Skip to content

Commit 2ead7d6

Browse files
jeevansdjeevandesardaCopilot
authored
Update WIF provisioning article screenshots (#151)
* Add Workload Identity Federation for SCIM Provisioning documentation Add comprehensive markdown guide covering: - WIF overview and JWT Bearer Assertion flow (RFC 7523) - 3-step admin configuration flow for Entra Portal - JWT claims reference with example token payload - ISV requirements for JWKS validation and token issuance - SAP SuccessFactors integration example - FAQ for key caching, rotation, and fallback - Security considerations and legacy vs WIF comparison Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Rename Workflow to Workload in identity federation doc filename Fixed typo in filename: Workflow -> Workload Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Update WIF provisioning article screenshots Add Entra Workload Identity Federation configuration flow screenshots and guidance for ISV setup. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Jeevan Desarda <jeevansd@gmail.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent c651f03 commit 2ead7d6

7 files changed

Lines changed: 18 additions & 2 deletions

Workload-Identity-Federation-for-SCIM-Provisioning.md

Lines changed: 18 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
# Workload Identity Federation: A New Authentication Method for SCIM Provisioning
22

3-
**Date:** 9th June 2026
3+
**Date:** 25th June 2026
44

55
---
66

@@ -62,6 +62,8 @@ This is a fundamental shift from the traditional model where admins had to:
6262

6363
The administrator must perform **3 steps** to set up the integration for their app. The administrator must have at least the **Application Administrator** role on the customer's tenant.
6464

65+
![Workload Identity Federation configuration flow](media/workload-identity-federation/wif-configuration-flow.png)
66+
6567
### Step 1: Configure ISV App and Workload Identity in Entra Portal
6668

6769
In the Entra App Gallery, the administrator:
@@ -70,6 +72,16 @@ In the Entra App Gallery, the administrator:
7072
2. On the Connectivity Page, picks **"Workload Identity Federation"** as the auth method
7173
3. Clicks **"Select Workload Identity"** — customers can register a new Workload Identity App or reuse an existing one they have already used to set up with the ISV
7274

75+
The Connectivity page exposes **Workload Identity Federation** as an authentication method alongside the existing authentication options.
76+
77+
![Select Workload Identity Federation as the provisioning authentication method](media/workload-identity-federation/select-workload-identity-federation-auth-method.jpg)
78+
79+
After selecting **Workload Identity Federation**, the administrator chooses **Select Workload Identity**. From there, they can either register a new workload identity app or select an existing workload identity that has already been configured with the ISV.
80+
81+
| Register a new workload identity | Select an existing workload identity |
82+
|---|---|
83+
| ![Register a new workload identity in Entra](media/workload-identity-federation/register-new-workload-identity.jpg) | ![Select an existing workload identity in Entra](media/workload-identity-federation/select-existing-workload-identity.jpg) |
84+
7385
After the access app is configured, the UX displays the following values to be **copied to the ISV Portal**:
7486

7587
| Value | Format |
@@ -79,6 +91,8 @@ After the access app is configured, the UX displays the following values to be *
7991
| **Subject (sub)** | `<Sync Fabric Workload Identity 1P app object ID>` |
8092
| **Audience (aud)** | `api://{WorkloadIdentity_appid}/.default` |
8193

94+
![Copy WIF claims and JWKS URL from Entra to the ISV portal](media/workload-identity-federation/copy-wif-claims-to-isv.png)
95+
8296
### Step 2: Set up SCIM Client with JWKS in ISV Portal
8397

8498
In the ISV portal, the administrator sets up a client for the ISV's SCIM endpoint. As part of setting up the auth integration, the administrator copies the values from Step 1 (issuer, JWKS URL, subject, audience) into the ISV portal.
@@ -99,6 +113,8 @@ Back in the Entra App Gallery:
99113
2. Click **"Test Connection"** — this invokes the backend to perform all the token exchange steps and validate the integration
100114
3. **Save** the configuration — the app is now ready to configure provisioning
101115

116+
![Complete Workload Identity Federation connectivity settings in Entra](media/workload-identity-federation/complete-entra-connectivity-settings.png)
117+
102118
---
103119

104120
## How the JWT Bearer Assertion Flow Works
@@ -402,4 +418,4 @@ If the JWKS endpoint is temporarily unavailable:
402418
| Microsoft Identity Platform OIDC Metadata | `https://login.microsoftonline.com/{tenantId}/v2.0/.well-known/openid-configuration`|
403419
---
404420

405-
*Last updated: June 9, 2026*
421+
*Last updated: June 25, 2026*
47.2 KB
Loading
26.2 KB
Loading
15.6 KB
Loading
16.5 KB
Loading
18 KB
Loading
69.9 KB
Loading

0 commit comments

Comments
 (0)