
Single Sign On - Microsoft Azure AD and OpenText Directory Services (OTDS) Integration

Provisioning users from Azure AD to OTDS using SCIM.
This keeps your Azure tenant's users and groups synchronized into OTDS and allows them to sign on to OpenText Core Share.


  • Prerequisites:

    • An Azure AD Premium subscription is required to add non-gallery applications to the Azure AD tenant, and consequently for SCIM support

    OTDS Configuration:

    • Contact the OpenText Core Share Support team and provide your Azure AD tenant GUID:

        OpenText will create an OAuth confidential client to represent your Azure SCIM client. The name of this client MUST be AZURE_SCIM_<AZURETENANTGUID> where <AZURETENANTGUID> is your Azure AD tenant GUID

    Azure AD Configuration:

    • Add a new Enterprise Application to the directory
    o Add an application from the gallery -> Custom
    Note: If you cannot choose this option, you do not have an Azure AD Premium subscription.

    • Configure the Provisioning tab to have Azure AD sync to OTDS using SCIM.

        Make sure you are using https on OTDS. It is absolutely insecure to use plain http over the Internet with OAuth bearer tokens. Any ‘man in the middle’ would be able to intercept the traffic, steal the token, and create/delete users and groups.

    o Do NOT specify a Secret Token. Azure will send its own token that OTDS verifies with Azure AD.

    • Configure the users/groups to synchronize, or synchronize all.

    NOTE: Azure AD synchronizes periodically on an interval of about 20 minutes in the background. You may have to wait this interval in order for users/groups to start showing up in OTDS. Check the sync status in Azure AD. This frequency is not under OTDS’ control.
    More details about SCIM provisioning by Azure AD can be found here:

    Details on the authentication of SCIM requests from Azure

    Azure AD SCIM synchronization sends an Azure AD-generated token in the SCIM requests it makes to OTDS. OTDS does the following to authenticate a SCIM request:
    • Check if the token is an Azure AD token
    o If it is not, normal OTDS token validation applies
    • Verify the token’s signature (using Azure AD’s published certificates)
    • Verify the token’s expiry date. Consequently, it is required that the date be correct on your OTDS server
    • Verify the token is issued specifically to the ‘Azure AD Cloud Sync’ entity in Azure
    • Verify there is an OAuth client with the Azure AD tenant GUID identified in the token

    If all of the above checks pass, the request is performed as the configured OAuth client.
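The check chain above, as an added Python example that is not OTDS or Azure code: it parses a bearer token, applies the five checks in order, and maps the tenant GUID in the token to the AZURE_SCIM_<AZURETENANTGUID> client name the page requires. The issuer prefix, the Cloud Sync app ID, the published keys and the OTDS client registry are constructed stand-ins, and HMAC-SHA256 stands in for Azure AD's RS256 signatures so the example runs offline.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-ins for this demo; none are real Azure AD or OTDS values.
AZURE_ISSUER_PREFIX = "https://sts.windows.net/"      # assumed issuer form for Azure AD tokens
CLOUD_SYNC_APP_ID = "CLOUD-SYNC-APP-ID-PLACEHOLDER"     # the 'Azure AD Cloud Sync' entity (placeholder)
PUBLISHED_KEYS = {"kid-1": b"constructed-demo-key"}   # stand-in for Azure AD's published certificates
OAUTH_CLIENTS = {"AZURE_SCIM_11111111-2222-3333-4444-555555555555"}  # clients registered in OTDS

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims: dict, kid: str = "kid-1") -> str:
    """Constructed test token; HMAC-SHA256 stands in for Azure's RS256 so it runs offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(PUBLISHED_KEYS[kid], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def authenticate_scim_request(token: str, now: float) -> tuple:
    """Apply the OTDS check chain. Returns ('azure', client), ('otds', None) or ('rejected', why)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    # 1. Not an Azure AD token: normal OTDS token validation applies instead.
    if not str(claims.get("iss", "")).startswith(AZURE_ISSUER_PREFIX):
        return ("otds", None)
    # 2. Verify the signature with the key Azure AD published under this 'kid'.
    key = PUBLISHED_KEYS.get(header.get("kid"))
    if key is None:
        return ("rejected", "unknown signing key")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return ("rejected", "signature mismatch")
    # 3. Verify expiry; this is why the OTDS server's clock must be correct.
    if float(claims.get("exp", 0)) <= now:
        return ("rejected", "token expired")
    # 4. Verify the token was issued to the 'Azure AD Cloud Sync' entity.
    if claims.get("appid") != CLOUD_SYNC_APP_ID:
        return ("rejected", "not issued to Azure AD Cloud Sync")
    # 5. Verify an OAuth client named AZURE_SCIM_<tenant GUID> exists for the token's tenant.
    client = f"AZURE_SCIM_{claims.get('tid', '')}"
    if client not in OAUTH_CLIENTS:
        return ("rejected", f"no OAuth client {client}")
    return ("azure", client)
```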

  • I used an MSDN subscription to do Content Server integration testing, and part of your instruction says I need an Azure AD Premium subscription. Does anyone know if an MSDN subscription has that?
  • PramodMohandas (OpenText Developer)
    If you already have an active Azure Subscription, then Azure AD needs to be separately subscribed to via the same subscription. For testing purposes, you can also opt for the free one month trial here. It is part of the Azure subscription's SaaS model.
  • Why make things simple when they can be complicated! I'm sure it is Microsoft's motto!!! What does it mean: "Azure AD needs to be separately subscribed to via the same subscription"? Could anyone having a normal MSDN subscription tell me if we can do this and how?
  • So this solution makes the on-prem installation of OTDS and Enterprise Dir Sync for Core Share Enterprise obsolete? That is what the customer reads from this solution.

    Can we drop OTDS for Core Share after the implementation of this solution?
