SCIM Connection Setup – Azure (Microsoft Entra) | DiliTrust CLM

Modified on Fri, 27 Feb at 5:41 PM

We understand how critical it is for your organization to automate user lifecycle management and maintain secure, scalable access control across your legal operations. With SCIM (System for Cross-domain Identity Management) support, you can automatically manage users in DiliTrust CLM directly from your Identity Provider — eliminating manual user management and reducing the risk of orphaned accounts.

By connecting Microsoft Entra (Azure AD) to DiliTrust CLM via SCIM, you can:

  • Provision a user — automatically grant access when a user joins your organization
  • Deprovision a user — automatically revoke access when an employee leaves
  • Assign and update a user's role — Administrator, Editor, Contributor, Validator, or Reader
  • Create and delete DiliTrust CLM groups
  • Assign users to specific groups

CLM Role Reference

Before getting started, here is an overview of the available roles in DiliTrust CLM:

  • Administrator — Full access to the platform, including organization settings, user management, and all contract operations
  • Editor — Can create, edit, and manage contracts and templates
  • Contributor — Can contribute to contracts (e.g., fill in fields, add documents) with limited editing rights
  • Validator — Can review and approve/reject contracts in validation workflows
  • Reader — Read-only access — can view contracts and their status but cannot make changes

✅ Prerequisites

Before getting started, ensure:

  • You have Administrator rights on your DiliTrust CLM organization
  • You have access to the Microsoft Entra admin center with permissions to manage Enterprise Applications

⚙️ Part 1 — Prepare Your DiliTrust CLM SCIM Credentials

Step 1 – Create a Dedicated Technical Account

The SCIM Bearer token is a JWT token tied to a user account in your CLM tenant. We strongly recommend creating a dedicated technical/service account specifically for SCIM provisioning — do not use a personal user account. This ensures the integration remains stable even if an individual user's access changes.

  • Log in to DiliTrust CLM as an Administrator
  • Create a new user account dedicated to SCIM (e.g., scim-provisioning@yourcompany.com)
  • Assign it Administrator rights to ensure it can manage users and groups

Step 2 – Generate a Bearer Token

  • Log in to DiliTrust CLM as an Administrator
  • Go to Configuration > Token Management
  • Click Create New Token
  • Associate the token with your dedicated technical account
  • Copy and securely store the generated token — it will only be displayed once

Keep your Bearer Token confidential. It grants full provisioning access to your DiliTrust CLM organization. If compromised, return to Configuration > Token Management to revoke it and generate a new one.

Step 3 – Retrieve Your Role UUIDs

Role UUIDs are unique to your CLM organization and are not visible in the UI. You need to retrieve them by calling the DiliTrust SCIM API with your Bearer token.

Make the following API call:

  • Method: GET
  • URL: https://api.dilitrust.com/api/scim/v2/Schemas
  • Header: Authorization: Bearer <your_token>

The response will include the CLM schema with the UUID for each role. Note down the UUID for each of the 5 roles: Administrator, Editor, Contributor, Validator, Reader.

Alternatively, if users already exist in your CLM organization, you can retrieve their current role UUID by calling GET https://api.dilitrust.com/api/scim/v2/Users. Each user record will include their assigned roleId value.

You now have everything needed to proceed:

  • SCIM API Endpoint: https://api.dilitrust.com/api/scim/v2/
  • Bearer Token: Generated in Configuration > Token Management
  • Role UUIDs: Retrieved via GET /api/scim/v2/Schemas
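The following script is an added example, not DiliTrust's own tooling: it walks the SCIM /Users endpoint described above and collects the distinct roleId values that existing user records carry, so you can check them against the five UUIDs you noted from /Schemas before mapping them in Entra. The base URL and the roleId attribute name come from this article; the pagination fields (startIndex, count, totalResults, Resources) are the standard SCIM ListResponse shape and are assumed to apply to this API. The token is read from an environment variable (DILITRUST_SCIM_TOKEN, a name chosen for this example) so it never sits in the script; without it the script runs against a constructed sample response.

```python
"""Added example: enumerate roleId UUIDs from DiliTrust CLM SCIM user records.
Not DiliTrust's code. Endpoint and attribute name from the article; SCIM
ListResponse pagination is assumed; sample data below is constructed."""
import json
import os
import urllib.parse
import urllib.request

SCIM_BASE = "https://api.dilitrust.com/api/scim/v2/"          # from the article
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"      # schema that holds roleId


def scim_get(path, token, params=None, base=SCIM_BASE):
    """GET a SCIM resource with the Bearer token and return the decoded JSON body."""
    url = urllib.parse.urljoin(base, path)
    if params:
        url += "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/scim+json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_all_users(token, page_size=100, base=SCIM_BASE, getter=scim_get):
    """Walk /Users page by page. SCIM startIndex is 1-based; stop when the
    returned page is empty or we have passed totalResults."""
    users, start = [], 1
    while True:
        page = getter("Users", token, {"startIndex": start, "count": page_size}, base)
        resources = page.get("Resources", [])
        users.extend(resources)
        start += len(resources)
        if not resources or start > int(page.get("totalResults", 0)):
            break
    return users


def role_id_of(user):
    """roleId is declared in the core User schema, so it is expected at the top
    level of the record; a schema-URN keyed sub-object is tolerated as well
    (assumption: the article does not show the exact record layout)."""
    return user.get("roleId") or user.get(CORE_USER, {}).get("roleId")


def collect_role_ids(users):
    """Map each distinct roleId UUID to the sorted userNames that carry it.
    Users without any roleId are grouped under None so they stand out."""
    out = {}
    for u in users:
        out.setdefault(role_id_of(u), []).append(u.get("userName"))
    return {k: sorted(v) for k, v in out.items()}


# Constructed sample ListResponse for an offline run; the UUIDs are placeholders.
SAMPLE_RESPONSE = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 3, "startIndex": 1, "itemsPerPage": 3,
    "Resources": [
        {"userName": "alice@example.com", "active": True,
         "roleId": "11111111-1111-4111-8111-111111111111"},
        {"userName": "bob@example.com", "active": True,
         "roleId": "22222222-2222-4222-8222-222222222222"},
        {"userName": "carol@example.com", "active": False},   # no role assigned yet
    ],
}

if __name__ == "__main__":
    token = os.environ.get("DILITRUST_SCIM_TOKEN")
    users = fetch_all_users(token) if token else SAMPLE_RESPONSE["Resources"]
    for role, names in collect_role_ids(users).items():
        print(role or "<no roleId>", "->", ", ".join(names))
```

Each distinct UUID in the output should correspond to exactly one of the five roles; a UUID you cannot match to the /Schemas list, or a user grouped under "<no roleId>", is worth resolving before you enable automatic provisioning.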

☁️ Part 2 — Configure SCIM in Microsoft Entra (Azure AD)

Step 4 – Create an Enterprise Application in Azure

✅ If you already have a DiliTrust CLM application configured in Azure for SSO (OIDC), you can reuse it and skip directly to Step 5.

  • Go to the Microsoft Entra admin center > Enterprise Applications
  • Click + New application
  • Click Create your own application
  • Name it (e.g., DiliTrust CLM)
  • Select "Integrate any other application you don't find in the gallery"
  • Click Create

Step 5 – Configure Provisioning Settings

  • Inside your DiliTrust CLM app, click Provisioning in the left sidebar
  • Set Provisioning Mode to Automatic
  • Under Admin Credentials, enter:
    • Tenant URL: https://api.dilitrust.com/api/scim/v2/
    • Secret Token: paste the Bearer Token generated in Step 2
  • Click Test Connection — wait for a success confirmation
  • Click Save

A Mappings section will now appear — proceed to Step 6.

Step 6 – Configure Attribute Mappings

Navigate to Mappings → Provision Azure Active Directory Users.

Step 6.1 – Update Existing Attribute Mappings

userName

  • Open the userName row
  • Set Source attribute to: mail
  • Click OK

externalId

  • Open the externalId row
  • Set Source attribute to: objectId
  • Click OK

Step 6.2 – Map DiliTrust CLM Roles via roleId

DiliTrust CLM uses a custom SCIM attribute roleId to assign roles. Each role corresponds to a unique UUID retrieved in Step 3.

  • Click Add New Mapping
  • Set Target attribute to: urn:ietf:params:scim:schemas:core:2.0:User:roleId
  • Set Source attribute to a dedicated Azure custom extension attribute (e.g., extension_dilitrustCLMRoleId)
  • Click OK and Save

Then set the following UUID values on your Azure users or groups:

  • Administrator → UUID retrieved in Step 3
  • Editor → UUID retrieved in Step 3
  • Contributor → UUID retrieved in Step 3
  • Validator → UUID retrieved in Step 3
  • Reader → UUID retrieved in Step 3

You can set the UUID directly on a user's Azure profile, or use an Expression mapping to derive it dynamically from an existing attribute (e.g., jobTitle or department).

Step 6.3 – Remove Unnecessary Attribute Mappings

Keep only the following attributes and delete all others using the Delete button:

  • userName
  • active
  • name.givenName
  • name.familyName
  • externalId
  • urn:ietf:params:scim:schemas:core:2.0:User:roleId

Click Save at the top of the page.

Step 7 – Enable Automatic Provisioning

  • Navigate back to the Provisioning overview
  • Toggle Provisioning Status to On
  • Click Save

Step 8 – Assign Users and Groups to Provision

  • Go to Users and Groups in the left sidebar
  • Click + Add user/group
  • Click None selected under Users and Groups
  • Select the users or groups to provision into DiliTrust CLM
  • Click Select, then Assign

SCIM is now active for DiliTrust CLM! All assigned users and groups will be automatically provisioned. If provisioning is done via a group, the group will be created in DiliTrust CLM with its members included.


Best Practices & Recommendations

  • Always start with a test user before rolling out SCIM to your entire organization. This lets you validate the configuration end-to-end with no risk.
  • Use a dedicated technical account for SCIM — never tie the integration to a personal user account. This prevents disruptions if that user's access is modified or revoked.
  • Separate "access" groups from "role" groups:
    • Access groups (e.g., DiliTrust-CLM-LegalTeam-FR) → grant access to specific folders or templates
    • Role groups (e.g., DiliTrust-CLM-Editors, DiliTrust-CLM-Validators) → drive the roleId UUID value
  • Build your group structure in Azure first. Groups created directly in DiliTrust CLM cannot be pushed back to Azure. Starting from Azure ensures your IdP is the single source of truth.
  • Leverage Azure's expression-based mappings for complex scenarios — for example, assigning the Validator role to users from a specific department. Refer to Microsoft's attribute mapping documentation for details.
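As an added example (not DiliTrust's or Microsoft's code), the check below validates a planned role-group design before provisioning is switched on. It applies two constraints the article states: each role must map to one of the five UUIDs retrieved in Step 3, and a user holds a single role in DiliTrust CLM, so membership in more than one role group is flagged, while access groups such as DiliTrust-CLM-LegalTeam-FR are ignored. Group names, user names and UUIDs are constructed placeholders.

```python
"""Added example: pre-flight validation of an Azure role-group -> roleId plan.
Not DiliTrust's or Microsoft's code; all sample values are constructed."""
import uuid

ROLE_NAMES = {"Administrator", "Editor", "Contributor", "Validator", "Reader"}


def validate_role_mapping(role_uuids, role_groups, memberships):
    """role_uuids:  role name -> UUID noted from /Schemas in Step 3
       role_groups: Azure group name -> role name that group drives
       memberships: user -> set of Azure group names (access and role groups mixed)
       Returns (roleId resolved per user, list of human-readable problems)."""
    problems, resolved = [], {}

    # 1. Every role needs a well-formed UUID, and only the five CLM roles may appear.
    for role, value in role_uuids.items():
        if role not in ROLE_NAMES:
            problems.append(f"unknown role {role!r} in role_uuids")
        try:
            uuid.UUID(str(value))
        except ValueError:
            problems.append(f"role {role}: {value!r} is not a UUID")
    for role in sorted(ROLE_NAMES - role_uuids.keys()):
        problems.append(f"role {role} has no UUID; retrieve it from /Schemas")

    # 2. Every role group must drive a role we actually have a UUID for.
    for group, role in role_groups.items():
        if role not in role_uuids:
            problems.append(f"group {group} drives role {role!r} with no UUID")

    # 3. A user holds exactly one role: zero or several role groups is a problem.
    for user, groups in memberships.items():
        roles = sorted({role_groups[g] for g in groups if g in role_groups})
        if not roles:
            problems.append(f"{user}: in no role group, roleId would be empty")
        elif len(roles) > 1:
            problems.append(f"{user}: in several role groups {roles}; only one role is allowed")
        else:
            resolved[user] = role_uuids.get(roles[0])
    return resolved, problems


# Constructed placeholders standing in for the real values from Step 3.
ROLE_UUIDS = {
    "Administrator": "aaaaaaaa-0000-4000-8000-000000000001",
    "Editor":        "aaaaaaaa-0000-4000-8000-000000000002",
    "Contributor":   "aaaaaaaa-0000-4000-8000-000000000003",
    "Validator":     "aaaaaaaa-0000-4000-8000-000000000004",
    "Reader":        "aaaaaaaa-0000-4000-8000-000000000005",
}
ROLE_GROUPS = {
    "DiliTrust-CLM-Editors": "Editor",
    "DiliTrust-CLM-Validators": "Validator",
    "DiliTrust-CLM-Readers": "Reader",
}
MEMBERSHIPS = {
    "alice@example.com": {"DiliTrust-CLM-Editors", "DiliTrust-CLM-LegalTeam-FR"},
    "bob@example.com":   {"DiliTrust-CLM-Editors", "DiliTrust-CLM-Validators"},  # two roles
    "carol@example.com": {"DiliTrust-CLM-LegalTeam-FR"},                          # access only
}

if __name__ == "__main__":
    resolved, problems = validate_role_mapping(ROLE_UUIDS, ROLE_GROUPS, MEMBERSHIPS)
    for user, role_id in resolved.items():
        print(f"{user} -> {role_id}")
    for p in problems:
        print("PROBLEM:", p)
```

Run this against an export of your Azure group memberships before Step 7; every listed problem is a user who would either be provisioned without a role or for whom the roleId outcome depends on which group Entra evaluates.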

❓ Frequently Asked Questions

Can I use SCIM alongside SSO on DiliTrust CLM?

Absolutely. SCIM and SSO are complementary, not exclusive. SCIM handles user lifecycle (provisioning, deprovisioning, role assignment), while SSO (OIDC) handles authentication (how users log in). Both can be configured on the same Azure Enterprise Application.


How do I get my Role UUIDs?

Role UUIDs are unique to your CLM organization and can be retrieved by calling GET https://api.dilitrust.com/api/scim/v2/Schemas with your Bearer token. See Step 3 for the full instructions.


Can a user have multiple roles simultaneously?

No. Each user is assigned a single role in DiliTrust CLM. If you need a user to have broader permissions, assign them the higher-level role (e.g., Editor instead of Contributor).


How quickly does provisioning take effect?

Microsoft Entra runs a synchronization cycle approximately every 40 minutes. For immediate provisioning, you can trigger an on-demand sync directly from the Azure provisioning page.


Can I still manage users manually in DiliTrust CLM once SCIM is active?

Yes. SCIM provisioning and manual user management can coexist. However, we recommend managing users exclusively through your IdP to maintain consistency and avoid conflicts.


What happens to a user's data when they are deprovisioned?

Their account is deactivated and they lose access to DiliTrust CLM. Ongoing contracts remain intact and can be managed by other users with the appropriate permissions.


What if a user already exists in DiliTrust CLM before SCIM is enabled?

Azure will match existing users via externalId (mapped to objectId) and userName (mapped to mail). Matched users will be linked to their Azure identity automatically — no duplicates will be created.


Who should I contact for help?

Reach out to the DiliTrust Support team at support@dilitrust.com or via your customer portal.

