Set Up Enterprise SSO and SCIM
Copy for LLM
Copy page as Markdown for LLMs
View as Markdown
Open this page as Markdown
Open in ChatGPT
Get insights from ChatGPT
Open in Claude
Get insights from Claude

Your organization uses Microsoft Entra ID. You want users to log in with their corporate credentials and have Entra ID automatically manage which users exist in Aritma.

Approach: Configure Azure AD SSO for authentication, then enable SCIM so Entra ID manages the full user lifecycle — creating and deprovisioning users in Aritma as they are assigned or removed in the directory.

Prerequisites

An access token with IAM admin permissions
A configured tenant
Access to the Azure portal to configure Entra ID

Step 1: Register an Azure AD SSO provider

curl -i -X POST \
  https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/sso/azuread \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "scheme": "string",
    "displayName": "string",
    "enabled": true,
    "type": "oidc",
    "properties": {
      "loginEnabled": true,
      "visible": true,
      "delegationEnabled": false,
      "autoProvisioningEnabled": true,
      "clientId": "my-client-id",
      "clientSecret": "my-client-secret",
      "usePkce": true,
      "authority": "https://login.microsoftonline.com/{TenantId}/v2.0",
      "responseType": "code",
      "scope": "openid profile email"
    }
  }'

Note the scheme you chose — you will use it in the next step.

Auto-provisioning

autoProvisioningEnabled controls just-in-time user creation at login time. With SCIM configured, users are pre-created by Entra ID before they ever log in, so autoProvisioningEnabled is not required for this setup. Enable it only if you also want to support logins from users not yet provisioned via SCIM.

Step 2: Create a SCIM token linked to the provider

curl -i -X POST \
  https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/scim \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "provider": "string",
    "providerDisplayName": "string"
  }'

The provider field must match the scheme you chose for the SSO provider above. Store the returned token value securely — it is only shown once.

Step 3: Configure Entra ID

In the Azure portal, go to Entra ID → Enterprise Applications and create a new application. Under Provisioning, set:

Tenant URL — your Aritma SCIM endpoint
Secret Token — the token from step 2

Once saved, Entra ID will begin provisioning users assigned to the application. And users can log in using Entra ID.

Next steps

To update the SSO provider configuration later, see SSO Setup
To manage SCIM tokens, see SCIM Provisioning
To verify your domain, see Domains

Set Up Enterprise SSO and SCIMCopyCopy for LLMCopy page as Markdown for LLMsView as MarkdownOpen this page as MarkdownOpen in ChatGPTGet insights from ChatGPTOpen in ClaudeGet insights from Claude