This guide should be followed after completing the base Single Sign On configuration (SSO Config); see Configuring SAML Single Sign On between Entra ID and Cerberus FTP Server.
System for Cross-domain Identity Management (SCIM) is an open standard that enables automating user provisioning. Cerberus uses SCIM to receive user and group data from Entra ID; this allows Administrators to easily see provisioned users and create mappings to native groups. All user and group data is maintained in Entra ID.
While SCIM is not required, permissions will be limited to the Default Mapping Configuration if SCIM is not configured; setting user-to-group and group-to-group mappings is not possible without SCIM provisioning. It will also not be possible to use OTP rules for SSO users without SCIM configured. We anticipate that all enterprise customers will need to complete these steps to control access rights and take advantage of the integrations Cerberus has to offer.
Before We Begin
We will assume that you have already created a custom Entra ID enterprise app and completed the Single Sign On configuration (SSO Config); see Configuring SAML Single Sign On between Entra ID and Cerberus FTP Server.
For your convenience, it is recommended that you have the following screens open at the same time:
- Cerberus FTP Server admin console
- Entra ID directory console
Settings will be copied from Cerberus to Entra ID.
Required Prerequisites: A valid certificate obtained from a Certificate Authority is required for successful SCIM provisioning. This includes having a valid intermediate certificate (input into the CA Certificate Path). Additionally, per Microsoft, TLS 1.2 is the only acceptable protocol version allowed for SCIM. You must have TLS 1.2 enabled in Cerberus FTP Server under Security > Advanced TLS.
Process Overview
The first few steps configure Cerberus FTP Server. Following that, we replicate important values to Entra ID. Then we cover optimizing what data Entra ID will send to Cerberus FTP Server. Finally, we configure users and groups and begin provisioning from Entra ID to Cerberus FTP Server.
- Configure Cerberus FTP Server SCIM Provisioning
- Combined Configuration of the Enterprise App and SSO Config
- Optimize Entra ID Provisioning
- Entra ID Provisioning
- Known Issues
Configure Cerberus FTP Server SCIM Provisioning
- In the Cerberus Admin Console, click the SSO Users item from the left navigation bar:
Admin Console: SSO Users
- Select the SSO Configuration you created in the Single Sign On configuration:
Select SSO Configuration
- Click the SCIM Provisioning tab. This displays configuration options that must be synchronized from Cerberus SSO Config to the Entra ID Enterprise App:
SCIM Provisioning
Combined Configuration of the Enterprise App and SSO Config
The following configurations must be changed in both the Enterprise App and the SSO Config:
Tenant URL
The Tenant URL is the externally accessible path used by Entra ID to provision user and group objects to Cerberus FTP Server. It consists of several parts and must be built properly.
Build Tenant URL
To build the URL:
- Select a Fully Qualified Domain Name (FQDN) from the dropdown list (populated from your HTTP/S Public Domain Name and Client Domain Allow List).
- Enter the Listener port number.
- Click the green plus (+) button to build the URL (highlighted in yellow above).
Once these steps are complete, the Tenant URL field will be populated with the necessary information.
If your desired FQDN does not appear in the list (for example if you have a load balancer, proxy, or firewall inspection), select any entry, build, and then manually edit the Tenant URL FQDN while keeping the path unchanged.
Secret Token
The Secret Token is a long-lived bearer token that Entra ID will use to authorize access to Cerberus’ SCIM implementation. This token must be known to both Azure AD and Cerberus.
You can adjust the length of the token by using the password generator control; when satisfied, click the Refresh icon to generate the token.
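The two values above are the ones most often mistyped when they are replicated to Entra ID. The following is an added example, written for this guide and not code from Cerberus FTP Server or Microsoft, that mirrors what the console does: it builds a Tenant URL from an FQDN and listener port, swaps only the FQDN for the load-balancer/proxy case while leaving the path untouched, generates a random Secret Token of a chosen length, and checks the `Authorization: Bearer` header that Entra ID presents on each SCIM call with a constant-time comparison. The SCIM path `/scim/v2`, the 48-byte token length and the toy status-code dispatcher are assumptions for illustration; the real path and responses come from the Cerberus console and server.

```python
"""Added example (not Cerberus or Microsoft code): Tenant URL construction and
Secret Token generation/validation for a SCIM endpoint, as the guide describes.
SCIM_PATH is a placeholder; the real path is shown in the Cerberus console."""
import hmac
import secrets
from urllib.parse import urlsplit, urlunsplit

SCIM_PATH = "/scim/v2"  # assumption: placeholder path, not Cerberus's real path


def build_tenant_url(fqdn: str, port: int, path: str = SCIM_PATH) -> str:
    """Mirror the console's build step: https:// + FQDN + listener port + SCIM path.
    Entra ID provisioning requires HTTPS (TLS 1.2), so http is never emitted."""
    if not fqdn or "/" in fqdn or ":" in fqdn:
        raise ValueError("fqdn must be a bare host name")
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return f"https://{fqdn}:{port}{path}"


def replace_fqdn(tenant_url: str, new_fqdn: str) -> str:
    """The manual-edit case from the guide: change only the host (e.g. to the name of
    a load balancer or proxy) and keep scheme, port and path exactly as built."""
    parts = urlsplit(tenant_url)
    netloc = f"{new_fqdn}:{parts.port}" if parts.port else new_fqdn
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def generate_secret_token(nbytes: int = 48) -> str:
    """Equivalent of the console's password generator: a URL-safe random token.
    48 random bytes encode to 64 characters; nbytes is the length knob."""
    return secrets.token_urlsafe(nbytes)


def is_authorized(headers: dict, expected_token: str) -> bool:
    """Validate the bearer token Entra ID sends with every SCIM request.
    Header names are matched case-insensitively; compare_digest avoids leaking
    how many leading characters of the token matched through timing."""
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, presented = value.partition(" ")
    if scheme.lower() != "bearer" or not presented:
        return False
    return hmac.compare_digest(presented.encode(), expected_token.encode())


def scim_response(method: str, path: str, headers: dict, expected_token: str) -> int:
    """Toy status-code dispatcher (assumption, not Cerberus behaviour): 401 for a
    missing or wrong token, 404 outside the SCIM path, 200 for a GET under it
    (the kind of probe Entra ID's Test Connection performs), 405 otherwise."""
    if not is_authorized(headers, expected_token):
        return 401
    if not path.startswith(SCIM_PATH):
        return 404
    if method.upper() == "GET":
        return 200
    return 405


if __name__ == "__main__":
    url = build_tenant_url("ftp.example.com", 8443)          # constructed sample FQDN
    print(url)                                                # https://ftp.example.com:8443/scim/v2
    print(replace_fqdn(url, "lb.example.com"))                # https://lb.example.com:8443/scim/v2
    token = generate_secret_token()
    probe = {"Authorization": f"Bearer {token}"}
    print(scim_response("GET", SCIM_PATH + "/Users", probe, token))   # 200
    print(scim_response("GET", SCIM_PATH + "/Users", {}, token))      # 401
```

The point worth carrying back to the console is the 401 branch: a Test Connection failure in Entra ID most often means the token or URL pasted there no longer matches what was saved in Cerberus, which is exactly the check `is_authorized` performs on every request.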
Generate Secret Token
Enable Provisioning
In order for Cerberus to accept SCIM connections from Entra ID, provisioning must be enabled. Click Enable Provisioning so that the button goes into the green On position as shown in the screenshot below.
Enable Provisioning and Save SSO Configuration
Save the SSO Configuration
Finally, the Save button commits the settings to Cerberus FTP Server. The Save button is located in the top right-hand corner of the console as shown in the screenshot above.
When you save, if the changes you have made need to be replicated to Entra ID, you will receive a warning message. This is normal and should just remind you to update your configuration there too as shown in the screenshot below.
Warning to replicate changes to Entra ID
Replicate to Azure
In Entra ID, open the Enterprise App you created earlier and in the Getting Started section, select “Provision User Accounts” as shown in the screenshot below.
Entra ID Enterprise applications: Provision User Accounts
Next click “Get Started”.
Azure AD Provisioning: Get started
In the Provisioning Mode dropdown, select “Automatic” as shown in the screenshot below.
Entra ID Provisioning Mode & Admin Credentials
Once the mode is set to automatic, the Admin Credentials section appears. You can now switch back to the Cerberus Admin Console and click the Copy to Clipboard icon on the far right of Tenant URL. Then switch back to the Entra ID directory console and paste it into the Tenant URL as highlighted in the screenshot above. Repeat these steps to copy and paste the Secret Token.
You can now click the Test Connection button; a notification will appear on the right-hand side of the console showing the test status. If the notification does not appear or hides after a while, you can show it by clicking the Notifications icon in the top blue bar.
Testing Notification
When the test finishes, you will see a notification telling you whether the connection succeeded or not. Examples of success and failure Notifications are shown in the screenshots below.
Successful Notification
Failure Notification
In the case of failure, check that Enable Provisioning is On in the Cerberus Admin Console and that you have saved any changes to the SSO Configuration. Then make sure that the Tenant URL and Secret Token are pasted properly into Entra ID. You can also see the SCIM Known Issues document.
Once you have a successful test, click “Save” as shown in the screenshot below.
Save the Entra ID Provisioning configuration
Once saved, two new sections will appear for configuration: “Mappings” and “Settings”.
Optimize Entra ID Provisioning
- Edit default user Mappings
- Review default group Mappings
- Settings
- Selecting Users and Groups for Provisioning
- Start Provisioning
Note that sometimes the Mapping and Settings options take a few minutes for Entra ID to show as they are dynamically enabled. Be patient and they should appear.
Click on the Mappings section to expand the group and show the mappings for groups (Provision Azure Active Directory Groups) and users (Provision Azure Active Directory Users) as shown in the screenshot below.
Entra ID Mappings
Edit default user Mappings
Click on Provision Azure Active Directory Users to open the Attribute Mapping panel as shown in the screenshot below.
Default “Provision Azure Active Directory Users” Mappings
While Cerberus will work with the default Entra ID settings, it does not need all the values that Entra ID provides by default. Removing unused values reduces network bandwidth and processing requirements. For each of the entries highlighted in the screenshot above, click the Delete button.
There is one more optimization that should be made here. Azure currently has four types of users (Azure UserTypes) which are handled differently in SCIM and SAML. In order for a deactivated/deleted user to automatically be signed out of Cerberus, it’s necessary to make sure all user types are handled the same way. This handling can be achieved by clicking on the top entry which says userPrincipalName and has the grayed-out Delete button as shown in the screenshot below.
Final “Provision Azure Active Directory Users” Mappings
This will bring up the Edit Attribute panel. In the Source attribute field, select “originalUserPrincipalName” as shown in the screenshot below, and click OK.
Edit Attribute
When done, click the “Save” button again.
Entra ID will present a message asking you to confirm:
Saving your changes will result in all assigned users and groups being resynchronized. This may take a long time depending on the size of your directory.
Click “Yes”; since we haven’t started provisioning yet, this won’t be an issue.
The final list should look like the screenshot below.
Final “Provision Azure Active Directory Users” Mappings
Click the “X” in the top-right corner when done.
Review default group Mappings
Click on Provision Azure Active Directory Groups to open the Attribute Mapping panel. Verify that the entries look the same as shown in the screenshot below.
Final “Provision Azure Active Directory Groups” Mappings
Click the “X” in the top-right corner when done.
Settings
Click on the Settings section to expand the notification settings as shown in the screenshot below.
Default Settings
If you would like to be notified by email if Provisioning enters a quarantine state, click the “Send an email notification when a failure occurs” and enter the email address in the “Notification Email” field.
Click the “Prevent accidental deletion” checkbox if you want to prevent users and groups from being accidentally disabled or deleted. You can then enter a threshold in the “Accidental deletion threshold” field; if the number of disabled/deleted users or groups reaches the threshold, Provisioning is placed in quarantine and you must return to the app in Entra ID and allow Provisioning to continue (or cancel the run).
If you exceed the threshold and have provided a Notification Email, Microsoft will send you a notification as shown in the screenshot below.
Example Quarantine Notification email
The “Scope” field determines whether Provisioning runs on all users and groups in Entra ID or just the ones you have specifically selected. Typically, Cerberus FTP Server users will be assigned to a specific group and only users in that group will be Provisioned. For this scenario, select “Sync only assigned users and groups” in the dropdown.
A completed Settings section may look something like the screenshot below.
Example Updated Settings
When done, click the “Save” button again and then click the “X” in the top-right corner.
You should now see the Overview screen which will be similar to the screenshot below.
Completed Provisioning Configuration
Entra ID Provisioning
It’s now time to select who will have access to Cerberus FTP Server via Single Sign On.
Selecting Users and Groups for Provisioning
If you selected “Sync all users and groups” for the Settings : Scope field above, you can skip this step. Otherwise, the “Sync only assigned users and groups” setting needs to know who to Provision.
For the steps below, we will assume that you have already configured a group in your Entra ID that you would like to use for users. You can also individually add users, but having a group in AD makes management easier and more scalable.
As shown in the screenshot above, click on Users and groups; you should see a screen similar to the screenshot below.
Adding Users and Groups
Click the Add user/group button as highlighted in the screenshot above. This will open a mostly empty window titled Add Assignment. On the left-hand side under Users and groups, click None Selected. This will open a panel on the right-hand side as shown in the screenshot below.
Users and groups: Add Assignment
In the search bar highlighted on the right-hand side in the screenshot above, you can enter a partial search string (here we’ve used the text “ftp”); pause a moment, and matching users and groups will display below. When you see the user or group you want, click on it and it will be added to the Selected items section in the lower half of the panel. When you have selected all the users and groups, click the Select button at the bottom of the panel.
The main page will now be updated showing counts of the Users and groups you’ve selected. Note: be aware that Entra ID only adds users who are direct members of a group, it does not handle sub-groups.
When satisfied click the Assign button as shown in the screenshot below.
Assign Users and groups to Provisioning
You should now see something similar to the screenshot below. You can now click the X in the top-right corner to close this panel.
Completed Users and Group assignment
Start Provisioning
With Cerberus FTP Server running in your environment, you’re now ready for the final step: Start provisioning in Entra ID. As shown in the screenshot below, click the Start provisioning button. You may view the logs in both Entra ID and Cerberus. Note: it can take as long as an hour for Entra ID to begin sending data to Cerberus.
Ready to Start provisioning
If you wish to filter the logs in Cerberus, use the term “SCIM” and you’ll see the logs that apply to Azure’s provisioning process.
Known Issues
See SAML and Single Sign On and SCIM Known Issues