Single Sign On (SSO)

This guide provides instructions for integrating Locktera with Entra ID (formerly Azure Active Directory) to enable Single Sign-On (SSO) and user synchronization. By integrating Locktera with Entra ID, organizations can manage user authentication and provisioning efficiently using their existing Entra ID infrastructure.

Table of Contents

  1. Prerequisites

  2. Integration Overview

  3. Step-by-Step Integration Process

    1. Step 1: Register Locktera in Entra ID

    2. Step 2: Configure SSO for Locktera in Entra ID

    3. Step 3: Enable SCIM Provisioning in Locktera

    4. Step 4: Configure User Synchronization in Entra ID

  4. Testing the Integration

  5. Troubleshooting

  6. FAQs

Prerequisites

Before starting the integration, ensure the following prerequisites are met:

  • You have an Entra ID (Azure AD) tenant with administrator privileges.

  • A Locktera account with administrative access to configure integrations.

  • SCIM provisioning is supported in your Locktera subscription plan.

  • Optional: If using on-premises Active Directory, ensure Azure AD Connect is set up for hybrid synchronization.

Integration Overview

This integration enables the following functionalities:

  1. Single Sign-On (SSO): Users can log in to Locktera using their Entra ID credentials without needing separate passwords.

  2. User Provisioning (via SCIM): Entra ID can automatically provision, update, and de-provision user accounts in Locktera using the SCIM protocol, ensuring that user data is synchronized between systems.

Step-by-Step Integration Process

Step 1: Register Locktera in Entra ID
  1. Log in to the Azure Portal (portal.azure.com) as an administrator.

  2. Navigate to Entra ID.

  3. From the left-hand navigation panel under Manage, select Enterprise Applications.

  4. Click + New Application and select Create Your Own Application.

  5. Name the application (e.g., “Locktera SSO”) and choose Integrate any other application you don’t find in the gallery (Non-Gallery).

  6. Once the application is created, go to Single Sign-On settings.

Step 2: Configure SSO for Locktera in Entra ID
  1. In the Locktera application settings within Entra ID, select SAML as the SSO method.

  2. Configure the following SAML details:

  3. Download the Federation Metadata XML from Entra ID. You will upload this to Locktera later.

  4. Under User Attributes & Claims, map the necessary attributes, such as:

    • Unique User Identifier (Name ID): Set this to user.mail or user.userprincipalname.

  5. Save the configuration.
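The Federation Metadata XML downloaded in step 3 is what Locktera will rely on to trust Entra ID as its identity provider. As an added illustration (not Locktera's own code), this Python snippet parses a constructed metadata sample of the same shape and pulls out the three values the service-provider side must pin: the issuer (entityID), the HTTP-Redirect SSO URL and the signing certificate; the tenant id and certificate body are placeholders.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the shape of the Federation Metadata XML that Entra ID exports.
# The tenant id and certificate body are placeholders, not real values.
SAMPLE_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>MIIC-CERT-PLACEHOLDER</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

def parse_idp_metadata(xml_text):
    """Extract what the service provider needs from IdP metadata: the issuer
    (entityID) every assertion must carry, the HTTP-Redirect SSO URL to send
    AuthnRequests to, and the signing certificate(s) used to verify assertions."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    certs = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            if cert.text:
                certs.append("".join(cert.text.split()))  # drop PEM-style line breaks
    sso = [s.get("Location") for s in idp.findall(f"{{{MD}}}SingleSignOnService")
           if s.get("Binding") == REDIRECT_BINDING]
    if not certs or not sso or not sso[0].startswith("https://"):
        raise ValueError("metadata lacks a signing certificate or an https SSO URL")
    return {"entity_id": root.get("entityID"), "sso_url": sso[0], "signing_certs": certs}
```

The entity_id returned is the value the Identifier on the Locktera side must match exactly, which is the first thing to compare when an SSO error appears.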

Step 3: Enable SCIM Provisioning in Locktera
  1. Log in to the Locktera Admin Portal.

  2. Navigate to Settings > Integrations.

  3. Enable SCIM provisioning and obtain the following details:

    • SCIM Base URL: The URL Locktera uses to accept SCIM provisioning requests.

    • SCIM Bearer Token: This is the secret token used for authentication between Entra ID and Locktera.

  4. Save these details, as you’ll need them in Entra ID.

Step 4: Configure User Synchronization in Entra ID
  1. In the Azure Portal, return to the Locktera application.

  2. Under Provisioning, click Get Started.

  3. Set Provisioning Mode to Automatic.

  4. In the Admin Credentials section, enter:

    • SCIM Base URL: The URL obtained from Locktera’s SCIM settings.

    • Bearer Token: The token obtained from Locktera’s SCIM settings.

  5. Click Test Connection to ensure the credentials are correct.

  6. Under Mappings, review the default user attribute mappings (e.g., userPrincipalName, displayName, email, etc.). You can customize these if needed.

  7. Set up Provisioning Scope to define which users or groups should be synchronized with Locktera.

  8. Once configured, click Save and Start Provisioning.

Testing the Integration

  1. Log in to the Entra ID My Apps portal as a user who has been assigned access to Locktera.

  2. Click on the Locktera SSO application icon.

  3. Verify that you are successfully logged into Locktera without requiring additional credentials.

  4. To test user provisioning:

    • Assign a new user or group to the Locktera application within Entra ID.

    • Verify that the user appears in the Locktera user management section after synchronization.

    • Deactivate or delete a user in Entra ID and confirm the user is removed from Locktera.
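Behind the provisioning steps in Step 4 and the checks just listed, Entra ID calls the SCIM Base URL with the Bearer Token on every request. This added Python example, not Locktera's implementation, is a hypothetical minimal /Users handler showing what a SCIM endpoint has to do with those calls: validate the token in constant time, create a user from the default mappings, and honour the deactivate (PATCH active=false) and delete messages that the de-provisioning check relies on; the token value and in-memory user store are constructed placeholders.

```python
import hmac
import itertools
import json

# Placeholder standing in for the SCIM Bearer Token issued in Locktera's SCIM settings.
SCIM_BEARER_TOKEN = "placeholder-scim-token"
USERS = {}                    # in-memory stand-in for the user store, keyed by SCIM id
NEXT_ID = itertools.count(1)  # server-assigned ids, as SCIM requires

def authorized(headers):
    """Check the bearer token Entra ID sends on every SCIM request, comparing in
    constant time so a wrong token cannot be narrowed down via response timing."""
    value = headers.get("Authorization", "")
    return value.startswith("Bearer ") and hmac.compare_digest(value[7:].encode(), SCIM_BEARER_TOKEN.encode())

def scim_error(status):
    return status, {"schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
                    "status": str(status)}

def handle_scim(method, path, headers, body=""):
    """Dispatch the /Users calls behind provisioning: POST creates a user from the
    default mappings (userPrincipalName -> userName, displayName, mail -> emails),
    PATCH with active=false deactivates, DELETE removes."""
    if not authorized(headers):
        return scim_error(401)
    data = json.loads(body) if body else {}
    if method == "POST" and path == "/Users":
        if "userName" not in data:
            return scim_error(400)
        if any(u["userName"] == data["userName"] for u in USERS.values()):
            return scim_error(409)  # duplicate userName is a uniqueness conflict in SCIM
        user = {"id": str(next(NEXT_ID)), "userName": data["userName"],
                "displayName": data.get("displayName", ""),
                "emails": [e["value"] for e in data.get("emails", []) if e.get("primary")],
                "active": str(data.get("active", True)).lower() == "true"}
        USERS[user["id"]] = user
        return 201, user
    user = USERS.get(path[len("/Users/"):]) if path.startswith("/Users/") else None
    if user is None:
        return scim_error(404)
    if method == "PATCH":
        for op in data.get("Operations", []):
            # Entra ID may send the flag as a string ("False") or as a JSON bool
            if op.get("op", "").lower() == "replace" and op.get("path") == "active":
                user["active"] = str(op.get("value")).lower() == "true"
        return 200, user
    if method == "DELETE":
        del USERS[user["id"]]
        return 204, None
    return scim_error(405)
```

A 401 from this handler is exactly what a wrong Bearer Token produces during Test Connection, and a PATCH that leaves active true is what to look for when a deactivated user still appears in Locktera.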

Troubleshooting

  • SSO Errors: Ensure that the SAML configuration matches exactly between Entra ID and Locktera (e.g., Identifier, Reply URL).

  • SCIM Provisioning Issues: Verify that the SCIM Base URL and Bearer Token are correct. Check logs in both Entra ID and Locktera for any failed provisioning requests.

  • User Sync Delays: SCIM provisioning may take a few minutes to sync user data. Check the provisioning logs in Entra ID for the sync status.

FAQs

Q: Can I sync custom attributes between Entra ID and Locktera?
A: Yes, custom attributes can be mapped in the Provisioning section under Mappings. You can add custom SCIM attributes if supported by Locktera.

Q: How often does SCIM provisioning sync user data?
A: Provisioning typically runs every 40 minutes, but you can trigger an on-demand sync from the Entra ID portal.

Q: Does Locktera support group-based provisioning?
A: Yes, Locktera supports group-based provisioning, allowing you to assign Entra ID groups to Locktera roles.

Conclusion

By following this guide, you can successfully integrate Locktera with Entra ID, enabling both SSO and automated user provisioning through SCIM. This integration simplifies user management by leveraging your existing Entra ID infrastructure while providing seamless access to Locktera for your users.