System for Cross-domain Identity Management (a.k.a. SCIM) is a protocol for user management across multiple applications. It allows an IT or Operations team to easily provision (add), deprovision (deactivate), and update user data across multiple applications at once.
To set up SCIM provisioning in Azure AD you will need to have the involvement of both the Blinq organization admin and the manager of your Azure AD account.
User provisioning should work with any service that adheres to the SCIM protocol. If you are looking to set up user provisioning with a service other than Azure AD, please contact us at firstname.lastname@example.org so we can help you get set up.
SCIM capabilities supported in Blinq
- Provisioning one or more users and their Blinq cards
- Deprovisioning of users and their Blinq cards
- Updating user details (which can propagate to a Blinq card)
Creating the Blinq application in Azure AD
To create the Azure application that will connect to Blinq:
- Navigate to portal.azure.com and log in
- Search for 'Enterprise Applications'
- Click on New Application
- Click on Create your own application
- Name your application (we recommend calling it 'Blinq') and make sure 'Integrate any other application you don't find in the gallery (Non-gallery)' is selected
- Click Create
[Screenshot: Steps 4 - 6]
We are in the process of adding an official app to the Azure App Gallery which will remove the need to create your own Enterprise Application. When the official app is published we will upload instructions on how to switch over although you absolutely don't have to - this method of creating your own application will continue to work.
Setting up user provisioning
Navigate to your newly created Enterprise Application in Azure and do the following:
- Select Provisioning in the left panel
- Click Get started
- Set the Provisioning Mode to Automatic
You should see a Tenant URL field and a Secret Token field. We will need to get this information from your account in Blinq so let's do that now.
- Navigate to https://dash.blinq.me in a separate browser tab
- If you aren't logged in to Blinq you will need to do so
- Click on your workspace in the top left of the screen
- In the dropdown click Settings
- Under the Integrations page you should see Team Card Provisioning which contains a URL and Token. You will need to generate the token by clicking Generate
- Copy the URL and Token and navigate back to the Provisioning page in your Azure app. Paste the URL and Token in the corresponding fields
- Click Test Connection
- After a few seconds you should see a success message letting you know that the supplied credentials are authorized to enable provisioning. With your credentials verified you can now click Save
[Screenshot: Steps 3 - 4]
The Card Settings section allows you to configure how a card is created for a newly provisioned user. We will go over this in the Provisioning users section of this guide
You can generate a new token at any time by navigating back to this Integrations settings page and clicking Regenerate next to the token field. You can navigate to the Security tab of the settings page to see a list of your active tokens, as well as delete a token.
Configuring user provisioning in Azure
After saving you should now see a Mappings and Settings section. We need to modify the mappings in order for users to be provisioned correctly in Blinq.
Blinq doesn't currently support provisioning groups. This doesn't mean that you can't provision all the users in a group, that still works perfectly if you add a group to your Azure app. However there is no concept of a group in Blinq. So we will need to disable this:
- Click on Provision Azure Active Directory Groups
- Toggle the Enabled setting to No
- Click Save on the left-hand side of the page to save the configuration. You may see a warning about resynchronizing users; if you do, click Yes
We also need to modify the mappings between user attributes in Azure and user attributes in Blinq:
- Click on Provision Azure Active Directory Users
- Click on Add New Mapping
- Select companyName as a Source attribute
- Select urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization as the Target attribute
- Click Ok to finalize adding this new attribute
- Click Save on the left-hand side of the page to save the configuration. You may see a warning about resynchronizing users; if you do, click Yes
If you don't want a particular attribute to be sent to Blinq then you can remove it from this list and it won't be sent.
Finally, under Settings, make sure to set the scope to Sync only assigned users and groups and set Provisioning Status to On in order to start provisioning. Once that is done, click the Save button in the top left of the page.
A sync occurs between Azure and Blinq every 40 minutes
Configuring user provisioning in Blinq
Now that user provisioning is completely configured we can add users to the Azure app in order for them to be provisioned in Blinq. However before you proceed we should go over what happens when a user is provisioned in Blinq.
When a user is provisioned in your Blinq workspace the following actions will occur by default:
- A user is created in your Blinq workspace
- A card is automatically created for this user
- This card will contain any relevant details from the user's profile in Azure AD
- These card fields will even stay in sync with whatever value is in the user's profile
- An email is sent to the user to let them activate their account.
We can extend this behaviour with the Card Settings section in Blinq - which is found on the same page as the URL and Token.
Card Settings allows you to configure:
- Which Templates are applied to newly created cards (if any)
- Whether or not an activation email is sent to new users automatically
Configuring which Templates are applied
Templates are the best way to ensure consistent branding across a team, department, or company. If a template contains your company logo and name then every card created with that template will contain the logo and name. If you edit the logo or name in your template then every card that inherits from the template will get the new value.
In Card Settings you can choose when a particular Template will be applied to a new card. For example we could add a Filter that states that we should apply Template A when:
- A new user is in the Marketing department
- OR a new user is in the Sales department
If a newly provisioned user belongs to either of these departments (as stated in their Azure AD profile) then Template A will be applied to their card.
Template fields take precedence over fields from Azure. For example, if on their Azure AD profile their company is Blinq and on the applied Template it is Blinq Inc. then Blinq Inc. is what will appear on their card.
Templates are only applied to a newly provisioned user's card. After the user has been provisioned you will need to manually assign the Template to their card on the Blinq dashboard.
Configuring activation emails
If this toggle is turned on then as soon as a user is provisioned they will get an email notifying them that they can activate their account.
If this toggle is turned off then the activation email will not be sent and you will need to manually send the activation emails from the Team Cards page in the Blinq Dashboard.
We are approaching the finish line! User provisioning has now been set up and configured, so let's actually provision some users.
- Navigate back to the main page of your Azure application
- Click Users and Groups in the left-hand side of the page
- Click Add user/group
- Click on Users and groups
- Select the users and/or groups that you would like to provision
- Click the Select button at the bottom of the selection section
- Click the Assign button at the bottom left of the screen
If you deprovision a user from the Azure application (by removing them from the list of Users), the user will exist in Blinq as an inactive user and will not be counted towards your Blinq user count.
If you select a group then all users within that group will be provisioned.
Supported user attributes
A user's attributes can be found on the Azure AD User Profile. We support the following attributes:
- First name
- Last name
- Job title
- Company name
- Office phone
- Mobile phone
Unfortunately whilst Blinq supports syncing profile images via SCIM, Azure AD does not expose this to us. Profile images will need to be uploaded to each card by the card owner or by the team admin.
Viewing a provisioned user in Blinq
To view a provisioned user's card, navigate to the Team Cards section in the Blinq Dashboard. To view a card, select the corresponding row and click the Edit button.
By default all card fields that were created when the user is provisioned are:
- Locked so that they can't be overridden by the card owner
- Linked so that any changes to the user's Azure profile will be synced
If you edit the field value and Save then the field will be unlinked so that your new changes aren't overridden by any changes to the corresponding attribute in the user's Azure profile.
If you remove a lock on a field to allow the card owner to make changes then the field will be unlinked so that any changes that the card owner makes to the field aren't overridden by any changes to the corresponding attribute in the user's Azure profile.
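To make the attribute mapping and the lock/link rules above concrete, here is an added example (not Blinq's or Microsoft's code) that models a SCIM 2.0 receiver for the attributes this guide lists as supported, including the companyName mapping to the enterprise extension organization attribute, bearer-token checking for the provisioning endpoint, deprovisioning as "inactive" rather than deletion, and a resync that only overwrites fields that are still linked. The sample user payload, the token value, and every function name are constructed for illustration; the assumption that a field set by a Template stops following Azure is this example's, not something the guide states.

```python
"""Model of a SCIM 2.0 service provider applying the sync rules in this guide.
Example code, not Blinq's implementation; all names and data are constructed."""
import hmac
from dataclasses import dataclass, field

ENTERPRISE_EXT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Constructed stand-in for the token generated on the Integrations page.
WORKSPACE_TOKEN = "blinq-example-token-do-not-use"


def authorized(auth_header, expected_token=WORKSPACE_TOKEN):
    """Accept only 'Bearer <token>' and compare in constant time so the
    check does not leak how many leading characters matched."""
    scheme, _, token = auth_header.partition(" ")
    if scheme != "Bearer" or not token:
        return False
    return hmac.compare_digest(token, expected_token)


def scim_to_card_fields(user):
    """Map the six supported attributes from a SCIM User resource.
    Azure AD sends first/last name in name.givenName/familyName, job title in
    title, the mapped companyName in the enterprise extension 'organization',
    and office/mobile phones as phoneNumbers typed 'work' and 'mobile'."""
    name = user.get("name", {})
    phones = {p.get("type"): p.get("value") for p in user.get("phoneNumbers", [])}
    fields = {
        "first_name": name.get("givenName"),
        "last_name": name.get("familyName"),
        "job_title": user.get("title"),
        "company_name": user.get(ENTERPRISE_EXT, {}).get("organization"),
        "office_phone": phones.get("work"),
        "mobile_phone": phones.get("mobile"),
    }
    return {k: v for k, v in fields.items() if v is not None}


@dataclass
class Card:
    fields: dict = field(default_factory=dict)
    linked: set = field(default_factory=set)  # still follows the Azure profile
    locked: set = field(default_factory=set)  # card owner cannot edit
    active: bool = True


def provision(user, template=None):
    """First sync: create the card with every synced field locked and linked.
    Template values take precedence over the Azure values; this example also
    unlinks such fields (an assumption, not stated by the guide)."""
    fields = scim_to_card_fields(user)
    card = Card(fields=dict(fields), linked=set(fields), locked=set(fields))
    for key, value in (template or {}).items():
        card.fields[key] = value
        card.linked.discard(key)
    card.active = user.get("active", True)
    return card


def resync(card, user):
    """Periodic sync: only linked fields follow Azure. A user removed from the
    Azure app arrives with active=false and is kept as an inactive user."""
    for key, value in scim_to_card_fields(user).items():
        if key in card.linked:
            card.fields[key] = value
    card.active = user.get("active", True)
    return card


def admin_edit(card, key, value):
    """Editing and saving a field on the dashboard keeps the new value and
    unlinks the field so later syncs do not overwrite it."""
    card.fields[key] = value
    card.linked.discard(key)
    return card


def unlock(card, key):
    """Removing a lock lets the owner edit the field and unlinks it too."""
    card.locked.discard(key)
    card.linked.discard(key)
    return card


# Constructed SCIM User as Azure AD would POST it with the mapping from this guide.
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE_EXT],
    "userName": "ada@example.com",
    "active": True,
    "name": {"givenName": "Ada", "familyName": "Lovelace"},
    "title": "Marketing Manager",
    "phoneNumbers": [
        {"type": "work", "value": "+1 555 0100"},
        {"type": "mobile", "value": "+1 555 0101"},
    ],
    ENTERPRISE_EXT: {"organization": "Blinq", "department": "Marketing"},
}

if __name__ == "__main__":
    card = provision(SAMPLE_USER)
    admin_edit(card, "job_title", "Head of Marketing")
    resync(card, {**SAMPLE_USER, "title": "Director"})
    print(card.fields["job_title"], card.active)  # edited value survives the resync
```

The constant-time comparison and the "inactive, not deleted" handling are the two points a practitioner reviewing a SCIM endpoint would want to see; the rest follows the guide's stated behaviour for locked and linked fields.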
You made it. We know this was a lot to digest so if you have any questions that aren't addressed in the FAQ below please email us at email@example.com.
What happens if the admin who set up the initial SCIM token is no longer admin or their account was deactivated?
If the original admin who created the SCIM provisioning token on your workspace was deactivated, SCIM will no longer work on your account. In order to reactivate SCIM, the current admin of the workspace can generate a new token and enter it into the provisioning details of your Azure application.