Question

SCIM with AzureAD for self-hosted LFDS

asked on September 2, 2022

I see the LF Cloud documentation addresses configuring SCIM with AzureAD, but the self-hosted docs only reference configuring SCIM with Okta.

Given it's an open standard, I assumed there was a good chance it would work whether it was in the docs or not. 

The roadblock we hit was LFDS generates a username/password combo for authenticating the IDP making the SCIM connection, and AzureAD is expecting a bearer token. That brought us to a halt at that point.

I just wanted to double-check that we hadn't overlooked something simple (i.e. the ability of LFDS to provide a bearer token instead, or other) before we officially considered it not supported at this time. Did we miss anything?

If not... is this on the roadmap? 99% of our clients are sync'ing their classic Active Directory Domain Services to Azure AD and are moving full speed towards centralizing identity management in Azure AD.  Not having the SCIM support is going to leave a hole. 

0 0

Answer

APPROVED ANSWER
replied on September 2, 2022

SCIM 1.1 (supported by Okta) and SCIM 2.0 (supported by Azure AD) are not interchangeable. One notable difference is that Azure AD SCIM 2.0 requires OAuth/bearer token authentication for the SCIM client/server calls whereas SCIM 1.1 does not.

Laserfiche Cloud supports both SCIM protocol versions. Though the current release of LFDS only supports SCIM 1.1, SCIM 2.0 support is on the short-term roadmap in the "features we're actively working on" category and I believe scheduled to go out with the next LFDS update release. I think that should be before the end of the year, but don't quote me on the timeline.

That said, even once SCIM 2.0 is available, in any scenario where the customer is sync'ing AD DS to Azure AD and LFDS has a connection to an AD Domain Controller, you should almost always configure AD and Azure AD as Linked Providers in LFDS and use AD Group Sync Rules for user lifecycle management.

0 0
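To make the authentication mismatch in the answer above concrete, here is an added example (not code from the thread or from Laserfiche) of the server-side check a SCIM endpoint performs on each request. A SCIM 1.1-style endpoint only understands the generated HTTP Basic username/password, so the `Authorization: Bearer ...` header an Azure AD SCIM 2.0 client sends is rejected before any provisioning call is processed; the credential values, realm name and `accept_bearer` switch are constructed for illustration.

```python
import base64
import hmac
from dataclasses import dataclass

# Constructed credentials (hypothetical): a Basic username/password pair of the
# kind a SCIM 1.1 endpoint issues, and a long-lived secret token a SCIM 2.0
# endpoint would hand to the Azure AD provisioning app.
BASIC_USER = "scim-client"
BASIC_PASSWORD = "example-password-not-real"
BEARER_TOKEN = "example-bearer-token-not-real"


@dataclass
class AuthResult:
    ok: bool
    scheme: str
    status: int            # HTTP status the endpoint would return
    www_authenticate: str  # challenge header telling the client which scheme works


def _ct_equal(a: str, b: str) -> bool:
    # Constant-time comparison so credential checks don't leak via timing
    return hmac.compare_digest(a.encode(), b.encode())


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a Basic-auth SCIM client sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authenticate(authorization: str, accept_bearer: bool) -> AuthResult:
    """Authenticate one SCIM request from its Authorization header.

    accept_bearer=False models a SCIM 1.1 endpoint that only knows the generated
    username/password; accept_bearer=True models a SCIM 2.0 endpoint.
    """
    scheme, _, credential = authorization.strip().partition(" ")
    scheme, credential = scheme.lower(), credential.strip()
    basic_challenge = 'Basic realm="scim"'
    if scheme == "basic" and credential:
        try:
            decoded = base64.b64decode(credential, validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            return AuthResult(False, "basic", 401, basic_challenge)
        user, _, password = decoded.partition(":")
        # Check both parts so a wrong username takes as long as a wrong password
        if _ct_equal(user, BASIC_USER) & _ct_equal(password, BASIC_PASSWORD):
            return AuthResult(True, "basic", 200, "")
        return AuthResult(False, "basic", 401, basic_challenge)
    if scheme == "bearer" and credential:
        if not accept_bearer:
            # The situation in the thread: Azure AD sends a bearer token, the
            # endpoint only understands Basic, so provisioning never starts.
            return AuthResult(False, "bearer", 401, basic_challenge)
        if _ct_equal(credential, BEARER_TOKEN):
            return AuthResult(True, "bearer", 200, "")
        return AuthResult(False, "bearer", 401, 'Bearer realm="scim", error="invalid_token"')
    return AuthResult(False, scheme or "none", 401, basic_challenge)
```

The 401 with a `Basic` challenge in response to a valid bearer token is what an Azure AD provisioning connection test shows when pointed at a SCIM 1.1-only endpoint; only the SCIM 2.0 branch lets that token through.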
replied on September 6, 2022

@████████ thanks for the clarification on v1.1 vs v2, and the roadmap regarding v2 support for on-prem LFDS. 

In the specific implementations I work with, there's never a connection to the AD Domain Controllers the accounts exist within, nor any trust between the domain where those accounts exist and the domain where the LFDS is hosted. Absolutely agree with leveraging that as the easier path where available. As always, I appreciate the thoroughness of your responses and the reminder!

1 0
replied on September 6, 2022

Very welcome =)

I suspected your scenario was one where you didn't have connections to any DCs, so the last line of my response was mostly for the benefit of others who may read this.

0 0
replied on November 11, 2022

Hello,

Is there any update on the release timeline for on-prem Laserfiche to support SCIM 2.0? We have clients who will need this feature in order to successfully migrate to Azure for authentication in their LF environment.

0 0
replied on May 9, 2023

Self-hosted support for SCIM 2.0 in Laserfiche Directory Server has been released. See the list of changes and the release announcement on Answers. The Laserfiche 11 package has been updated.

0 0