SCIM is a technology that enables automatic provisioning in combination with an identity manager like Azure Entra ID. The benefit is that you can automate the creation and deactivation of user accounts in Workpath, which reduces manual work and is beneficial to security.
This article assumes that:
- Your organization uses Azure Entra ID.
- You have talked to your Client Success Manager at Workpath to activate the SCIM feature.
Step 1: Create SCIM application in Workpath
- Log in to Workpath as an admin
- Navigate to Organization Settings → Integrations, and click on "SCIM"
- Give the SCIM application a name, for example the name of the identity provider, such as "Entra ID"
- Choose whether to automatically send invitation emails to new users. These emails contain a link to the login page, as well as to the Workpath support center.
- Once the SCIM application is created, you will see a URL and token, which will become relevant in the next step.
Step 2: Configure Automatic Provisioning in Azure Entra ID
ⓘ This flow shows the setup of an Enterprise application from scratch. The Workpath application on the Azure Marketplace has not yet been updated to reflect support for Automatic Provisioning.
- Log into the Azure portal as a user with permissions to manage Enterprise applications
- Navigate to Enterprise applications
- Click "+ New application"
- Click "+ Create your own application"
- Fill in information in the following form, select "Integrate any other application you don't find in the gallery (Non-gallery)", and click "Create"
- You should see your application overview page at this step
- Navigate to the "Provisioning" section, then under "Manage", click "Provisioning"
- Select "Automatic" provisioning mode
- Fill in the admin credentials which you created in Workpath in the previous step
- Test the connection and save it
- Navigate to "Mappings"
- Navigate to "Provision Microsoft Entra ID Groups", and disable this option – it is not supported by Workpath right now. Click "Save" at the top
- Navigate to "Provision Microsoft Entra ID Users", and enter the following attributes:
| customappsso Attribute | Microsoft Entra ID Attribute |
|---|---|
| userName | userPrincipalName |
| active | Switch([IsSoftDeleted], , "False", "True", "True", "False") |
| title | jobTitle |
| name.givenName | givenName |
| name.familyName | surname |
| externalId | employeeId |
| locale | en as default value in case Preferred Language is empty |
| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department | department |
| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager | manager |
⚠ If you have already configured SAML with Workpath, make sure that your choice of userName and externalId matches the name ID and email attributes you send.
Your application should now be ready to use! From the Overview page, click Restart provisioning. It generally takes up to 45 minutes for the first changes to be visible in Workpath.
Step 3 (Optional): Assign Roles
The following roles can be automatically assigned in Workpath:
- analyst
- super_admin
- program_lead
- coach
- viewer
If no role is assigned, the default role (regular user) is assumed.
If you send one of these strings as the "roles" SCIM attribute, Workpath will automatically assign that role. There are different ways to achieve this; we recommend using Entra app roles:
- Create Entra groups (type: Security) for the Workpath roles you wish to map via SCIM (one for each role)
- Create app roles with a display name and value exactly equal to one of the role names above
  - Navigate to App registrations
  - Search for your SCIM app
  - On the left navigation panel, click App roles
  - Click + Create app role
  - Fill in the information with
    - Display Name: viewer (mandatory and must exactly match a role name from the list above)
    - Allowed member types: Users/Groups
    - Value: viewer (mandatory and must exactly match the display name)
    - Description: Workpath Viewer Role
  - Click the Apply button – you should now see the newly created role in the list of App roles
- Add the Entra groups and roles to the Workpath Enterprise Application
  - Navigate to Enterprise applications
  - Search for your SCIM app
  - On the left navigation panel, click Users and groups
  - Click + Add user/group
  - Select the group you created in the previous step and click the Select button
  - Select the role and click the Select button
  - You should see a summary view with the Selected Group(s) and Role
  - Click the Assign button
- Create an attribute mapping with these values:
  - Navigate to the Provisioning section under the Enterprise SCIM App
  - Under the section Manage, navigate to Attribute mapping
  - Click Provision Microsoft Entra ID Users
  - Click Show advanced options at the bottom of the page
  - Then click Edit attribute list for customappsso
  - Add a new attribute called roles of type String, and tick the checkbox for Multi-Value?
  - Click Save to return to the Attribute Mapping screen
  - Add New Mapping (located at the bottom of the Attributes list)
    - Mapping Type: Expression
    - Expression: AppRoleAssignments([appRoleAssignments])
    - Target attribute: roles
    - Match objects using this attribute: No
    - Apply this mapping: Always
  - Click OK
- Navigate to the SCIM app overview page, and restart the provisioning
⚠ If you have already configured SAML with Workpath, make sure that the viewer attribute claim is configured to use the same groups as this app role, or omit the viewer attribute altogether.
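
The following is an added example, not code from Workpath or Microsoft. It applies the Step 2 attribute mapping and the Step 3 role names to constructed user records, so you can review what a user would be provisioned as before restarting provisioning. Assumptions: the helper names are hypothetical, the input keys follow the right-hand column of the mapping table (with `preferredLanguage` standing for "Preferred Language"), and roles are represented as a plain list of strings.

```python
# Added example: constructed data, hypothetical helper names.
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
WORKPATH_ROLES = {"analyst", "super_admin", "program_lead", "coach", "viewer"}


def to_scim_user(entra, app_roles):
    """Apply the Step 2 attribute mapping to one Entra user record (a dict)."""
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE],
        "userName": entra["userPrincipalName"],
        # Switch([IsSoftDeleted], , "False", "True", "True", "False"):
        # a soft-deleted Entra user is sent as active=False (deactivation).
        "active": not entra["IsSoftDeleted"],
        "title": entra.get("jobTitle"),
        "name": {"givenName": entra.get("givenName"),
                 "familyName": entra.get("surname")},
        "externalId": entra.get("employeeId"),
        "locale": entra.get("preferredLanguage") or "en",  # default from the table
        ENTERPRISE: {"department": entra.get("department"),
                     "manager": entra.get("manager")},
        "roles": list(app_roles),  # assumed here to be a plain list of strings
    }


def audit(user):
    """Return findings for one mapped user; an empty list means nothing to review."""
    findings = []
    if not user["externalId"]:
        findings.append("externalId empty: employeeId is not set in Entra")
    for role in user["roles"]:
        if role not in WORKPATH_ROLES:  # exact, case-sensitive match
            findings.append(f"role {role!r} is not a Workpath role name")
    if "super_admin" in user["roles"]:
        findings.append("super_admin granted: confirm group membership is intended")
    return findings


# Constructed sample records, not real accounts.
alice = to_scim_user({"userPrincipalName": "alice@example.com", "IsSoftDeleted": False,
                      "givenName": "Alice", "surname": "Ng", "employeeId": "E100",
                      "preferredLanguage": None}, ["Viewer"])
bob = to_scim_user({"userPrincipalName": "bob@example.com", "IsSoftDeleted": True,
                    "givenName": "Bob", "surname": "Roy", "employeeId": None},
                   ["super_admin"])

if __name__ == "__main__":
    for u in (alice, bob):
        print(u["userName"], "active:", u["active"], "locale:", u["locale"], audit(u))
```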