Microsoft Entra ID authorization for SCIM

Collibra supports only basic, bearer token authentication with JWT, and OAuth.

The following table summarizes acquiring and using JWT in Collibra REST API requests.

Process

Steps
Initial setup
  1. Create a client credential account with a secret in your IdP.
  2. Determine the JSON Web Key Set (JWKS) endpoint URL for your IdP.
  3. Register the JWKS endpoint with Collibra.
  4. Create a user in Collibra for your client application account.

    Provide a meaningful first and last name to identify that this is a service account.
When your application starts
  1. Authenticate your client application with your IdP.
  2. Save the returned access token for use in REST API calls.
When your application calls the Collibra REST APIs
  1. Include the JWT token in the authorization HTTP header as a bearer token.
  2. If the API call responds with unauthorized, the access token or JWKS credentials may have expired. Re-authenticate and retry the request.

Obtain the client secret

  1. Sign in to your Microsoft Entra admin center.
  2. Select Entra IDApp registrationsNew registration.
  3. On the Register an application page, enter the required information:
    • Name: The name of your application.
    • Supported account types: Select Accounts in this organizational directory only (Single tenant).
  4. Click Register.
  5. In the Manage section of your application page, select Certificates & secretsClient secrets.
  6. Click New client secret.
  7. In the Add a client secret dialog box, enter the required information:
    • Description: The description of your client secret.
    • Expires: Select an expiry period.
  8. Click Add.

    Your new secret is generated and added to the Client secrets list.

  9. Copy the Value of your secret for future use.

Obtain the client and tenant IDs

  1. Sign in to your Microsoft Entra admin center.
  2. Select Entra IDApp registrations → your application.
  3. In the Overview section, copy the Application (client) ID and Directory (tenant) ID values for future use.

Obtain the jwks_uri parameter

  1. Request a verbose output from https://login.microsoftonline.com/<tenant_id>/.well-known/openid-configuration.
  2. From the JSON response, copy the jwks_uri value for future use.

Obtain the typ, iss, sub, and aud parameters

  1. Send a POST request to the https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token endpoint using your tenant ID, client ID, and client secret:
    curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
  https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token \
  -d 'client_id=<client_id>' \
  -d 'grant_type=client_credentials' \
  -d 'scope=2ff814a6-3304-4ab8-85cb-cd0e6f879c1d/.default' \
  -d 'client_secret=<client_secret>'
    curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
  https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token \
  -d 'client_id=<client_id>' \
  -d 'grant_type=client_credentials' \
  -d 'scope=2ff814a6-3304-4ab8-85cb-cd0e6f879c1d%2F.default' \
  -d 'client_secret=<client_secret>'
  2. From the response, copy the access token.
  3. Decode the JWT with an application such as JWT.io.
  4. Copy the typ, iss, sub, and aud parameters for future use.

Register the JWKS endpoint with Collibra

Follow the instructions to Register the JWKS endpoint with Collibra and use the following values:

Collibra Console field Value
JSON Web Key Set URL The jwks_uri from the verbose output.
JWT Token Types The typ parameter from the decoded JWT.
JWT Issuer The iss parameter from the decoded JWT.
JWT Audience The aud parameter from the decoded JWT.

Create a user in Collibra

Follow the instructions to Create a user in Collibra for your client application account:

User details Value
Username The sub parameter from the decoded JWT.
User groups Assign the user to a group that has elevated permissions such as Sysadmin or one that has similar permissions.

Create a SCIM application

Create a new SCIM application and authorize it:

  1. Sign in to your Microsoft Entra admin center.
  2. Select Entra IDEnterprise applications.
  3. Select New applicationCreate your own application.
  4. In the Create your own application dialog box, enter the required information:
    • What's the name of your app?: The name of your application.
    • What are you looking to do with your application?: Select Integrate any other application you don't find in the gallery (Non-gallery).
  5. Click Create.

Your newly created application appears in the list of Enterprise applications.

Authorize your SCIM application

  1. From the list of applications, select your new application → Provisioning.
  2. Select New configuration.
  3. Enter the require information:
    • Provisioning mode: Automatic
    • Admin credentials:
      • Tenant URL: The endpoint of the CollibraSCIM API, for example https://<your_collibra_url>/rest/scim/v2.
      • Secret Token: Your JSON Web Token.
  4. Click Test Connection.

    If your credentials are successfully verified, Microsoft Entra ID displays a confirmation message.

