Using the SCIM specification, you can automatically import users from your Identity Provider (such as Active Directory) in to EvaluAgent.
Table of contents
- Get Started
- Setting Up On EvaluAgent
- Setting Up On Azure Active Directory
- Creating The Application
- Group Creation
- Attribute Mapping
To allow you to set up user management from a third party in EvaluAgent you will need to have a role that includes the permission, Manage security settings.
To provision users to EvaluAgent, you must be using one of the supported third-party user management solutions that we support. This can be found below.
Currently Supported Solutions
- Azure Active Directory
If the solution you are using is supported then proceed through this guide to get set up and allow users to be synchronised.
You may see a spinning icon for a few seconds while we are processing your request.
Upon completion, you will be shown two fields SCIM Provision URL & SCIM Secret. It's very important to note that SCIM Secret will only be shown once and thereafter only the URL will be visible when you revisit the page. This is an intentional feature and is for the purposes of security.
Take a note of the URL and the Secret displayed here as it will be required later on when setting up your application in Azure Active Directory.
In terms of setting up on EvaluAgent, that's it! Next, we will look at what you need to do in Azure.
Setting up on Azure Active Directory
Firstly, you must ensure that you have relevant permissions on Azure to be able to manage users, groups and other enterprise applications.
Creating the application(temporary)
This part of the process is temporary whilst our application is pending review from Microsoft.
You will need to click on Enterprise Applications located on the sidebar on the left and then click New Application.
This will then open the application creation dialogue.
You will need to select Create your own application on the row of controls along the top. Upon doing this the Create your own application details panel will slide out from the right.
Provide the application name i.e EvaluAgent and select the bottom radio button option that reads Integrate any other application you don't find in the gallery. Once done, click Create.
This may take a moment to finalise and once it does you will be taken to the newly created application management screen.
Next, we will want to navigate to the Group Creation screen and create an EvaluAgent access group. This name can be anything you like as well as the description but ideally, it would be something identifiable with EvaluAgent in the title to make it more easily identifiable.
Ensure that the Group Type is set to Security and the Membership Type is set to Assigned. Lastly, assign an owner to the group and click Create.
Once your group has been created, click Enterprise applications which can be found on the sidebar to the left in Azure and select the EvaluAgent application.
Click on the Users and Groups option under Manage. You will need to add the group you previously created here. This group is the one that will be assigned only to users that need to be sent to EvaluAgent.
You can add as many groups as you like, however, it's important to note that this will not filter down to nested groups, as such they would need to be added individually.
Next, we will set up the connection details so that Azure knows how to connect with EvaluAgent and where to send the data.
In the left-hand sidebar, click Provisioning and from then click Get Started. In the Provisioning Mode dropdown, you will want to select the Automatic option. When you do, the rest of the user interface will display.
You should see an accordion with the name Admin Credentials. You will need the details you created earlier in EvaluAgent for this part of the process. In the Tenant URL you need to copy the SCIM Provision URL and in the Secret Token input you will need to copy the SCIM Secret. Once that is done, click test connection and Azure will verify that it can establish a secure connection with EvaluAgent. Once this has confirmed the connection has been successful, click save before we continue.
Next, there are some of the default Azure mappings that we need to change. The accordion below Admin Credentials should be Mappings. Open that and click on Provision Azure Active Directory Users.
In the mappings interface, you should see a field as highlighted below.
Click on the row and the Edit attribute panel will slide out from the right. From there, select yes on the dropdown labelled Match objects using this attribute and set the value in the field Matching precedence to have a value of 2 and ensure that Apply this mapping is selected as Always.
Your mappings should now look the same as below.
Once the mappings are completed, save them and navigate back to the Provisioning tab and you need to click Start Provisioning to Azure to start sending data to EvaluAgent.
Please Note: the initial cycle can take up to 40 minutes to provide data to EvaluAgent.
Only users that are assigned to the group we assigned to the application will be considered applicable by Azure for provisioning, if they aren't in a group assigned to the application, Azure will skip over them.
Handling third party users in EvaluAgent
Once users are being sent from Azure to EvaluAgent, they will be placed into a "Pending" state and action will be required to activate them, similar to how manual user creation would work.
If there are pending users that need to be actioned, there will be a count in the Pending Users tab to allow you to see at a glance if there are any users waiting.
When a third party user management solution is being used on a contract, we disable manual user creation in EvaluAgent as this should be done via the third party.
When a user is pending, you can click on the Pending status button and the edit modal will open, you will see that the forename, surname, email and username fields are locked and unable to be edited. Only fields specific to EvaluAgent will be open for editing.
Why are certain users being skipped from provisioning?
This could occur for two reasons.
- The user is not in an assigned group that is assigned to the EvaluAgent group and therefor is not seen by Azure as being eligible for provisioning out of Active Directory.
- The user has a missing attribute that is has a matching precedent such as a username or email address.
Why does Azure say that the provisioning cycle has been quarantined?
This typically occurs when there has been an error in one of the attempts to communicate with EvaluAgent. Azure will provide details of what happened if you look in the Provisioning Logs. When a cycle is in quarantine, it will reattempt it in a later cycle which is typically pushed back in time.
Please sign in to leave a comment.