Noah ES SCIM Integration Using Microsoft Entra ID
Integration via SCIM is currently available in Noah ES Production and QA.
Main Features
Once the integration is set up between a Noah ES account and Entra ID, an Entra ID administrator can define (in Entra ID) the users/groups and associated Noah ES user levels for automated provisioning and deprovisioning of users.
Q: If I have a Noah ES account that already has a number of users set up, can I use this integration for those users?
A: Yes, the users will be linked to Azure AD as if they were new users.
Q: Do all of my users need to use Entra ID for authentication once this is enabled?
A: No. It is assumed that most organizations will want users to utilize Entra ID, but it is still possible to manage users using the local user management and authentication system provided by Noah ES.
Precondition
Before setting up SCIM features, it is mandatory that your Noah ES account is configured with an Entra ID Enterprise App to support SSO with Entra ID. Please follow the directions in “Using Microsoft Entra ID (Azure Active Directory) for Single Sign-on (SSO)” on the Noah ES Support Portal.
The result will be that you will have two Entra ID Enterprise Apps set up. One provides your users with the ability to authenticate to Noah ES using Entra ID. The other app will provide SCIM features. If you have met the above precondition, please proceed to Step 1.
Please ensure that the precondition is met before continuing.
Step 1 - Enable SCIM in the Noah ES Portal
Log into the Noah ES portal and navigate to Settings->Single Sign-on.
Click on Configure SCIM
Select the “Update” button to generate a client for accessing the SCIM API.
Select the “Generate Long-Lived Token” button on the next page.
Do not choose Generate Client Secret, as this is not supported by Entra ID.
The generated token is used in the next steps for setting up SCIM in Microsoft Entra ID. Keep it safe; it is the authentication token that Entra ID presents to the SCIM API.
Make sure to select “Enabled”.
Click on Save
You may wish to copy the Base URL as you will need it later.
Default Location and Patient Group
If your Noah ES account uses Locations or Patient Groups, select the default that all users are assigned to at first. The user can later be managed via the Noah ES portal.
For more information, please see https://himsanoah.atlassian.net/wiki/spaces/NESP/pages/3103162395
Noah ES Business Systems that integrate with the Noah ES API can also manage the assignment of locations/groups.
Step 2 - Create an Entra ID Enterprise Application
Log in to the Entra ID (Azure AD) portal.
In the left-hand menu, select Applications > Enterprise apps.
Click + New application at the top.
Click Create your own application
Enter a descriptive name for your app, and then select Integrate any other application you don’t find in the gallery (Non-gallery).
Select Create
Step 3 - Configure User Provisioning
Once the application is added, select Provisioning (under the Manage menu).
Under Provisioning Mode, choose Automatic.
Tenant URL: The SCIM endpoint URL, which can be viewed on the SCIM configuration page of the Noah ES portal.
Secret Token: The SCIM authentication token generated when configuring SCIM.
Step 4 - Test SCIM Connection
Click Test Connection to verify that Entra ID can successfully connect to the SCIM service.
If the Test Connection passes, make sure to save the provisioning.
Close this window (X in the upper right).
Step 5 - Create Noah ES roles
Go to the Users and groups tab.
Select the application registration link.
Click + Create app role at the top in the App roles tab.
Create the following Security Groups. Note: it is critical that the entries in the “Value” field be exactly as listed below.
| Display Name | Description | Value (must be exact) |
|---|---|---|
| Technical Administration | Technical Administration | TechnicalAdministration |
| Administrative Support | Administrative Support | AdministrativeSupport |
| Level 1 | Level 1 | Level1 |
| Level 2 | Level 2 | Level2 |
Read more about User Types
Important Q and A
Q: I can see that Noah ES also defines a Business Decision Maker (BDM) user type. Are users with this level controllable via the SCIM integration?
A: No. These users must be manually managed via the Noah ES portal. These users can still use Entra ID to authenticate, but cannot have their Noah ES user account (active or deactivated) managed via SCIM.
Disable and Delete “User” role
The “User” app role should be disabled and deleted.
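
As an added check (not part of the Noah ES documentation or of Microsoft's tooling), the following script audits the appRoles array of an app registration manifest against the Step 5 table and the instruction to remove the default “User” role. It assumes the manifest JSON has been exported from the Entra ID portal and relies on the manifest's displayName, value and isEnabled fields; the function names and the sample manifest are constructed for illustration.

```python
import json

# Exact "Value" strings from the Step 5 table.
REQUIRED_VALUES = {"TechnicalAdministration", "AdministrativeSupport", "Level1", "Level2"}


def _norm(s):
    """Lower-case and keep only letters and digits, to spot near-miss spellings."""
    return "".join(ch for ch in (s or "").lower() if ch.isalnum())


def audit_app_roles(manifest_json):
    """Return a sorted list of findings for the appRoles in a manifest (hypothetical helper)."""
    roles = json.loads(manifest_json).get("appRoles", [])
    by_norm = {_norm(v): v for v in REQUIRED_VALUES}
    findings, seen = [], set()
    for role in roles:
        value, name = role.get("value"), role.get("displayName")
        if value in REQUIRED_VALUES:
            seen.add(value)
            if not role.get("isEnabled", False):
                # A disabled app role cannot be assigned to users or groups.
                findings.append(f"disabled: {value}")
        elif _norm(value) in by_norm:
            # Right role, wrong spelling: the Value must match the table exactly.
            seen.add(by_norm[_norm(value)])
            findings.append(f"inexact: {value!r} should be {by_norm[_norm(value)]!r}")
        elif name == "User":
            # The page says the default "User" role should be disabled and deleted.
            findings.append("default User role still present")
        else:
            findings.append(f"unexpected: {value!r}")
    findings += [f"missing: {v}" for v in REQUIRED_VALUES - seen]
    return sorted(findings)


# Constructed sample manifest (not exported from a real tenant).
SAMPLE = json.dumps({"appRoles": [
    {"displayName": "Technical Administration", "value": "TechnicalAdministration", "isEnabled": True},
    {"displayName": "Administrative Support", "value": "Administrative Support", "isEnabled": True},
    {"displayName": "Level 1", "value": "level1", "isEnabled": True},
    {"displayName": "Level 2", "value": "Level2", "isEnabled": False},
    {"displayName": "User", "value": None, "isEnabled": True},
]})

if __name__ == "__main__":
    for line in audit_app_roles(SAMPLE):
        print(line)
```

An empty result means the four role values match the table exactly and no other roles remain on the application.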