Folio supports provisioning of new users from Microsoft Entra ID (formerly Azure Active Directory). This feature is available with Enterprise 1000 and above user licenses.
Entra ID based user provisioning enables you to:
- Create new Full Users or Lite Users in Folio from Entra ID.
- Apply a User Profile (for access rights) to Full Users from Entra ID.
- Suspend users automatically: when a user is set inactive in Entra ID, or removed from the Folio enterprise app in Entra ID, they are suspended in Folio. You will still need to retire these suspended users and transfer their responsibilities directly in Folio, not via Entra ID.
- Let provisioned users single sign on (SSO) to Folio, i.e. log in with their Entra ID credentials rather than a Folio-only password.
Before you Start
Please note the following before you start:
- Business Units in Folio must match the Entra ID user attribute Department. Folio will not provision a user whose Department does not match an existing Business Unit in Folio.
- Locations in Folio must match the Entra ID user attribute Office Location. Folio will not provision a user whose Office Location does not match an existing Location in Folio.
- If you have previously created a Folio enterprise application via 'App Registrations', remove it before you start.
- Make sure you are in the correct directory (tenant) in Azure.
Sandbox & Production
- We recommend that you only have Entra ID based user provisioning on your production Folio instance.
- You can test Entra ID based provisioning in Sandbox. When you are ready to activate user provisioning in production you must:
  - Delete the Sandbox enterprise app.
  - Create a new Production enterprise app.
- You must NOT change the Tenant URL in the Entra ID provisioning setup on the sandbox enterprise app to the Folio production URL, or vice versa; this will not work.
- While we recommend that you only have user provisioning on your production instance, you can have Single Sign On (SSO) on both Sandbox and Production. (The setup steps below accommodate SSO on both Sandbox and Production.)
- Note: Folio will not stop you from setting up user provisioning on both Sandbox and Production. However, if the production database is copied to sandbox or vice versa (typically in the implementation phase), you must delete the 'old' enterprise app and set up the enterprise app again for the instance that has been copied over. This avoids the risk of User ID mismatches between Entra ID and Folio.
Setting up Azure Single Sign on to Folio
To enable provisioning with Entra ID you will first need to set Folio up as an Enterprise Application.
- In the Azure Portal click on Microsoft Entra ID.
- Click on Enterprise Applications under Manage.
- Click on New Application.
- Click on 'Create your own application'.
- Use the following to set up the new app:

| Field | Value |
|---|---|
| What's the name of your app? | Folio |
| What are you looking to do with your application? | Integrate any other application you don't find in the gallery (Non-gallery) |

- Click Create at the bottom to create the app.
- On the sidebar click on Single sign-on under Manage.
- Click on SAML.
- In the Basic SAML Configuration box click on Edit.
- Click on Add identifier under Identifier (Entity ID).
- Enter your Folio production URL into the field and tick Default.
- Click on Add reply URL under Reply URL.
- Enter your production callback URL and mark it as Default:
  https://{{$folio_name}}.foliogrc.com/d/users/auth/saml/callback
- Note: if you want to use Single Sign On in your sandbox but will not be setting up user provisioning to sandbox, click Add reply URL again and add the sandbox callback URL:
  https://{{$folio_name}}.sandbox.usefolio.com/d/users/auth/saml/callback
- Click Save at the top of the Basic SAML Configuration screen.
- Then close the panel with the X on the right of the screen.
Open a notepad or Word document now, as you will need to keep some values that Azure gives you for later use in Folio. The first rows are the values you just entered; the last two rows are filled in from the SAML page in the next two steps.

| Value | Where it comes from |
|---|---|
| Issuer / Identifier (Entity ID) | https://{{$folio_name}}.foliogrc.com |
| Reply URL (Assertion Consumer Service URL) | https://{{$folio_name}}.foliogrc.com/d/users/auth/saml/callback |
| Reply URL for sandbox SSO (optional) | https://{{$folio_name}}.sandbox.usefolio.com/d/users/auth/saml/callback |
| App Federation Metadata URL | 'SAML Certificates' section (next step) |
| Login URL | 'Set up Folio' section (step after next) |
- In the 'SAML Certificates' section copy the 'App Federation Metadata Url' into the reference table above.
- In the 'Set up Folio' section copy the 'Login URL' into the reference table above.
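The App Federation Metadata URL you just copied returns a SAML 2.0 EntityDescriptor for your tenant. The following is an added example, not Folio or Microsoft code, showing what a practitioner would pull out of that document before pasting values into Folio: the IdP issuer, the HTTP-Redirect login URL, and the SHA-256 fingerprint of the signing certificate (worth recording so a later certificate rotation is noticed rather than silently trusted). The metadata is a constructed sample with an all-zero tenant id and placeholder certificate bytes, and `folio_sp_values` reproduces the service-provider side of the reference table for a hypothetical `folio_name`.

```python
"""Extract the Entra ID values Folio needs from an App Federation Metadata document (added example)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed placeholders: a zero tenant id and bytes standing in for the signing certificate's DER.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
PLACEHOLDER_CERT_DER = b"constructed placeholder, not a real X.509 certificate"

SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/{TENANT_ID}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>{base64.b64encode(PLACEHOLDER_CERT_DER).decode()}</X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{HTTP_REDIRECT}"
                         Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
    <SingleSignOnService Binding="{HTTP_REDIRECT}"
                         Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()


def parse_idp_metadata(xml_text: str) -> dict:
    """Return the issuer, the HTTP-Redirect login URL and the signing-cert fingerprints."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    login_urls = [
        sso.get("Location")
        for sso in idp.findall("md:SingleSignOnService", NS)
        if sso.get("Binding") == HTTP_REDIRECT
    ]
    if len(login_urls) != 1:
        raise ValueError("expected exactly one HTTP-Redirect SingleSignOnService")

    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute may be used for signing as well as encryption.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(cert_fingerprint(der))
    if not fingerprints:
        raise ValueError("metadata carries no signing certificate")

    return {"issuer": root.get("entityID"), "login_url": login_urls[0], "signing_cert_sha256": fingerprints}


def folio_sp_values(folio_name: str, sandbox_sso: bool = False) -> dict:
    """Service-provider side of the reference table. The Entity ID is always the production
    URL; the sandbox callback is only added when SSO to sandbox is wanted."""
    prod = f"https://{folio_name}.foliogrc.com"
    reply_urls = [f"{prod}/d/users/auth/saml/callback"]
    if sandbox_sso:
        reply_urls.append(f"https://{folio_name}.sandbox.usefolio.com/d/users/auth/saml/callback")
    return {"entity_id": prod, "reply_urls": reply_urls}


if __name__ == "__main__":
    print(parse_idp_metadata(SAMPLE_METADATA))
    print(folio_sp_values("example", sandbox_sso=True))
```

Against a real tenant, fetch the metadata URL over HTTPS and feed the body to `parse_idp_metadata`; compare the fingerprint with the one recorded at setup time whenever SSO unexpectedly stops working, since Entra ID rotates the signing certificate and Folio must then be given the new one.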
Now you will set up the user profiles you are using for Entra ID.
Note: These User Profiles should already exist in Folio. In Entra ID you add a user to an app role, and Folio then adds the user to the matching Folio User Profile. You can also make a profile called Lite User; assigning it to a user makes that user a Lite User.
From the SAML page, navigate to the app registration:
- Click Home in the top breadcrumbs.
- Click Microsoft Entra ID on the left sidebar.
- Click App Registrations on the left sidebar.
- Click the All Applications tab.
- Click on the Folio application you created earlier.
- Click on App Roles on the sidebar under Manage, and then click Create App Role.
- You will now set up all of the Folio user profiles you are going to use with Entra ID. For each profile, click Create App Role, fill in the fields as below, click Apply, and repeat until all the roles are there.

| Azure Field | What to put into it |
|---|---|
| Display Name | Copy the name of the user profile exactly |
| Allowed Member Types | Users/Groups |
| Value | Copy the name of the user profile, replacing spaces with '_' (e.g. a profile named 'Risk Manager' gets the value 'Risk_Manager') |
| Description | What the user profile allows a user to do |
| Do you want to enable this app role? | Tick |
- Return to the Folio enterprise application and go to the Users and groups screen:
  - Click Home in the top breadcrumbs.
  - Click Microsoft Entra ID on the left sidebar.
  - Click Enterprise Applications on the left sidebar.
  - Click on the Folio application you created earlier.
  - Click on Users and groups.
- Click Add user/group.
- Click on None Selected under Users, select all the users you would like to add to the role (User Profile) you created, and click Select.
- Click on None Selected under Select a role.
- Select the role (User Profile) you created earlier that all of the selected users should have in Folio, and click Select. Give each user exactly one role: the provisioning mapping set up later sends a single app role per user.
- Click Assign.
- Now open Folio and go to the Admin screen.
- Click Sign On and Security on the Admin screen.
- Click Edit.
- Tick 'Single Sign On through SAML', enter the values from the reference table above into the corresponding fields, and click Update.
Now when you log into Folio you will see that you can log in using Azure Single Sign On.
Setting up Azure Provisioning
Note: For provisioning you will need to ensure that the Business Units (Departments in Entra ID), Locations and User Profiles you are going to assign to users are set up in Folio.
- On the Sign On and Security page click Edit, tick the SCIM enabled checkbox for your Azure setup, and click Update.
- The view screen will now show a SCIM URL and a SCIM Token; both are entered into the Entra ID provisioning settings below. Treat the SCIM Token as a secret: anyone holding it can create, update and delete Folio users through the SCIM endpoint.
- From the Azure homepage:
  - Click Microsoft Entra ID on the left sidebar.
  - Click Enterprise Applications on the left sidebar.
  - Click on the Folio application you created earlier.
  - Click on Provisioning.
  - Click on the Get Started button.
- Set the following:

| Entra Field | Value |
|---|---|
| Provisioning Mode | Automatic |
| Tenant URL | The SCIM URL Folio gave you |
| Secret Token | The SCIM Token Folio gave you |
- Click on Mappings to expand the mappings section.
- Click on Provision Microsoft Entra ID Groups and set the Azure field 'Enabled' to No.
- Click on Provision Microsoft Entra ID Users and set the following:

| Azure Field | Value |
|---|---|
| Enabled | Yes |
| Source Object Scope | All records |
| Target Object Actions | Create, Update, Delete |
- Scroll down to the Attribute Mappings table and click Show advanced options.
- Click Edit attribute list for customappsso.
- Add the three attributes below to the attribute list:

| Name | Type | Referenced Object Attribute |
|---|---|---|
| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:officeLocation | String | |
| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:appRole | String | |
| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:escalationUser | Reference | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User |

- Click Save to return to the Attribute Mapping screen.
- Add the three mappings below; the integration will not work without them. (The last column shows the Folio user field each mapping populates and is for information only; it is not entered in Entra ID.)

| Mapping Type | Microsoft Entra ID Attribute (Source) | customappsso Attribute (Target) | Matching precedence | Folio User field |
|---|---|---|---|---|
| Direct | displayName | displayName | | Name |
| Expression | SingleAppRoleAssignment([appRoleAssignments]) | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:appRole | | User Profile (one only) |
| Direct | department | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department | | Business Unit |
You can also add the following rows if you would like these additional fields to come through to Folio:

| Mapping Type | Microsoft Entra ID Attribute (Source) | customappsso Attribute (Target) | Matching precedence | Folio User field |
|---|---|---|---|---|
| Direct | jobTitle | title | | Job Title |
| Direct | mobile | phoneNumbers[type eq "mobile"].value | | Mobile |
| Direct | objectId | externalId | | external_id (unique) |
| Direct | manager | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:escalationUser | | Escalation User |
| Direct | physicalDeliveryOfficeName | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:officeLocation | | Location |

Note: escalationUser is a Reference to another user, so it can only be populated once the manager has themselves been provisioned into Folio; a manager who is outside the provisioning scope will not come through as the Escalation User.
- Once you have set up everything you want to come through to Folio, click Save at the top.
- Click Start Provisioning. The users you have set up will start to be brought into Folio.
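Before clicking Start Provisioning it is worth knowing which users Folio will refuse, rather than discovering it in the Entra ID provisioning log. The following is an added example, not Folio or Microsoft code: it applies the rules this page states (Department must match a Business Unit, Office Location must match a Location, exactly one app role whose Value matches a User Profile, and a manager must be in scope to resolve as Escalation User) to a constructed export of Entra ID users, and renders the users that pass as the SCIM User resource the mapping tables above produce. The `EntraUser` record, the sample users, and the Folio reference lists are all constructed for the example; how Entra ID encodes the escalationUser reference on the wire is an assumption and is marked as such in the code.

```python
"""Pre-flight check for Entra ID -> Folio SCIM provisioning (added example, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass, field

ENTERPRISE_EXT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"


def app_role_value(profile_name: str) -> str:
    """App role 'Value' as this page specifies it: the profile name with spaces replaced by '_'."""
    return profile_name.replace(" ", "_")


@dataclass
class EntraUser:  # constructed shape of one user in the enterprise app's scope
    object_id: str
    user_principal_name: str
    display_name: str
    department: str | None
    office_location: str | None
    app_roles: list[str] = field(default_factory=list)  # app role Values assigned under Users and groups
    job_title: str | None = None
    mobile: str | None = None
    manager_object_id: str | None = None


def single_app_role(user: EntraUser) -> str | None:
    """Mirror of SingleAppRoleAssignment([appRoleAssignments]): the one role, or None if zero or many."""
    return user.app_roles[0] if len(user.app_roles) == 1 else None


def check_user(user, business_units, locations, profiles, in_scope_ids) -> list[str]:
    """Reasons Folio would reject the user, per 'Before you Start' and the mapping tables."""
    problems = []
    if user.department not in business_units:
        problems.append(f"Department {user.department!r} matches no Folio Business Unit")
    if user.office_location not in locations:
        problems.append(f"Office Location {user.office_location!r} matches no Folio Location")
    role = single_app_role(user)
    if role is None:
        problems.append(f"expected exactly one app role, found {len(user.app_roles)}")
    elif role not in {app_role_value(p) for p in profiles}:
        problems.append(f"app role {role!r} matches no Folio User Profile")
    if user.manager_object_id is not None and user.manager_object_id not in in_scope_ids:
        problems.append("manager is outside the provisioning scope, so escalationUser cannot resolve")
    return problems


def to_scim_user(user: EntraUser) -> dict:
    """SCIM User resource as the required and optional mappings on this page would send it."""
    enterprise = {"department": user.department, "officeLocation": user.office_location,
                  "appRole": single_app_role(user)}
    if user.manager_object_id is not None:
        # Assumption: a Reference attribute is sent as {"value": <target id>}. Entra resolves it to
        # the manager's Folio-side SCIM id; the objectId is only a stand-in in this example.
        enterprise["escalationUser"] = {"value": user.manager_object_id}
    resource = {"schemas": [CORE_USER, ENTERPRISE_EXT], "externalId": user.object_id,
                "userName": user.user_principal_name, "displayName": user.display_name,
                ENTERPRISE_EXT: enterprise}
    if user.job_title:
        resource["title"] = user.job_title
    if user.mobile:
        resource["phoneNumbers"] = [{"type": "mobile", "value": user.mobile}]
    return resource


def preflight(users, business_units, locations, profiles):
    """Return (SCIM payloads keyed by userName, rejection reasons keyed by userName)."""
    in_scope = {u.object_id for u in users}
    payloads, rejected = {}, {}
    for u in users:
        problems = check_user(u, business_units, locations, profiles, in_scope)
        if problems:
            rejected[u.user_principal_name] = problems
        else:
            payloads[u.user_principal_name] = to_scim_user(u)
    return payloads, rejected


# Constructed sample data: what already exists in Folio ...
FOLIO_BUSINESS_UNITS = {"Finance", "Operations"}
FOLIO_LOCATIONS = {"Sydney", "Melbourne"}
FOLIO_PROFILES = {"Risk Manager", "Lite User"}

# ... and the users the Entra ID app would provision. Only Alice satisfies every rule.
SAMPLE_USERS = [
    EntraUser("a1", "alice@example.com", "Alice Ng", "Finance", "Sydney", ["Risk_Manager"],
              job_title="CFO", mobile="+61400000001"),
    EntraUser("b2", "bob@example.com", "Bob Lee", "Marketing", "Sydney", ["Lite_User"], manager_object_id="a1"),
    EntraUser("c3", "carol@example.com", "Carol Diaz", "Operations", "Melbourne", ["Risk_Manager", "Lite_User"]),
    EntraUser("d4", "dave@example.com", "Dave Kim", "Operations", "Perth", ["Lite_User"]),
    EntraUser("e5", "erin@example.com", "Erin Shah", "Operations", "Melbourne", ["Lite_User"],
              manager_object_id="not-in-scope"),
]


def run_sample():
    return preflight(SAMPLE_USERS, FOLIO_BUSINESS_UNITS, FOLIO_LOCATIONS, FOLIO_PROFILES)


if __name__ == "__main__":
    ok, bad = run_sample()
    for name, reasons in bad.items():
        print(f"REJECT {name}: {'; '.join(reasons)}")
    for name, payload in ok.items():
        print(f"OK     {name}: {payload[ENTERPRISE_EXT]}")
```

Replace the sample lists with the Business Units, Locations and User Profiles exported from Folio and the users assigned to the enterprise app, and fix every rejected user in Entra ID (or add the missing unit or location in Folio) before starting provisioning; once provisioning runs, a rejected create shows up only as a failure in the Entra ID provisioning log.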