Azure SCIM Setup

This guide describes how to configure Azure AD to automatically provision and deprovision users and groups to Autodesk.

Known Issues

  1. Nested groups are not supported. They will be sent as the users in the group.

Prerequisites

Both the SCIM tenant URL and the secret token are available in the directory sync setup in Autodesk Account.

Obtain Credentials from Autodesk User Management Portal

  1. Log in to Autodesk and select the User management tab on the left navigation bar.

  2. Go to By User or By Group to access the team settings.

  3. Click the Set up directory sync button and select Azure AD SCIM as the directory environment.

  4. Click Next to access the Azure admin credentials.

  5. Copy the Tenant URL and the Secret token. These values will be entered in the Tenant URL field and Secret Token field respectively in the Provisioning tab of your Autodesk application in the Azure portal.

Configure Autodesk SSO Application from Azure Portal

  1. Go to Azure Portal and click View under "Manage Azure Active Directory". Alternatively, in the filter search field, enter "Azure Active Directory" and click Azure Active Directory from the search results.

  2. Click Enterprise applications and select + New application.

  3. In the Browse Azure AD Gallery section, type "Autodesk SSO" in the search field, then select the Autodesk SSO application from the results panel.

    Note: This application is pre-configured with all the essential settings including the SAML attributes mapping. Refer to the manual setup procedure in case of any issues with the Autodesk pre-configured template or to view/update the SAML mapping source.

  4. Click Create to add the Autodesk application.

Configure Provisioning

  1. Go to Azure Portal and select Enterprise Applications to choose the Autodesk application.

  2. Select the Provisioning tab from the left navigation bar.

  3. Click the Get started button and select the Automatic provisioning mode from the drop-down menu.

  4. Under the provisioning mode, the Admin Credentials pane is displayed.

  5. In the Admin Credentials, enter the Tenant URL and Secret Token in the respective fields.

  6. Select Test Connection to make sure that Azure AD can connect to the application.

  7. Once the connection is successful, Save the connection to view additional settings as shown in the following sections.

    Note: Once the users and groups are mapped and automatic provisioning is enabled in Autodesk Account, Azure AD users and groups will be synchronized at a regular default interval of 40 minutes. The details of requests made to the SCIM server are logged under "View Provisioning Logs."

Attribute Mapping

View Group Mappings

  1. Under Provisioning > Mappings, click "Provision Azure Active Directory Groups" to view the mappings. Group mappings are pre-configured.

  2. No additional adjustment on group attribute mappings is required. Click Save to close the provisioning settings page.

View User Mappings

  1. Under Provisioning > Mappings, click Provision Azure Active Directory Users to view the user mappings. User mappings are pre-configured.

  2. Click on the row with AutodeskSso Attribute userName.

  3. Change the Source Attribute to the email used in SSO Attributes & Claims and click Save.

    Note: While mapping the source attributes:

    • The "userName" attribute should use the same value that is used in the "email" attribute for SAML mapping.
    • The last name field cannot be left empty. If the user does not have a last name, enter "-" in the space provided. Also, follow the SAML attributes mapping if the user is already on ESSO.

Additional Information on ObjectGUID Attribute Mapping

User attribute mappings are pre-configured and require no further action. However, if you want to view or customise the ObjectGUID attribute, follow this section for the custom mapping procedure:

  1. Check the Show advanced options box in the above screen.

  2. Add objectGUID to the attribute list with these details:

    • Name: urn:ietf:params:scim:schemas:extension:AdskUserExt:2.0:User:objectGUID

    • Type: String

    • Required: Yes

  3. Click Save, then add a new mapping for objectGUID with these details:

    • Mapping type: Direct

    • Source mapping: objectId

    • Default value if null (optional): (leave blank)

    • Target attribute: urn:ietf:params:scim:schemas:extension:AdskUserExt:2.0:Use…

    • Match objects using this attribute: No

    • Matching precedence: 0

    • Apply this mapping: Always

  4. Click Save to go back to the provisioning screen.
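
The mapping rules above (userName equal to the SAML email, "-" for an empty last name, objectGUID sourced from objectId) can be checked against a directory export before a sync cycle runs. The following is an added example, not Autodesk or Microsoft code. It assumes Azure AD attribute names `mail`, `givenName` and `surname`, a payload laid out per the SCIM core schema (RFC 7643), and uses constructed sample records.

```python
# Added illustration: sketches the SCIM User resource implied by the mapping
# rules on this page. The sample directory records below are constructed.
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643 core schema
ADSK_EXT = "urn:ietf:params:scim:schemas:extension:AdskUserExt:2.0:User"  # from this page


def build_scim_user(aad_user, saml_email_source="mail"):
    """Map one Azure AD record to a SCIM User; saml_email_source is an assumption."""
    email = (aad_user.get(saml_email_source) or "").strip()
    if not email:
        raise ValueError(f"{saml_email_source!r} is empty; userName must equal the SAML email")
    object_id = (aad_user.get("objectId") or "").strip()
    if not object_id:
        raise ValueError("objectId is empty; objectGUID is a required attribute")
    # The last name cannot be left empty: the page says to enter "-" instead.
    family = (aad_user.get("surname") or "").strip() or "-"
    return {
        "schemas": [CORE_USER, ADSK_EXT],
        "userName": email,
        "name": {"givenName": aad_user.get("givenName", ""), "familyName": family},
        ADSK_EXT: {"objectGUID": object_id},
    }


def preflight(users, saml_email_source="mail"):
    """Return (payloads, problems) so mapping errors surface before a sync cycle."""
    payloads, problems = [], []
    for u in users:
        try:
            payloads.append(build_scim_user(u, saml_email_source))
        except ValueError as exc:
            problems.append((u.get("objectId") or "<no objectId>", str(exc)))
    return payloads, problems


# Constructed sample records (not real accounts).
SAMPLE_USERS = [
    {"objectId": "00000000-0000-0000-0000-000000000001", "mail": "ana@example.com",
     "givenName": "Ana", "surname": "Silva"},
    {"objectId": "00000000-0000-0000-0000-000000000002", "mail": "cher@example.com",
     "givenName": "Cher", "surname": ""},
    {"objectId": "00000000-0000-0000-0000-000000000003", "mail": None,
     "givenName": "No", "surname": "Mail"},
]

if __name__ == "__main__":
    ok, bad = preflight(SAMPLE_USERS)
    print(len(ok), "users ready;", "problems:", bad)
```

Records reported in `problems` are the ones to correct in the directory before assigning them to the application.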

Define Provisioning Scope

  1. Under the Provisioning screen, click Settings to select the provisioning scope.

  2. You can select the scope as Sync only assigned users and groups and also select the Provisioning Status.

Adding users and groups in Azure AD

In the Azure Active Directory admin center:

  1. Under the Enterprise Applications, select the Autodesk application.

  2. On the left panel, under Manage, click Users or Groups.

  3. Click the + Add user/group button, then manually select users and groups that you want to sync with your Autodesk Account.

  4. On the Add Assignment page, click the "None selected" link to select the required users from the right-hand list and assign the selected user. The role of the user can also be selected.

  5. Click Assign. You can assign multiple AD users and groups to your Autodesk app. Only those users and groups that are assigned to your Autodesk app can be provisioned to your Autodesk Account.

Start Provisioning

  1. Go to the Provisioning tab in your enterprise app.

  2. If the Provisioning mode is set to automatic, by default the provisioning interval is fixed to 40 minutes. Alternatively, you can manually start or stop provisioning.

    You can view the number of users and groups, the current cycle status and statistics details on this page.