If your organization uses Microsoft Entra ID as your Identity Provider, this guide will help you provision users from an Entra ID Enterprise Application to 0patch Central using SCIM.
Important: Before configuring Entra ID SCIM provisioning, first configure Entra ID SAML single sign-on. These instructions depend on that.
- Log in to 0patch Central, and go to Account -> Single sign on. (It is assumed SAML is already configured there.)
- Enable SCIM Provisioning, which displays a configuration dialog. Keep the dialog open as you will need these values later.
- Log in to Azure as administrator.
- In the Admin Console go to Microsoft Entra ID -> Manage -> App Registrations.
- Go to the "All applications" tab to see the enterprise application you have previously configured for SAML, then click on it.
- Under the selected App registration, go to Manage -> App Roles.
- Create the following app roles for Users/Groups:
| Display Name    | Value          | Description            |
|-----------------|----------------|------------------------|
| Administrator   | Administrator  | 0patch Administrator   |
| Agent Manager   | AgentManager   | 0patch Agent Manager   |
| Billing Manager | BillingManager | 0patch Billing Manager |
| Auditor         | Auditor        | 0patch Auditor         |
Note that an app registration in Entra ID may come with some default roles (e.g., "User" and "msiam_access"). You can delete these roles, as 0patch Server will not recognize them. To delete a role you first need to disable it, and because some default roles have no value set, you may have to assign them an arbitrary value before they can be disabled.
- The goal is to end up with exactly the four app roles listed in the table above.
- In the Admin Console go to Microsoft Entra ID -> Manage -> Enterprise Applications, and click on the application you configured for 0patch SAML login.
- Under the selected Enterprise application, go to Manage -> Provisioning.
- Press "Get Started" to start configuring provisioning.
- For Provisioning Mode, select "Automatic".
- Under Admin Credentials, copy the values from the 0patch Central SCIM configuration dialog (see step 2):
  - 0patch SCIM connector base URL -> Entra ID Tenant URL
  - 0patch HTTP header authentication token -> Entra ID Secret Token
- Press Test Connection to validate credentials.
- Press Save to save the configuration.
- Return to Application's Provisioning page.
- Click on Edit Attribute Mappings and expand the Mappings section.
- Click on Provision Microsoft Entra ID Users.
- Scroll to the bottom of the page and click on Add New Mapping.
- Enter the following details for the new mapping, while leaving all other settings on their defaults:
  - Mapping type: Expression
  - Expression: SingleAppRoleAssignment([appRoleAssignments])
  - Target attribute: roles[primary eq "True"].value
- Press OK to save the new attribute mapping.
- On the Provisioning page, set Provisioning Status to On and save the configuration.
- Assign roles to users in one of the following ways:
  - New users: Add a user to the Enterprise application by clicking Add User/Group under Users and Groups, then selecting one or more users, and selecting their role.
  - Existing users: Assign a new role to an existing user by checking the box in front of one or more users under Users and Groups, then clicking on Edit Assignment and selecting a new role for the selected users.
- Start user provisioning by clicking on Start provisioning on the Provisioning page. Note that provisioning in Entra ID works in 40-minute cycles, so changes made in Entra ID may take a while to be reflected in 0patch Central. To force instant provisioning for selected users (e.g., you have just added a new admin or changed a user's role), click Provision on demand and select the user you want to provision.
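To see what the attribute mapping above actually produces on the wire, and why a leftover default role breaks provisioning, here is an added example (not 0patch's or Microsoft's code) that models how a SCIM consumer would evaluate an incoming user resource. The request body is constructed to match the `roles[primary eq "True"].value` mapping; the e-mail, externalId and the `type` field are sample values, not taken from a real tenant.

```python
import json

# The four app-role values this guide has you create in Entra ID.
KNOWN_ROLES = {"Administrator", "AgentManager", "BillingManager", "Auditor"}


def primary_role(scim_user):
    """Return the single primary role value from a SCIM user resource.

    Entra ID's SingleAppRoleAssignment() mapping emits one `roles` entry
    whose `primary` is the string "True" (not a JSON boolean).
    """
    roles = scim_user.get("roles", [])
    primary = [r.get("value") for r in roles
               if str(r.get("primary")).lower() == "true"]
    if len(primary) != 1:
        raise ValueError(f"expected exactly one primary role, got {primary!r}")
    return primary[0]


def evaluate_provisioning(scim_user):
    """Decide what a SCIM consumer would do with this user: (action, detail)."""
    email = scim_user.get("userName")
    if not scim_user.get("active", True):
        return ("disable", email)          # un-assigned/disabled in Entra ID
    try:
        role = primary_role(scim_user)
    except ValueError as exc:
        return ("reject", str(exc))
    if role not in KNOWN_ROLES:
        return ("reject", f"unknown role value {role!r} for {email}")
    return ("provision", f"{email} as {role}")


# Constructed sample: a POST /Users body as Entra ID would send it once the
# roles[primary eq "True"].value mapping is in place.
SAMPLE_OK = json.loads("""{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "externalId": "00000000-0000-0000-0000-000000000000",
  "userName": "jane.doe@example.com",
  "active": true,
  "roles": [{"primary": "True", "type": "WindowsAzureActiveDirectoryRole",
             "display": "Agent Manager", "value": "AgentManager"}]
}""")
# Constructed sample: a default role that 0patch Server will not recognize.
SAMPLE_BAD_ROLE = dict(SAMPLE_OK, roles=[{"primary": "True", "value": "msiam_access"}])
# Constructed sample: the user was disabled or un-assigned in Entra ID.
SAMPLE_DISABLED = dict(SAMPLE_OK, active=False)

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BAD_ROLE, SAMPLE_DISABLED):
        print(evaluate_provisioning(sample))
```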
Notes
- Disabling or un-assigning a provisioned user in Entra ID will disable the user in 0patch Central.
- Deleting a provisioned user in Entra ID will delete the user in 0patch Central.
- Provisioned ("managed") users are marked with a lock in 0patch Central – a managed user cannot be edited or deleted in 0patch Central, only through SCIM provisioning.
- An unmanaged 0patch Central user will become managed if provisioned through SCIM. The only exception is the account owner – the owner cannot be managed or provisioned.
- A user cannot be provisioned to a 0patch account if a user with the same email already exists in another 0patch account.
Troubleshooting
- If provisioning fails, double-check that you have specified the role values and attribute mappings correctly (copy-paste from these instructions instead of typing if possible).
- Another reason for provisioning to fail for a user is that the user with the same email already exists in another 0patch Account. To verify, please contact support@0patch.com.