Configuring SCIM 2.0 user provisioning with Microsoft Entra ID
Who is this article for?
IT Administrators responsible for system configuration.
Administrator permissions are required.
This article explains how to connect Microsoft Entra ID (Azure AD) to Ideagen Quality Management's SCIM 2.0 endpoint so that users are provisioned automatically.
SCIM provisioning
Once configured, Entra will create, update, and re-enable Ideagen Quality Management user accounts on its provisioning schedule. SCIM provisioning runs on a cycle - typically around 40 minutes. To provision a single user immediately, use Provision on Demand in Entra rather than waiting for the next cycle.
Important
Disabling or unassigning a user in Entra does not automatically disable their Ideagen Quality Management account. An Ideagen Quality Management administrator must disable the account manually. See Deprovisioning at the bottom of this page.
Preparing for configuration
Complete these before starting:
- SAML SSO with Entra ID is already configured and working in Ideagen Quality Management. If not, complete Configuring Single Sign-On (SSO) providers first.
- You have access to the Ideagen Quality Management database (to generate the SCIM bearer token in Part A)
- You have admin access to your Entra ID enterprise application
Setting up the Ideagen Quality Management database
Confirming SAML SSO configuration
SCIM uses your existing SAML provider to automatically wire new users to SSO on provisioning. Confirm your Entra SAML provider is active in Ideagen Quality Management before proceeding.
To retrieve the provider's ID:
- Run the following query against your Ideagen Quality Management database.
```sql
SELECT Id, Name, Enabled
FROM SY_IdentityProviders
WHERE Name = 'EntraSAML' -- replace with your actual provider name
AND Enabled = 1;
```
- Copy the Id (GUID) from the result.
Generating SCIM bearer token
To create the SCIM token:
- Run the following query against your Ideagen Quality Management database.
```sql
INSERT INTO UG_AuthorizationTokens (UserId, ApplicationName, AuthorizationToken, SamlProviderId)
VALUES (1, 'SCIM', NEWID(), '{SY_IdentityProviders.Id}');
SELECT UserId, ApplicationName, AuthorizationToken, SamlProviderId
FROM UG_AuthorizationTokens
WHERE ApplicationName = 'SCIM';
```
- Replace {SY_IdentityProviders.Id} with the GUID from the previous step.
- Replace 1 with the UserId of a dedicated service account user in Ideagen Quality Management.
- Copy the AuthorizationToken GUID from the result - this is the secret token you will enter in Entra.
Note
Connecting more than one Entra tenant to the same Ideagen Quality Management? Each connection requires its own bearer token and its own dedicated service account user. Do not share one token across multiple Entra tenants.
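An audit of the SCIM token table against the rules above, added here as an example and not part of Ideagen's documentation: it flags tokens whose SAML provider is missing or disabled and service accounts that carry more than one SCIM token, without ever selecting the secret. The SELECT uses only the tables and columns shown above; the SQLite schema, column types and rows are constructed stand-ins so the query can be run offline.

```python
import sqlite3

# Only tables and columns shown on this page are used. AuthorizationToken is
# never selected, so the secret stays out of the audit output.
AUDIT_SQL = """
SELECT t.UserId,
       t.SamlProviderId,
       p.Name AS ProviderName,
       CASE WHEN p.Id IS NULL THEN 'provider missing'
            WHEN p.Enabled <> 1 THEN 'provider disabled'
            WHEN (SELECT COUNT(*) FROM UG_AuthorizationTokens AS o
                  WHERE o.ApplicationName = 'SCIM'
                    AND o.UserId = t.UserId) > 1 THEN 'service account shared'
            ELSE 'ok' END AS Finding
FROM UG_AuthorizationTokens AS t
LEFT JOIN SY_IdentityProviders AS p ON p.Id = t.SamlProviderId
WHERE t.ApplicationName = 'SCIM'
ORDER BY t.UserId, t.SamlProviderId
"""

def build_sample_db():
    """In-memory SQLite stand-in; column types and all rows are constructed."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE SY_IdentityProviders (Id TEXT, Name TEXT, Enabled INTEGER);
        CREATE TABLE UG_AuthorizationTokens (UserId INTEGER, ApplicationName TEXT,
            AuthorizationToken TEXT, SamlProviderId TEXT);
        INSERT INTO SY_IdentityProviders VALUES
            ('prov-a', 'EntraSAML', 1), ('prov-b', 'EntraSAML-Old', 0);
        INSERT INTO UG_AuthorizationTokens VALUES
            (10, 'SCIM', 'constructed-token-1', 'prov-a'),
            (11, 'SCIM', 'constructed-token-2', 'prov-b'),
            (12, 'SCIM', 'constructed-token-3', 'prov-a'),
            (12, 'SCIM', 'constructed-token-4', 'prov-a'),
            (13, 'SCIM', 'constructed-token-5', 'prov-gone'),
            (14, 'OtherApp', 'constructed-token-6', NULL);
    """)
    return db

def audit_scim_tokens(db):
    """Return (UserId, SamlProviderId, ProviderName, Finding) per SCIM token."""
    return db.execute(AUDIT_SQL).fetchall()

if __name__ == "__main__":
    for row in audit_scim_tokens(build_sample_db()):
        print(row)
```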
Configuring Entra ID
Opening Provisioning in your Entra enterprise application
To access provisioning settings:
- In the Entra portal, open your Ideagen Quality Management enterprise application.
- Select Provisioning from the left menu.
Connecting your application
To configure the connection:
- Select Connect your application.
- Enter the following connection settings:
- Authentication method: Bearer authentication
- Tenant URL: https://{your-iqmc-host}/scim/v2
- Secret Token: The AuthorizationToken GUID from the database setup
Testing the connection
To verify the connection:
- Click Test Connection.
- Confirm you see a success message.
Note
If the test fails, verify the Tenant URL and token are correct.
Configuring attribute mappings
To set up attribute mappings:
- Go to Provisioning.
- Select Mappings.
- Select Provision Azure Active Directory Users.
- Configure the following mappings:
- userName: Source attribute = mail, Precedence = 2 (maps the user's email address as their Ideagen Quality Management login name)
- externalId: Source attribute = objectId, Precedence = 1 (Match objects using this attribute - used to uniquely identify and match users between Entra and Ideagen Quality Management)
- Click Save.
- Confirm with Yes.
Assigning users
Only users assigned to the Entra enterprise application will be provisioned to Ideagen Quality Management.
To assign users:
- In Entra, go to Users and groups.
- Assign the relevant users or groups to the application.
Verifying provisioning
Testing provisioning
Before enabling full provisioning, test with a single user.
To test provisioning:
- Go to Provisioning.
- Select Provision on Demand.
- Search for the user.
- Click Provision.
- Confirm you see a success result.
Verifying the user in Ideagen Quality Management
To confirm the user account was created:
- Sign in to Ideagen Quality Management as an administrator.
- Go to Administration.
- Select Users.
- Confirm the provisioned user account has been created.
- Verify the user's login name matches their email address and their account is active.
Testing SSO login
To verify SSO is working:
- Have the provisioned user sign in to Ideagen Quality Management via Entra SSO using their email address.
- Confirm they are signed in directly and land on the Inbox without needing to set a password.
Enabling ongoing provisioning
Once your test is successful, enable automatic provisioning.
To enable provisioning:
- Go back to Provisioning in Entra.
- Set the provisioning status to On.
Entra will now sync users automatically on its provisioning cycle.
Migrating existing users
If user accounts already exist in Ideagen Quality Management before SCIM is enabled, the provisioning cycle will match and update existing accounts rather than creating duplicates.
| Scenario | What happens |
|---|---|
| New Entra user with no existing Ideagen Quality Management account | A new account is created |
| Existing Ideagen Quality Management user whose login name or email matches | The existing account is updated and linked to Entra. Future syncs use the Entra object ID for matching. |
| Already linked user (previously provisioned via SCIM) | Account is updated using the Entra object ID - no re-matching needed |
| Two Ideagen Quality Management accounts share the same email address | Provisioning fails with a conflict error. Resolve the duplicate accounts in Ideagen Quality Management before re-triggering provisioning. |
Deprovisioning users
Deprovisioning does not automatically disable users in Ideagen Quality Management. When a user is disabled or unassigned in Entra, Ideagen Quality Management acknowledges the request but does not disable the account. An Ideagen Quality Management administrator must disable the account manually in the Administration module.
Re-enabling a user in Entra is automatic - Ideagen Quality Management will re-enable their account and reclaim a licence seat on the next provisioning cycle.
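A pre-flight check that models the migration table and the deprovisioning behaviour described above, added here as an example and not Ideagen's or Microsoft's code: it predicts create, link, update or conflict for each in-scope Entra user and lists accounts that stay active after the Entra user is disabled or unassigned. The record field names, the case-insensitive email comparison and all sample rows are assumptions.

```python
def find_matches(user, accounts):
    """Match on Entra object ID first, otherwise on login name or email."""
    linked = [a for a in accounts if a["external_id"] == user["objectId"]]
    if linked:
        return linked, True
    mail = user["mail"].lower()  # case-insensitive comparison is an assumption
    return [a for a in accounts
            if mail in (a["login"].lower(), a["email"].lower())], False

def plan_sync(entra_users, iqm_accounts):
    """Return (actions, stale): predicted outcome per in-scope Entra user, and
    logins still active although the Entra user is disabled or unassigned."""
    actions, stale = {}, []
    for u in entra_users:
        hits, by_id = find_matches(u, iqm_accounts)
        if not (u["enabled"] and u["assigned"]):
            # The account is not disabled automatically: queue a manual disable.
            stale += [a["login"] for a in hits if a["active"]]
        elif by_id:
            actions[u["mail"]] = "update"    # already linked via object ID
        elif len(hits) > 1:
            actions[u["mail"]] = "conflict"  # duplicates must be resolved first
        elif hits:
            actions[u["mail"]] = "link"      # existing account updated and linked
        else:
            actions[u["mail"]] = "create"
    return actions, sorted(stale)

# Constructed sample exports (hypothetical field names, not real data).
ENTRA = [
    {"objectId": "oid-1", "mail": "new@example.com", "enabled": True, "assigned": True},
    {"objectId": "oid-2", "mail": "Pat@example.com", "enabled": True, "assigned": True},
    {"objectId": "oid-3", "mail": "sam@example.com", "enabled": True, "assigned": True},
    {"objectId": "oid-4", "mail": "dup@example.com", "enabled": True, "assigned": True},
    {"objectId": "oid-5", "mail": "left@example.com", "enabled": False, "assigned": True},
]
IQM = [
    {"login": "pat@example.com", "email": "pat@example.com", "external_id": None, "active": True},
    {"login": "sam@example.com", "email": "sam@example.com", "external_id": "oid-3", "active": True},
    {"login": "dup1", "email": "dup@example.com", "external_id": None, "active": True},
    {"login": "dup2", "email": "dup@example.com", "external_id": None, "active": True},
    {"login": "left@example.com", "email": "left@example.com", "external_id": "oid-5", "active": True},
]

if __name__ == "__main__":
    print(plan_sync(ENTRA, IQM))
```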