This guide should be followed after completing the base Single Sign On configuration (SSO Config). See Configuring SAML Single Sign On between Azure AD and Cerberus FTP Server.
System for Cross-domain Identity Management (SCIM) is an open standard that enables automating user provisioning. Cerberus uses SCIM to receive user and group data from Azure AD; this allows Administrators to easily see provisioned users and create mappings to native groups. All user and group data is maintained in Azure AD.
While SCIM is not required, permissions will be limited to the Default Mapping Configuration if SCIM is not configured; setting user-to-group and group-to-group mappings is not possible without SCIM provisioning. We anticipate that all enterprise customers will need to complete these steps to control access rights and permissions for their SSO users.
Before We Begin
We will assume that you have already created a custom Azure AD enterprise app and completed the Single Sign On configuration (SSO Config). See Configuring SAML Single Sign On between Azure AD and Cerberus FTP Server.
For your convenience, it is recommended that you have the following screens open at the same time:
- Cerberus FTP Server admin console
- Azure AD directory console
Settings will be copied from Cerberus to Azure AD.
Note: A valid certificate obtained from a Certificate Authority is required for successful SCIM provisioning. This includes having a valid intermediate certificate (entered in the CA Certificate Path).
The first few steps configure Cerberus FTP Server. Following that, we replicate important values to Azure AD. Then we cover optimizing what data Azure AD will send to Cerberus FTP Server. Finally, we configure users and groups and begin provisioning from Azure AD to Cerberus FTP Server.
- Configure Cerberus FTP Server SCIM Provisioning
- Combined Configuration of the Enterprise App and SSO Config
- Optimize Azure AD Provisioning
- Azure AD Provisioning
- Known Issues
Configure Cerberus FTP Server SCIM Provisioning
- In the Cerberus Admin Console, click the SSO Users item from the left navigation bar:
Admin Console: SSO Users
- Select the SSO Configuration you created in the Single Sign On configuration:
Select SSO Configuration
- Click the SCIM Provisioning tab. This displays configuration options that must be synchronized from Cerberus SSO Config to the Azure AD Enterprise App:
Combined Configuration of the Enterprise App and SSO Config
The following configurations must be changed in both the Enterprise App and the SSO Config:
The Tenant URL is the externally-accessible path used by Azure AD to provision user and group objects to Cerberus FTP Server. It consists of several parts and must be built properly.
Build Tenant URL
To build the URL:
- Select a Fully Qualified Domain Name (FQDN) from the dropdown list (populated from your HTTP/S Public Domain Name and Client Domain Allow List).
- Enter the Listener port number.
- Click the green plus (+) button to build the URL (highlighted in yellow above).
Once these steps are complete, the Tenant URL field will be populated with the necessary information.
If your desired FQDN does not appear in the list (for example if you have a load balancer, proxy or firewall inspection), select any entry, build, then manually edit the Tenant URL FQDN while keeping the path unchanged.
The Secret Token is a long-lived bearer token that Azure AD will use to authorize access to Cerberus’ SCIM implementation. This token must be known to both Azure AD and Cerberus.
You can adjust the token length using the password generator control; when satisfied, click the Refresh icon to generate the token.
Generate Secret Token
In order for Cerberus to accept SCIM connections from Azure AD, provisioning must be enabled. Click Enable Provisioning so that the button goes into the green On position as shown in the screenshot below.
Enable Provisioning and Save SSO Configuration
Save the SSO Configuration
Finally, the Save button commits the settings to Cerberus FTP Server. The Save button is located in the top right-hand corner of the console as shown in the screenshot above.
When you save, if the changes you have made need to be replicated to Azure AD, you will receive a warning message. This is normal and should just remind you to update your configuration there too as shown in the screenshot below.
Warning to replicate changes to Azure AD
Replicate to Azure
In Azure AD, open the Enterprise App you created earlier and in the Getting Started section, select “Provision User Accounts” as shown in the screenshot below.
Azure AD Enterprise applications: Provision User Accounts
Next click “Get Started”.
Azure AD Provisioning: Get started
In the Provisioning Mode dropdown, select “Automatic” as shown in the screenshot below.
Azure AD Provisioning Mode & Admin Credentials
Once the mode is set to automatic, the Admin Credentials section appears. You can now switch back to the Cerberus Admin Console and click the Copy to Clipboard icon on the far right of Tenant URL. Then switch back to the Azure AD directory console and paste into the Tenant URL as highlighted in the screenshot above. Repeat these steps to copy and paste the Secret Token.
You can now click the Test Connection button. A notification will appear on the right-hand side of the console showing the test status. If the notification does not appear or hides after a while, you can show it by clicking the Notifications icon in the top blue bar.
When the test finishes, you will see a notification telling you whether the connection succeeded or not. Example success and failure Notifications are shown in the screenshots below.
In the case of failure, check that Enable Provisioning is On in the Cerberus Admin Console and that you have saved any changes to the SSO Configuration. Then make sure that the Tenant URL and Secret Token pasted properly into Azure AD. You can also see the SCIM Known Issues document.
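As an added check that is not part of this guide or of the Cerberus or Microsoft documentation, the following script performs the two verifications behind a failed Test Connection from an admin workstation: that the FQDN and port in the Tenant URL present a complete, CA-verifiable certificate chain (including the intermediate), and that the Secret Token is accepted. It assumes the Tenant URL and Secret Token are supplied in the TENANT_URL and SECRET_TOKEN environment variables, and that Cerberus serves the standard SCIM 2.0 /ServiceProviderConfig discovery resource (RFC 7644) below the Tenant URL; that path is an assumption, not taken from the page.

```shell
#!/usr/bin/env bash
# Added pre-flight check (not from the Cerberus or Azure AD documentation).
# Assumes TENANT_URL is the Tenant URL built in the Cerberus SSO Config,
# SECRET_TOKEN its Secret Token, and that the SCIM 2.0 discovery resource
# /ServiceProviderConfig (RFC 7644) is served below the Tenant URL.

# Host and port of a URL, e.g. https://files.example.com:10443/scim/v2
# gives files.example.com and 10443; the port defaults to 443 when absent.
url_host() { local h="${1#*://}"; h="${h%%/*}"; printf '%s\n' "${h%%:*}"; }
url_port() {
  local h="${1#*://}"; h="${h%%/*}"
  case "$h" in *:*) printf '%s\n' "${h##*:}" ;; *) printf '443\n' ;; esac
}

# Number of certificates the server sent; 1 means only the leaf was presented,
# i.e. the intermediate is missing from the Cerberus CA Certificate Path.
chain_length() { printf '%s\n' "$1" | grep -c -- '-----BEGIN CERTIFICATE-----'; }

# Numeric "Verify return code" from openssl s_client output: 0 = chain OK,
# 21 = unable to verify the first certificate (typical of a missing intermediate).
verify_code() {
  printf '%s\n' "$1" | sed -n 's/^.*Verify return code: \([0-9]*\).*$/\1/p' | head -n 1
}

# Connect to the Tenant URL's host and port and report chain length and verify code.
check_tls() {
  local host port out
  host="$(url_host "$1")"; port="$(url_port "$1")"
  out="$(openssl s_client -connect "${host}:${port}" -servername "$host" \
           -showcerts </dev/null 2>/dev/null)"
  printf 'certificates presented: %s\n' "$(chain_length "$out")"
  printf 'openssl verify code:    %s\n' "$(verify_code "$out")"
}

# Send the Secret Token as a bearer token, as Azure AD does. 200 = URL and token
# accepted; 401/403 = token differs from the one saved in Cerberus; 404 = the
# discovery path assumed above is not served by this SCIM implementation.
check_scim() {
  curl -sS -o /dev/null -w '%{http_code}\n' \
       -H "Authorization: Bearer $2" -H 'Accept: application/scim+json' \
       "${1%/}/ServiceProviderConfig"
}

# Run both checks only when both values are supplied:
#   TENANT_URL=https://... SECRET_TOKEN=... bash scim_preflight.sh
if [ -n "${TENANT_URL:-}" ] && [ -n "${SECRET_TOKEN:-}" ]; then
  check_tls "$TENANT_URL"
  printf 'SCIM HTTP status:       %s\n' "$(check_scim "$TENANT_URL" "$SECRET_TOKEN")"
fi
```

A verify code of 21 with a single certificate presented points at the intermediate certificate note above, while a TLS result of 0 combined with an HTTP 401 points at a Secret Token mismatch between Cerberus and Azure AD.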
Once you have a successful test, click “Save” as shown in the screenshot below.
Save the Azure AD Provisioning configuration
Once saved, two new sections will appear for configuration: “Mappings” and “Settings”.
Optimize Azure AD Provisioning
- Edit default user Mappings
- Review default group Mappings
- Selecting Users and Groups for Provisioning
- Start Provisioning
Note that the Mappings and Settings options sometimes take a few minutes to appear in Azure AD, as they are enabled dynamically. Be patient and they should appear.
Click on the Mappings section to expand the group and show the mappings for groups (Provision Azure Active Directory Groups) and users (Provision Azure Active Directory Users) as shown in the screenshot below.
Azure AD Mappings
Edit default user Mappings
Click on Provision Azure Active Directory Users to open the Attribute Mapping panel as shown in the screenshot below.
Default “Provision Azure Active Directory Users” Mappings
While Cerberus will work with the default Azure AD settings, it does not need all the values that Azure AD provides by default. Removing unused values reduces network bandwidth and processing requirements. For each of the entries highlighted in the screenshot above, click the Delete button.
There is one more optimization that should be made here. Azure currently has four types of users (Azure UserTypes) which are handled differently in SCIM and SAML. In order for a deactivated/deleted user to automatically be signed out of Cerberus, it’s necessary to make sure all user types are handled the same way. This handling can be achieved by clicking on the top entry which says userPrincipalName and has the grayed out Delete button as shown in the screenshot below.
Final “Provision Azure Active Directory Users” Mappings
This will bring up the Edit Attribute panel. In the Source attribute field, select “originalUserPrincipalName” as shown in the screenshot below and click Ok.
When done, click the “Save” button again.
Azure AD will present a message asking you to confirm:
Saving your changes will result in all assigned users and groups being resynchronized. This may take a long time depending on the size of your directory.
Click “Yes”; since we haven’t started provisioning yet, this won’t be an issue.
The final list should look like the screenshot below.
Final “Provision Azure Active Directory Users” Mappings
Click the “X” in the top-right corner when done.
Review default group Mappings
Click on Provision Azure Active Directory Groups to open the Attribute Mapping panel. Verify that the entries look the same as shown in the screenshot below.
Final “Provision Azure Active Directory Groups” Mappings
Click the “X” in the top-right corner when done.
Click on the Settings section to expand the notification settings as shown in the screenshot below.
If you would like to be notified by email if Provisioning enters a quarantine state, click the “Send an email notification when a failure occurs” and enter the email address in the “Notification Email” field.
Click the “Prevent accidental deletion” checkbox if you want to prevent users and groups from being accidentally disabled or deleted. You can then enter a threshold in the “Accidental deletion threshold” field; if the number of disabled/deleted users or groups reaches the threshold, Provisioning is placed in quarantine and you have to return to the app in Azure AD and allow Provisioning to continue (or cancel the run).
If you exceed the threshold and have provided a Notification Email, Microsoft will send you a notification as shown in the screenshot below.
Example Quarantine Notification email
The “Scope” field determines whether Provisioning runs on all users and groups in Azure AD or just the ones you have specifically selected. Typically, Cerberus FTP Server users will be assigned to a specific group and only users in that group will be Provisioned. For this scenario, select “Sync only assigned users and groups” in the dropdown.
A completed Settings section may look something like the screenshot below.
Example Updated Settings
When done, click the “Save” button again and then click the “X” in the top-right corner.
You should now see the Overview screen which will be similar to the screenshot below.
Completed Provisioning Configuration
Azure AD Provisioning
It’s now time to select who will have access to Cerberus FTP Server via Single Sign On.
Selecting Users and Groups for Provisioning
If you selected “Sync all users and groups” for the Settings : Scope field above, you can skip this step. Otherwise, the “Sync only assigned users and groups” setting needs to know who to Provision.
For the steps below, we will assume that you have already configured a group in your Azure AD that you would like to use for users. You can also individually add users, but having a group in AD makes management easier and more scalable.
As shown in the screenshot above, click on Users and groups. You should see a screen similar to the screenshot below.
Adding Users and Groups
Click the Add user/group button as highlighted in the screenshot above. This will open a mostly empty window titled Add Assignment. On the left-hand side under Users and groups, click None Selected. This will open a panel on the right-hand side as shown in the screenshot below.
Users and groups: Add Assignment
In the search bar highlighted on the right-hand side in the screenshot above, you can enter a partial search string (here we’ve used the text “ftp”); pause a moment and matching users and groups will display below. When you see the user or group you want, click on it and it will be added to the Selected items section in the lower half of the panel. When you have selected all the users and groups, click the Select button at the bottom of the panel.
The main page will now be updated showing counts of the Users and groups you’ve selected. Note: be aware that Azure AD only adds users who are direct members of a group, it does not handle sub-groups.
When satisfied click the Assign button as shown in the screenshot below.
Assign Users and groups to Provisioning
You should now see something similar to the screenshot below. You can now click the X in the top-right corner to close this panel.
Completed Users and group assignment
With Cerberus FTP Server running in your environment, you’re now ready for the final step: starting provisioning in Azure AD. As shown in the screenshot below, click the Start provisioning button. You may view the logs in both Azure AD and Cerberus. Note: it can take as long as an hour for Azure AD to begin sending data to Cerberus.
Ready to Start provisioning
If you wish to filter the logs in Cerberus, use the term “SCIM” and you’ll see the logs that apply to Azure’s provisioning process.