How to Configure SCIM Provisioning with Microsoft Entra ID for SAS Viya 4
This guide walks through configuring automatic user and group provisioning between Microsoft Entra ID and SAS Viya using SCIM.
After completing this guide, you will be able to enable SCIM in SAS Viya, generate a SCIM access token, configure Microsoft Entra ID provisioning, test synchronization, and troubleshoot common provisioning issues.
Applies To
- SAS Viya 4 (Latest LTS)
- Microsoft Entra ID
- SCIM 2.0
- Kubernetes / OpenShift
What You'll Learn
After completing this guide, you will be able to:
- Enable SCIM in SAS Viya
- Generate a SCIM access token
- Configure Microsoft Entra ID provisioning
- Test synchronization
- Troubleshoot common provisioning issues
Before You Begin
Ensure the following prerequisites are met:
- SAS Viya is deployed and accessible.
- Microsoft Entra ID tenant administrator access.
- SCIM is licensed and enabled in SAS Viya.
- HTTPS is configured with a trusted certificate.
- Microsoft Entra Enterprise Application has been created.
Step 1 – Create a SCIM Access Token
Microsoft Entra ID authenticates to SAS Viya using a SCIM access token.
Log in as a SAS Viya administrator. Generate the token using the SAS Viya CLI.
```bash
viya auth login
```
Create a personal access token.
```bash
viya auth token create \
  --description "Microsoft Entra SCIM"
```
Example output:
```
Access Token
eyJhbGciOiJSUzI1NiIs...
```
Save this token securely. It will be entered into Microsoft Entra ID during provisioning.
Step 2 – Identify the SCIM Endpoint
The SCIM base URL is typically:
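```
https://viya.company.com/scim/v2
```
Verify connectivity.
```bash
# -i prints the response status line. -k is omitted so that this check also
# exercises the trusted-certificate prerequisite.
curl -i \
  https://viya.company.com/scim/v2/Users
```
Expected:
```
HTTP/1.1 401 Unauthorized
```
This is expected without authentication and confirms the endpoint is reachable.
If you receive:
```
404 Not Found
```
verify the ingress, reverse proxy, URL, and SCIM configuration.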
Step 3 – Configure Microsoft Entra ID
Open Microsoft Entra Admin Center and navigate to Enterprise Applications, then your SAS Viya application, and then Provisioning.
| Setting | Value |
|---|---|
| Provisioning Mode | Automatic |
| Tenant URL | https://viya.company.com/scim/v2 |
| Secret Token | SCIM Access Token |
Select Test Connection. The expected result is Connection Successful.
If the connection fails, verify HTTPS, certificates, token, and firewall rules.
Step 4 – Configure User Mapping
Microsoft provides default mappings. Verify these attributes.
| Microsoft Entra | SAS Viya |
|---|---|
| userPrincipalName | userName |
| givenName | givenName |
| surname | familyName |
| emails | |
| displayName | displayName |
Avoid changing mappings unless required by your organization.
Step 5 – Configure Group Mapping
Groups simplify authorization inside SAS Viya.
Enable Provision Microsoft Entra Groups.
Typical mapping:
| Microsoft Entra | SAS Viya |
|---|---|
| displayName | displayName |
| objectId | externalId |
Groups should appear automatically inside SAS Viya after synchronization.
Step 6 – Enable Provisioning
Enable provisioning, set the provisioning status to ON, and select Save. Microsoft Entra immediately begins synchronization, although the first synchronization may take several minutes.
Step 7 – Verify Synchronization
Log into SAS Viya and navigate to Environment Manager, then Users.
Verify that users and groups were created and that email addresses are populated. Also verify from the Viya CLI.
```bash
viya identities users list
```
Example:
```
jsmith
John Smith
Enabled
```
List groups.
```bash
viya identities groups list
```
Example:
```
Finance
Administrators
Analysts
```
Verify Using the REST API
The Identities service provides a quick validation. Retrieve users.
```bash
# -k is omitted so the bearer token is only sent over a verified TLS connection.
curl -s \
  -H "Authorization: Bearer <ACCESS_TOKEN>" \
  https://viya.company.com/identities/users
```
Expected:
```json
{
  "items": [
    {
      "id": "...",
      "name": "John Smith"
    }
  ]
}
```
Retrieve groups.
```bash
curl -s \
  -H "Authorization: Bearer <ACCESS_TOKEN>" \
  https://viya.company.com/identities/groups
```
Successful responses confirm that SCIM synchronization, the Identities service, authentication, and authorization are functioning correctly.
Automate Verification with Bash
Save the following script as verify_scim.sh.
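```bash
#!/bin/bash
# Stop at the first failed command so a failed check is not reported as success.
set -euo pipefail

HOST="https://viya.company.com"
TOKEN="<ACCESS_TOKEN>"

echo
echo "Checking Users"
# -f makes curl fail on HTTP errors such as 401 or 403; -k is omitted so the
# token is only sent after the server certificate has been verified.
curl -fsS \
  -H "Authorization: Bearer $TOKEN" \
  "$HOST/identities/users"

echo
echo "Checking Groups"
curl -fsS \
  -H "Authorization: Bearer $TOKEN" \
  "$HOST/identities/groups"

echo
echo "SCIM verification completed."
```
Make the script executable and run it.
```bash
chmod +x verify_scim.sh
./verify_scim.sh
```
Kubernetes Validation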
Confirm the identity-related workloads are healthy.
```bash
kubectl get pods -n sas-viya
```
Look for services similar to the following:
```
sas-identities
sas-logon
sas-consul
sas-config
```
If a pod is restarting, review the logs for startup failures, certificate issues, and configuration errors.
```bash
kubectl logs <pod-name> -n sas-viya
```
Common Troubleshooting
Test Connection Fails
Verify the SCIM URL, HTTPS certificate, firewall, and ingress.
HTTP 401
Usually indicates an expired token, invalid token, or a token copied incorrectly. Generate a new token.
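To tell an expired token apart from a mistyped one before regenerating it, the expiry can be read locally from the token. This is an added example, not part of the SAS or Microsoft tooling; it assumes the SCIM token is a JWT (as the `eyJ...` prefix in the Step 1 output suggests) carrying a standard numeric `exp` claim, and the function names and sample token are constructed for illustration.

```bash
#!/bin/bash
# Added example: read a JWT-format SCIM token's expiry locally, without
# pasting the secret into an online decoder. Assumes a numeric "exp" claim.
# The signature is NOT verified; this only diagnoses expiry.

# Decode the payload (second dot-separated segment) from base64url to JSON.
jwt_payload() {
  local seg
  seg=$(printf '%s' "$1" | cut -s -d. -f2 | tr '_-' '/+')
  # base64url omits padding; restore it to a multiple of 4 characters.
  while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="${seg}="; done
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Print the "exp" claim (seconds since the epoch); non-zero status if absent.
jwt_exp() {
  local exp
  exp=$(jwt_payload "$1" |
    sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
  [ -n "$exp" ] && printf '%s\n' "$exp"
}

# Print valid | expiring | expired | unknown for a token.
# $2 = warning window in days (default 14); $3 = "now" override for testing.
token_status() {
  local exp now warn
  exp=$(jwt_exp "$1") || { echo unknown; return 2; }
  now=${3:-$(date +%s)}
  warn=$(( ${2:-14} * 86400 ))
  if [ "$exp" -le "$now" ]; then
    echo expired; return 1
  elif [ $(( exp - now )) -le "$warn" ]; then
    echo expiring
  else
    echo valid
  fi
}

# Constructed sample (unsigned, not a real credential):
# header {"alg":"none"}, payload {"sub":"scim-admin","exp":1767225600}
SAMPLE="eyJhbGciOiJub25lIn0.eyJzdWIiOiJzY2ltLWFkbWluIiwiZXhwIjoxNzY3MjI1NjAwfQ."

# One day before the sample expires: prints "expiring".
token_status "$SAMPLE" 14 1767139200
```

Running `token_status` against the token stored in Microsoft Entra ID on a schedule gives advance notice of the rotation date; a result of `unknown` means the token is not a JWT with an `exp` claim and its lifetime must be tracked another way.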
HTTP 403
Verify administrator permissions and SCIM authorization.
Users Not Appearing
Review Microsoft Entra Provisioning Logs for skipped users, filtered users, and attribute mapping errors.
Groups Missing
Verify group provisioning is enabled, the correct group assignments exist, and synchronization has completed.
Common Pitfalls
Avoid these common mistakes:
- Using an expired SCIM token.
- Incorrect SCIM endpoint URL.
- Forgetting to enable provisioning.
- Assigning users but not groups.
- Modifying default attribute mappings unnecessarily.
- Ignoring Microsoft Entra provisioning logs.
- Testing before the initial synchronization completes.
Best Practices
- Create a dedicated SCIM administrator account.
- Rotate SCIM tokens periodically.
- Use Microsoft Entra groups for authorization instead of individual users.
- Restrict Enterprise Application assignments to required users.
- Review provisioning logs after every configuration change.
- Validate synchronization after SAS Viya upgrades.
Next Steps
Once SCIM provisioning is working successfully, consider validating single sign-on, group-based authorization rules, automatic de-provisioning of disabled users, privileged administrator group synchronization, and scheduled provisioning health checks.
Correctly configured SCIM provisioning eliminates manual user administration, improves security, and ensures Microsoft Entra ID remains the authoritative identity source for SAS Viya. A one-time investment in proper configuration and validation significantly reduces administrative effort while improving consistency across enterprise environments.