Azure authorization for SCIM

Collibra supports only basic and bearer token authentication with JWT.

The following table summarizes acquiring and using JWT in Collibra REST API requests.

Process	Steps
Initial setup	Create a client credential account with a secret in your IdP. Determine the JSON Web Key Set (JWKS) endpoint URL for your IdP. Register the JWKS endpoint with Collibra. Create a user in Collibra for your client application account. Provide a meaningful first and last name to identify that this is a service account.
When your application starts	Authenticate your client application with your IdP. Save the returned access token for use in REST API calls.
When your application calls the Collibra REST APIs	Include the JWT token in the authorization HTTP header as a bearer token. If the API call responds with unauthorized, the access token or JWKS credentials may have expired. Re-authenticate and retry the request.

Obtain the client secret

Sign in to your Azure portal.
Search for and select Azure Active Directory.
In the Manage section of the Directory page, select App registrations → New registration.
On the Register an application page, enter the required information:
- Name: The name of your application.
- Supported account types: Select Accounts in this organizational directory only (Single tenant).
Click Register.
In the Manage section of your application page, select Certificates & secrets → Client secrets.
Click New client secret.
In the Add a client secret dialog box, enter the required information:
- Description: The description of your client secret.
- Expires: Select an expiry period.
Click Add.
Your new secret is generated and added to the Client secrets list.
Copy the Value of your secret for future use.

Obtain the client and tenant IDs

Sign in to your Azure portal.
Search for and select Azure Active Directory.
In the Manage section of the Directory page, select App registrations → your application.
In the Overview section, copy the Application (client) ID and Directory (tenant) ID values for future use.

Obtain the jwks_uri parameter

Request a verbose output from https://login.microsoftonline.com/<tenant_id>/.well-known/openid-configuration.
From the JSON response, copy the jwks_uri value for future use.

Obtain the typ, iss, sub, and aud parameters

Send a POST request to the https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token endpoint using your tenant ID, client ID, and client secret:

Windows, Postman, Powershell
Linux, Mac

curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
  https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token \
  -d 'client_id=<client_id>' \
  -d 'grant_type=client_credentials' \
  -d 'scope=2ff814a6-3304-4ab8-85cb-cd0e6f879c1d/.default' \
  -d 'client_secret=<client_secret>'

curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
  https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token \
  -d 'client_id=<client_id>' \
  -d 'grant_type=client_credentials' \
  -d 'scope=2ff814a6-3304-4ab8-85cb-cd0e6f879c1d%2F.default' \
  -d 'client_secret=<client_secret>'

From the response, copy the access token.
Decode the JWT with an application such as JWT.io.
Copy the typ, iss, sub, and aud parameters for future use.

Register the JWKS endpoint with Collibra

Follow the instructions to Register the JWKS endpoint with Collibra and use the following values:

Collibra Console field	Value
JSON Web Key Set URL	The jwks_uri from the verbose output.
JWT Token Types	The typ parameter from the decoded JWT.
JWT Issuer	The iss parameter from the decoded JWT.
JWT Audience	The aud parameter from the decoded JWT.

Create a user in Collibra

Follow the instructions to Create a user in Collibra for your client application account:

User details	Value
Username	The sub parameter from the decoded JWT.
User groups	Assign the user to a group that has elevated permissions such as Sysadmin or one that has similar permissions.

Create a SCIM application

Create a new SCIM application and authenticate with Collibra:

Sign in to your Azure portal.
Search for and select Azure Active Directory.
In the Manage section of the Directory page, select Enterprise applications → New registration.
Click on “Create your own application” button and provide the application name in the input field, then click on “Create” button
On the Browse Azure AD Gallery page, click Create your own application and enter the required information:
- What's the name of your app?: The name of your application.
- What are you looking to do with your application?: Select Integrate any other application you don't find in the gallery (Non-gallery).
Click Create.
Your newly created application appears in the list of Enterprise applications.
From the list of applications, select your new application → Provisioning.
On the Provisioning page, in the Manage provisioning section, select Update credentials.
On the Provisioning details page, enter the require information:
- Provisioning mode: Automatic
- Admin credentials:
  - Tenant URL: The endpoint of the CollibraSCIM API, for example https://<your_collibra_url>/rest/scim/v2.
  - Secret Token: Your JSON Web Token.
Click Test Connection.
If your credentials are successfully verified, Azure displays a confirmation message.
Click Save to complete the process.

Map SCIM app attributes

Sign in to your Azure portal.
Search for and select Azure Active Directory.
In the Manage section of the Directory page, select Enterprise applications → your application → Provisioning.
On the Provisioning page, in the Manage provisioning section, select Edit attribute mappings.
On the Provisioning details page, in the Mappings section, click Provision Azure Active Directory Users.

On the Attribute Mapping page, edit or add your desired mappings.

Collibra supports a limited number of SCIM attributes.

Azure Active Directory Attribute	customappsso Attribute
`userPrincipalName`	`userName`
`Switch([IsSoftDeleted],,"False" "True","True","False")`	`active`
`Coalesce([mail], [userPrincipalName])`	`emails[type eq "work"].value`
`givenName`	`name.givenName`
`surname`	`name.familyName`
`streetAddress`	`addresses[type eq "work"].streetAddress`
`city`	`addresses[type eq "work"].locality`
`state`	`addresses[type eq "work"].region`
`postalCode`	`addresses[type eq "work"].postalCode`
`country`	`addresses[type eq "work"].country`
`telephoneNumber`	`phoneNumbers[type eq "work"].value`
`mobile`	`phoneNumbers[type eq "mobile"].value`
`facsimileTelephoneNumber`	`phoneNumbers[type eq "fax"].value`
`otherMails`	`emails[type eq "other"].value`
`preferredLanguage`	`locale`

Click Save to complete the process.

You cannot assign roles to users via SCIM. However, you can manage groups and group membership in your IdP and disable the Groups DGC managed Console configuration option. Following the initial provisioning, your IdP groups are available in Collibra and you can start assigning roles to them.

Start and stop a provisioning job

Azure access tokens are valid only for one hour and cannot be refreshed due to the Azure AD limitations on token refresh. The workaround to achieve users and groups provisioning and deprovisioning is to start and stop the provisioning job based on your need:

Generate a new client secret.
In the Manage section of the Directory page, select Enterprise applications → your application → Provisioning.
On the Provisioning page, in the Manage provisioning section, select Update credentials.
Click Test Connection.
If your credentials are successfully verified, Azure displays a confirmation message.
Click Save to complete the process.
Return to the Provisioning page and click Start provisioning to perform the initial synchronization of Collibra users.
Wait for the process to complete and validate the results in Collibra.
Click Stop provisioning.
Generate a new client secret and update the credentials.
Start the provisioning again when you need to perform another synchronization of users and groups.