everett-arconti15105 asked

Directory Integration SCIM/Azure Active Directory

I see on the Directory Integration page that System for Cross-Domain Identity Management (SCIM) is an option. I also found that Azure Active Directory can leverage SCIM for user and group provisioning and de-provisioning: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/use-scim-to-provision-users-and-groups. I'd rather go this route, if possible, than set up Okta and use yet another product just to get directory integration working.


Has anyone done this successfully? I'm using https://platform.devtest.ringcentral.com/scim/v2/ as the Tenant URL for my application in Azure, and my Application Client Secret for the Secret Token, but I can't even get a test connection to work.


Any suggestions other than just use Okta?

integrations
tony-li73 answered
Hi Everett,

Azure and RingCentral are working on an app that can do the user provisioning from Azure to RingCentral. Due to the resource constraint on the Azure side, they don't have a confirmed timeline yet.

Azure provides the ability to configure the "non app gallery" app by providing a one-time access token. However, since a RingCentral access token can live for an hour, it's not really recommended to configure such an app to provision the users.

Also, there will be some user guide doc prepared by the product team when the app is ready. For example, RingCentral leverages the user's address to assign the purchased phone numbers. Azure provides free-form address fields. In order to have RingCentral assign the number accurately, the address attributes need to follow certain standards, such as ISO 3166-2 - Country Codes, full state/county name, and correct city name, etc.

Hi Everett,

Correct, the non-gallery app will stop working after 1 hour due to the expiration of the access token. The real app will have the OAuth flow that keeps the refresh token to obtain the access token when it expires.

We originally targeted for Q2 of this year.


1 Like 1 ·

Hi Tony,

Has there been any progress on this? I am sure the pandemic has affected things. But hopefully we can get an update?

0 Likes 0 ·

I doubt they’ve made progress. The reply is from March 2019, almost a year before the pandemic was in full effect. It was supposedly due out Q2 of 2019. Manually adding new users is annoying, but I’ve stopped holding my breath.

0 Likes 0 ·
Tony,
Thank you for the information. Am I understanding correctly that the RingCentral access token can ONLY live for 1 hour and because of that the "non gallery app" would stop functioning after that?

I know you said you don't have a confirmed timeline, but would it be possible to get a ballpark timeline? 

Thank you.
0 Likes 0 ·
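
Added example, not part of the original thread and not RingCentral or Azure code: a simulation of the point discussed above, that a one-hour access token pasted into the Secret Token field stops working while a client that keeps a refresh token continues provisioning. The stub server, class names, 40-minute cycle interval and single-use refresh-token rotation are assumptions for illustration.

```python
import secrets

ACCESS_TTL = 3600  # seconds; the one-hour access-token lifetime stated in the thread

class StubAuthServer:
    """Stand-in for a token endpoint plus SCIM endpoint (hypothetical, offline)."""
    def __init__(self):
        self.access = {}      # access token -> expiry time
        self.refresh = set()  # refresh tokens that are still valid
    def issue(self, now):
        at, rt = secrets.token_hex(8), secrets.token_hex(8)
        self.access[at] = now + ACCESS_TTL
        self.refresh.add(rt)
        return at, rt
    def redeem(self, rt, now):
        if rt not in self.refresh:
            raise PermissionError("invalid refresh token")
        self.refresh.discard(rt)  # assumed rotation: each refresh token is single-use
        return self.issue(now)
    def scim_call(self, at, now):
        # HTTP status a SCIM endpoint would return for this bearer token
        return 200 if self.access.get(at, 0) > now else 401

class StaticTokenClient:
    """Models one access token configured once as the Secret Token."""
    def __init__(self, server, now):
        self.server = server
        self.at, _ = server.issue(now)
    def provision(self, now):
        return self.server.scim_call(self.at, now)

class RefreshingClient:
    """Models the OAuth flow that keeps a refresh token."""
    SKEW = 60  # refresh slightly before expiry
    def __init__(self, server, now):
        self.server = server
        self.at, self.rt = server.issue(now)
        self.exp = now + ACCESS_TTL
    def provision(self, now):
        if now >= self.exp - self.SKEW:
            self.at, self.rt = self.server.redeem(self.rt, now)
            self.exp = now + ACCESS_TTL
        return self.server.scim_call(self.at, now)

def run_cycles(client, start, cycles, interval=2400):
    """Run provisioning cycles every `interval` seconds (40 minutes assumed)."""
    return [client.provision(start + i * interval) for i in range(cycles)]
```

With four cycles starting at time 0, the static client returns 200 for the first two cycles and 401 afterwards, while the refreshing client returns 200 throughout.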
tony-li73 answered

Hi @Alex Janes, Azure team is still working on the 3-legged OAuth flow to maintain the refresh/access token automatically. They had an initial release last month, but it seemed that they encountered some error and rolled it back. Hopefully, it could be fixed and released soon.

In the meantime, if you still want to use the long-lived token approach, you can contact the RingCentral support team to request one. Usually, a customized token can be valid for 3-6 months.

Again, thanks for your patience.


Hi @tony-li,

I've found Azure's OAuth to be highly functional with token refreshes (auth_code and access tokens).

What I've seen in RC's OAuth flows, ClientID/ClientSecret is not a supported flow type for obtaining an auth_code then access token.

Generally, ClientID+ClientSecret are base64 encoded together, then encrypted by the issuer (in this case the issuer is RC). That string constitutes the ClientSecret value issued by the Resource Provider, which Azure.Identity expects the configuring Admin person will put into the Client Secret field for OAuth setup (tracks for AzureAD.SCIM OAuth setup as well).

Just IMO.... I'm surprised MS would consider putting an auth_code (token), access token or even a refresh token as a configured, long-lived persisted value for an OAuth setup. That's what the OAuth spec defines the ClientSecret for.

1 Like 1 ·
tony-li73 replied to Paul Rarey (AA):

Hi @Paul Rarey (AA),

We just got the confirmation from the Azure team that the RingCentral App has been updated to support 3-legged OAuth. Please have a try by clicking on the "Authorize" button to set it up instead of using a long-lived access token.

Thanks,
Tony


0 Likes 0 ·

@tony-li73 I'll test this out tomorrow. Appreciate the notice!!

0 Likes 0 ·