SCIM Configuration for Azure Active Directory


This article applies to all customers with a TeamViewer Tensor license.

General

With SCIM (System for Cross-domain Identity Management), users from Azure AD can be synchronized with TeamViewer. This requires an Azure Premium license subscription. This license allows administrators to create, update and delete users within Azure AD and keep the TeamViewer accounts updated automatically within seconds.

Prerequisites

To use this feature, you must meet the following requirements:

  • A valid Tensor license for TeamViewer
  • An Azure Premium license subscription
  • Follow the manual below to set up SCIM

Manual

Create TeamViewer Script Token

  • Log in to TeamViewer: https://login.teamviewer.com
  • Select Edit Profile and navigate to the Script Tokens section
  • Add a new script token with the rights "View, create and edit users" (optionally also admins)

Set Up Azure AD Enterprise Application

The following steps are closely based on the official documentation provided by Microsoft:
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/use-scim-to-provision-users-and-...

  • Open the Azure portal: https://portal.azure.com
  • Navigate to the Azure Active Directory section
    Select Enterprise Applications in the navigation menu on the left side.
    Press the New Application button at the top.
  • Select Non-gallery application.
    Specify a name for the application, for example "TeamViewer User Provisioning".
001_SCIM_AzureAD_AddApplication.png
  • After the application has been created, navigate to the Provisioning section and switch the Provisioning Mode to Automatic
  • Set the Tenant URL to https://webapi.teamviewer.com/scim/v2
  • In the Secret Token field, enter the TeamViewer script token that was created earlier
  • Press Test Connection to test that the token and endpoint are valid
  • Press Save
002_SCIM_AzureAD_Endpoint.png

 

Configure Attribute Mappings

The user attribute mappings need to be configured before activating the user provisioning application.
Details about how TeamViewer maps SCIM attributes to TeamViewer users can be found in the SCIM API Documentation.

  • In the Provisioning section of the Azure AD application, select Synchronize Azure Active Directory Users to customappsso
  • Deselect the Delete checkbox under Target Object Actions, as this operation is not supported by the TeamViewer SCIM API
  • Modify the Attribute Mappings entries so that they include:
    • userName
    • displayName
    • active
    • emails
    • name
    • preferredLanguage
  • All other entries can be removed

The screenshot below shows an example configuration where userPrincipalName holds the email address of the user. Other attributes such as "mail" can also be used here.
003_SCIM_AzureAD_Mappings1.png

  • Edit the userName attribute mapping
  • Set Match objects using this attribute to Yes
  • Set the Matching precedence to 1
004_SCIM_AzureAD_Mappings2.png

 

Optional Single Sign-On Attribute Mapping

  • In the Attribute Mappings dialog, check the Show advanced options box and click Edit attribute list for customappsso
  • Add a new attribute
    • Mapping type: Constant
    • Constant value: Your generated TeamViewer customer identifier
    • Target attribute urn:ietf:params:scim:schemas:extension:teamviewer:1.0:SsoUser:ssoCustomerId
    • Name: urn:ietf:params:scim:schemas:extension:teamviewer:1.0:SsoUser:ssoCustomerId
    • Type: String
  • Press Save
  • Add a new entry to the Attribute Mappings table.

005_SCIM_AzureAD_Mapping3.png
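
The attribute mappings above, sketched as an added example (not TeamViewer's or Microsoft's code): it builds the SCIM 2.0 User resource those mappings would produce and audits it for attributes outside the mapped set, which is a quick way to confirm that nothing beyond the six listed attributes and the optional SSO extension is provisioned. The Azure AD source attribute names, the sample user and the customer identifier placeholder are assumptions.

```python
CORE_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
# Target attributes the article keeps in the Attribute Mappings table.
ALLOWED = {"userName", "displayName", "active", "emails", "name", "preferredLanguage"}
# Optional SSO target attribute from the article: "<extension schema>:<attribute>".
SSO_TARGET = "urn:ietf:params:scim:schemas:extension:teamviewer:1.0:SsoUser:ssoCustomerId"

# Constructed sample directory user; the source attribute names are assumptions.
SAMPLE_AAD_USER = {
    "userPrincipalName": "alice@example.com", "displayName": "Alice Example",
    "accountEnabled": True, "givenName": "Alice", "surname": "Example",
    "preferredLanguage": "en"}


def build_scim_user(aad_user, sso_customer_id=None):
    """Build the SCIM User resource the mappings would produce for one user."""
    upn = aad_user["userPrincipalName"]  # holds the email address, as in the article
    user = {
        "schemas": [CORE_SCHEMA],
        "userName": upn,
        "displayName": aad_user["displayName"],
        "active": aad_user["accountEnabled"],
        "emails": [{"value": upn, "type": "work", "primary": True}],
        "name": {"givenName": aad_user["givenName"], "familyName": aad_user["surname"]},
        "preferredLanguage": aad_user["preferredLanguage"],
    }
    if sso_customer_id is not None:
        schema, _, attr = SSO_TARGET.rpartition(":")  # extension schema URN, attribute name
        user["schemas"].append(schema)
        user[schema] = {attr: sso_customer_id}
    return user


def audit_scim_user(resource):
    """Return findings for a missing matching attribute or unmapped attributes."""
    findings = []
    if not resource.get("userName"):
        findings.append("userName missing: it is the matching attribute (precedence 1)")
    declared = set(resource.get("schemas", []))
    for key in resource:
        if key == "schemas" or key in ALLOWED:
            continue
        if key.startswith("urn:") and key in declared:
            continue  # extension block announced in "schemas"
        findings.append(f"unexpected attribute leaves the directory: {key}")
    return findings


if __name__ == "__main__":
    print(audit_scim_user(build_scim_user(SAMPLE_AAD_USER, "CUSTOMER-ID-PLACEHOLDER")))
```

An empty findings list means the resource carries only the attributes configured in this manual.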

Version history
Revision 2 of 4
Last updated: 07 May 2019, 10:24 AM