Azure authorization for SCIM

Collibra supports only basic and bearer token authentication with JWT.

The following table summarizes acquiring and using JWT in Collibra REST API requests.

Process

Steps
Initial setup
  1. Create a client credential account with a secret in your IdP.
  2. Determine the JSON Web Key Set (JWKS) endpoint URL for your IdP.
  3. Register the JWKS endpoint with Collibra.
  4. Create a user in Collibra for your client application account.

    Provide a meaningful first and last name to identify that this is a service account.
When your application starts
  1. Authenticate your client application with your IdP.
  2. Save the returned access token for use in REST API calls.
When your application calls the Collibra REST APIs
  1. Include the JWT token in the authorization HTTP header as a bearer token.
  2. If the API call responds with unauthorized, the access token or JWKS credentials may have expired. Re-authenticate and retry the request.

Obtain the client secret

  1. Sign in to your Azure portal.
  2. Search for and select Azure Active Directory.
  3. In the Manage section of the Directory page, select App registrationsNew registration.
  4. On the Register an application page, enter the required information:
    • Name: The name of your application.
    • Supported account types: Select Accounts in this organizational directory only (Single tenant).
  5. Click Register.
  6. In the Manage section of your application page, select Certificates & secretsClient secrets.
  7. Click New client secret.
  8. In the Add a client secret dialog box, enter the required information:
    • Description: The description of your client secret.
    • Expires: Select an expiry period.
  9. Click Add.

    Your new secret is generated and added to the Client secrets list.

  10. Copy the Value of your secret for future use.

Obtain the client and tenant IDs

  1. Sign in to your Azure portal.
  2. Search for and select Azure Active Directory.
  3. In the Manage section of the Directory page, select App registrations → your application.
  4. In the Overview section, copy the Application (client) ID and Directory (tenant) ID values for future use.

Obtain the jwks_uri parameter

  1. Request a verbose output from https://login.microsoftonline.com/<tenant_id>/.well-known/openid-configuration.
  2. From the JSON response, copy the jwks_uri value for future use.

Obtain the typ, iss, sub, and aud parameters

  1. Send a POST request to the https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token endpoint using your tenant ID, client ID, and client secret:
    • Windows, Postman, Powershell
    • Linux, Mac
    curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
  https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token \
  -d 'client_id=<client_id>' \
  -d 'grant_type=client_credentials' \
  -d 'scope=2ff814a6-3304-4ab8-85cb-cd0e6f879c1d/.default' \
  -d 'client_secret=<client_secret>'
    curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
  https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token \
  -d 'client_id=<client_id>' \
  -d 'grant_type=client_credentials' \
  -d 'scope=2ff814a6-3304-4ab8-85cb-cd0e6f879c1d%2F.default' \
  -d 'client_secret=<client_secret>'
  2. From the response, copy the access token.
  3. Decode the JWT with an application such as JWT.io.
  4. Copy the typ, iss, sub, and aud parameters for future use.

Register the JWKS endpoint with Collibra

Follow the instructions to Register the JWKS endpoint with Collibra and use the following values:

Collibra Console field Value
JSON Web Key Set URL The jwks_uri from the verbose output.
JWT Token Types The typ parameter from the decoded JWT.
JWT Issuer The iss parameter from the decoded JWT.
JWT Audience The aud parameter from the decoded JWT.

Create a user in Collibra

Follow the instructions to Create a user in Collibra for your client application account:

User details Value
Username The sub parameter from the decoded JWT.
User groups Assign the user to a group that has elevated permissions such as Sysadmin or one that has similar permissions.

Create a SCIM application

Create a new SCIM application and authenticate with Collibra:

  1. Sign in to your Azure portal.
  2. Search for and select Azure Active Directory.
  3. In the Manage section of the Directory page, select Enterprise applicationsNew registration.
  4. Click on “Create your own application” button and provide the application name in the input field, then click on “Create” button
  5. On the Browse Azure AD Gallery page, click Create your own application and enter the required information:
    • What's the name of your app?: The name of your application.
    • What are you looking to do with your application?: Select Integrate any other application you don't find in the gallery (Non-gallery).
  6. Click Create.

    Your newly created application appears in the list of Enterprise applications.

  7. From the list of applications, select your new application → Provisioning.
  8. On the Provisioning page, in the Manage provisioning section, select Update credentials.
  9. On the Provisioning details page, enter the require information:
    • Provisioning mode: Automatic
    • Admin credentials:
      • Tenant URL: The endpoint of the CollibraSCIM API, for example https://<your_collibra_url>/rest/scim/v2.
      • Secret Token: Your JSON Web Token.
  10. Click Test Connection.

    If your credentials are successfully verified, Azure displays a confirmation message.

  11. Click Save to complete the process.

Map SCIM app attributes

  1. Sign in to your Azure portal.
  2. Search for and select Azure Active Directory.
  3. In the Manage section of the Directory page, select Enterprise applications → your application → Provisioning.
  4. On the Provisioning page, in the Manage provisioning section, select Edit attribute mappings.
  5. On the Provisioning details page, in the Mappings section, click Provision Azure Active Directory Users.
  6. On the Attribute Mapping page, edit or add your desired mappings.

    Collibra supports a limited number of SCIM attributes.

    Azure Active Directory Attributecustomappsso Attribute
    userPrincipalNameuserName
    Switch([IsSoftDeleted],,"False" "True","True","False")active
    Coalesce([mail], [userPrincipalName])emails[type eq "work"].value
    givenNamename.givenName
    surnamename.familyName
    streetAddressaddresses[type eq "work"].streetAddress
    cityaddresses[type eq "work"].locality
    stateaddresses[type eq "work"].region
    postalCodeaddresses[type eq "work"].postalCode
    countryaddresses[type eq "work"].country
    telephoneNumberphoneNumbers[type eq "work"].value
    mobilephoneNumbers[type eq "mobile"].value
    facsimileTelephoneNumberphoneNumbers[type eq "fax"].value
    otherMailsemails[type eq "other"].value
    preferredLanguagelocale
  7. Click Save to complete the process.

Start and stop a provisioning job

Azure access tokens are valid only for one hour and cannot be refreshed due to the Azure AD limitations on token refresh. The workaround to achieve users and groups provisioning and deprovisioning is to start and stop the provisioning job based on your need:

  1. Generate a new client secret.
  2. In the Manage section of the Directory page, select Enterprise applications → your application → Provisioning.
  3. On the Provisioning page, in the Manage provisioning section, select Update credentials.
  4. Click Test Connection.

    If your credentials are successfully verified, Azure displays a confirmation message.

  5. Click Save to complete the process.
  6. Return to the Provisioning page and click Start provisioning to perform the initial synchronization of Collibra users.

    Wait for the process to complete and validate the results in Collibra.

  7. Click Stop provisioning.
  8. Generate a new client secret and update the credentials.
  9. Start the provisioning again when you need to perform another synchronization of users and groups.

Additional resources