SCIM and identity provider configuration

Use the SCIM to automatically:

• Provision & Deprovision Users
  • View, Create, and Delete users
  • Remove users (deactivate SCIM identity)
  • Re-add users (reactivate SCIM identity)

When SCIM is enabled for Tealium, user memberships are synced between Tealium and an identity provider.

The internal Tealium group SCIM API implements part of the RFC7644 protocol.

Prerequisites

• Single sign-on must be configured.
• Account admin or user admin permissions.
• Long-lived bearer token: Contact Tealium Support to request a long-lived bearer token.

Configure an identity provider

You can configure the following identity provider:

• Microsoft Entra ID (formerly Azure Active Directory)

Other providers may work with Tealium, but they have not been tested and are not supported. For assistance, contact your identity provider. Contact Tealium support to confirm compatibility.

Configure Microsoft Entra ID

The SAML application created for Azure Active Directory during SSO setup must be configured for SCIM.

You must configure SCIM provisioning exactly as detailed in the following instructions. If misconfigured, you will encounter issues with user provisioning and sign in. If you have any trouble or questions with any step, contact Tealium support.

To configure Microsoft Entra ID for SCIM:

Add Tealium to Microsoft Entra ID

1. Go to the Azure Portal.
2. Go to Microsoft Entra ID > Enterprise applications.
3. Click + New application and then click Create your own application.
4. Enter a Name (for example, Tealium), and choose Integrate any other application you don’t find in the gallery.
5. Click Create.

Configure SCIM provisioning

1. In your app, click the Provisioning tab and click Get started.
2. Set Provisioning Mode to Automatic.
3. Under Admin Credentials, enter the following values:
   • In the Tenant URL field, enter the SCIM API endpoint URL from Tealium: https://api.tealiumiq.com/scim/v2
   • In the Secret Token field, enter your SCIM bearer token from Tealium.
4. Click Test Connection. A success message will appear.
5. Click Save.

Configure user assignments

SCIM group provisioning is not currently supported in Early Access.

1. Click Provisioning.
2. Ensure that the Enabled toggle is set to Yes.
3. Ensure that all Target Object Actions are enabled.
4. Click Attribute mapping and configure the attribute mapping between Microsoft Entra ID and Tealium. For more information, see Microsoft: Customize user provisioning attribute-mappings for SaaS applications in Microsoft Entra ID.

The following table lists required attribute mappings for Tealium to authenticate to Microsoft Entra ID through SCIM:

Microsoft Entra ID source attribute	customappsso target attribute	Matching precedence
userPrincipalName	userName	1
Switch([IsSoftDeleted], , "False", "True", "True", "False") *	active
displayName	displayName
givenName	name.GivenName
surname	name.familyName
mailNickname	externalId

* This is an expression type, not a direct mapping. Select Expression from the Mapping type list.

While Microsoft transitions from Azure Active Directory to Entra ID naming schemes, you might notice inconsistencies in your user interface. If you’re having trouble, contact Tealium Support.

Each attribute mapping contains the following:

• A customappsso attribute, which corresponds to a target attribute.
• A Microsoft Entra ID attribute, which corresponds to a source attribute.

For each attribute, use the following steps:

1. Edit the existing attribute or add a new attribute.
2. Select the required source and target attribute mappings from the lists.
3. Click Ok.
4. Click Save.

If your SAML configuration differs from the recommended SAML settings, select the mapping attributes and modify them accordingly. The source attribute that you map to the externalId target attribute must match the attribute used for the SAML mailNickname.

If a mapping is not listed in the table, use the Microsoft Entra ID defaults. For a list of required attributes, see Microsoft: Develop and plan provisioning for a SCIM endpoint in Microsoft Entra ID.

Assign users

1. Go to Users and groups.
2. Click + Add user/group.
3. Select the users or groups you want to sync.
4. Click Assign.

Configure final settings and start provisioning

Configure the following settings:

1. (Optional) Select the Send an email notification when a failure occurs checkbox.
2. (Optional) Select the Prevent accidental deletion checkbox.
3. Click Save to ensure all changes are saved.
4. Go to Provisioning and click Start provisioning.

Provisioning usually starts within a few minutes, but may take up to 40 minutes for the first sync.

Remove access

Remove or deactivate a user on the identity provider to remove their access.

After the identity provider performs a sync based on its configured schedule, the user’s membership is revoked and they lose access.

Removing or deactivating a user on the identity provider does not delete the Tealium user account. The Tealium user account will be deactivated, and it can be reactivated by re-adding the user to the identity provider.

Reactivate access

After a user is removed or deactivated through SCIM, reactivate that user by adding them to the SCIM identity provider.

After the identity provider performs a sync based on its configured schedule, the user’s SCIM identity is reactivated.