OpenID User Provisioning

Related products: Indicium Service Tier

The support for integrating OpenID providers with the Thinkwise Platform is great, but also a very common functionality in modern applications. With support for the Microsoft Common tenant around the corner, another important improvement is delivered on the topic of Single Sign-On capabilities.

As already referred to by Vincent in this blog from almost 1.5 years ago, the next step is User Provisioning (sometimes called Application Provisioning or Identity Provisioning). That feature helps streamline and automate the creation of new users within an organization, including a pre-defined set of Roles & Rights.

For the Thinkwise Platform, User Provisioning would entail both the creation of a User and the assigning of applicable User Groups.

Not a new Idea, since it's already on the Indicium backlog, but by raising it as an Idea and putting it up for a vote I hope we'll manage to move it higher up the agenda!

Hi Arie,

This one is planned for the 2022.2 release in June. Support for the Microsoft 'common' tenant will be available in a few weeks.


Updated idea status: New → Planned

Updated idea status: Planned → Working on it!

Updated idea status: Working on it! → Next release

Updated idea status: Next release → Completed

Great stuff, we plan on using it pretty soon!

@Jasper Out of curiosity: are you planning to register Thinkwise as a Gallery app at Azure AD? Might make it even simpler for your customers to set up SSO and User Provisioning.

https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/v2-howto-app-gallery-listing 


We got it up and running today very easily. In addition to the Docs, we had to add the following Claims to IAM manually for setting up Azure AD User Provisioning:

  • given_name → to map to First name in the IAM User Template
  • family_name → to map to Surname in the IAM User Template
  • groups → to map to User Group in the IAM User Group Template
    • Note that a Cloud-based Azure AD Group (not inherited from a local AD) only provides the Group ID, not a sAMAccountName

On the Azure AD side we simply had to go to the already existing App registration > Token configuration > Add groups claim

After recycling Indicium it worked as expected!
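
A pre-flight check for the claims listed in the post above, as an added example that is not part of the original thread or Thinkwise's own code: it decodes a test ID token and reports missing claims, the Azure AD groups overage case (where `_claim_names` replaces the `groups` list when a user is in more groups than fit in the token), and group values that are names rather than object IDs. The function names and all sample values are assumptions constructed for illustration.

```python
import base64
import json
import re

REQUIRED = ("given_name", "family_name", "groups")  # claims named in the post above
GUID = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)


def jwt_payload(token):
    """Decode a JWT payload WITHOUT verifying the signature.
    For inspecting a test token only, never for an access decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def check_provisioning_claims(claims):
    """Return findings; an empty list means the token carries what the mapping needs."""
    findings = []
    # Overage: Azure AD omits 'groups' and emits a pointer in '_claim_names' instead,
    # so group-based provisioning would silently see no groups for that user.
    overage = "groups" in claims.get("_claim_names", {})
    if overage:
        findings.append("groups overage: group list not in token")
    for name in REQUIRED:
        if name not in claims and not (name == "groups" and overage):
            findings.append(f"missing claim: {name}")
    for g in claims.get("groups", []):
        if not GUID.match(str(g)):
            findings.append(f"group is a name, not an object ID: {g}")
    return findings


def sample_token(claims):
    """Build a constructed, unsigned sample token (hypothetical helper for the demo)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    # Constructed claims: one cloud-only group (object ID) and one emitted by name.
    demo = {"given_name": "Ada", "family_name": "Example",
            "groups": ["11111111-2222-3333-4444-555555555555", "SalesTeam"]}
    for finding in check_provisioning_claims(jwt_payload(sample_token(demo))):
        print(finding)
```
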


Great stuff, we plan on using it pretty soon!

@Jasper Out of curiosity: are you planning to register Thinkwise as a Gallery app at Azure AD? Might make it even simpler for your customers to set up SSO and User Provisioning.

https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/v2-howto-app-gallery-listing 

Hi Arie,

I would very much like to do that, but I don't expect we'll get around to that anytime soon unfortunately.