Note: Microsoft has paused the review and publishing of new and updated apps supporting SCIM user provisioning in the Entra ID Gallery. Below are the steps to configure a non-gallery app for SCIM user provisioning for SendSafely. If you do not wish to use SCIM, you may continue to use our existing Entra ID app here for SAML SSO only.
SendSafely now supports user provisioning via SCIM for Entra ID. The following automated functions are available:
- Create Users - Users assigned to the SendSafely application in Entra ID will be automatically created and registered in your SendSafely enterprise portal.
- Update User Attributes - Updates made to the user's First Name and Last Name within Entra ID will automatically be applied to the user’s SendSafely profile.
- Deactivate Users - Deactivating the user or disabling the user's access to the SendSafely application through Entra ID will deactivate the user’s account in SendSafely. Deactivating a user results in removal of the SendSafely user's profile data and deletion of all files and messages from their history.
Configuration Instructions
Below are the instructions for configuring SendSafely as a non-gallery app that supports both SSO SAML and SCIM provisioning. (The current SendSafely App in the Entra Gallery does not yet support provisioning, therefore it is necessary to configure SendSafely as a non-gallery application for both SSO SAML and SCIM provisioning.)
Create new application
From the Enterprise applications directory navigate to:
- Enterprise application > All applications > + New application
- Click ‘+ Create your own application’
- Do not search for or use the existing SendSafely Entra ID app, as it does not yet support provisioning
- Enter a name for your app, e.g. “SendSafelySCIM”
- Choose the third bullet option ‘Integrate any other application you don't find in the gallery (Non-gallery)’
- Click ‘Create’
Setup single sign-on
Now that the SendSafelySCIM app is created, we will set up Single sign-on.
Choose Single sign-on from the left hand menu, and then the SAML method.
Complete each of the following sections:
1. Basic SAML configuration
- Click Edit, then enter https://[your sendsafely Hostname]/auth/saml2/ into each of the three fields below:
- Identifier
- Reply URL
- Relay State
2. Attributes & Claims
- Under this section you only need the following attributes:
- emailaddress
- Unique User Identifier
- Click edit and delete all unnecessary attributes
3. SAML Certificates
- Click edit and:
- Update signing option using dropdown to “Sign SAML response and assertion”
- Confirm Signing Algorithm is SHA-256
4. Set up App
- In a new tab, log into your SendSafely web portal and navigate to the Enterprise Console > Configuration > Authentication Providers section
- In Entra, Download the Certificate (Base64) and paste into the Public Key Certificate in SendSafely
- Copy the Login URL from Entra and paste it into the Sign-in URL in SendSafely
- Copy the Logout URL from Entra and paste it into the Sign-out URL in SendSafely
5. Test single sign-on
- Click ‘Test’ to confirm the setup works
The single sign-on with SAML portion is now set up - next we will configure user provisioning using SCIM for the SendSafelySCIM app.
Setup Provisioning
To set up SCIM provisioning, click ‘Provisioning’ in the left hand menu for the new app.
Part 1: Connecting App
On the Overview (Preview) tab in the left hand menu, under Create configuration, click “Connect your application”
On the next screen ‘New provisioning configuration’ enter the Tenant URL and Secret Token following the instructions below:
- Tenant URL:
- Enter https://[your sendsafely Hostname]/scim/v2/entra/
- Secret Token:
- The Secret Token is a SCIM-specific SendSafely API Key that a SendSafely Admin can configure in the SendSafely web portal.
- In a new tab, log into your SendSafely web portal as a SendSafely Admin, navigate to the Enterprise Console > Users and follow the steps below:
- Step 1: Configure account
- We recommend you configure a no-login service account to own the API key for your SCIM connection. Follow the set up instructions here.
- In order to generate a SCIM API Key, the service account must be granted admin privileges from the user list in the Enterprise console
- Step 2: Generate API Key
- Impersonate the account created in step 1 above (three dot menu > profile > API Keys tab) to generate an API Key owned by that account (as described in this article.)
- From the API Keys screen, click the ‘Generate New Key’ button and then click ‘Click here if you want to use this as a SCIM key’
- If you do not see the option to generate a SCIM key, confirm the no-login service account has Admin rights
- Step 3: Create bearer token
- Entra utilizes a bearer token, which is a combination of the SendSafely API Username and SCIM API Password, so prior to pasting into Entra you must concatenate both values in a text editor, separated by a colon, e.g.: scim-admin@sendsafely.com:3qQYa8TNisU84ii1NvdmYQ02PBKUXFMPPr2U1q1IXLTcU_fRnP4JATgJN3p18bk
- Paste the concatenated token into the Entra ‘Secret token’ field
- Test connection and Create
- Test your connection by clicking the ‘Test connection’ button
- If the test connection is successful, click the blue ‘Create’ button
Part 2: Attribute mapping
Once the app is connected, we now map the required attributes by performing the following:
In the left hand menu, click ‘Attribute mapping (Preview)’ and then choose ‘Provision Microsoft Entra ID Users’
Provision Entra ID users
The only attributes required by SendSafely are below:
- Username
- Active
- Given Name
- Family Name
Use the ‘Delete’ button to remove all other attributes.
Set the userName attribute as immutable by selecting the “show advanced options” checkbox and clicking the “Review your schema here” link
Scroll down to the userName configuration settings (which should be line 2357). Change the Mutability option to “Immutable”
Then click the “Save” button
Navigate back to the Attribute mapping (Preview) tab and then choose ‘Provision Microsoft Entra ID Groups’
Toggle “Enabled” to No then click save
Confirm the changes took effect
Note: This only disables the group object itself from being sent over to SendSafely, which isn’t currently supported. You can still add and remove groups from the SendSafely app, and users within that group will be automatically provisioned and de-provisioned within SendSafely.
Part 3: Add Users (Final Test)
To confirm the above setup is working correctly, run through a test to add, edit and remove a user.
Test cases:
- Assign a user to the SendSafely App in Entra - confirm the user is provisioned in SendSafely
- Edit the user’s first and last name in Entra - confirm the name fields are updated in SendSafely
- Remove the user in Entra - confirm the user is deactivated in SendSafely
Note: as Entra provisions users every 40 min by default, for efficient testing leverage the Entra “On demand” provisioning option for instant results.
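The following helper is an added example, not SendSafely's or Microsoft's code: it builds the Secret Token from Step 3 of Part 1 in the exact ‘username:key’ form Entra expects, derives the Tenant URL from your hostname, and checks the three Part 3 test cases by reading a user back over SCIM instead of only through the web portal. It assumes the SendSafely endpoint honours the standard SCIM 2.0 ‘GET /Users?filter=userName eq "…"’ query that Entra itself issues during provisioning; the hostname, username and key used are placeholders.

```python
"""Check SendSafely SCIM provisioning state for a user (added example)."""
import json
import urllib.parse
import urllib.request
from typing import Optional


def build_secret_token(api_username: str, scim_api_key: str) -> str:
    """Step 3 above: API username and SCIM API key joined by a single colon."""
    for part in (api_username, scim_api_key):
        if not part or ":" in part or any(ch.isspace() for ch in part):
            raise ValueError("token parts must be non-empty, with no colon or whitespace")
    return f"{api_username}:{scim_api_key}"


def tenant_url(hostname: str) -> str:
    """Tenant URL entered in the Entra provisioning configuration."""
    return f"https://{hostname}/scim/v2/entra/"


def summarize_user(list_response: dict) -> Optional[dict]:
    """Reduce a SCIM ListResponse to the four attributes SendSafely provisions."""
    resources = list_response.get("Resources", [])
    if not resources:
        return None  # user was never provisioned (or filter matched nothing)
    user = resources[0]
    name = user.get("name", {})
    return {"userName": user.get("userName"), "active": user.get("active"),
            "givenName": name.get("givenName"), "familyName": name.get("familyName")}


def lookup_user(hostname: str, secret_token: str, user_name: str,
                opener=urllib.request.urlopen) -> Optional[dict]:
    """Query the SCIM endpoint the way Entra does (assumption: standard RFC 7644 filter)."""
    filt = urllib.parse.quote(f'userName eq "{user_name}"')
    req = urllib.request.Request(
        f"{tenant_url(hostname)}Users?filter={filt}",
        headers={"Authorization": f"Bearer {secret_token}",
                 "Accept": "application/scim+json"})
    with opener(req) as resp:
        return summarize_user(json.load(resp))


# Constructed sample response (not captured from a real tenant) so the
# summariser can be exercised offline, e.g. for the "deactivate" test case.
CONSTRUCTED_LIST_RESPONSE = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 1,
    "Resources": [{"userName": "jane.doe@example.com", "active": False,
                   "name": {"givenName": "Jane", "familyName": "Doe"}}],
}
```

Run `lookup_user("<your sendsafely hostname>", build_secret_token(username, key), "user@example.com")` after each Part 3 step; `None` means not provisioned, `active: False` means deactivated.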