

This article applies to TeamViewer customers with a Tensor license.

General

With SCIM (System for Cross-domain Identity Management), it is possible to synchronize users from Azure AD to TeamViewer. This requires an Azure Premium license subscription. It allows administrators to create, update and delete users within Azure AD and keep their TeamViewer accounts automatically updated within 1h (the current Azure update interval).

Prerequisite

To be able to use this feature, you must meet the following requirements:

  • a valid Tensor license for TeamViewer
  • Azure Premium license subscription
  • follow the manual below to set up SCIM

Manual

Create TeamViewer Script Token

  • Log in to TeamViewer: https://login.teamviewer.com
  • Select Edit Profile and navigate to the Script Tokens section
  • Add a new script token with the rights "View, create and edit users" (optionally also admins)

Setup Azure AD Enterprise Application

The following steps are closely based on the official documentation provided by Microsoft:
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/use-scim-to-provision-users-and-...

  • Open the Azure portal: https://portal.azure.com
  • Navigate to the Azure Active Directory section
    Select Enterprise Applications in the navigation menu on the left side.
    Press the New Application button on the top
  • Select Non-gallery application.
    Specify a name for the application. For example "TeamViewer User Provisioning"
001_SCIM_AzureAD_AddApplication.png
  • After the application has been created, navigate to the Provisioning section and switch the Provisioning Mode to Automatic
  • Set the Tenant URL to https://webapi.teamviewer.com/scim/v2
  • Enter the previously created TeamViewer script token in the Secret Token field
  • Press Test Connection to test that the token and endpoint are valid
  • Press Save
002_SCIM_AzureAD_Endpoint.png

 

Configure Attribute Mappings

The user attribute mappings need to be configured before activating the user provisioning application.
Details about how TeamViewer maps SCIM attributes to TeamViewer users can be found in the SCIM API Documentation.

  • In the Provisioning section of the Azure AD application, select Synchronize Azure Active Directory Users to customappsso
  • Deselect the Delete checkbox under Target Object Actions (this operation is not supported by the TeamViewer SCIM API)
  • Modify the Attribute Mappings entries so that they include:
    • userName
    • displayName
    • active
    • emails
    • name
    • preferredLanguage
  • All other entries can be removed

The screenshot below shows an example configuration where userPrincipalName holds the email address of the user. Other attributes, such as "mail", can also be used here.
003_SCIM_AzureAD_Mappings1.png

  • Edit the userName attribute mapping
  • Set Match objects using this attribute to Yes
  • Set the Matching precedence to 1
004_SCIM_AzureAD_Mappings2.png

 

Optional Single Sign-On Attribute Mapping

  • On the Attribute Mappings dialog check the Show advanced options box and click on Edit attribute list for customappsso
  • Add a new attribute
    • Name: urn:ietf:params:scim:schemas:extension:teamviewer:1.0:SsoUser:ssoCustomerId
    • Type: String
      2019-05-15 15_20_14-Edit Attribute List - Microsoft Azure - Opera.png
    • Press Save
    • Add a new entry to the Attribute Mappings table.
      • Mapping type: Constant
      • Constant value: Your generated TeamViewer customer identifier
      • Target attribute: urn:ietf:params:scim:schemas:extension:teamviewer:1.0:SsoUser:ssoCustomerId
005_SCIM_AzureAD_Mapping3.png
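
As an added illustration (not TeamViewer's or Microsoft's code), the Python example below builds the SCIM 2.0 User resource that the attribute mappings above describe, including the optional SSO extension, and flags any attribute outside the mapping list. The Azure AD source field names, the sample record, the placeholder customer identifier and the deactivation PatchOp (standard RFC 7644 form, assumed to be how off-boarding is carried once Delete is deselected) are assumptions.

```python
import json

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
# Extension schema URN taken from the attribute name given on this page.
TV_SSO = "urn:ietf:params:scim:schemas:extension:teamviewer:1.0:SsoUser"
# Target attributes the page says to keep in the mapping table.
MAPPED = {"userName", "displayName", "active", "emails", "name", "preferredLanguage"}


def build_scim_user(aad_user, sso_customer_id=None):
    """Map a (constructed) Azure AD user record to a SCIM 2.0 User resource."""
    upn = aad_user["userPrincipalName"]
    user = {
        "schemas": [CORE_USER],
        "userName": upn,  # matching attribute, precedence 1
        "displayName": aad_user["displayName"],
        "active": bool(aad_user["accountEnabled"]),
        "emails": [{"value": aad_user.get("mail") or upn, "type": "work", "primary": True}],
        "name": {"givenName": aad_user["givenName"], "familyName": aad_user["surname"]},
        "preferredLanguage": aad_user["preferredLanguage"],
    }
    if sso_customer_id:  # optional constant mapping for single sign-on
        user["schemas"].append(TV_SSO)
        user[TV_SSO] = {"ssoCustomerId": sso_customer_id}
    return user


def unexpected_attributes(user):
    """Return attributes outside the page's mapping list (should be empty)."""
    allowed = MAPPED | {"schemas", TV_SSO}
    return sorted(set(user) - allowed)


def deactivate_patch():
    """RFC 7644 PatchOp that disables an account. Assumption: with Delete
    deselected, off-boarding is carried by the mapped 'active' attribute."""
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }


# Constructed sample record; not real tenant data.
SAMPLE = {"userPrincipalName": "alice@example.com", "displayName": "Alice Example",
          "accountEnabled": True, "givenName": "Alice", "surname": "Example",
          "mail": None, "preferredLanguage": "de"}

if __name__ == "__main__":
    print(json.dumps(build_scim_user(SAMPLE, "PLACEHOLDER-CUSTOMER-ID"), indent=2))
```
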
Version history
Revision #: 9 of 9
Last update: 10 Jun 2019, 9:37 AM