
Azure SCIM

Learn how to configure SCIM provisioning with Azure for Hanzo KMS.

Azure SCIM provisioning is a paid feature.

Prerequisites:

In Hanzo KMS, head to the Single Sign-On (SSO) page and select the Provisioning tab. Under SCIM Configuration, press the Enable SCIM provisioning toggle to allow Azure to provision/deprovision users for your organization.

SCIM enable provisioning

Next, press Manage SCIM Tokens and then Create to generate a SCIM token for Azure.

SCIM create token

Next, copy the SCIM URL and New SCIM Token to use when configuring SCIM in Azure.

SCIM copy token

In Azure, navigate to Enterprise Application > Users and Groups. Add any users and/or groups to your application that you would like to be provisioned over to Hanzo KMS.

SCIM Azure Users and Groups

In Azure, head to your Enterprise Application > Provisioning > Overview and press Get started.

SCIM Azure

Next, set the following fields:

  • Provisioning Mode: Select Automatic.
  • Tenant URL: Input SCIM URL from Step 1.
  • Secret Token: Input the New SCIM Token from Step 1.

Afterwards, click Enable SCIM and press the Test Connection button to check that SCIM is configured properly.
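The following is an added example, not code from Hanzo KMS or from the Azure provisioning service. It reproduces what the Test Connection button checks (a filtered GET against the `/Users` collection of the SCIM URL with the Secret Token as a bearer token; that request shape is an assumption, as is the assumption that the SCIM URL is a standard SCIM 2.0 base) and maps each outcome to the fix you would apply in Hanzo KMS or Azure. The URL, tokens and the fake SCIM server are constructed so it runs offline.

```python
import io
import json
import urllib.error
import urllib.parse
import urllib.request

LIST_RESPONSE_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def build_probe_request(tenant_url: str, token: str) -> urllib.request.Request:
    """Build the probe Azure's Test Connection is assumed to send: a filtered
    GET {tenantUrl}/Users. The filter value is a constructed placeholder."""
    base = tenant_url.rstrip("/")
    query = urllib.parse.urlencode({"filter": 'userName eq "scim-probe@example.invalid"'})
    req = urllib.request.Request(f"{base}/Users?{query}", method="GET")
    # The Secret Token field in Azure is sent as an OAuth bearer token.
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/scim+json")
    return req


def classify_probe(status: int, body: bytes) -> str:
    """Map the HTTP outcome to the configuration fix a practitioner would apply."""
    if status in (401, 403):
        return "token rejected: regenerate the SCIM token in Hanzo KMS and re-enter it as Secret Token"
    if status == 404:
        return "not a SCIM endpoint: check the Tenant URL against the SCIM URL shown in Hanzo KMS"
    if status != 200:
        return f"unexpected HTTP {status}"
    try:
        doc = json.loads(body)
    except ValueError:
        return "200 but body is not JSON"
    if not isinstance(doc, dict) or LIST_RESPONSE_SCHEMA not in doc.get("schemas", []):
        return "200 but body is not a SCIM ListResponse"
    return "ok: SCIM URL and token accepted"


def probe(tenant_url: str, token: str, opener=urllib.request.urlopen) -> str:
    """Send the probe and classify the result; `opener` is injectable for offline use."""
    req = build_probe_request(tenant_url, token)
    try:
        with opener(req) as resp:
            return classify_probe(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify_probe(err.code, err.read())


class _FakeResponse:
    """Constructed stand-in for a urllib response so the demo runs offline."""

    def __init__(self, status: int, body: bytes):
        self.status, self._body = status, body

    def read(self) -> bytes:
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


SCIM_BASE = "https://kms.example.invalid/api/scim"  # placeholder, not a real SCIM URL


def fake_scim_server(req: urllib.request.Request) -> _FakeResponse:
    """Constructed SCIM 2.0 server: accepts exactly one token at one base URL."""
    if req.get_header("Authorization") != "Bearer correct-token":
        raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, io.BytesIO(b""))
    if not req.full_url.startswith(SCIM_BASE + "/"):
        raise urllib.error.HTTPError(req.full_url, 404, "Not Found", {}, io.BytesIO(b""))
    body = json.dumps({"schemas": [LIST_RESPONSE_SCHEMA], "totalResults": 0, "Resources": []})
    return _FakeResponse(200, body.encode())


if __name__ == "__main__":
    print(probe(SCIM_BASE, "correct-token", fake_scim_server))
    print(probe(SCIM_BASE, "stale-token", fake_scim_server))
    print(probe("https://kms.example.invalid/wrong", "correct-token", fake_scim_server))
```

To run it against a real deployment, pass the SCIM URL and token copied from Hanzo KMS and leave `opener` at its default; a 401 points at the token, a 404 at the URL, and only a 200 carrying a SCIM `ListResponse` means Azure's own Test Connection will pass.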

SCIM Azure

After you hit Save, select Provision Microsoft Entra ID Users under the Mappings subsection.

SCIM Azure

Next, adjust the mappings so you have them configured as below:

SCIM Azure

Finally, head to your Enterprise Application > Provisioning and set the Provisioning Status to On.

SCIM Azure

Alternatively, you can go to Overview and press Start provisioning to have Azure start provisioning/deprovisioning users to Hanzo KMS.

SCIM Azure

Now Azure can provision/deprovision users to/from your organization in Hanzo KMS.

FAQ

Hanzo KMS's SCIM implementation preserves the end-to-end encrypted architecture of Hanzo KMS because we decouple the authentication and decryption steps in the platform.

For this reason, SCIM-provisioned users are initialized but must finish setting up their account when logging in for the first time by creating a master encryption/decryption key. With this implementation, IdPs and SCIM providers cannot and will not have access to the decryption key needed to decrypt your secrets.
