NOTE: Automatic user provisioning can now be configured with the Hoxhunt Azure AD Gallery App.
Please use the following instructions for new implementations: https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/hoxhunt-provisioning-tutorial
This page contains instructions on how to create a non-gallery application for Hoxhunt in Azure AD and how to configure the Automated User Federation feature in the application. This document should be enough in most cases to enable the feature, but you can always contact Hoxhunt Support (firstname.lastname@example.org) for more information.
- Creating Hoxhunt application in Azure AD
- Validate application configuration
- Assigning users to Hoxhunt application
- Verifying integration
Authentication Token: A private key that is used to enable Automated User Federation to Hoxhunt in Azure AD. You will receive this key from Hoxhunt Support.
SCIM: System for Cross-Domain Identity Management. A protocol (“language”) that Azure AD and Hoxhunt use to communicate with each other for Automated User Federation. Commonly referred to as “SCIM integration”.
SCIM Endpoint URL: The URL or endpoint through which Azure AD communicates with Hoxhunt via the SCIM integration. You will receive this URL from Hoxhunt Support.
Creating Hoxhunt application in Azure AD
In this document we will go over the process of creating a new enterprise application.
Step 1: Open “Enterprise applications” view in Azure AD admin center and click “New application”.
Step 2: Create non-gallery application.
Open the “Provisioning” page and set “Provisioning Mode” to “Automatic”. After that you will see the options below.
Enter the SCIM Endpoint URL and Authentication Token you have received from Hoxhunt Support into “Admin Credentials”.
After filling in the credentials, press the “Test Connection” button. If everything is working properly, you will see a notification in the top-right corner informing you that the connection is working.
Click the “Save” button in the top part of the page.
If you see this notification after pressing “Test Connection” button, please contact Hoxhunt Support.
In this notification Azure AD is informing us that the Authentication Token is unauthorized to connect to Hoxhunt.
Validate application configuration
Before we activate Automated User Federation, we must verify that the application configuration is properly set. Currently Hoxhunt only supports User federation. New applications in Azure AD have both Users and Groups synchronization on by default, as well as a variety of User attributes not supported by Hoxhunt at this time.
NOTE: If “userPrincipalName” and email addresses are not the same in your organization, you might need to use the “mail” attribute as “Source attribute” instead.
If you need to add, remove or modify any attributes, please reach out to Hoxhunt Support.
Step 4.1: When modifying “Attribute Mappings” you may encounter the attribute “userPrincipalName” mapped to the customappsso attribute “userName”.
This needs to be changed so that “userPrincipalName” is mapped to emails[type eq "work"].value (the quotes around work are plain straight quotes).
If you are using the “mail” attribute instead of “userPrincipalName”, change “Source attribute” to “mail”.
Click the “userPrincipalName” attribute to open it, so that the right-side bar slides open.
Change “Target attribute” to emails[type eq "work"].value.
Click “Ok” to save the change.
Once all of the mappings are done, click the “Save” button at the top of the screen.
“Admin Credentials” and “Mappings” boxes should look identical to the screenshot.
Check that “Provisioning Status” is toggled to “On” and that “Scope” has value “Sync only assigned users and groups”.
Once everything is set, click “Save” in the top part of the screen. This will begin Automated User Federation from AD to Hoxhunt.
Please note that only assigned Users will be federated to Hoxhunt. You may assign Groups to the application, in which case only the Users in these Groups will be automatically provisioned to Hoxhunt.
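The effect of the Step 4.1 mapping change on the user data that gets provisioned, as an added example that is not part of the original instructions and not Hoxhunt or Microsoft code. It assumes the standard SCIM 2.0 core User layout; the function names and the sample user are constructed for illustration, and the exact requests Azure AD sends are not shown on this page.

```python
import re

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
# Filtered target path, e.g. emails[type eq "work"].value (straight quotes only).
FILTERED_PATH = re.compile(r'^(\w+)\[(\w+) eq "([^"]+)"\]\.(\w+)$')

# Constructed sample directory user whose UPN and mailbox address differ.
SAMPLE_USER = {
    "userPrincipalName": "jdoe@corp.example.com",
    "mail": "jane.doe@example.com",
}

DEFAULT_MAPPING = [("userPrincipalName", "userName")]
UPN_MAPPING = [("userPrincipalName", 'emails[type eq "work"].value')]
MAIL_MAPPING = [("mail", 'emails[type eq "work"].value')]


def set_target(resource, target, value):
    """Write value into a SCIM resource at a plain or filtered target path."""
    match = FILTERED_PATH.match(target)
    if match is None:
        if not re.fullmatch(r"\w+", target):
            raise ValueError(f"unsupported target attribute: {target!r}")
        resource[target] = value
        return
    attr, key, wanted, sub = match.groups()
    entries = resource.setdefault(attr, [])
    for entry in entries:
        if entry.get(key) == wanted:  # update the existing "work" entry
            entry[sub] = value
            return
    entries.append({key: wanted, sub: value})


def build_scim_user(source, mappings):
    """Apply (source attribute, target attribute) pairs to one directory user."""
    user = {"schemas": [SCIM_USER_SCHEMA]}
    for source_attr, target in mappings:
        value = source.get(source_attr)
        if value:  # an empty source attribute produces no target attribute
            set_target(user, target, value)
    return user


if __name__ == "__main__":
    for name, mapping in [("default", DEFAULT_MAPPING), ("upn", UPN_MAPPING),
                          ("mail", MAIL_MAPPING)]:
        print(name, build_scim_user(SAMPLE_USER, mapping))
```

With the default mapping the address lands in “userName” and no work email is produced; with the “mail” source attribute the work email is the mailbox address rather than the UPN. A target attribute typed with curly quotes is rejected by this model's path parser.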
Assigning users to Hoxhunt application
Before the Automated User Federation starts to work, users need to be assigned to the application.
Click the “Add user” button.
Step 2: Click “Users and groups” open.
Search for the users or groups you wish to assign.
Click the users and/or groups you wish to assign - they will show as “Selected items”.
Finally, click the “Select” button.
You should be directed back to the application overview page.
You should also see a notification in the top-right corner of the page indicating that the user and/or group assignment was successful.
After setup, you should be able to see what is happening from the provisioning logs. In case of errors, please contact us as soon as possible.
It can take up to 40 minutes before Azure AD starts the provisioning, so there might not be any logs before that.
Initial provisioning may take up to 40 minutes, so you may not see any logs here right after enabling integration.