  5. Click Save to complete the process.

Start and stop a provisioning job

Microsoft Entra access tokens are valid only for one hour and cannot be refreshed due to the Entra ID limitations on token refresh. The workaround to achieve users and groups provisioning and deprovisioning is to start and stop the provisioning job based on your need:

  1. Generate a new client secret.
  2. Select Entra IDEnterprise applications → your application → Provisioning.
  3. On the Provisioning page, in the Manage provisioning section, select Update credentials.
  4. Enter the new token.
  5. Click Test Connection.

    If your credentials are successfully verified, Microsoft Entra ID displays a confirmation message.

  6. Click Save to complete the process.
  7. Return to the Provisioning page and click Start provisioning to perform the initial synchronization of Collibra users.

    Wait for the process to complete and validate the results in Collibra.

  8. Click Stop provisioning.
  9. Generate a new client secret and update the credentials.
  10. Start the provisioning again when you need to perform another synchronization of users and groups.

Register an application

To access Collibra public APIs without requiring individual user credentials you must first register your application in Collibra and obtain a client ID and client secret that are required to request an access token. You can register new applications in Cogwheel icon SettingsOAuth ApplicationsManage OAuth:

  1. Click Register New Application

    The Register New Application dialog box appears.

  2. Enter the required information:
    FieldDescription
    Application Type

    Integration: For applications that are developed by you to access and interact with the Collibra public APIs, facilitating integration with our product suite.

    Application NameThe name of you application, used to identify it in the list of registered applications.
  3. Click Register.

    The Registration Confirmation dialog box appears.

  4. Copy and safely store the Client ID and Client Secret.

    This is the only time you are able to see the client secret.

Create a SCIM application

Create a new SCIM application and authorize it:

  1. Sign in to your Microsoft Entra admin center.
  2. Select Entra IDEnterprise applications.
  3. Select New applicationCreate your own application.
  4. In the Create your own application dialog box, enter the required information:
    • What's the name of your app?: The name of your application.
    • What are you looking to do with your application?: Select Integrate any other application you don't find in the gallery (Non-gallery).
  5. Click Create.

Your newly created application appears in the list of Enterprise applications.

Authorize your SCIM application

  1. From the list of applications, select your new application → Provisioning.
  2. Select New configuration.
  3. Enter the require information:
    • Provisioning mode: Automatic
    • Admin credentials:
      • Authentication Method: Select OAuth2 Client Credentials Grant.
      • Tenant URL: The endpoint of the CollibraSCIM API, including the Entra ID optimization flag, for example https://<your_collibra_url>/rest/scim/v2?aadOptscim062020.
      • Token Endpoint: The token endpoint of the Collibra OAuth 2.0 Authorization API: https://<your_collibra_url>/rest/oauth/v2/token.
      • Client Identifier: The URL encoded value of the Client ID of your registered application in Collibra, for example urn%3Asys%3Aenv%3A4a1261cc-5bc0-44c0-9b85-fc4942ae7c58%3Ai%3Aq2724e.
      • Client Secret: The secret that provided by Collibra during the application registration process.
  4. Click Test Connection.

    If your credentials are successfully verified, Microsoft Entra ID displays a confirmation message.

  5. Click Save to complete the process.

Map SCIM app attributes

  1. Sign in to your Microsoft Entra admin center.
  2. Search for and select Entra IDEnterprise applications → your application → Provisioning.
  3. Select MappingsProvision API:Users.
  4. On the Attribute Mapping page, edit or add your desired mappings.

    Collibra supports a limited number of SCIM attributes.

    • User attribute mapping
      Microsoft Entra ID AttributeAPI Attribute
      userPrincipalNameuserName
      Switch([IsSoftDeleted],,"False" "True","True","False")active
      Coalesce([mail], [userPrincipalName])emails[type eq "work"].value
      givenNamename.givenName
      surnamename.familyName
      streetAddressaddresses[type eq "work"].streetAddress
      cityaddresses[type eq "work"].locality
      stateaddresses[type eq "work"].region
      postalCodeaddresses[type eq "work"].postalCode
      countryaddresses[type eq "work"].country
      telephoneNumberphoneNumbers[type eq "work"].value
      mobilephoneNumbers[type eq "mobile"].value
      facsimileTelephoneNumberphoneNumbers[type eq "fax"].value
      otherMailsemails[type eq "other"].value
      preferredLanguagelocale
    • Group attribute mapping
      Microsoft Entra ID AttributeAPI Attribute
      displayNamedisplayName
      membersmembers

      You cannot assign roles to users via SCIM. However, you can manage groups and group membership in your IdP and disable the Groups DGC managed Console configuration option. Following the initial provisioning, your IdP groups are available in Collibra and you can start assigning roles to them.

  5. Click Save to complete the process.

Additional resources