Azure AD SCIM Setup
This section explains how to configure Azure AD SCIM to automatically provision and deprovision users to specific teams or groups based on the organization's directory in a selected Autodesk team.
Following are the key steps to Azure AD SCIM setup:
- Step-1 Obtain Credentials from Autodesk User Management Account
- Step-2 Configure Autodesk SSO Application from Azure Account
- Step-3 Configure Provisioning
- Step-4 Attribute Mapping
- Step-5 View settings in Directory sync
Step-1 Obtain Credentials from Autodesk User Management Account
Following are the steps to obtain credentials from Autodesk user management account for teams with SSO setup and syncing multiple team directories:
Credentials for the team with SSO setup
Sign in to your Autodesk account and follow the steps in Access to Directory Sync. Make sure to select Azure AD SCIM as the directory environment.
Click Next to generate the Azure admin credentials.
After the credentials are generated, the Tenant URL, Secret token, and Map attributes (scroll down to see the attributes) are displayed in the Copy Azure admin credential modal.
Note: The credentials (Tenant URL and Secret token) generated from Autodesk are valid for only one connection and cannot be reused to create a directory sync connection for another team.
Now copy the Tenant URL and the Secret token and enter these values in the Tenant URL and Secret token fields, respectively, in the Provisioning tab of the Autodesk application in the Azure account.
Click Close. The modal closes and the user is redirected to the Settings page with the success message "Directory sync environment created". Directory sync is now displayed with a table that has Directory Environment and Settings columns. Azure AD SCIM appears under the directory environment.
Click View settings to see the Access credentials information created in the Azure AD SCIM environment. To learn more, see View settings in Directory sync.
Credentials for the teams with Multiple Team Directory Sync
Sign in to your Autodesk account and follow the steps in Access to Directory sync. Make sure to select Azure AD SCIM as the directory environment.
Click Next.
Note: While setting up the directory sync in another team where SSO is not set up, Azure AD SCIM is pre-selected, because the multiple team directory sync feature is currently supported for Azure AD SCIM setup only.
The Select team with SSO connection modal is displayed.
Click on the Select dropdown to choose a Team. The list appears only for the team that has permission for the Team with SSO connection.
Select the Team.
Click Next to generate the Azure admin credentials.
After the credentials are generated, the Tenant URL, Secret token, and Map attributes (scroll down to see the attributes) are displayed in the Copy Azure admin credential modal.
Note: The credentials (Tenant URL and Secret token) generated from Autodesk are valid for only one connection and cannot be reused to create a directory sync connection for another team.
Now copy the Tenant URL and the Secret token and enter these values in the Tenant URL and Secret token fields, respectively, in the Provisioning tab of the Autodesk application in the Azure account.
Click Close. The modal closes and the user is redirected to the Settings page with the success message "Directory sync environment created". Directory sync is now displayed with a table that has Directory Environment, Team with SSO connection, and Settings columns. Azure AD SCIM appears under the directory environment.
Note:
- The Manage SSO button in the same team appears disabled when directory sync is set up using an SSO connection from another team.
- To view or change the SSO settings used to set up the directory sync on the current team, refer to the team name specified in the Team with the SSO connection and navigate to the respective Team using the team selector at the top of the page.
- This button will not appear for teams on the normal plan. It is disabled if no SSO has been set up for the selected team or any other team where you are not on Business plan or an SSO Admin.
- Team with SSO connection is masked if the user is not the primary or SSO admin for the team.
Click View settings to see the Access credentials information created in the Azure AD SCIM environment. To learn more, see View settings in Directory sync.
Step-2 Configure Autodesk SSO Application from Azure Account
Go to Azure account and click View under "Manage Azure Active Directory". Alternatively, in the filter search field, enter "Azure Active Directory" and click Azure Active Directory from the search results.
Click Enterprise applications and select + New application.
In the Browse Azure AD Gallery section, type "Autodesk SSO" in the search field and select the Autodesk SSO application from the results panel.
Note: This application is pre-configured with all the essential settings, including the SAML attributes mapping. Refer to the manual setup procedure in case of any issues with the Autodesk pre-configured template or to view/update the SAML mapping source.
Click Create to add the Autodesk application.
Step-3 Configure Provisioning
Go to Azure account and select Enterprise Applications to choose the Autodesk application.
Select the Provisioning tab from the left navigation bar.
Click the Get started button, then select the Automatic provisioning mode from the drop-down menu.
Under the provisioning mode, the Admin Credentials pane is displayed.
In the Admin Credentials, enter the Tenant URL and Secret Token in the respective fields.
Select Test Connection to make sure that Azure AD can connect to the application.
Once the connection is successful, Save the connection to view additional settings as shown in the following sections.
Note: Once the users and groups are mapped and automatic provisioning is enabled in Autodesk Account, Azure AD users and groups are synchronized at a regular default interval of 40 minutes. The details of requests made to the SCIM server are logged under "View Provisioning Logs."
Step-4 Attribute Mapping
View Group Mappings
Under Provisioning > Mappings, click "Provision Azure Active Directory Groups" to view the mappings. Group mappings are pre-configured as follows,
No additional adjustment on group attribute mappings is required. Click Save to close the provisioning settings page.
View User Mappings
Under Provisioning > Mappings, click Provision Azure Active Directory Users to view the user mappings. User mappings are pre-configured.
Click on the row with AutodeskSso Attribute userName.
Change the Source Attribute to the email used in SSO Attributes & Claims and click Save.
Note: While mapping the source attributes:
- The "userName" attribute should use the same value that is used in the "email" attribute for SAML mapping.
- The last name field cannot be left empty. If the user does not have a last name, enter "-" in the space provided. Also, follow the SAML attributes mapping if the user is already on ESSO.
Additional Information on ObjectGUID Attribute Mapping
User attribute mappings are pre-configured and require no further action. However, if you want to view or customise the ObjectGUID attribute, follow this section for the custom mapping procedure:
Check the Show advanced options box in the above screen.
Add objectGUID to the attribute list with these details:
Name: urn:ietf:params:scim:schemas:extension:AdskUserExt:2.0:User:objectGUID
Type: String
Required: Yes
Click Save, then add a new mapping for objectGUID with these details:
Mapping type: Direct
Source mapping: objectId
Default value if null (optional): (leave blank)
Target attribute: urn:ietf:params:scim:schemas:extension:AdskUserExt:2.0:Use…
Match objects using this attribute: No
Matching precedence: 0
Apply this mapping: Always
Click Save to go back to the provisioning screen.
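A pre-flight check for the user mappings described above, as an added example (not Autodesk's or Microsoft's code): it flags directory records whose userName source would differ from the SAML email or that lack objectId, and builds the SCIM User resource the mappings imply. The record field names other than objectId, the payload shape (standard SCIM 2.0 core User), and the sample users are assumptions.

```python
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
# Extension URN: the objectGUID attribute name from this page minus ":objectGUID".
ADSK_EXT = "urn:ietf:params:scim:schemas:extension:AdskUserExt:2.0:User"


def _val(user, key):
    """Return a stripped string for a possibly missing or null field."""
    return (user.get(key) or "").strip()


def audit_user(user, username_source, saml_email_source):
    """Return the mapping problems that would affect this Azure AD user."""
    problems = []
    username, email = _val(user, username_source), _val(user, saml_email_source)
    if not email:
        problems.append("SAML email source is empty")
    elif username != email:
        # Strict comparison: the note asks for the same value in both places.
        problems.append("userName source differs from SAML email")
    if not _val(user, "objectId"):
        problems.append("objectId missing, objectGUID is required")
    return problems


def to_scim_user(user, username_source, saml_email_source):
    """Build the SCIM User resource implied by the mappings, or raise."""
    problems = audit_user(user, username_source, saml_email_source)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "schemas": [CORE_USER, ADSK_EXT],
        "userName": _val(user, username_source),
        "name": {
            "givenName": _val(user, "givenName"),
            # The last name cannot be empty: substitute "-" as the note says.
            "familyName": _val(user, "surname") or "-",
        },
        ADSK_EXT: {"objectGUID": _val(user, "objectId")},
    }


# Constructed sample records (not real accounts).
SAMPLE_USERS = [
    {"userPrincipalName": "ana@corp.example", "mail": "ana@corp.example",
     "givenName": "Ana", "surname": "Ruiz",
     "objectId": "00000000-0000-0000-0000-000000000001"},
    {"userPrincipalName": "bo@corp.onmicrosoft.example", "mail": "bo@corp.example",
     "givenName": "Bo", "surname": "",
     "objectId": "00000000-0000-0000-0000-000000000002"},
]
```

Running `audit_user` over an export of the assigned users before enabling provisioning shows which accounts would be provisioned with a userName that does not match their SSO identity.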
Define Provisioning Scope
Under the Provisioning screen, click Settings to select the provisioning scope.
You can select the scope as Sync only assigned users and groups and also select the Provisioning Status.
Adding users and groups in Azure AD
In the Azure Active Directory admin center:
Under the Enterprise Applications, select the Autodesk application.
On the left panel, under Manage, click Users or Groups.
Click the + Add user/group button, then manually select users and groups that you want to sync with your Autodesk Account.
On the Add Assignment page, click the "None selected" link, select the required users from the right-hand list, and assign the selected users. The role of the user can also be selected.
Click Assign. You can assign multiple AD users and groups to your Autodesk app. Only those users and groups that are assigned to your Autodesk app can be provisioned to your Autodesk Account.
Start Provisioning
Go to the Provisioning tab in your enterprise app.
If the Provisioning mode is set to automatic, the provisioning interval is fixed at 40 minutes by default. Alternatively, you can manually start or stop provisioning.
You can view the number of users and groups, the current cycle status, and statistics details on this page.
Step-5 View settings in Directory sync
Click View settings under the Directory sync feature.
Directory sync settings is displayed with the Access credentials, View synced teams, and Get support information.
Access credentials provides the Tenant URL, Secret Token, and Map attributes.
View synced teams provides the Team with SSO connection and the Teams with directory sync. The directory sync is available across multiple teams with the team synced with SSO connection.
Note: Team with SSO connection is masked if the user is not the primary or SSO admin for the team.
Get support provides the Autodesk support information for issues at any point of the sync:
While changing the directory environment or deleting directory sync from Autodesk.
Changes to the directory environment after selection.
Any changes to the connection type or adding another connection.
During uploading the domains and verifying them.
Click Close. The modal closes and the user is redirected to the Settings page.