Managing users with Active Directory SAML & SCIM
Omni can be integrated with Active Directory for user authentication via the SAML protocol and user and group provisioning via the SCIM protocol.
SAML
Omni supports SP-initiated SAML authentication with Microsoft Active Directory and other SAML 2.0-compatible identity providers. To set up Active Directory, follow these instructions:
- In the Microsoft Entra admin panel, navigate to Applications > Enterprise Applications.
- If you haven't already created an application for Omni, create one:
  - Click New application and then Create your own application.
  - Name the application `Omni`, select the radio button for "Integrate any other application you don't find in the gallery (Non-gallery)", and press Create.
- Select the Omni application, then navigate to the Manage > Single sign-on configuration section.
- Select the SAML sign-on method.
- Edit the Basic SAML Configuration:
  - Set the Identifier (Entity ID) to the full hostname of your Omni instance, e.g. `myorg.omniapp.co`. Do NOT include `https://` in the Identifier.
  - Set the Reply URL (Assertion Consumer Service URL) to the value of the Single sign-on URL from the Omni Authentication settings page.
- Edit the Attributes & Claims:
  - Edit the Unique User Identifier (Name ID) claim:
    - Name identifier format: Email address
    - Source: Attribute
    - Source attribute: `user.mail`
    - Note: if you use a different attribute for the user email address, use that instead.
  - You should have two Additional claims (remove others that are populated by default):
    - Name: `first_name`, Namespace: (blank), Source: Attribute, Source attribute: `user.givenname`
    - Name: `last_name`, Namespace: (blank), Source: Attribute, Source attribute: `user.surname`
- Download the Certificate (Base64) from Step 3 and make note of the Login URL and Microsoft Entra ID Identifier values from Step 4.
  - Note: the Test button in Microsoft Entra will not work, even when the SAML integration is properly configured.
- In the Omni authentication settings form:
  - Copy the Login URL value from the step above into the SSO (Sign on) URL form input.
  - Copy the
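The claim mapping above is easy to get subtly wrong (a stray `https://` in the Entity ID, a Name ID that is not an email, a renamed claim). The following checker is an added example, not Omni's or Microsoft's code: it parses a constructed, unsigned sample assertion shaped like the configuration above and reports mismatches against the guide's expected values (`myorg.omniapp.co`, emailAddress Name ID, `first_name` and `last_name` claims). Signature and timestamp validation are left to the SAML library and are not re-implemented here.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ENTITY_ID = "myorg.omniapp.co"          # the Identifier (Entity ID) from the guide, no https://
REQUIRED_CLAIMS = ("first_name", "last_name")

# Constructed, unsigned sample assertion shaped like the Entra claims configuration above.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_c1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>myorg.omniapp.co</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, entity_id=ENTITY_ID):
    """Return the configuration problems found in an assertion (empty list means it matches
    the guide). Only the claim mapping is checked here; signature and timestamp validation
    belong to the SAML library and are deliberately not re-implemented."""
    ns = {"saml": SAML_NS}
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find("saml:Subject/saml:NameID", ns)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID missing or not in emailAddress format")
    elif "@" not in (name_id.text or ""):
        problems.append("NameID source attribute is not an email address")
    # The Audience must equal the Entity ID exactly; a scheme prefix makes it a different value.
    audiences = [a.text for a in root.findall(".//saml:Audience", ns)]
    if entity_id not in audiences:
        problems.append(f"Audience {audiences} != Entity ID {entity_id!r} (stray https:// ?)")
    claims = {a.get("Name") for a in root.findall(".//saml:Attribute", ns)}
    problems += [f"missing claim {c}" for c in REQUIRED_CLAIMS if c not in claims]
    return problems
```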
SCIM
You can integrate Active Directory's provisioning capability with Omni to create accounts for your users and synchronize Omni groups with groups in Active Directory.
The integration between Active Directory and Omni that enables this is built around an industry-standard protocol known as SCIM (System for Cross-domain Identity Management).
To set up Active Directory provisioning with SCIM, an Omni organization admin can follow these steps:
- In Omni:
  - Navigate to Admin > API Keys.
  - Generate a new API key named 'Active Directory SCIM' or similar, and leave the generated key visible for the next step.
- In the Microsoft Entra admin panel, in a new browser window:
  - Navigate to Manage > Enterprise Applications.
  - If you haven't already created an application for Omni, create one:
    - Click New application and then Create your own application.
    - Name the application `Omni`, select the radio button for "Integrate any other application you don't find in the gallery (Non-gallery)", and press Create.
  - Select the Omni application, then navigate to the Manage > Provisioning section.
  - Click Get Started.
  - Complete the form:
    - Select the Automatic Provisioning Mode.
    - In the Admin Credentials section enter the following values:
      - Tenant URL: `https://myorg.omniapp.co/api/scim/v2`, where `https://myorg.omniapp.co` is the URL you use to log in to Omni.
      - Secret Token: enter the API key you generated in Omni in the first step of this guide.
    - Press Test Connection and confirm it succeeds.
  - In the Mappings section:
    - Click on Provision Microsoft Entra ID Groups, remove all Attribute Mappings except `displayName` and `members`. Then press Save and then press your browser's back button.
    - Click on Provision Microsoft Entra ID Users, remove all Attribute Mappings except `userName`, `active`, and `displayName`. Then press Save and then press your browser's back button.
    - Press Save.
  - Return to the Provisioning section for the Omni application in the Entra admin panel.
  - Navigate to Manage > Users and Groups.
  - Assign the relevant Users and Groups to be provisioned in Omni.
To set up mapping between Active Directory attributes and Omni User Attributes, an Omni organization admin can follow these steps:
- In Omni:
  - Create User Attributes by following this guide, noting each attribute's Reference and Type.
- In the Microsoft Entra admin panel:
  - Navigate to Manage > Enterprise Applications.
  - Select the Omni application, then navigate to the Manage > Provisioning section.
  - Navigate from the Provisioning Overview to the Manage > Provisioning section again.
  - Open the Mappings section and click Provision Microsoft Entra ID Users.
  - At the bottom of the page, select Show advanced options, and then click Edit attribute list for customappsso.
  - For each Omni User Attribute you created, add a new Attribute in the Entra Attribute editor as follows:
    - Set the Name to the Reference of the Omni User Attribute prefixed with `urn:omni:params:1.0:UserAttribute:`. For example, if the Reference of your Omni User Attribute is `department`, enter `urn:omni:params:1.0:UserAttribute:department` as the Name in the Entra User Attribute editor.
    - Set the Type to the Type of the Omni User Attribute (note: only `String` and `Integer` are currently supported).
    - Select Multi-Value? if the Omni User Attribute is configured to support Multiple Values.
    - Configure the remaining fields as appropriate for your Entra configuration.
  - Save the changes to the User Attribute List.
  - In the Attribute Mapping configuration, click Add New Mapping, select the Attribute you just created as the Target attribute, and configure the remaining fields to map the appropriate value to that attribute.
  - Press OK, and then press Save to save the changes to the Omni app in Entra.
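To make the attribute-list and mapping rules above concrete, here is an added example (not Omni's or Microsoft's code) that derives the `customappsso` attribute entries from a constructed set of Omni User Attributes and then checks a constructed SCIM User payload against the core mapping (`userName`, `active`, `displayName`) and the custom attributes. One assumption not stated on the page: Entra is taken to send a URN-named custom attribute as an extension object keyed by the `urn:omni:params:1.0:UserAttribute` prefix, with the Reference as the key inside it.

```python
import re

OMNI_ATTR_PREFIX = "urn:omni:params:1.0:UserAttribute"   # prefix from the guide, trailing colon omitted
SUPPORTED_TYPES = {"String": str, "Integer": int}          # the only Types the guide says are supported

# Constructed: Omni User Attributes as created in Admin (Reference, Type, Multiple Values).
OMNI_USER_ATTRIBUTES = [
    {"reference": "department", "type": "String", "multi": False},
    {"reference": "region_ids", "type": "Integer", "multi": True},
]

def entra_attribute_list(omni_attributes):
    """Entries to add under 'Edit attribute list for customappsso', per the guide's naming rule."""
    entries = []
    for attr in omni_attributes:
        if attr["type"] not in SUPPORTED_TYPES:
            raise ValueError(f"{attr['reference']}: Type must be String or Integer")
        if not re.fullmatch(r"[A-Za-z0-9_]+", attr["reference"]):
            raise ValueError(f"{attr['reference']}: Reference must be a plain identifier")
        entries.append({"name": f"{OMNI_ATTR_PREFIX}:{attr['reference']}",
                        "type": attr["type"], "multi_value": attr["multi"]})
    return entries

def check_scim_user(payload, omni_attributes):
    """Check a provisioned SCIM User against the mappings from the guide.
    Assumption (not stated on the page): Entra sends URN-named custom attributes as an
    extension object keyed by the URN prefix, e.g. payload[OMNI_ATTR_PREFIX]["department"]."""
    problems = [f"missing core attribute {k}" for k in ("userName", "active", "displayName")
                if k not in payload]
    ext = payload.get(OMNI_ATTR_PREFIX, {})
    for attr in omni_attributes:
        value = ext.get(attr["reference"])
        if value is None:
            problems.append(f"missing {OMNI_ATTR_PREFIX}:{attr['reference']}")
        elif attr["multi"] and not isinstance(value, list):
            problems.append(f"{attr['reference']} is multi-valued but a single value was sent")
        else:
            expected = SUPPORTED_TYPES[attr["type"]]
            values = value if attr["multi"] else [value]
            # bool is a subclass of int in Python, so exclude it explicitly for Integer attributes
            if not all(isinstance(v, expected) and not isinstance(v, bool) for v in values):
                problems.append(f"{attr['reference']} expected {attr['type']} values, got {value!r}")
    return problems

# Constructed sample of what Entra would send for an assigned user under the assumption above.
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", OMNI_ATTR_PREFIX],
    "userName": "alice@example.com", "active": True, "displayName": "Alice Liddell",
    OMNI_ATTR_PREFIX: {"department": "Finance", "region_ids": [12, 34]},
}
```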