Configuring User Provisioning

Workteam supports user provisioning and de-provisioning using SCIM, a System for Cross-domain Identity Management. If your organization uses an identity provider that supports SCIM, such as Okta or Microsoft Azure Active Directory, then you can configure Workteam to automatically provision and de-provision users by synchronising accounts from the identity provider down to Workteam.

SCIM Support for Okta

Workteam supports the following features:

| Feature | Description |
| --- | --- |
| Create Users | New or existing users in Okta will be pushed to Workteam as new users. |
| Update User Attributes | Updates to user profiles in Okta will be pushed to Workteam. |
| Deactivate Users | Users deactivated in Okta will be automatically deactivated in Workteam. Deactivated users can also be re-assigned from Okta to reactivate them in Workteam. |
| Import Users | Users may be imported from Workteam into Okta. |
| Sync Password | The Workteam password may be set by Okta. |

The following attributes are synchronized between Okta and Workteam:

| Attribute | Description |
| --- | --- |
| email | The user’s primary email address |
| givenName | The user’s first name |
| familyName | The user’s surname |
| displayName | The display name for the user |
| title | The user’s job title |
| nickname | The user’s preferred name |
| department | The department the user belongs to |
| managerValue | The Workteam id of the person that manages the user |

Configuration

To configure Workteam for Okta SCIM support, the account must be a paid account. Go to Organization Settings in Workteam and in the Single Sign On & User Provisioning pane, press the settings button at the top right corner of the SCIM User Provisioning box. The SCIM Settings dialog box is shown. Press the Generate Bearer Token button, select the Enabled button and make a note of the Base URL and the Bearer token, prior to pressing OK.

  1. In Okta, log in as an administrator, go to the applications menu and click on the Workteam application.
  2. Click on the Provisioning tab and choose API Integration from the Settings menu.
  3. Press the EDIT button next to API Integration and enter the Base URL (from the Workteam User Provisioning Settings) into the Scim 2.0 Base URL field. Then copy the Bearer token from the Workteam User Provisioning Settings and enter it into the OAuth Bearer Token field.
  4. Press the Test API Credentials button to ensure that the details were entered correctly. Then press the SAVE button.
  5. Select the Assignments tab, press the Assign drop down button and choose Assign to People. Then in the Assign Workteam SCIM To People dialog box, assign the relevant people to Workteam.

Known issues / Troubleshooting

It is not currently possible to update the email / username of the user in Okta and have this reflected in Workteam.

SCIM Support for Microsoft Azure AD

To configure Microsoft Azure to provision users to Workteam, first create a new enterprise application in the Azure portal and choose Non-gallery application.

Note that in order to proceed you must have a Premium P2 Azure subscription, which supports SCIM.

Enter a name for the application (e.g. Workteam) and press the Add button. Select the Provisioning menu item from the left-hand tab of the enterprise application and choose “Automatic” from the Provisioning Mode drop down list.

In the Admin Credentials, you must enter a Tenant URL and a Secret token. You can get both of these pieces of information by selecting the Settings tab of Organization Settings in Workteam and clicking on the cog icon in the SCIM User Provisioning integration in the Integrations panel.

You should copy the Base URL field and enter it into the Tenant URL in the Azure portal. Then press the Generate Bearer Token button in Workteam SCIM Settings dialog and paste the value that is generated into the Secret token field in the Azure portal.

Press OK on the SCIM Settings dialog in Workteam and ensure that you turn on the SCIM User Provisioning integration by clicking at the bottom of the integration.

To test that you have configured Workteam and Azure correctly, press the Test Connection button in Azure and ensure that a successful test is completed.

Azure will then start synchronising the users from Azure into Workteam. If you want to replicate the organization structure that is defined in Azure then you must make a change to the mappings in Azure. Click on Synchronize Azure Active Directory Users to customappsso in the Azure portal and press Show Advanced Options at the bottom of the page that appears.

Click “Edit attribute list for customappsso”. Check whether the Edit Attribute List contains an entry named “urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager”. If it does not exist, go to the bottom of the list and enter “urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager” into the leftmost Name field. In the adjacent Type field, select Reference and then in the last field (Referenced Object), select urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.id.

Press Save and then back in the Attribute Mapping screen, press Add New Mapping at the bottom of the list. In the source attribute drop down, select manager. In the Target attribute drop down, select urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager. Leave all other settings unchanged and press Save.

If a synchronisation has already occurred, instruct Azure to restart the synchronisation from scratch by selecting the “Clear current state and restart synchronisation” checkbox and pressing Save. Azure will synchronize users within the next hour.
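
To show what the synchronized attributes listed for Okta and the manager mapping configured for Azure look like on the wire, the following added example (not Workteam, Okta or Azure code) builds a standard SCIM 2.0 User resource, a deactivation PatchOp and a bearer-authenticated request. The base URL, token and ids are placeholders, and using the email as userName and PATCH for deactivation are assumptions about the exchange.

```python
import json
import urllib.request

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def scim_user(attrs):
    """Map the flat attribute names from the table onto a SCIM 2.0 User."""
    user = {
        "schemas": [CORE],
        "userName": attrs["email"],  # assumption: username equals email
        "name": {"givenName": attrs["givenName"],
                 "familyName": attrs["familyName"]},
        "emails": [{"value": attrs["email"], "primary": True}],
        "active": True,
    }
    for src, dst in (("displayName", "displayName"), ("title", "title"),
                     ("nickname", "nickName")):
        if attrs.get(src):
            user[dst] = attrs[src]
    ext = {}
    if attrs.get("department"):
        ext["department"] = attrs["department"]
    if attrs.get("managerValue"):
        # manager is a complex attribute; its "value" holds the manager's id
        ext["manager"] = {"value": attrs["managerValue"]}
    if ext:  # declare the enterprise extension only when it is used
        user["schemas"].append(ENTERPRISE)
        user[ENTERPRISE] = ext
    return user

def deactivate_patch():
    """PatchOp body that marks a user inactive (de-provisioning)."""
    return {"schemas": [PATCH_OP],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}

def build_request(base_url, token, body, path="/Users", method="POST"):
    """Build (but do not send) a SCIM request carrying the bearer token."""
    return urllib.request.Request(
        base_url.rstrip("/") + path,
        data=json.dumps(body).encode(),
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/scim+json"},
        method=method,
    )

# Constructed sample user; the manager id is a placeholder.
SAMPLE = {"email": "ana@example.com", "givenName": "Ana", "familyName": "Ruiz",
          "department": "Finance", "managerValue": "constructed-manager-id"}
```

Anyone holding the bearer token can create, modify or deactivate accounts through this interface, so it belongs in a secrets store rather than in scripts or tickets.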