SCIM Integration with Microsoft Entra ID and Okta

The Mist Access Assurance cloud uses OAuth 2.0 to integrate with Microsoft Entra ID (Azure AD) and Okta for user authentication and authorization. System for Cross-domain Identity Management (SCIM) integration improves authorization performance by letting the Access Assurance cloud keep a locally synchronized repository of users and groups, which removes the real-time dependency on the external IdP from the authorization path and reduces latency. Follow these steps to integrate SCIM with Entra ID or Okta.

The Mist Access Assurance cloud integrates with external Identity Providers (IdPs) such as Microsoft Entra ID (Azure AD) and Okta using OAuth 2.0. With this integration, Mist Access Assurance manages the:

  • Authentication for EAP-TTLS and Admin-Auth

  • Authorization (retrieving user group information) for EAP-TLS, EAP-TTLS, and Admin-Auth through OAuth 2.0 connections to the IdPs

As the authentication and authorization operations involve real-time communication with external IdPs, each control-path call can introduce additional latency, affecting the overall response time for authentication and policy evaluation. It also adds a potential bottleneck and failure domain in cases where the IdP service is degraded.

To optimize the authorization process, Juniper Mist Access Assurance supports System for Cross-domain Identity Management (SCIM)-based integration with IdPs. A key benefit of SCIM-based integration is reduced latency during the authorization process.

The Mist Access Assurance cloud utilizes SCIM to maintain a locally synchronized repository of user and group information for each customer organization. This repository enables the policy service to assess user group memberships and enforce authorization rules without requiring real-time lookups to the external IdP.

Note:

If the Mist Access Assurance cloud encounters any error while retrieving group mapping from the SCIM data, it automatically reverts to the existing OAuth-based authorization by connecting to the external IdP.

Disabling SCIM will remove all synchronized user and group data and prevent any further synchronization from the IdP.

Prerequisites

Before you integrate SCIM, complete the following tasks:

  1. Integrate Mist Access Assurance with the Microsoft Entra ID or Okta IdP. See Microsoft Entra ID Integration and Okta Integration for detailed instructions.

  2. Ensure that at least one client is onboarded with Mist Access Assurance before proceeding with the SCIM configuration.

  3. Enable SCIM provisioning in the IdP configuration. The SCIM Authentication Token and SCIM Base URL are generated automatically when you enable SCIM provisioning. These parameters are required for synchronizing user and group information from the IdP to Mist Access Assurance. The token is a bearer credential that authorizes writes to your organization's user and group repository, so treat it as a secret: enter it only in the IdP's provisioning configuration and do not share it in tickets or chat.

How to Integrate SCIM with Microsoft Entra ID

To integrate SCIM with Microsoft Entra ID:

Note:

The screenshots from third-party applications are correct at the time of publishing. We have no way to know when or if the screenshots will be accurate at any future time. Please refer to the third-party website for guidance about changes to these screens or the workflows involved.

  1. Sign in to Microsoft Entra Admin Center, navigate to Enterprise applications, and then click New application.
  2. Click Create your own application. Enter a name for the application and click Create.
  3. After the application is created, navigate to Provisioning under the Manage section and click New Configuration.
  4. Enter the following details from the Mist Access Assurance IdP configuration:
    • Tenant URL—SCIM Base URL

    • Secret Token—SCIM Authentication Token

    Click Test Connection and verify that the test is successful. Then, click Create.

  5. Select Users and groups under Manage, and click Add user/group to assign groups for provisioning.
  6. Add the groups that need to be provisioned on the Mist Access Assurance cloud.
  7. Click Start Provisioning.
    Note: The provisioning interval in Microsoft Entra ID is approximately 40 minutes. You must wait for the next sync cycle to verify the provisioning status.
  8. Verify that the provisioning status shows as Completed in Entra ID after the 40-minute provisioning interval. The setup for SCIM provisioning with Entra ID is now complete.

How to Integrate SCIM with Okta

To integrate SCIM with Okta:

Note:

Some of the screenshots included in this topic are sourced from third-party applications. Be aware that these screenshots might change over time and might not always match the current version of the applications.

  1. Log in to the Okta Admin Console and navigate to Applications > Create App Integration.
  2. Select the Sign-in method as SWA - Secure Web Authentication and click Next.
  3. Enter a name for the application and specify the login page URL for the app. Select the options for App Visibility and App Type, then click Finish.
  4. Switch to the General tab and click Edit Settings. Set the Provisioning Type as SCIM and click Save.
  5. In the Provisioning tab:
    1. Enter the following details:

      • SCIM Connector Base URL—SCIM Base URL from the IdP configuration
      • Unique Identifier Field for Users—userName
      • Authentication Mode—HTTP header
      • Authorization—SCIM Authentication Token from the IdP configuration

    2. Enable the Push New Users, Push Profile Updates, and Push Groups checkboxes.

    3. Click Test Connector Configuration. If you see a success message, click Save.

  6. In the Provisioning Settings tab, enable the first three provisioning options and click Save.
    • Create Users

    • Update User Attributes

    • Deactivate Users

  7. Select the Assignments tab and select Assign > Assign to Groups. Select and assign the groups that need to be provisioned on Mist Access Assurance.
  8. Navigate to the Push Groups tab and click Push Groups > Find groups by name. Push all the required groups for provisioning.

    Verify that the Push Status shows as Active. The setup for SCIM provisioning with Okta IdP is now complete.
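The following Python model is added here as an illustration; it is not Mist Access Assurance code and does not describe the internals of the Mist cloud. It shows the SCIM 2.0 (RFC 7643/7644) messages that the Entra ID and Okta provisioning engines send to the SCIM Base URL during the procedures above (the Test Connection probe, user creation, group push and member add/remove, user deactivation), the bearer-token check that both IdPs' "Secret Token" / "HTTP header" settings rely on, and the repository-first, OAuth-fallback group lookup described in the note at the start of this topic. The endpoint paths and message shapes are the standard ones from the RFCs; the token value, user and group names, the in-memory store and the `oauth_lookup` stand-in are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

# Constructed value. In a real deployment this is the SCIM Authentication Token
# generated when SCIM provisioning is enabled in the Mist IdP configuration.
SCIM_TOKEN = "example-scim-token"


class ScimRepository:
    """In-memory stand-in (hypothetical) for the per-organization user/group
    repository that the IdP populates over SCIM."""

    def __init__(self):
        self.users = {}   # id -> {"userName": str, "active": bool}
        self.groups = {}  # id -> {"displayName": str, "members": set of user ids}
        self._seq = 0

    def _new_id(self):
        self._seq += 1
        return f"{self._seq:04d}"

    def handle(self, method, url, headers, body=None):
        """Serve one request as the IdP's provisioning engine sends it to the
        SCIM Base URL; returns (HTTP status, JSON-style body)."""
        # Entra's "Secret Token" and Okta's "HTTP header" mode both arrive as a
        # bearer credential. Reject before touching any resource.
        if headers.get("Authorization") != f"Bearer {SCIM_TOKEN}":
            return 401, {"schemas": [ERROR_SCHEMA], "status": "401", "detail": "invalid token"}
        parts = urlsplit(url)
        segs = parts.path.strip("/").split("/")   # "/Groups/0003" -> ["Groups", "0003"]
        resource, rid = segs[0], (segs[1] if len(segs) > 1 else None)

        if method == "GET" and resource == "Users" and rid is None:
            # "Test Connection" / "Test Connector Configuration" probe with a
            # userName filter; an empty ListResponse is a successful answer.
            flt = parse_qs(parts.query).get("filter", [""])[0]
            m = re.fullmatch(r'userName eq "([^"]*)"', flt)
            hits = [{"id": i, **u} for i, u in self.users.items()
                    if m is None or u["userName"] == m.group(1)]
            return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(hits), "Resources": hits}
        if method == "POST" and resource == "Users":            # Create Users / Push New Users
            uid = self._new_id()
            self.users[uid] = {"userName": body["userName"], "active": bool(body.get("active", True))}
            return 201, {"id": uid, **self.users[uid]}
        if method == "POST" and resource == "Groups":           # Push Groups / group assignment
            gid = self._new_id()
            self.groups[gid] = {"displayName": body["displayName"],
                                "members": {m["value"] for m in body.get("members", [])}}
            return 201, {"id": gid, "displayName": body["displayName"]}
        if method == "PATCH" and resource in ("Users", "Groups") and rid:
            return self._patch(resource, rid, body)
        return 404, {"schemas": [ERROR_SCHEMA], "status": "404"}

    def _patch(self, resource, rid, body):
        store = self.users if resource == "Users" else self.groups
        if rid not in store:
            return 404, {"schemas": [ERROR_SCHEMA], "status": "404"}
        if PATCH_SCHEMA not in body.get("schemas", []):
            return 400, {"schemas": [ERROR_SCHEMA], "status": "400", "scimType": "invalidSyntax"}
        obj = store[rid]
        for op in body["Operations"]:
            kind, path, value = op["op"].lower(), op.get("path", ""), op.get("value")
            if resource == "Groups" and path.startswith("members"):
                # Membership changes are add/remove on "members"; removals use a
                # filter path such as members[value eq "0001"].
                sel = re.fullmatch(r'members\[value eq "([^"]*)"\]', path)
                if kind == "remove" and sel:
                    obj["members"].discard(sel.group(1))
                elif kind == "add" and value:
                    obj["members"].update(m["value"] for m in value)
            elif kind == "replace" and path == "active":
                obj["active"] = value in (True, "True", "true")   # Entra: Replace active "False"
            elif kind == "replace" and not path and isinstance(value, dict):
                obj.update(value)                                  # Okta: replace {"active": false}
        return 200, {"id": rid, **{k: v for k, v in obj.items() if k != "members"}}

    def groups_of(self, user_name):
        """Group names for an active user; raises LookupError if unknown or inactive."""
        uid = next((i for i, u in self.users.items()
                    if u["userName"] == user_name and u["active"]), None)
        if uid is None:
            raise LookupError(user_name)
        return sorted(g["displayName"] for g in self.groups.values() if uid in g["members"])


def authorize(repo, user_name, oauth_lookup):
    """Policy-time group lookup: local SCIM repository first, OAuth call to the
    IdP only when the SCIM lookup fails. Returns (groups, source) for the event log."""
    try:
        return repo.groups_of(user_name), "scim"
    except Exception:
        return oauth_lookup(user_name), "oauth"


def demo():
    """Constructed provisioning sequence followed by three authorization lookups."""
    hdr = {"Authorization": f"Bearer {SCIM_TOKEN}", "Content-Type": "application/scim+json"}
    repo = ScimRepository()
    probe_status, probe = repo.handle("GET", '/Users?filter=userName eq "nobody@example.com"', hdr)
    bad_token_status, _ = repo.handle("GET", "/Users", {"Authorization": "Bearer wrong"})
    _, alice = repo.handle("POST", "/Users", hdr, {"userName": "alice@example.com"})
    _, bob = repo.handle("POST", "/Users", hdr, {"userName": "bob@example.com"})
    _, grp = repo.handle("POST", "/Groups", hdr,
                         {"displayName": "wifi-staff", "members": [{"value": bob["id"]}]})
    repo.handle("PATCH", f"/Groups/{grp['id']}", hdr, {"schemas": [PATCH_SCHEMA], "Operations": [
        {"op": "Add", "path": "members", "value": [{"value": alice["id"]}]},
        {"op": "Remove", "path": f'members[value eq "{bob["id"]}"]'}]})
    repo.handle("PATCH", f"/Users/{bob['id']}", hdr, {"schemas": [PATCH_SCHEMA], "Operations": [
        {"op": "Replace", "path": "active", "value": "False"}]})          # Deactivate Users
    oauth_stub = lambda name: ["group-from-idp"]   # stand-in for the real-time OAuth lookup
    return {
        "probe": (probe_status, probe["totalResults"]),
        "bad_token": bad_token_status,
        "bob_active": repo.users[bob["id"]]["active"],
        "alice": authorize(repo, "alice@example.com", oauth_stub),   # served from SCIM data
        "bob": authorize(repo, "bob@example.com", oauth_stub),       # deactivated: falls back
        "carol": authorize(repo, "carol@example.com", oauth_stub),   # never provisioned: falls back
    }
```

Two points worth noting from the model: the Test Connection probe succeeds on an empty repository (a `200` ListResponse with `totalResults: 0`), so a passing test proves only that the URL and token are right, not that any users have synced; and because the fallback triggers on any lookup error, a user who is deactivated or simply not yet pushed is still authorized through the slower OAuth path, which is why the event description's "source of group information" is the thing to check after the first sync cycle.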

Client Connection and Verification

When a client is connected, you'll see the client events on the Insights page on the Mist portal. In the following examples, clients were connected using both EAP-TLS and EAP-TTLS authentication methods. In both cases, the authorization (that is, user group retrieval and mapping) was performed through the Mist Access Assurance SCIM database. This behavior can be verified in the event description, where the source of group information is shown as the SCIM repository.

Example 1: Client connected using EAP-TLS authentication

Example 2: Client connected using EAP-TTLS authentication