SCIM Provisioning - Refresh your Long-lived Bearer Token for Azure Entra ID


Author: James Ressler

Date: April 8, 2024

Audience: Everyone

Issue

Azure Entra ID requires a Secret Token (or Long-lived Bearer Token) in order to utilize System for Cross-domain Identity Management (SCIM) provisioning with Jama Connect. This token is set to expire every six (6) months and needs to be manually updated by an Azure Administrator to ensure the continued functionality of SCIM provisioning.

If the token is not updated before expiration, provisioning will fail. If SCIM provisioning suddenly stops working, the first and most likely solution to try is to regenerate the Long-lived Bearer Token.

Solution

The process to generate a new Long-lived Bearer Token is the same one used during the initial setup of SCIM provisioning, as outlined in "Jama Connect® SCIM configuration with Okta and Microsoft Azure AD". A tailored version of the instructions is laid out below.

Retrieving a new Long-lived Bearer Token

Make the following request to retrieve a new Long-lived Bearer Token, authenticating as a Jama Organization Admin per your organization's authentication model (if SSO is enabled on your instance, see "API - Authentication - Generating an OAuth Bearer Token for Making API Calls").

GET /rest/token?revokeExistingToken=true

If you receive a status code 400 and the following response:

{
  "meta": {
    "status": "Bad Request",
    "timestamp": "2024-04-08T17:29:02.737+0000",
    "message": "Error retrieving API key, signing keys do not exist."
  }
}

Then this indicates that your API key pair was never generated. You can generate your API key pair by making the following request.

POST /rest/token/apiKeygen

And finally, you can retrieve your Long-lived Bearer Token with the request:

GET /rest/token

If, while generating your API key pair, you receive a status code 400 and the following response:

{
  "meta": {
    "status": "Bad Request",
    "timestamp": "2024-04-08T17:29:02.737+0000",
    "message": "Expired signing key"
  }
}

This indicates your existing API key pair is expired. You can confirm expiration with the following request:

GET /rest/token/signingKeyExpiration

If the date has passed, then you will need to delete the existing key pair.

DELETE /rest/token/deleteKey

After removing the expired key pair, the API key pair can be generated in the usual way.

POST /rest/token/apiKeygen

And finally, you can retrieve your Long-lived Bearer Token with the request:

GET /rest/token

One last note: if you receive a status code 409 and the following response:

{
  "meta": {
    "status": "Conflict",
    "timestamp": "2024-04-08T17:29:02.737+0000",
    "message": "User already has token defined, must explicitly revoke existing token."
  }
}

Then you must make the token request with the additional parameter:

GET /rest/token?revokeExistingToken=true
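
The request sequence above as one decision flow, in an added Python example that is not Jama's code and not part of the original article. It records only method, path and status for each call so the token never reaches a log. Assumptions: `http_sender`, `refresh_token` and `msg_of` are hypothetical names, the base URL and Authorization header value are supplied by the caller, and the success body is returned unparsed because its layout is not shown on this page.

```python
import json
import urllib.error
import urllib.request

TOKEN, KEYGEN = "/rest/token", "/rest/token/apiKeygen"

def http_sender(base_url, auth_header):
    """Real transport; base_url and the Authorization value are caller-supplied."""
    def send(method, path):
        req = urllib.request.Request(base_url + path, method=method,
                                     headers={"Authorization": auth_header})
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:  # 400/409 bodies carry meta.message
            return err.code, json.loads(err.read() or b"{}")
    return send

def msg_of(body):
    return body.get("meta", {}).get("message", "")

def refresh_token(send):
    """Return (response_body, trail); trail holds method/path/status only."""
    trail = []
    def call(method, path):
        status, body = send(method, path)
        trail.append(f"{method} {path} -> {status}")
        return status, body

    status, body = call("GET", TOKEN + "?revokeExistingToken=true")
    if status == 400 and "signing keys do not exist" in msg_of(body):
        status, body = call("POST", KEYGEN)
        if status == 400 and "Expired signing key" in msg_of(body):
            call("GET", TOKEN + "/signingKeyExpiration")  # kept in trail for the operator
            call("DELETE", TOKEN + "/deleteKey")
            status, body = call("POST", KEYGEN)
        if status >= 400:
            raise RuntimeError(f"key pair generation failed: {msg_of(body)}")
        status, body = call("GET", TOKEN)
        if status == 409:  # token already defined: revoke it explicitly
            status, body = call("GET", TOKEN + "?revokeExistingToken=true")
    if status >= 400:
        raise RuntimeError(f"token request failed ({status}): {msg_of(body)}")
    return body, trail
```

Because the request revokes the existing token, update the Secret Token in Azure Entra ID right after a successful run.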

Updating Your Secret Token in Azure Entra ID

After generating the new Long-lived Bearer Token, you will need to add it to your Azure Entra ID Enterprise App for Jama Connect under the "provisioning" blade, as shown in the screenshots below.