigation and complete the following steps:

Select Provisioning
  1. Select the Get started button.

  2. Select Automatic from the Provisioning Mode dropdown menu.

  3. Enter your SCIM URL (from the Bitwarden SCIM Provisioning page) in the Tenant URL field.

  4. Enter your SCIM API Key (from the same page) in the Secret Token field. Azure AD sends this value as the bearer token on every SCIM request.

  5. Select the Test Connection button.

  6. If the connection test succeeds, select the Save button. If it fails, re-check the Tenant URL for a trailing path or typo and confirm that Enable SCIM is still checked in Bitwarden before retrying.

Mappings

Bitwarden uses standard SCIM v2 attribute names, which may differ from the Azure AD attribute names. The default mappings work as shipped, but you can use this section to make changes if you wish. Bitwarden uses the following properties for users and groups:

User mapping

Bitwarden attribute      Default AAD attribute
-----------------------  ------------------------------------------------------------
active                   Switch([IsSoftDeleted], , "False", "True", "True", "False")
emailsª or userName      mail or userPrincipalName
displayName              displayName
externalId               mailNickname

ª Because SCIM allows users to have multiple email addresses, expressed as an array of objects, Bitwarden uses the value of the object that contains "primary": true.

Group mapping

Bitwarden attribute      Default AAD attribute
-----------------------  ------------------------------------------------------------
displayName              displayName
members                  members
externalId               objectId
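The following is an added example, not code from Bitwarden or Microsoft. It shows what the two mapping tables above look like on the wire: a SCIM v2 User and Group resource of the shape Azure AD sends with the default mappings, the "primary": true rule for selecting the email, and the PatchOp Azure AD uses to de-provision a user (it replaces active rather than deleting the resource). The payloads, identities, ids and domain are constructed for the example; the tolerance for "True"/"False" strings reflects a behaviour of Azure AD PATCH requests that you may encounter, and the patch helper handles only simple top-level paths.

```python
# Added example (not Bitwarden's or Microsoft's code): how a SCIM service
# provider reduces the User and Group resources Azure AD sends to the
# attributes in the mapping tables above, including the "primary": true
# rule for emails. All sample payloads are constructed; the identities,
# ids and domain in them are invented.
from typing import Any, Dict, List, Optional

# Constructed SCIM v2 User as Azure AD would POST it with the default
# mappings: mail -> emails, userPrincipalName -> userName,
# mailNickname -> externalId. userName and the primary email differ on
# purpose so the selection rule is visible.
SAMPLE_USER: Dict[str, Any] = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "externalId": "jdoe",
    "userName": "jdoe@example.com",
    "active": True,
    "displayName": "Jane Doe",
    "emails": [
        {"value": "jane.alias@example.com", "type": "other", "primary": False},
        {"value": "jane.doe@example.com", "type": "work", "primary": True},
    ],
}

# Constructed SCIM v2 Group; externalId carries the AAD objectId (invented).
SAMPLE_GROUP: Dict[str, Any] = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
    "externalId": "1f0c2e0a-1111-2222-3333-444455556666",
    "displayName": "Security Engineering",
    "members": [{"value": "user-id-001"}, {"value": "user-id-002"}],
}

# Constructed PatchOp of the shape Azure AD uses to de-provision: it does
# not DELETE the user, it replaces `active`. Azure AD may send the boolean
# as the string "False", which the code below tolerates.
DEPROVISION_PATCH: Dict[str, Any] = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [{"op": "Replace", "path": "active", "value": "False"}],
}


def primary_email(user: Dict[str, Any]) -> Optional[str]:
    """Return the address Bitwarden would use: the emails[] entry marked
    "primary": true, or userName when no entry is marked primary."""
    for entry in user.get("emails") or []:
        if entry.get("primary") is True and entry.get("value"):
            return entry["value"]
    return user.get("userName")


def as_bool(value: Any) -> bool:
    """Normalise `active`: it should be a JSON boolean (derived by Azure from
    Switch([IsSoftDeleted], ...)) but may arrive as the string "True"/"False"."""
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)


def bitwarden_user_view(user: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce a SCIM User to the four attributes from the user mapping table."""
    return {
        "active": as_bool(user.get("active")),
        "email": primary_email(user),
        "displayName": user.get("displayName"),
        "externalId": user.get("externalId"),
    }


def bitwarden_group_view(group: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce a SCIM Group to displayName, externalId and member ids."""
    members: List[str] = [m["value"] for m in group.get("members") or [] if "value" in m]
    return {
        "displayName": group.get("displayName"),
        "externalId": group.get("externalId"),
        "members": members,
    }


def apply_patch(resource: Dict[str, Any], patch: Dict[str, Any]) -> Dict[str, Any]:
    """Apply a SCIM PatchOp containing simple top-level `replace` paths (the
    shape Azure AD uses for `active`). Filtered paths such as
    emails[type eq "work"].value are out of scope here and are left untouched.
    The input resource is not mutated."""
    updated = dict(resource)
    for op in patch.get("Operations", []):
        path = op.get("path") or ""
        if op.get("op", "").lower() == "replace" and path and "[" not in path:
            updated[path] = op.get("value")
    return updated


if __name__ == "__main__":
    print(bitwarden_user_view(SAMPLE_USER))
    print(bitwarden_group_view(SAMPLE_GROUP))
    print(bitwarden_user_view(apply_patch(SAMPLE_USER, DEPROVISION_PATCH)))
```

The point to take from the de-provisioning case is that a user removed from the assigned group, or soft-deleted in Azure AD, shows up at the SCIM endpoint as active=false, not as a DELETE; anything you build or audit around the integration (for example, log review of the provisioning job) should treat that PATCH as the removal event.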

Settings

Under the Settings dropdown, choose:

  • Whether to send an email notification when a failure occurs and, if so, the address to send it to (recommended, so that a broken provisioning job is noticed rather than silently leaving users un-provisioned or un-revoked).

  • Whether to sync only assigned users and groups or sync all users and groups. If you choose to sync all users and groups, skip the next step.

Assign users and groups

Complete this step if you selected Sync only assigned users and groups in the provisioning settings. Select Users and groups from the navigation:

Enterprise application users and groups

Select the Add user/group button to assign access to the SCIM application on a user or group level. Users and groups added here will be invited to Bitwarden when SCIM provisioning begins.

Start provisioning

Once the application is fully configured, start provisioning by selecting the Start provisioning button on the enterprise application's Provisioning page:

Start provisioning

Finish user onboarding

Now that your users have been provisioned, they will receive invitations to join the organization. Instruct your users to accept the invitation and, once they have, confirm them into the organization.

Note

The Invite → Accept → Confirm workflow facilitates the decryption key handshake that allows users to securely access organization vault data.


© 2022 Bitwarden, Inc.