Introduction
Microsoft Entra ID (formerly Azure AD) is an identity provider that offers Single Sign-On (SSO) functionality. If your company has added SSO to its ModernLoop plan, you can manage login access to ModernLoop and maintain consistent security across your organization through your Microsoft Entra ID system.
Using SCIM allows you to proactively remove users from ModernLoop when you delete them in your user directory. For steps to set up SSO for Azure, see Azure Single Sign-on (SAML).
In this article
- Enabling SCIM
- Manage ModernLoop Role Assignment using SCIM (using Microsoft Entra ID)
- SCIM Attributes
Enabling SCIM
- Navigate to http://portal.azure.com and log in as an administrator
- Navigate to the previously created Enterprise Application
- Access the Provisioning tab within the application settings
- Click on the Get Started button
- In the Provisioning Mode field, select Automatic
- Copy and paste the following Tenant URL:
https://mloop.prod.modernloop.io/org/scim/v2
- Copy and paste the secret token provided by your ModernLoop CSM in the Secret Token field
- Click Save
Manage ModernLoop Role Assignment using SCIM (using Microsoft Entra ID)
- Go to "App Registrations" and select the SAML application you created for ModernLoop.
- Navigate to the App Roles section.
- Create a new App Role named ML_ADMIN.
- Set the Allowed member types to "Users/Groups".
- Set the Value to "ADMIN".
- Add a description.
- Click Apply to save the app role.
- Repeat this process for additional ModernLoop roles, such as SCHEDULER and INTERVIEWER.
SCIM Attributes
The following properties passed by Microsoft Entra ID, if provided, are mapped directly to the ModernLoop SCIMUser object and stored in the ModernLoop database. The minimum required attributes are familyName, givenName, emails, and modernloopRole.
- userName: mapped directly to 'userName' property coming from SCIM
- name: mapped directly to 'name' property coming from SCIM
- familyName: The family name of the User, or last name in most Western languages (e.g., "Jensen" given the full name "Ms. Barbara Jane Jensen, III").
- givenName: The given name of the User, or first name in most Western languages (e.g., "Barbara" given the full name "Ms. Barbara Jane Jensen, III").
- emails: mapped directly to 'emails' multivalued property coming from SCIM
- displayName: mapped directly to 'displayName' property coming from SCIM
- locale: mapped directly to 'locale' property coming from SCIM
- active: mapped directly to 'active' property coming from SCIM. Denotes whether the user is active (true) or inactive (false)
- modernloopRole: this is a custom property to map to ModernLoop roles - INTERVIEWER/SCHEDULER/ADMIN
Create a custom attribute
You must enable the creation of custom attributes for the SAML Application on Azure AD / Entra ID.
- Open the SAML Enterprise App.
- Navigate to the Provisioning section.
- Click Edit attribute mappings.
- Ensure the Tenant URL and Secret Token are working by entering the correct values and clicking Test Connection.
- Expand the Mappings section and select Provision Microsoft Entra ID Users.
- Scroll to the bottom of the page and select Show advanced options.
- Select Edit attribute list for custom SSO app. If these options are not available to you, open the Azure portal using the following URL: Azure AD portal with schema full enabled.
- Add a custom attribute called urn:ietf:params:scim:schemas:extension:modernloop:enterprise:2.0:User:modernloopRole and set the data type to string.
- Save the new configuration and click Save then Yes.
Map custom attributes to App roles using expression language
- Navigate to your Enterprise SAML Application > Provisioning
- Click on Edit Attribute Mapping
- Expand “Mappings” section and click on Provision Microsoft Entra ID Users
- Click Add New Mapping to add a new mapping for the ModernLoop Role parameter
- Set the Mapping Type to "Expression"
- Add the following Expression:
Switch(SingleAppRoleAssignment([appRoleAssignments]), "", "ML_ADMIN", "ADMIN", "ML_SCHEDULER", "SCHEDULER", "ML_INTERVIEWER", "INTERVIEWER")
- Default Value: INTERVIEWER
- Target: modernloopRole
- Click “Ok” to save the mapping
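As an added illustration (not ModernLoop's or Microsoft's code), the script below emulates the Switch(SingleAppRoleAssignment(...)) mapping above and assembles the SCIM 2.0 User body, with the custom extension attribute, that the provisioning service would send to the Tenant URL. It assumes an empty Switch result is treated as unset so the mapping's Default Value (INTERVIEWER) applies, and rejects users holding more than one app role because SingleAppRoleAssignment expects exactly one; the sample user is constructed.

```python
import json

# Extension schema URN for the custom attribute added in the provisioning UI (from the article).
ML_EXT = "urn:ietf:params:scim:schemas:extension:modernloop:enterprise:2.0:User"
CORE = "urn:ietf:params:scim:schemas:core:2.0:User"

# Key/value pairs of the Switch() expression: Entra app role value -> ModernLoop role.
ROLE_SWITCH = {"ML_ADMIN": "ADMIN", "ML_SCHEDULER": "SCHEDULER", "ML_INTERVIEWER": "INTERVIEWER"}
DEFAULT_ROLE = "INTERVIEWER"  # the mapping's "Default Value" field; least-privileged role


def modernloop_role(app_role_assignments):
    """Emulate Switch(SingleAppRoleAssignment([appRoleAssignments]), "", ...) plus the default.

    Assumption: an empty Switch result counts as unset, so DEFAULT_ROLE applies; more
    than one assignment is rejected rather than silently picking one.
    """
    if len(app_role_assignments) > 1:
        raise ValueError(f"ambiguous app role assignments: {app_role_assignments}")
    single = app_role_assignments[0] if app_role_assignments else ""
    switched = ROLE_SWITCH.get(single, "")  # "" is the Switch default in the expression
    return switched or DEFAULT_ROLE


def build_scim_user(user_name, given_name, family_name, emails, app_role_assignments, active=True):
    """Build the SCIM User body and enforce the article's minimum required attributes."""
    role = modernloop_role(app_role_assignments)
    required = (("givenName", given_name), ("familyName", family_name),
                ("emails", emails), ("modernloopRole", role))
    missing = [name for name, value in required if not value]
    if missing:
        raise ValueError(f"missing required attributes: {missing}")
    return {
        "schemas": [CORE, ML_EXT],
        "userName": user_name,
        "name": {"givenName": given_name, "familyName": family_name},
        "displayName": f"{given_name} {family_name}",
        "emails": [{"value": e, "primary": i == 0} for i, e in enumerate(emails)],
        "active": active,
        ML_EXT: {"modernloopRole": role},
    }


if __name__ == "__main__":
    # Constructed sample input, not real directory data.
    user = build_scim_user("bjensen@example.com", "Barbara", "Jensen",
                           ["bjensen@example.com"], ["ML_ADMIN"])
    print(json.dumps(user, indent=2))
```

A user with no app role assignment, or one whose app role value is not in the Switch list, lands on INTERVIEWER rather than ADMIN, which is the behaviour to confirm when testing the mapping.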
Set up security groups for member role setting
- Navigate to AD Groups.
- Create a New group called ModernLoop Admins.
- Click Create to save the security group.
- Open the SAML Enterprise App.
- Navigate to Users and groups.
- Click Add user/group.
- Set the Group name to the group ModernLoop Admins.
- Set the Select a role to the app role ML_ADMIN.
- Click Assign.
- You can also select an individual user and assign the role directly to that user. Create additional groups with corresponding app roles if required.
Run SCIM Provisioning
Run SCIM provisioning again so that these roles are provisioned in ModernLoop.