Articles in this section

See more

Configuring Hoxhunt Azure AD non-gallery app for SCIM

NOTE: Automatic user provisioning can now be configured with Hoxhunt Azure AD Gallery App.

Please use following instructions in new implementations: https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/hoxhunt-provisioning-tutorial

 

Overview

This page will contain instructions on how to create a non-gallery application for Hoxhunt in Azure AD and how to configure Automated User Federation feature in the application. This document should be enough in most cases to enable the feature, but you can always contact Hoxhunt Support (support@hoxhunt.com) for more information.

Glossary

Authentication Token: A private key that is used to enable Automated User Federation to Hoxhunt in Azure AD. You will receive this key from Hoxhunt Support.

SCIM: System for Cross-Domain Identity Management. A protocol (“language”) that Azure AD and Hoxhunt use to communicate Automated User Federation to each other. Commonly referred to as “SCIM integration”.

SCIM Endpoint URL: URL or endpoint through which the AD can communicate to Hoxhunt via SCIM integration. You will receive this URL from Hoxhunt Support.

 

Creating Hoxhunt application in Azure AD

In this document we will go over the process of creating a new enterprise application.

1.pngStep 1: Open “Enterprise applications” view in Azure AD admin center and click “New application”.

 

2.pngStep 2: Create non-gallery application.

 
 
3.png
Step 3: Fill in the application name and press “Add” to create the new non-gallery application. Creating new application might take some time.

 

4_new.png
Step 4: Once the application is created, you will be directed to the application overview page. Please do the following:

  • Open the “Provisioning” page and set “Provisioning Mode” to “Automatic”. After that you will see the options below.

  • Enter SCIM Endpoint URL and Authentication Token you have received from Hoxhunt Support into “Admin Credentials”.

  • After filling the credentials in, press “Test Connection” button. If everything is working properly, you will see a notification in top-right corner informing you that the connection is working.

  • Click “Save” button in the top part of the page.

5_2.png
After pressing “Test Connection” button, you should see this notification in top-right corner of your browser window.

 

6_2.png

If you see this notification after pressing “Test Connection” button, please contact Hoxhunt Support.

  • In this notification Azure AD is informing us that the Authentication Token is unauthorized to connect to Hoxhunt. 

 

Validate application configuration

Before we activate Automated User Federation, we must verify that application configuration is properly set. Currently Hoxhunt only supports User federation. New applications in Azure AD have both Users and Groups synchronization on by default, as well as a variety of User attributes not supported by Hoxhunt at this time.

7.pngStep 1: Open Azure AD Groups mapping page by clicking the link “Synchronize Azure Active Directory Groups to customappsso”.

 

8.pngStep 2: Change “Enabled” value to “No” and click “Save”.

 

9.pngStep 3: Open Azure AD Users mapping page by clicking the link “Synchronize Azure Active Directory Users to customappso”.
 
scim_1.PNG
 
Step 4: Please modify your “Attribute Mappings” and “Target Object Actions” to be as in this screenshot.
 
Mandatory mappings are:
userPrincipalName
Switch([IsSoftDeleted], , "False", "True", "True", "False")
givenName
surname
 
NOTE: If “userPrincipalName” and email addresses are not same in your organization, you might need to use “mail” attribute as “Source attribute” instead.
 
scim_3.PNG
 
For non-mandatory attributes you can change the source attribute (Azure Active Directory Attribute) and select the attribute that has data you want to sync. Do not change target attributes (customappsso Attribute).
 

UPDATE 1/4/2021: It is also possible to sync preferredLanguage and user's Site (companyName) to Hoxhunt. You can choose the best fit Azure AD source attribute for Site. 

mceclip0.png

 

 

scim_4.png

Step 4.1: When modifying “Attribute Mappings” you may encounter the attribute “userPrincipalName” mapped to customappsso attribute “userName”.

  • This needs to be changed so that “userPrincipalName” is mapped to “emails[type eq “work”].value”.

  • If you are using mail attribute instead of “userPrincipalName”, change “Source attribute” to “mail”

  • Click the attribute “userPrincipalName” open, so that the right-side bar slides open.

  • Change “Target attribute” to “emails[type eq “work”].value”.

  • Click “Ok” to save the change.

  • Once all of the mappings are done click “Save” button at the top of the screen.

 

12_new.png
Step 5: In the “Provisioning” view check that all changes are performed:

  • “Admin Credentials” and “Mappings” boxes should look identical to the screenshot.

  • Check that “Provisioning Status” is toggled to “On” and that “Scope” has value “Sync only assigned users and groups”.

  • Once everything is set, click “Save” in the top part of the screen. This will begin Automated User Federation from AD to Hoxhunt.

  • Please note that only assigned Users will be federated to Hoxhunt. You may assign Groups to the application, in which case only the Users in these Groups will be automatically provisioned to Hoxhunt. 

 

Assigning users to Hoxhunt application

Before the Automated User Federation starts to work, users need to be assigned to the application.

13.pngStep 1: Open “Users and groups” page.

  • Click “Add user” button.

 14_2.pngStep 2: Click “Users and groups” open.

  • Search for the users or groups you wish to assign.

  • Click users and/or groups you wish to assign - they will show as “Selected items”.

  • Finally, click “Select” button.

 

15_2.png

Step 3: Click “Assign”.

  • You should be directed back to application overview page.

  • You should also see a notification in top-right corner of the page indicating that user and/or group assignment was successful.

16_2.png
Figure 1: If user and/or group assignment was successful, you will see this notification.
 
NOTE! Group-based assignment requires Azure Active Directory Premium P1 or P2 edition. Group-based assignment is supported for Security groups only. Nested group memberships and Microsoft 365 groups are not currently supported. (https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal)
 

Verifying integration

On after setup you should be able to see from provisioning logs what is happening. On error cases please contact us as soon as possible.

It can take up to 40 minutes before Azure AD starts the provisioning, so there might not be any logs before that.

17.pngFigure 1: View provisioning logs page by clicking “View provisioning logs”.
 
 
18.pngFigure 2: You can scroll and search through all past provisioning events in this view.
Was this article helpful?
7 out of 7 found this helpful
Return to top

Related articles