🔐 Single Sign‑On & Provisioning: SAML, OAuth/OIDC and SCIM
This article explains how to set up Single Sign‑On (SSO) using SAML or OAuth / OIDC, and how to integrate SCIM for automated user provisioning. It is written for both the customer's IT team and ValueStreamer's technical staff, so that both sides configure the same prerequisites in the same way.
🔍 Table of Contents
- Overview: SAML vs. OAuth/OIDC vs. SCIM
- Requirements & Terminology
- Configure SSO with SAML
- Configure SSO with OAuth / OIDC
- Configure SCIM (User Provisioning)
- Troubleshooting & Tips
- FAQ
ℹ️ Note: Some steps (e.g. SCIM secret token, technical enablement) require contacting the ValueStreamer support team:
👉 Help Desk Portal
Overview: SAML vs. OAuth/OIDC vs. SCIM
| Technology | Purpose | Benefit / Use Case |
|---|---|---|
| SAML 2.0 | Authentication (browser login via signed assertions) | Enterprise standard, widely supported by IdPs |
| OAuth 2.0 / OIDC | OAuth 2.0: authorization (delegated API access); OIDC: authentication layer on top of it (ID token) | Web, mobile apps and APIs; ValueStreamer login via Azure AD or Auth0 |
| SCIM 2.0 | User provisioning | Automated create / update / deactivate of users driven by the IdP |
Requirements & Terminology
- IdP: Identity Provider (e.g. Microsoft Entra ID / Azure AD, Auth0)
- SP: Service Provider – in this case, ValueStreamer
- Entity ID: Unique identifier of an SP or IdP in SAML; it appears as Issuer and Audience in assertions and must match on both sides
- ACS URL (SAML): Assertion Consumer Service endpoint to which the IdP posts SAML responses
- Redirect URI (OIDC): URL the IdP returns users to after login; must be registered at the IdP exactly as used
- Provisioning Endpoint (SCIM): API endpoint (Tenant URL) the IdP calls to sync users
✨ Tip: Document all relevant URLs, tokens, and attributes centrally in the project.
🛠️ Configure SSO with SAML
🔄 Role-based overview: Who provides what?
🔹 Provided by ValueStreamer:
- ACS URL (Assertion Consumer Service URL): https://api-<tenant>.valuestreamer.de/saml/SSO
- SP Entity ID: Generated per tenant by ValueStreamer
These values must be entered in the customer's IdP so that successful logins are redirected back to ValueStreamer. The IdP addresses its assertions to exactly these two values (Destination / Recipient = ACS URL, Audience = SP Entity ID), so copy them verbatim including scheme, host, path and trailing slash.
🔸 Provided by the Customer:
- Metadata URL of the Identity Provider (Azure label: App Federation Metadata URL)
- Example: https://login.microsoftonline.com/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml
📸 Screenshot: Azure example with color codes – Green = provided by ValueStreamer, Yellow = provided by customer
🛠️ ValueStreamer Configuration
- Import metadata (via the provided URL). The metadata carries the IdP Entity ID, the SSO endpoint and the IdP signing certificate; if the IdP rotates that certificate, the metadata has to be re-imported unless the SP refreshes it automatically, otherwise assertions fail signature validation.
- Map attributes:
  - NameID
  - user.mail
  - user.givenname
  - user.surname
- Test login with a test user
✨ Tip: Always use test users before going live
✨ Tip: Use color codes in documentation (green = SP, yellow = IdP) to clarify responsibility
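The following is an added example (not ValueStreamer's or Microsoft's code) that shows what "ACS URL and Entity ID must match" and "keep clocks synchronized" mean at the protocol level. It checks the addressing and validity window of a SAML 2.0 Response against the configured ACS URL, SP Entity ID and IdP Entity ID, and pulls out NameID plus the three mapped Azure claims. The tenant name, the SP Entity ID value and the response itself are constructed; ValueStreamer generates the real Entity ID per tenant. Signature verification is deliberately left to the SAML library: run these checks only on a response whose signature has already been validated, as a way to pin down why a login is rejected.

```python
"""Addressing and time-window checks for a SAML 2.0 Response.

Added example, not ValueStreamer code. Does NOT verify the XML signature;
call check_response() only after the SAML library has validated it.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # for untrusted input in production, use defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Default Microsoft Entra ID claim URIs behind user.mail / user.givenname / user.surname
CLAIMS = {
    "mail": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "givenname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "surname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
}


def parse_saml_time(value):
    """Parse an xs:dateTime ('...Z', optional fractional seconds) into an aware UTC datetime."""
    base, _, frac = value.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    micros = int((frac + "000000")[:6]) if frac else 0
    return dt.replace(microsecond=micros, tzinfo=timezone.utc)


def check_response(xml_text, acs_url, sp_entity_id, idp_entity_id, now, skew=timedelta(seconds=60)):
    """Return a list of mismatches; an empty list means addressing and timing are consistent."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} != ACS URL {acs_url!r}")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != idp_entity_id:
        problems.append(f"Response Issuer {issuer!r} != IdP Entity ID {idp_entity_id!r}")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # more than one assertion is a classic wrapping-attack smell
        problems.append(f"expected exactly one Assertion, found {len(assertions)}")
        return problems
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        problems.append("Assertion Issuer does not match IdP Entity ID")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("SubjectConfirmationData/@Recipient does not match ACS URL")
    audiences = [e.text for e in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append(f"Audience {audiences} does not include SP Entity ID {sp_entity_id!r}")
    cond = a.find("saml:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < parse_saml_time(nb) - skew:
            problems.append(f"assertion not yet valid (NotBefore={nb}); check clock sync")
        if noa and now >= parse_saml_time(noa) + skew:
            problems.append(f"assertion expired (NotOnOrAfter={noa}); check clock sync")
    return problems


def extract_identity(xml_text):
    """Pull NameID and the three mapped attributes into a flat dict."""
    a = ET.fromstring(xml_text).find("saml:Assertion", NS)
    out = {"NameID": a.findtext("saml:Subject/saml:NameID", namespaces=NS)}
    for key, uri in CLAIMS.items():
        path = f"saml:AttributeStatement/saml:Attribute[@Name='{uri}']/saml:AttributeValue"
        out[key] = a.findtext(path, namespaces=NS)
    return out


# Constructed sample (hypothetical tenant "acme"; the SP Entity ID is a placeholder).
ACS_URL = "https://api-acme.valuestreamer.de/saml/SSO"
SP_ENTITY_ID = "https://api-acme.valuestreamer.de/saml/metadata"  # placeholder value
IDP_ENTITY_ID = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-05-23T12:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-23T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@acme.example</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-05-23T12:05:00Z" Recipient="{ACS_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-23T11:59:00Z" NotOnOrAfter="2024-05-23T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{CLAIMS['mail']}"><saml:AttributeValue>alice@acme.example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIMS['givenname']}"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIMS['surname']}"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    now = parse_saml_time("2024-05-23T12:01:00Z")
    print(check_response(SAMPLE_RESPONSE, ACS_URL, SP_ENTITY_ID, IDP_ENTITY_ID, now))
    print(check_response(SAMPLE_RESPONSE, ACS_URL + "/", SP_ENTITY_ID, IDP_ENTITY_ID, now))
    print(extract_identity(SAMPLE_RESPONSE))
```

With the correct values the check returns an empty list; a single trailing slash on the ACS URL already produces two mismatches (Destination and Recipient), and a clock that is off by more than the skew tolerance turns a valid assertion into "not yet valid" or "expired".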
🛠️ Configure SSO with OAuth / OIDC
🗂️ Setup with Azure AD
Required values:
- Azure Authentication URL: https://login.microsoftonline.com/<tenant-id>
- Client ID: Generated during app registration
- Redirect URI: https://<company>.valuestreamer.de
Step-by-step:
1. Register application
   - Go to Azure AD → App registrations → New registration
   - 📸 Screenshot: App registration UI
2. Configure redirect URI
   - Navigate to Authentication → Add redirect URI under "Single-page application"
   - 📸 Screenshot: Redirect URI settings
3. Copy client ID
   - Found under App overview
   - 📸 Screenshot: Application (Client) ID
4. Define scopes
   - openid, profile, email
5. Enter into ValueStreamer
   - Auth URL: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
   - Token URL: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
   - Plus Client ID, Secret and Scopes
⚠️ Redirect URI must match exactly (scheme, host, port, path and trailing slash). Azure compares it byte for byte against the registered value and rejects the authorization request otherwise.
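To make the step-by-step concrete, here is an added example (not ValueStreamer's or Microsoft's code) of the authorization-code flow pieces an SP runs against the Microsoft identity platform v2.0 endpoints entered above: PKCE derivation, the authorize URL with state and nonce, the callback state check, the token request body, and the ID-token claim checks (iss, aud, nonce, exp). Tenant ID, client ID, redirect URI, state, nonce and the ID token are constructed placeholders; the token's signature segment is a dummy, so in production the JWT library must verify the RS256 signature against the tenant's JWKS before the claim checks are trusted.

```python
"""Authorization-code flow with PKCE against Microsoft Entra ID v2.0 endpoints.

Added example, not ValueStreamer code. No network calls: it builds the requests an
SP sends and validates the callback and ID-token claims. Signature verification of
the ID token (RS256 via the tenant JWKS) is left to the JWT library.
"""
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def pkce_challenge(verifier: str) -> str:
    """S256 transform from RFC 7636: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def pkce_pair():
    verifier = b64url(secrets.token_bytes(32))  # 43-character verifier
    return verifier, pkce_challenge(verifier)


def build_authorize_url(tenant, client_id, redirect_uri, scopes, state, nonce, code_challenge):
    """Auth URL from the setup steps, with the parameters the SP must generate per login."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,  # must equal a registered URI byte for byte
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,                # binds the callback to this browser session (CSRF)
        "nonce": nonce,                # echoed in the ID token; stops token replay
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Return the authorization code, refusing callbacks whose state does not match."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale login attempt")
    if "error" in q:
        raise ValueError(f"IdP returned error {q['error'][0]!r}")
    return q["code"][0]


def token_request(tenant, client_id, client_secret, code, redirect_uri, code_verifier):
    """(Token URL, form body) for the code exchange; redirect_uri must repeat the authorize value."""
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
        "scope": "openid profile email",
    }
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token", body


def validate_id_token_claims(id_token, tenant, client_id, nonce, now):
    """Claim checks (OIDC Core 3.1.3.7) for a token whose signature is ALREADY verified.
    Returns the names of failing claims; empty list means the token is acceptable."""
    payload = id_token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    problems = []
    if claims.get("iss") != f"https://login.microsoftonline.com/{tenant}/v2.0":
        problems.append("iss")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud")
    if claims.get("nonce") != nonce:
        problems.append("nonce")
    if now >= int(claims.get("exp", 0)):
        problems.append("exp")
    return problems


# Constructed placeholders (hypothetical tenant, client and company name).
TENANT = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
REDIRECT_URI = "https://acme.valuestreamer.de"
STATE, NONCE = "st-8f3a1c", "n-52e9d7"


def constructed_id_token(claims):
    """Unsigned demo token: header.payload.<placeholder signature>."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "demo"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.placeholder-signature"


SAMPLE_ID_TOKEN = constructed_id_token({
    "iss": f"https://login.microsoftonline.com/{TENANT}/v2.0", "aud": CLIENT_ID,
    "nonce": NONCE, "iat": 1716462000, "exp": 1716465600,
    "sub": "constructed-subject", "email": "alice@acme.example", "name": "Alice Example",
})
```

The `state` and `nonce` values are generated fresh for every login and stored server-side; the callback is accepted only if `state` matches, and the ID token only if `nonce` matches. Because `redirect_uri` is sent again in the token request, a value that differs from the registered one fails twice, first at the authorize endpoint and again at the token endpoint.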
🗂️ Setup with Auth0
Required values:
- Auth0 Domain: e.g. mycompany.auth0.com
- Client ID: Generated during registration
- Allowed Callback URLs: https://<company>.valuestreamer.de
- Allowed Logout URLs: Optional
- Allowed Web Origins: Optional
🛠️ Configure SCIM (User Provisioning)
1. Prepare the Enterprise Application
✨ Tip: If no app exists yet, go to Microsoft Entra ID → Enterprise Applications and create a new application.
📸 Screenshot: Create your own application – Enter a name and select "Non-gallery"
2. Enable Automatic Provisioning
- Open the Enterprise Application → Provisioning → Set Mode to: “Automatic”
📸 Screenshot: Set provisioning mode to “Automatic”, fill in the required fields
Fill in the following values:
- Tenant URL: https://api-<tenant>.valuestreamer.de/scim/v2/
- Secret Token: Request this from ValueStreamer Support. Entra ID sends it as a Bearer token in the Authorization header of every SCIM request, so treat it as a credential: store it only in the provisioning configuration and request a new one from Support if it is ever exposed.
- Test the connection
📸 Screenshot: Successful test connection (green status message)
3. Map User Attributes
- Navigate to: Edit Attribute Mappings → Provision Azure Active Directory Users
📸 Screenshot: Open attribute mapping overview
📸 Screenshot: Map externalId → objectId + other relevant attributes
| Target Attribute (ValueStreamer) | Source Attribute (Azure) |
|---|---|
| externalId | objectId |
| mail | mail |
| givenName | givenName |
| surname | surname |
⚠️ Warning: Only use the attributes listed above – additional mappings may cause errors.
✨ Tip: The email in the IdP (type: “work”) must match the ValueStreamer email address.
4. Disable Group Mapping
- Go to: Edit Attribute Mappings → Provision Azure Active Directory Groups
📸 Screenshot: Open group mapping
- Disable the following:
📸 Screenshot: Disable checkbox for “Provision Azure Active Directory Groups”
⚠️ Important: ValueStreamer does not support group provisioning.
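The following is an added example (not ValueStreamer's or Microsoft's code) of what the SP side of this configuration has to do with the requests Entra ID sends to the Tenant URL: check the Bearer secret token in constant time, accept only the attributes the mapping table produces (and report unmapped externalId or unsupported extra fields, the two most common provisioning errors), extract the "work" email, and apply the PatchOp Entra uses to deactivate a user. The allowed-attribute set is an assumption about ValueStreamer's schema derived from the mapping table above; the request bodies and the objectId are constructed.

```python
"""SP-side handling of SCIM 2.0 requests from Microsoft Entra ID provisioning.

Added example, not ValueStreamer code. ALLOWED_ATTRIBUTES mirrors the mapping
table (externalId, mail, givenName, surname) plus the SCIM envelope fields.
"""
import copy
import hmac

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ALLOWED_ATTRIBUTES = {"schemas", "externalId", "userName", "active", "name", "emails", "id", "meta"}


def authorize(headers, expected_token):
    """Entra presents the secret token as 'Authorization: Bearer <token>'."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    # constant-time compare so a wrong token does not leak how many bytes matched
    return scheme == "Bearer" and hmac.compare_digest(token, expected_token)


def work_email(user):
    """Return the lower-cased 'work' email, which must equal the ValueStreamer address."""
    for entry in user.get("emails", []):
        if entry.get("type") == "work" and entry.get("value"):
            return entry["value"].lower()
    return None


def validate_user(user):
    """Return a list of problems with a POST /Users or PUT /Users/{id} body."""
    problems = []
    if USER_SCHEMA not in user.get("schemas", []):
        problems.append("missing core User schema")
    unknown = sorted(set(user) - ALLOWED_ATTRIBUTES)
    if unknown:  # e.g. an extra mapping or an enterprise-extension schema key
        problems.append(f"unsupported attributes: {unknown}")
    if not user.get("externalId"):
        problems.append("externalId (objectId) not mapped")
    name = user.get("name") or {}
    for key in ("givenName", "familyName"):
        if not name.get(key):
            problems.append(f"name.{key} missing")
    if work_email(user) is None:
        problems.append("no email of type 'work'")
    return problems


def apply_patch(user, patch):
    """Apply a PATCH /Users/{id} body and return the updated copy (input is not mutated)."""
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    updated = copy.deepcopy(user)
    for op in patch["Operations"]:
        # Entra sends 'Replace' where RFC 7644 specifies lower-case 'replace'
        if op["op"].lower() != "replace":
            raise ValueError(f"unsupported op {op['op']!r}")
        value = op["value"]
        if op.get("path") == "active":
            # Entra may send the boolean as the string "False"; normalise it
            updated["active"] = value if isinstance(value, bool) else str(value).lower() == "true"
        elif op.get("path") is None and isinstance(value, dict):
            updated.update(value)  # path-less replace carries a partial resource
        else:
            raise ValueError(f"unsupported path {op.get('path')!r}")
    return updated


# Constructed request bodies in the shape Entra's provisioning service sends (hypothetical tenant "acme").
SAMPLE_CREATE = {
    "schemas": [USER_SCHEMA],
    "externalId": "3f2e1d0c-4b5a-4698-9c7d-0e1f2a3b4c5d",  # Entra objectId (constructed)
    "userName": "alice@acme.example",
    "active": True,
    "name": {"givenName": "Alice", "familyName": "Example"},
    "emails": [{"type": "work", "primary": True, "value": "Alice@acme.example"}],
}
SAMPLE_DEACTIVATE = {
    "schemas": [PATCH_SCHEMA],
    "Operations": [{"op": "Replace", "path": "active", "value": "False"}],
}
```

A request that fails `authorize()` must be answered with 401 before the body is even parsed; a body that fails `validate_user()` is answered with a SCIM 400 error whose detail names the offending attribute, which is what surfaces in the Entra provisioning log when an extra mapping is configured. Deactivation arrives as a PATCH on `active`, not as a DELETE, which is why deprovisioned users show up as inactive rather than removed.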
❗ Common Issues & Troubleshooting
- Missing attributes (e.g. externalId not mapped)
- Unsupported extra fields in the attribute mapping
- Incorrect redirect or ACS URLs (a trailing slash, a different port or http instead of https already counts as a mismatch)
- Expired / invalid tokens (SCIM secret token, OIDC client secret)
⚠️ Microsoft Entra ID does not support nested groups – only directly assigned users, or direct members of a group assigned to the Enterprise Application, are synced
📸 Screenshot: Microsoft documentation warning about nested groups
✨ Keep system clocks between IdP and ValueStreamer synchronized: SAML assertions (NotBefore / NotOnOrAfter) and OIDC tokens (exp) carry validity windows of a few minutes, so clock skew beyond that leads to rejected logins
❓ FAQ
What is the difference between OAuth and OIDC?
- OAuth 2.0 is an authorization framework: it lets an application obtain delegated access to an API. OpenID Connect (OIDC) adds an identity layer on top of OAuth 2.0: the ID token and the userinfo endpoint tell the application who logged in (name, email).
Can I use multiple SSO methods in parallel?
- Yes. E.g. SAML for internal users, OAuth/OIDC for external apps.
Does ValueStreamer support SCIM group sync?
- No. Group provisioning must be turned off.
What happens if a user is deleted in the IdP?
- If SCIM is active, the change is pushed on the next provisioning cycle: a user who is soft-deleted or removed from the application's scope is deactivated in ValueStreamer, and a permanently deleted user is deleted.
How often does Microsoft Entra ID sync users?
- Every ~40 minutes by default (incremental cycles after the initial full cycle). To push a single user immediately, use "Provision on demand" in the Enterprise Application.