CGR Foundation supports automatic user and group provisioning through SCIM2 (System for Cross-domain Identity Management) integration with identity providers. This guide covers configuration for Microsoft Entra ID (Azure AD).
TABLE OF CONTENTS
- Prerequisites
- Set Up
- Configuring Attribute Mappings
- Sync Strategy and Scoping Users
- Role Mapping via Position ID
- Viewing Logs
Prerequisites
Before beginning the SCIM2 configuration, please ensure:
- Contact CGR Support at support@corpgovrisk.com to:
  - Generate a SCIM authentication token
  - Receive your organisation's SCIM endpoint URL
  - Discuss your user identifier strategy
- Understand Identifier Selection: The identifier you choose for user accounts is critical for seamless integration between auto-provisioning and Single Sign-On (SSO).
- Admin Access: Ensure you have administrator access to your identity provider
Set Up
Entra ID
From the Microsoft Entra ID home page navigate to:
Add → Enterprise Application → Create your own application → Name: CGR Foundation → Create

After this go to:
Provisioning → Connect your Application

Then enter the Tenant URL and Secret Token provided during setup on the CGR side.


Click on Test Connection to ensure everything is working.
CGR Foundation
Head to the page /admin/provisioners and edit an existing configuration or create one.

Below are some explanations for the fields:
- Configuration Type: set to SCIM2.
- Position: only refers to the ordering of the list at /admin/provisioners
- Active: should be true
- Contacts: a list of emails
- Notify on failure: if set to Yes, a CSV of any failed users will be created and sent to the list of contacts
- Sync users: has 3 options
  - Do not sync: effectively turns off provisioning on the Foundation end
  - Update only: only allow previously existing users to be updated through provisioning
  - Create and update: allow users to be both created and updated through provisioning
- Bind roles: has 3 options
  - Do not bind roles: ignore role management completely
  - Create roles: for every new user, create a corresponding role in CGR if no role is already bound
  - Find or create roles by position: assign roles based on position ID, expanded on in Role Mapping via Position ID
- Enable notifications on new users: set Yes if you want provisioned users to have notifications enabled by default, No otherwise
- Default project/location/user type: set the defaults on created users for each respective attribute
Configuring Attribute Mappings
Entra ID
Under Manage → Attribute mapping there is a link to Provision Microsoft Entra ID Users.

Ensure you disable Provision Microsoft Entra ID Groups.
This page depends on your specific configuration as well as your CGR Foundation's configuration. A good place to start is to delete the attributes you definitely do not need to be provisioned and add any that you do.
Roles/positions are a special case, expanded on in Role Mapping via Position ID.

CGR Foundation
As above, how attributes should be mapped depends on your specific configuration. Below is an example of one possible set of Attribute Mappings.

Sync Strategy and Scoping Users
Under Manage → Provisioning → Settings there is a Scope setting that allows you to sync only certain users.

You can then navigate to Manage → Users and groups to add these select users.

Finally we can click the Start provisioning button at the top.

Role Mapping via Position ID
CGR Foundation supports automatic role assignment based on position identifiers from your identity provider. This feature allows you to maintain role-based access control that automatically updates when users change positions.
How It Works
When a user's position ID is synchronised via SCIM:
- if a role exists with a matching external ID, the user is assigned to that role
- if no matching role exists, a new role is automatically created
- the role's title is set from the user's job title
- when a user's position changes, they are automatically moved to the new role
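
The role binding described above, modelled in Python as an added example (not CGR Foundation's code). It assumes the position ID arrives under the extension schema key, as SCIM extension attributes do, and the job title in the core title attribute; the class, sample users and position IDs are constructed.

```python
# Added illustration, not CGR Foundation code: an in-memory model of
# "Find or create roles by position". Class and field names are hypothetical.
EXT = "urn:cgr:params:scim:schemas:extension:custom:2.0:User"  # schema part of the URN on this page


class RoleDirectory:
    def __init__(self):
        self.roles = {}        # role external ID (position ID) -> role title
        self.assignment = {}   # userName -> external ID of the bound role
        self.audit = []        # (userName, previous role, new role, role_created)

    def apply(self, resource):
        """Bind the user to the role whose external ID equals their positionId."""
        user = resource["userName"]
        position = str(resource.get(EXT, {}).get("positionId") or "").strip()
        if not position:
            # Assumption: a missing or blank position ID leaves the binding as it is.
            return self.assignment.get(user)
        created = position not in self.roles
        if created:
            # No matching external ID: create the role, titled from the job title.
            self.roles[position] = resource.get("title", "")
        previous = self.assignment.get(user)
        if previous != position:
            self.assignment[user] = position
            self.audit.append((user, previous, position, created))
        return position


def scim_user(user_name, title, position_id):
    """Constructed SCIM 2.0 User resource carrying the positionId extension."""
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", EXT],
        "userName": user_name,
        "title": title,
        EXT: {"positionId": position_id},
    }


def demo():
    directory = RoleDirectory()
    directory.roles["P-100"] = "Risk Analyst"  # role that already exists
    directory.apply(scim_user("a.lee@example.com", "Risk Analyst", "P-100"))
    directory.apply(scim_user("b.kim@example.com", "Audit Manager", "P-200"))
    directory.apply(scim_user("a.lee@example.com", "Audit Manager", "P-200"))  # position change
    return directory


if __name__ == "__main__":
    for entry in demo().audit:
        print(entry)
```

Each audit entry is a role change caused solely by a directory attribute value, so write access to the mapped source attribute (e.g. extensionAttribute5) should be restricted as tightly as role administration in CGR Foundation.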
Entra ID
Navigate to Attribute mapping (Preview) → Provision Microsoft Entra ID Users.

Click Show advanced options and then Edit attribute list for customappsso.

Add an attribute to the list with Name urn:cgr:params:scim:schemas:extension:custom:2.0:User:positionId and Type String, then click Save.

On the Attribute Mapping page, click Add New Mapping.

Choose the attribute you want to map to urn:cgr:params:scim:schemas:extension:custom:2.0:User:positionId (e.g. extensionAttribute5).

Once the attribute has been mapped, ensure the changes are saved.

You may need to manually Restart provisioning or Provision on demand to ensure the newly mapped attribute is pushed to CGR Foundation.
CGR Foundation
All that is required for Foundation to accept roles through positionId is to ensure the Bind roles attribute is set to Find or create roles by position.
Viewing Logs
You can view the provisioning logs in order to debug any potential issues on both the Entra ID side and the CGR Foundation side.
Entra ID
Under Overview → Monitoring → View Provisioning Logs.

CGR Foundation
On the Admin Provisioners page there is a notices panel that lists any failures, with error messages for debugging.
