The support for integrating Open ID providers with the Thinkwise Platform is great, but also a very common functionality in modern applications. With support for the Microsoft Common tenant around the corner, another important improvement is delivered on the topic of Single Sign-On capabilities.
As already referred to by Vincent in this blog from almost 1,5 years ago, the next step is User Provisioning (sometimes called Application Provisioning or Identity Provisioning). That feature helps streamline and automate the creation of new users within an organization, including a pre-defined set of Roles & Rights.
For the Thinkwise Platform User Provisioning would entail both the creation of a User and the assigning of applicable User Groups.
Not a new Idea, since it's already on the Indicium backlog, but by raising it as Idea and putting it up for a vote I hope we'll manage to move it higher up the agenda!
Hi Arie,
This one is planned for the 2022.2 release in June. Support for the Microsoft ‘common' tenant will be available in a few weeks.
Great stuff, we plan on using it pretty soon!
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/v2-howto-app-gallery-listing
We got it up and running today very easily. In addition to the Docs, we had to add the following Claims to IAM manually for setting up Azure AD User Provisioning:
On the Azure AD side we simply had to go the already existing App registration > Token configuration > Add groups claim
After recycling Indicium it worked as expected!
Great stuff, we plan on using it pretty soon!
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/v2-howto-app-gallery-listing
Hi Arie,
I would very much like to do that, but I don't expect we'll get around to that anytime soon unfortunately.
The failed one has the following entry in the Log field:
The successful one has the following entry in the Log field:
We got it up and running today very easily. In addition to the Docs, we had to add the following Claims to IAM manually for setting up Azure AD User Provisioning:
On the Azure AD side we simply had to go the already existing App registration > Token configuration > Add groups claim
After recycling Indicium it worked as expected!
Hi Arie,
These valuable additions are now documented in topics:
Hello Arie,
I think that these two points share the same underlying issue. There has been a small misunderstanding between IAM and Indicium which we did not catch ourselves because in our test environment, the pool user does have usr_admin rights in IAM. With that said, I would not recommend this configuration for you. The ideal scenario is that the pool user does not exist as a user in IAM. I will make sure that this issue is resolved in the upcoming 2022.2.15 release of Indicium.
Can you elaborate on this? Do you mean that you would like this user data to be provisioned when the user does not exist but not be updated when the user does exist? If so, then I would recommend creating an Idea for this. More granular control over what is and is not updated would have to be added as a new platform feature.
You can set extension attributes which can be emitted as optional claims, but this does not seem to be a very useful solution. It looks like these extension attributes need to be set for every user. Sadly, there doesn’t seem to be a great way to achieve this. Calling the Graph API yourself might be your best bet.
I hope this helps.
Well, let's take Gender as example here. I can add a Default value in the User template (f.e. Unknown). But for most of the Users I know their Gender, so we have set this previously or could update this manually on Users that exist in the IAM database. If the User provisioning would then update it back to Unknown the next time they login, that'd be unwanted. But how would the logic deal with this if we would set the Gender in the User Provisioning - User template to null? It is a mandatory field on the usr_general table. Will it use the Default set on that table if mapped as null in the User template and would it leave the Gender be for existing Users? That would suffice at this stage I suppose.
I suppose you're talking about this feature? https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-schema-extensions
It does sound as if it might work to add some additional fields, but then the possibility to map these values in the User template in IAM is missing. So in order to map f.e. CompanyName / Phone no / Employee ID, changes in IAM User Template functionality would be needed too.
Hello Arie,
Yes.
I understand what you mean. From a quick glance at the stored procedure that is called, it appears to me that it disregards any current value of the gender column in usr_general and updates the gender according to this priority:
So yes, if the claim is not mapped or the Identity Provider does not return it, it will always be updated to Unknown, even if you don't have a default value in the user template. I see how this can be an issue.
Yes, I'm talking about that feature. I have never tried it myself, but at face value it seemed very cumbersome to use, but perhaps it’s not that bad. For fields like Company name and and Employee identifier, you are correct, changes to IAM would be required and I would recommend creating an Idea for this. The Phone number field, however, is included in the template. So if you can get Azure AD to emit a phone number claim, then you can simply add this claim manually (assuming it cannot be discovered through the task that parses the metadata) and map it in the template.
I hope this helps.
There is currently indeed no way to prevent certain user fields from being updated in the same manner as they would be set when the user would be provisioned.
The following fields will always be updated:
There are some exceptions for fields that have functional impact in the application - they will be provisioned once but they will not be automatically updated.
Furthermore, the default allowed user preferences settings will be applied but will not b updated.
While a default value for mandatory fields will be necessary for provisioning, having the ability to explicitly override the provisioned value at the user record or explicitly excluding a field from future updates in the user mapping sounds like a valuable addition to the current mechanism.
Please feel free to create a ticket for this.
Hello Arie,
One more update regarding this:
Upon further investigation we have decided that this needs to be fixed in IAM and not in Indicium. So there won’t be a fix in Indicium version 2022.2.15, but we will release a hotfix for IAM as soon as possible.
Hello Arie,
The mentioned hotfix for IAM has been released.
The mentioned hotfix for IAM has been released.
I intend to hold off from applying this on our PROD environment pending a fix for TCP 4905S though.