SCIM Integration for ThreatLocker Administrator Accounts

5 min. read. Last update: 12.04.2025

Beginning with Portal version 3.7, ThreatLocker offers SCIM integration, which can be used to provision administrators from user groups in your Identity Provider (IdP). 

How to Configure the SCIM Integration

Navigate to the Integrations page. Start typing 'SC' in the search bar to find SCIM.

SCIM Settings 

Select SCIM Integration to open the 'Create SCIM Integration for ThreatLocker Administrator Accounts' sidebar.


At the top is the API Url.  You will need the API Url and an API token to configure user provisioning from your IdP.

Select the 'Generate API Token' button to generate a new token.

Once it is generated, the token will only be visible once.

Copy and store the token securely.  If a new API token is generated, it will invalidate the previous token, breaking the integration if it has already been configured.

At the top, an Enabled toggle will now appear. If at any time you wish to disable the synchronization between the IdP and ThreatLocker, you can toggle this off. Ensure the 'Enabled' toggle is on to allow the IdP to connect to ThreatLocker.

Click the 'Save' button after generating and copying the token.

The Admin Login Settings section is where you will select how users will obtain the ability to log into the ThreatLocker portal once they are provisioned from the IdP. 

You can choose to either create a SAML-enabled account for the provisioned users or to send an email invitation to newly provisioned users so they can set up their own login for the ThreatLocker portal. The option to create a SAML-enabled account requires that the SAML integration be configured first. See the associated article here: SAML Integration | ThreatLocker Help Center

Group Mapping

The 'Group Mapping' tab is where you will map user groups from the IdP to ThreatLocker User Roles.

Synchronization with the IdP could take up to an hour initially, and again whenever changes are made.

Select the desired group from the 'Identity Provider Group' dropdown. Once a group has been selected and mapped to ThreatLocker User Roles, it will no longer be available in the Identity Provider Group dropdown.

In the ThreatLocker User Role dropdown, select the User Role or Roles that you wish to apply to the selected group.

Don't forget to click the '+' button to add the mapping to the list below.

When all mapping has been completed, select the 'Save' button to apply the settings.

Once users have been provisioned from the IdP groups, additional non-mapped ThreatLocker User Roles cannot be added to the users, but individual permissions can be applied if needed.
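To make the Group Mapping behaviour concrete, here is an added example (not ThreatLocker code) that models the mapping table: a group can be mapped once and then leaves the dropdown, and a provisioned user's roles come only from mapped groups. The group and role names used are constructed, and the "union of roles across a user's groups" rule is an assumption not stated in the article.

```python
"""Added example (not ThreatLocker code): a model of the Group Mapping tab."""
from typing import Dict, Iterable, List, Set


class GroupMapping:
    """Maps IdP groups (populated by the initial provisioning run) to User Roles."""

    def __init__(self, idp_groups: Iterable[str]) -> None:
        self._available: Set[str] = set(idp_groups)   # still offered in the dropdown
        self._mappings: Dict[str, Set[str]] = {}      # group -> mapped roles

    def available_groups(self) -> List[str]:
        """What the 'Identity Provider Group' dropdown currently offers."""
        return sorted(self._available)

    def add(self, group: str, roles: Iterable[str]) -> None:
        """The '+' button: map one group to one or more ThreatLocker User Roles."""
        role_set = set(roles)
        if group not in self._available:
            raise ValueError(f"group {group!r} is unknown or already mapped")
        if not role_set:
            raise ValueError("select at least one ThreatLocker User Role")
        self._mappings[group] = role_set
        self._available.discard(group)   # a mapped group leaves the dropdown

    def effective_roles(self, user_groups: Iterable[str]) -> Set[str]:
        """Roles a provisioned user receives from the mapped groups they belong to.

        Assumption: roles from several mapped groups are combined. A user with no
        mapped groups (e.g. provisioned individually) receives no roles at all;
        only individual permissions can be applied to such a user afterwards.
        """
        roles: Set[str] = set()
        for group in user_groups:
            roles |= self._mappings.get(group, set())
        return roles
```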

API History

The API History tab displays the API logs for the integration.


Setting Up User and Group Provisioning in the Entra ID Portal

In the Entra ID portal, you will need to create a new Enterprise app to allow ThreatLocker to connect to Entra.

Navigate to Enterprise apps.

Select New Application.

  1. Select 'Create your own application', located at the top of the screen.
  2. Provide a name for the application.
  3. Select 'Integrate any other application you don't find in the gallery'.
  4. Click 'Create'.

Once the app has finished creating, navigate down to 'Provisioning'.

In the Overview window, select 'Connect your application'.

In the New provisioning configuration window, leave the authentication method as Bearer authentication.

Insert the Tenant URL and the Secret token from the ThreatLocker portal sidebar.


Select the 'Test Connection' button in Entra to verify the API Url and Token were inserted correctly. 

If the Enabled button was not toggled on in the ThreatLocker portal, the connection test will fail. Please ensure the Enabled button is toggled on.

Click the 'Create' button to create your Enterprise app.

Next, navigate to 'Attribute' mapping.

No adjustments are needed on the Groups. 

Select Provision Microsoft Entra ID Users to adjust the user attributes that will be sent to ThreatLocker.

Scroll down to the list of Attribute Mapping.

Here, you can remove all attributes that are not necessary for ThreatLocker user provisioning. Select the 'Delete' button next to all attributes except userName, name.givenName, and name.familyName. Any attributes received by ThreatLocker that are not one of the three listed above will be disregarded.

Once you have deleted the unnecessary attributes, click the 'Save' button in the top left.

Please note: The userName must be an email and it must be unique (meaning there are no other users in the ThreatLocker portal with an identical name).
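The following is an added example (not ThreatLocker or Microsoft code) of how a SCIM service provider would treat a user sent with the attribute mapping above: it keeps only userName, name.givenName and name.familyName, discards everything else, and enforces that userName is an email address and is unique. It assumes the inbound body is a SCIM 2.0 User resource (RFC 7643 layout, as Entra sends on POST /Users); the sample payload is constructed, and the case-insensitive uniqueness comparison is an assumption.

```python
import json
import re
from typing import Dict, Iterable

# Only these three attributes are used for ThreatLocker provisioning; any other
# attribute received is disregarded.
KEPT_ATTRIBUTES = ("userName", "name.givenName", "name.familyName")
# Minimal email-shape check (assumption: the article only requires "an email").
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def filter_user(payload: Dict) -> Dict[str, str]:
    """Keep only the mapped attributes from a SCIM 2.0 User resource."""
    kept: Dict[str, str] = {}
    for attr in KEPT_ATTRIBUTES:
        value = payload
        for part in attr.split("."):  # walk dotted paths such as name.givenName
            value = value.get(part) if isinstance(value, dict) else None
        if value is not None:
            kept[attr] = str(value)
    return kept


def validate_new_user(payload: Dict, existing_usernames: Iterable[str]) -> Dict[str, str]:
    """Apply the userName rules: it must be an email and unique in the portal."""
    user = filter_user(payload)
    username = user.get("userName", "")
    if not EMAIL_RE.match(username):
        raise ValueError(f"userName {username!r} is not an email address")
    # Assumption: uniqueness is compared case-insensitively, as email addresses usually are.
    if username.lower() in {u.lower() for u in existing_usernames}:
        raise ValueError(f"userName {username!r} already exists in the portal")
    return user


# Constructed request body shaped like an Entra SCIM POST /Users (not a real capture).
SAMPLE_USER_JSON = """{"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
 "userName": "alice.example@example.com",
 "name": {"givenName": "Alice", "familyName": "Example", "formatted": "Alice Example"},
 "displayName": "Alice Example", "active": true,
 "emails": [{"primary": true, "value": "alice.example@example.com"}]}"""


def sample_user() -> Dict:
    """Parse the constructed sample body into a dict."""
    return json.loads(SAMPLE_USER_JSON)


if __name__ == "__main__":
    print(validate_new_user(sample_user(), ["bob.example@example.com"]))
```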

Once the attribute mapping is complete, next you will assign users and groups to the application.

Navigate to Users and groups.

Select 'Add user/group'.

Select 'None Selected' to open the Users and groups list.

In the list that populates, select the check box next to the users and/or groups you wish to have provisioned from Entra to ThreatLocker. When selecting an entire group, all users contained in that group will be included in the provisioning.

Please Note: Selecting individual users will create the user with no permissions or roles applied in the ThreatLocker portal. It will be necessary to navigate to the Users page in the ThreatLocker portal and open the user sidebar to apply individual permissions. Roles are not able to be added to SCIM provisioned users. 

Once all selections have been made, click the blue 'Select' button.

Next, select the 'Assign' button.

Select 'Provisioning'.

Slide the toggle to Provisioning Status 'On'. Then click Save at the top.

On the Overview page, scroll to the bottom step.

Click 'Start provisioning' to start the synchronization process.  This is what will populate groups in the Group Mapping dropdown in ThreatLocker.  This initial provisioning could take up to an hour.

All settings are now complete in Entra ID. Users and groups that are added in Entra will automatically be added in ThreatLocker.

Removing Users and Groups

Once user provisioning has been established, users and/or groups that are removed in Entra will be disabled and removed from the ThreatLocker portal.
