Skip to content
English
More support
Contact us
  • There are no suggestions because the search field is empty.

🔐 Single Sign‑On & Provisioning: SAML, OAuth/OIDC and SCIM

This article explains how to set up Single Sign‑On (SSO) using SAML or OAuth / OIDC, and how to integrate SCIM for automated user provisioning. The goal is to ensure technical teams and customers understand and configure the same prerequisites correctly.

Contents

  • Overview: SAML vs. OAuth/OIDC vs. SCIM

  • Requirements & Terminology

  • Set up SSO with SAML

  • Set up SSO with OAuth / OIDC

  • Configure SCIM (User Provisioning)

  • Common Issues & Notes

  • FAQ

ℹ️ Note: Some steps (e.g. SCIM secret token, technical activation) require coordination with ValueStreamer Support:

👉 Help Desk Portal – Submit a ticket
📧 Alternatively: support@valuestreamer.de

Overview: SAML vs. OAuth / OIDC vs. SCIM

Technology Purpose Benefit / Use Case
SAML SSO (Authentication, Login) Enterprise standard with broad IdP support
OAuth / OIDC Authentication / Authorization Mobile-friendly, API-capable
SCIM User Provisioning (automated) Syncs user accounts directly from IdP

ℹ️ Note: OAuth requires OIDC to deliver identity information such as email and name.

Requirements & Terminology

Familiarize yourself with the following components:

  • IdP: Identity Provider (e.g., Azure AD, Auth0)

  • SP: Service Provider (e.g., ValueStreamer)

  • Entity ID / Issuer: Unique identifier of a system

  • ACS (SAML): Target URL for authentication response

  • Redirect URI (OAuth/OIDC): Callback URL after login

  • Provisioning Endpoint (SCIM): API endpoint for user sync

Tip: Centrally document all URLs, secrets and mappings in the project or customer documentation.

🛠️ Set up SSO with SAML

  1. Provide SP URL
    The customer must register this URL in their IdP:

     
    https://api-<tenant>.valuestreamer.de/saml/SSO

    ⚠️ Warning: This URL must be exact. Even small deviations (e.g. missing slash) will cause errors.

  2. Provide SP Entity ID
    Required for configuration in the IdP.

  3. Request IdP Metadata from the customer
    For example: Azure “App Federation Metadata URL”

  4. Configure in ValueStreamer

    • Import the IdP metadata URL

    • Map attributes: NameID, Email, First Name, Last Name

  5. Test login and check logs

Tip: Use a test user before enabling SSO for all users.

🛠️ Set up SSO with OAuth / OIDC

Example: Azure Active Directory

  1. Register app in Azure

    • Portal: Azure AD → App Registrations → New

    • Redirect URI:

       
      https://<company>.valuestreamer.de

    • Result: Client ID, Tenant ID, Secret

  2. Define Scopes

     
    openid, profile, email

  3. Configure in ValueStreamer

    • Auth URL:

       
      https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize

    • Token URL, Client ID, Client Secret, Scopes

⚠️ Warning: Ensure redirect URIs match exactly. A mismatch will result in rejection by the IdP.

Example: Auth0

  • Maintain Auth0 domain, client ID, and callback URLs in the dashboard

  • Frontend URL:

     
    https://<company>.valuestreamer.de

  • Configuration is similar to Azure

🛠️ Configure SCIM (User Provisioning)

  • Enterprise Application in Azure Entra ID
    Use an existing app for ValueStreamer or create a new one

  • Enable provisioning

    • Tenant URL:

       
      https://api-<tenant>.valuestreamer.de/scim/v2/

    • Request secret token from ValueStreamer

    • Test connection

📸 Screenshot: Successful test connection (green status message)

 

  • Configure Attribute Mapping

    • Users:

       
      objectId → externalId, mail, givenName, surname

    • Groups: Disable (turn off Create/Update/Delete)

⚠️ Warning: Remove any undefined attributes. Additional fields will cause sync errors.
⚠️ Warning: For user mapping, only use defined fields. Group mapping must be disabled.

  • Perform test synchronization

    • Create a test user in Azure

    • Start provisioning and check the logs

❗ Common Issues & Notes

  • ⚠️ Missing attribute mappings (e.g. externalId not defined)

  • ⚠️ Incorrect URLs (Redirect / ACS): cause login interruptions

  • ⚠️ Unsupported SCIM fields: remove extra attributes

  • ⚠️ Token expired / incorrect: provisioning fails

  • Tip: Ensure system clocks are synchronized (NTP time mismatch can break tokens)

❓ FAQ

What is the difference between OAuth and OIDC?
OIDC is an identity layer for OAuth that delivers login information (e.g., email, name).

Can I configure multiple SSO methods in parallel?
Yes, e.g., SAML for internal users, OAuth/OIDC for external apps.

Are groups synchronized via SCIM?
ValueStreamer does not support group sync. Group provisioning must be disabled.

What happens if a user is deleted in the IdP?
If SCIM is active, the user will also be removed or deactivated in ValueStreamer.

How often does Azure Entra ID sync?
The default interval is approx. 40 minutes.