CMES SCIM Configuration

Configure SCIM for Enterprise SSO to Cloud Maker Enterprise Server

Written by Nick Smith
Updated over a week ago

Cloud Maker Enterprise Server uses System for Cross-Domain Identity Management (SCIM) to sync users and groups from Azure Active Directory to the Cloud Maker appliance.

To set up SCIM please do the following:

  1. Create a SCIM token in Cloud Maker by going to Your Organisation Name > Manage Your Organisation (in the top right corner of Cloud Maker when on the workspace screen).

  2. On the Manage Your Organisation screen, select the SCIM configuration menu item.

  3. Generate a SCIM token and note this down for use later.

  4. Next, sign in to the Azure portal.

  5. Browse to Azure Active Directory > Enterprise applications.

  6. Select + New application > + Create your own application.

  7. Enter a name for your application, choose the option "Integrate any other application you don't find in the gallery", and select Create to create an app object.

  8. The new app is added to the list of enterprise applications and opens to its app management screen.

  9. In the app management screen, select Provisioning in the left panel.

  10. Under Manage on the left panel select Provisioning.

  11. Once on the provisioning screen, set Provisioning Mode: Automatic.

  12. Under Admin Credentials, set the Tenant URL as your CMES URL (e.g. for a custom domain: https://cmes.yourdomain.com) with /api/scim on the end, i.e. https://cmes.yourdomain.com/api/scim.

  13. Enter the SCIM token (created in Cloud Maker in step 3 above) into the Secret Token field.

  14. Optionally click the Test Connection button to test connectivity.



  15. Click Save to reveal the Mappings section.

  16. Expand the Mappings section.

  17. Under the Mappings section, select Provision Azure Active Directory Groups.

  18. Edit Azure Active Directory Attribute: objectId.

    1. Change the Match objects using this attribute to Yes.

    2. Click OK.

  19. Edit Azure Active Directory Attribute: displayName.

    1. Change the Match objects using this attribute to No.

    2. Click OK.


  20. Click Save and navigate back to Provisioning using the breadcrumb link at the top of the page.

  21. Under the Mappings section, select Provision Azure Active Directory Users.

  22. Under Attribute Mappings, delete all Azure Active Directory Attribute mappings except:

    1. UserPrincipalName.

    2. mailNickname.

    3. displayName.

    4. Switch...

  23. Edit the Azure Active Directory Attribute: mailNickname.

    1. Change the source attribute to objectId.

    2. Set match objects using this attribute to Yes.

    3. Click OK.

  24. Edit Azure Active Directory Attribute: userPrincipalName.

    1. Set Match objects using this attribute to No.

    2. Click OK.


  25. Click Save and navigate back to Provisioning using the breadcrumb link at the top of the page.

  26. Expand the Settings section and under Scope ensure Sync only assigned users and groups is selected from the drop-down menu.

    NB: The Azure Portal has a rendering bug that means Scope is not always rendered. To resolve this, please navigate to Overview on the left panel and back to Manage > Provisioning and expand the Settings section.

  27. Set Provisioning Status to On.

  28. Click Save to complete the SCIM setup.

  29. Navigate back to the Provisioning Overview screen, where you can select Provision on demand to immediately provision a user or group in CM, or go to Users and Groups and assign them so that they are picked up in the next round of provisioning.


    NB: If provisioning a Group of users, ensure you select the Group first and then ALL of the required users within the group.
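
A pre-flight check for the values entered in steps 12 to 14, added here as an example and not part of Cloud Maker's own tooling. It validates the Tenant URL, then builds the same kind of request a SCIM client sends with the Secret Token as a bearer credential: a SCIM 2.0 query for a user that cannot exist. The environment variable names are this example's own, and it assumes CMES answers a standard /Users filter query.

```python
import os
import urllib.error
import urllib.parse
import urllib.request
import uuid

SCIM_SUFFIX = "/api/scim"  # path suffix the article gives for the Tenant URL


def check_tenant_url(url):
    """Return a list of problems with a candidate Tenant URL (empty means OK)."""
    problems = []
    parts = urllib.parse.urlsplit(url.strip())
    if parts.scheme != "https":
        problems.append("scheme must be https: the SCIM token is a bearer secret")
    if not parts.hostname:
        problems.append("missing host name")
    if parts.username or parts.password:
        problems.append("credentials must not be embedded in the URL")
    if parts.query or parts.fragment:
        problems.append("query string or fragment is not expected")
    if parts.path.rstrip("/") != SCIM_SUFFIX:
        problems.append("path must be exactly " + SCIM_SUFFIX)
    return problems


def build_probe(tenant_url, token):
    """Build (without sending) a SCIM query for a user name that cannot exist."""
    problems = check_tenant_url(tenant_url)
    if problems:
        raise ValueError("; ".join(problems))
    if not token or token != token.strip():
        raise ValueError("token is empty or has stray whitespace from copy/paste")
    query = urllib.parse.urlencode(
        {"filter": 'userName eq "%s"' % uuid.uuid4()}, quote_via=urllib.parse.quote)
    url = tenant_url.strip().rstrip("/") + "/Users?" + query
    return urllib.request.Request(url, headers={
        "Authorization": "Bearer " + token,
        "Accept": "application/scim+json",
    })


if __name__ == "__main__":
    # CMES_TENANT_URL and CMES_SCIM_TOKEN are names chosen for this example.
    req = build_probe(os.environ["CMES_TENANT_URL"], os.environ["CMES_SCIM_TOKEN"])
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            print("HTTP", resp.status)  # 200: URL reachable and token accepted
    except urllib.error.HTTPError as err:
        print("HTTP", err.code)  # 401/403 points at the token, 404 at the URL
```
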
