Configuring Hoxhunt Azure AD non-gallery app for SCIM – Hoxhunt

NOTE: Automatic user provisioning can now be configured with Hoxhunt Azure AD Gallery App.

Please use following instructions in new implementations: https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/hoxhunt-provisioning-tutorial

Overview

This page will contain instructions on how to create a non-gallery application for Hoxhunt in Azure AD and how to configure Automated User Federation feature in the application. This document should be enough in most cases to enable the feature, but you can always contact Hoxhunt Support (support@hoxhunt.com) for more information.

Glossary
Creating Hoxhunt application in Azure AD
Validate application configuration
Assigning users to Hoxhunt application
Verifying integration

Glossary

Authentication Token: A private key that is used to enable Automated User Federation to Hoxhunt in Azure AD. You will receive this key from Hoxhunt Support.

SCIM: System for Cross-Domain Identity Management. A protocol (“language”) that Azure AD and Hoxhunt use to communicate Automated User Federation to each other. Commonly referred to as “SCIM integration”.

SCIM Endpoint URL: URL or endpoint through which the AD can communicate to Hoxhunt via SCIM integration. You will receive this URL from Hoxhunt Support.

Creating Hoxhunt application in Azure AD

In this document we will go over the process of creating a new enterprise application.

Step 1: Open “Enterprise applications” view in Azure AD admin center and click “New application”.

Step 2: Create non-gallery application.

Step 3: Fill in the application name and press “Add” to create the new non-gallery application. Creating new application might take some time.

Step 4: Once the application is created, you will be directed to the application overview page. Please do the following:

Open the “Provisioning” page and set “Provisioning Mode” to “Automatic”. After that you will see the options below.
Enter SCIM Endpoint URL and Authentication Token you have received from Hoxhunt Support into “Admin Credentials”.
After filling the credentials in, press “Test Connection” button. If everything is working properly, you will see a notification in top-right corner informing you that the connection is working.
Click “Save” button in the top part of the page.

After pressing “Test Connection” button, you should see this notification in top-right corner of your browser window.

If you see this notification after pressing “Test Connection” button, please contact Hoxhunt Support.

In this notification Azure AD is informing us that the Authentication Token is unauthorized to connect to Hoxhunt.

Validate application configuration

Before we activate Automated User Federation, we must verify that application configuration is properly set. Currently Hoxhunt only supports User federation. New applications in Azure AD have both Users and Groups synchronization on by default, as well as a variety of User attributes not supported by Hoxhunt at this time.

Step 1: Open Azure AD Groups mapping page by clicking the link “Synchronize Azure Active Directory Groups to customappsso”.

Step 2: Change “Enabled” value to “No” and click “Save”.

Step 3: Open Azure AD Users mapping page by clicking the link “Synchronize Azure Active Directory Users to customappso”.

Step 4: Please modify your “Attribute Mappings” and “Target Object Actions” to be exactly as in this screenshot.

NOTE: If “userPrincipalName” and email addresses are not same in your organization, you might need to use “mail” attribute as “Source attribute” instead.

If you need to add, remove or modify any attributes, please reach out to Hoxhunt Support.

Step 4.1: When modifying “Attribute Mappings” you may encounter the attribute “userPrincipalName” mapped to customappsso attribute “userName”.

This needs to be changed so that “userPrincipalName” is mapped to “emails[type eq “work”].value”.
If you are using mail attribute instead of “userPrincipalName”, change “Source attribute” to “mail”
Click the attribute “userPrincipalName” open, so that the right-side bar slides open.
Change “Target attribute” to “emails[type eq “work”].value”.
Click “Ok” to save the change.
Once all of the mappings are done click “Save” button at the top of the screen.

Step 5: In the “Provisioning” view check that all changes are performed:

“Admin Credentials” and “Mappings” boxes should look identical to the screenshot.
Check that “Provisioning Status” is toggled to “On” and that “Scope” has value “Sync only assigned users and groups”.
Once everything is set, click “Save” in the top part of the screen. This will begin Automated User Federation from AD to Hoxhunt.
Please note that only assigned Users will be federated to Hoxhunt. You may assign Groups to the application, in which case only the Users in these Groups will be automatically provisioned to Hoxhunt.

Assigning users to Hoxhunt application

Before the Automated User Federation starts to work, users need to be assigned to the application.

Step 1: Open “Users and groups” page.

Click “Add user” button.

Step 2: Click “Users and groups” open.

Search for the users or groups you wish to assign.
Click users and/or groups you wish to assign - they will show as “Selected items”.
Finally, click “Select” button.

Step 3: Click “Assign”.

You should be directed back to application overview page.
You should also see a notification in top-right corner of the page indicating that user and/or group assignment was successful.

Figure 1: If user and/or group assignment was successful, you will see this notification.

NOTE! Group-based assignment requires Azure Active Directory Premium P1 or P2 edition. Group-based assignment is supported for Security groups only. Nested group memberships and Microsoft 365 groups are not currently supported. (https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal)

Verifying integration

On after setup you should be able to see from provisioning logs what is happening. On error cases please contact us as soon as possible.

It can take up to 40 minutes before Azure AD starts the provisioning, so there might not be any logs before that.

Figure 1: View provisioning logs page by clicking “View provisioning logs”.

Figure 2: You can scroll and search through all past provisioning events in this view.

Initial provisioning may take up to 40 minutes, so you may not see any logs here right after enabling integration.

Articles in this section