Using the SCIM specification, you can automatically import users from your Identity Provider (such as Active Directory) into evaluagent.
Prerequisites
To set up user management from a third party in evaluagent, you will need a role that includes the Manage security settings permission.
To provision users to evaluagent, you must be using one of the supported third-party user management solutions listed below.
Currently Supported Solutions
Azure Active Directory / EntraID
Okta
If the solution you are using is supported, proceed through this guide to get set up and allow users to be synchronized.
Getting Started
Navigation Prompt
Go to SETTINGS > click SECURITY SETTINGS > click the tab, SCIM PROVISIONING > click the button, GENERATE
You may see a spinning icon for a few seconds while the request is being processed.
Upon completion, you will see two fields:
SCIM Provision URL
SCIM Secret
Please Note
The SCIM Secret will only be shown once, and thereafter, only the URL will be visible when you revisit the page. This is an intentional security feature.
Take note of the URL and the Secret displayed here, as they will be required later when setting up your application in Azure Active Directory/EntraID.
In terms of setting up on evaluagent, that is it. Next, we will look at what you need to do in Azure.
Setting up on Azure Active Directory/EntraID
First, you must ensure you have the relevant permissions in Azure to manage users, groups, and other enterprise applications.
Creating the application
This part of the process is temporary while our application is pending review from Microsoft.
Click on Enterprise Applications located on the sidebar on the left and then click New Application.
Select Create your own application on the row of controls along the top. The Create your own application details panel will slide out from the right.
Provide the application name (e.g., evaluagent) and select the bottom radio button option that reads Integrate any other application you don't find in the gallery. Once done, click Create.
Group Creation
Next, navigate to the Group Creation screen and create an evaluagent access group. This name can be anything you like, but ideally it would include "evaluagent" in the title to make it easily identifiable.
Ensure that the Group Type is set to Security and the Membership Type is set to Assigned. Assign an owner to the group and click Create.
Once your group has been created, click Enterprise applications on the sidebar and select the evaluagent application.
You can add as many groups as you like. However, it is important to note that this will not filter down to nested groups -- they would need to be added individually.
Next, set up the connection details so that Azure knows how to connect with evaluagent and where to send the data.
In the left-hand sidebar, click Provisioning and then click Get Started. In the Provisioning Mode dropdown, select the Automatic option. When you do, the rest of the user interface will display.
Attribute Mapping
Next, there are some default Azure mappings that need to be changed. The accordion below Admin Credentials should be Mappings. Open that and click on Provision Azure Active Directory Users.
Click on the row, and the Edit attribute panel will slide out from the right. From there, select Yes in the dropdown labelled Match objects using this attribute and set the value in the field Matching precedence to 2. Ensure that Apply this mapping is set to Always.
Provisioning
Once the mappings are completed, save them and navigate back to the Provisioning tab. Click Start Provisioning so Azure starts sending data to evaluagent.
Please Note
The initial cycle can take up to 40 minutes to provide data to evaluagent.
Only users who are assigned to the group we assigned to the application will be considered applicable by Azure for provisioning. If they are not in a group assigned to the application, Azure will skip over them.
Handling third-party users in evaluagent
Once users are being sent from Azure to evaluagent, they will be placed into a "Pending" state and action will be required to activate them, similar to how manual user creation works.
Navigation Prompt
Go to USER MANAGEMENT > click ADD & EDIT USERS > review users with the label, PENDING
If there are pending users that need to be actioned, a count in the Pending Users tab shows at a glance whether any users are waiting.
When a third-party user management solution is used on a contract, manual user creation is disabled in evaluagent, as user management should be handled through the third-party platform.
FAQs
Why are certain users being skipped from provisioning?
This could occur for two reasons:
The user is not in a group that is assigned to the evaluagent application and is therefore not seen by Azure as eligible for provisioning out of Active Directory.
The user is missing an attribute that has a matching precedence, such as a username or email address.
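The two skip reasons above, together with the nested-group caveat from the Group Creation section, can be checked against a directory export before you start provisioning. The following is an added example, not code from evaluagent or Microsoft; the data layout, the function name and the choice of userName and mail as matching attributes are assumptions made for illustration.

```python
# Added example on constructed data; this is not an Azure or evaluagent export format.
# Assumption: the attributes with a matching precedence are userName and mail.
MATCHING_ATTRIBUTES = ("userName", "mail")


def provisioning_report(users, groups, assigned_groups):
    """Return {user_id: [reasons]} for each user that would be skipped.
    users: {id: {attr: value}}; groups: {name: {"members": [...], "nested": [...]}};
    assigned_groups: group names assigned to the enterprise application."""
    # Only direct members of an assigned group count; nested groups are not expanded.
    in_scope = set()
    for name in assigned_groups:
        in_scope.update(groups.get(name, {}).get("members", []))

    # Users reachable only through a nested group get a more precise reason.
    nested_only = set()
    for name in assigned_groups:
        for child in groups.get(name, {}).get("nested", []):
            nested_only.update(groups.get(child, {}).get("members", []))
    nested_only -= in_scope

    report = {}
    for user_id, attrs in users.items():
        reasons = []
        if user_id in nested_only:
            reasons.append("member of a nested group only; assign that group directly")
        elif user_id not in in_scope:
            reasons.append("not in a group assigned to the application")
        missing = [a for a in MATCHING_ATTRIBUTES if not str(attrs.get(a) or "").strip()]
        if missing:
            reasons.append("missing matching attribute: " + ", ".join(missing))
        if reasons:
            report[user_id] = reasons
    return report


# Constructed sample directory (hypothetical users and group names).
USERS = {
    "u1": {"userName": "ana@example.com", "mail": "ana@example.com"},
    "u2": {"userName": "ben@example.com", "mail": ""},
    "u3": {"userName": "cy@example.com", "mail": "cy@example.com"},
    "u4": {"userName": "di@example.com", "mail": "di@example.com"},
}
GROUPS = {
    "evaluagent-access": {"members": ["u1", "u2"], "nested": ["evaluagent-emea"]},
    "evaluagent-emea": {"members": ["u3"], "nested": []},
}

print(provisioning_report(USERS, GROUPS, ["evaluagent-access"]))
```

Assigning the nested group to the application as well removes its members from the report, which matches the guidance to add nested groups individually.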
Why does Azure say that the provisioning cycle has been quarantined?
This typically occurs when there has been an error in one of the attempts to communicate with evaluagent. Azure provides details of what happened in the Provisioning Logs. When a cycle is in quarantine, Azure will reattempt it in a later cycle, which is typically pushed back in time.
