fisx
left a comment
i have some comments, but once you've processed those this should be good to go! 👍
| **IMPORTANT!** If you do set up a SCIM token within Wire Team Settings for your team, Ad-hoc/JIT SSO provisioning will be disabled and the users assigned to your Enterprise Application will not be able to login untill you provision them via SCIM! | ||
|
|
||
| To fix this, We are going to configure Entra ID to configure your users in wire ahead of time, using the SCIM protocol. | ||
| ## How to set up SCIM auto-provisioning with Microsoft Entra ID |
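Review bot: typo in the IMPORTANT callout: "untill" should be "until". The sentence that follows also needs a cleanup: "To fix this, We are going to configure Entra ID to configure your users in wire ahead of time" has a mid-sentence capital "We", a lowercase "wire" (the product is written "Wire" in the callout just above), and "configure ... to configure"; suggest "To fix this, we are going to configure Entra ID to provision your users in Wire ahead of time, using the SCIM protocol."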
there are two types of user provisioning: scim and saml (auto). scim auto sounds weird to me (but i don't think it'll do much harm).
(earlier this document reads "ad-hoc / jit provisioned", which i like better. should have thought of that when i wrote all the code and the docs!)
| * There will be one 'Required claim', for the 'Unique User Identifier(NameID)'. Click on it to edit it. | ||
| * Change the Name identifier format to 'Unspecified'. | ||
| * Change the Source attribute to user.objectid. | ||
| * click on 'Save' |
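Review bot: the last bullet, "* click on 'Save'", is the only one in this list that starts lowercase and has no trailing period; suggest "* Click on 'Save'." to match the three bullets above it.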
this looks ok to me 👍
(historically, we've used NameID to carry the email because we had no support for saml2 attributes, but today we should just use scim or ldap and set the email there.)
| Each user you add at this point can be Ad-hoc/JIT provisioned via SSO, when they login for the first time. | ||
|
|
||
| After the above setup, you will have Single-Sign-On for all of the users you add to this application. This will come with auto-provisioning, which uses the details from Entra ID to create a wire account automatically, after the user logs in. | ||
| If you want more control over provisioning users, you can follow the rest of this documentation on how to set up SCIM auto-provisioning. |
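Review bot: "create a wire account" should read "create a Wire account" to match how the product name is written elsewhere in this document, and "Single-Sign-On" is conventionally spelled "Single Sign-On" (hyphen only between Sign and On).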
if you want to set emails, you need to provision via scim, saml jit-provisioning doesn't support attributes. also, i've been lobbying without much success for sunsetting saml jit-provisioning, it's ugly and weird (not only with emails) and doesn't force team admins to delete users manually from the team.
| * displayName - user display name in Wire, example User Usersky | ||
| * externalId - user UUID, very important as this needs to remain constant for a user | ||
| * active - is the user enabled/active | ||
| * roles - user permissions in Wire team (Owner, Administrator, Member, External) |
|
|
||
| You are now editing the mapping for the externalId that SSO and Wire agree on. | ||
|
|
||
| * Select the 'objectId' field to match the value we placed in the SSO configuration, and click the 'OK' button at the bottom of the page. |
we removed objectID logic here?