Versions Compared

Old Version 2

changes.mady.by.user Phillip Hanegan

Saved on

compared with

New Version 3

changes.mady.by.user Phillip Hanegan

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Insert excerpt
IL:External Directory Prerequisites
IL:External Directory Prerequisites
nopaneltrue

EmpowerID Azure AD SCIM connector allows organizations to bring the user and group data in their Box system to EmpowerID, where it can be managed and synchronized with data in any connected back-end user directories. Once connected, you can manage this data from EmpowerID in the following ways:

  • Account Management

    • Inventory Azure AD user accounts

    • Create, Update and Delete Azure AD user accounts

    • Enable and Disable Azure AD user accounts

    • Update passwords for Azure AD user accounts

  • Group Management

    • Inventory Azure AD groups

    • Inventory Azure AD group memberships

    • Create and Delete Azure AD groups

    • Add and Remove members to and from Azure AD groups

  • Attribute Flow
    Users in Azure AD are inventoried as accounts in EmpowerID, which are then linked EmpowerID Person objects. The below table shows the attribute mappings of Box user attributes to EmpowerID Person attributes.

Azure AD Attribute

Corresponding EmpowerID Attribute

Description

Name

Name

Name of the user

name.familyName

LastName

Last name of the user

name.givenName

FirstName

First name of the user

name.middleName

MiddleName

Middle name of the user

displayName

FriendlyName

Display Name of the user

name.honorificSuffix

GenerationalSuffix

title

Title

Title of the user

email[?(@type=='work')].value

Email

Work email address of the user

['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].['department']

Department

Department of the user

['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].['EmployeeNumber']

EmployeeID

Employee ID of the user

addresses[?(@.type=='work')].streetAddress

StreetAddress

Street address of the user

addresses[?(@.type=='work')].locality

City

City in which the user resides or works

addresses[?(@.type=='work')].region

State

State in which the user resides or works

addresses[?(@.type=='work')].country

Country

Country of the user

addresses[?(@.type=='work')].postalCode

PostalCode

Postal code of the user

phoneNumbers[?(@.type=='home')].value

HomeTelephone

Home telephone of the user

preferredLanguage

PreferredLanguage

Preferred language of the user

phoneNumbers[?(@.type=='other')].value

Telephone

Telephone number for the person

phoneNumbers[?(@.type=='fax')].value

Fax

Fax number for the person

Additionally, EmpowerID provides Provisioning policies or Resource Entitlements that allow you to automatically provision Azure AD user accounts for any person within your organization based on your policy requirements.

Note

To connect EmpowerID to Azure AD, In order to connect EmpowerID to Azure AD, the following prerequisites need to be met:

  1. Your organization must have an Azure subscription with Azure Active Directory.

  2. You need to register an application for EmpowerID in Azure Active Directory in the Registering an application for EmpowerID in Azure AD topic.

  3. You need to create an App Service in EmpowerID by following the instructions outlined in the Creating an App Service in Azure topic.

  4. You need to publish the EmpowerID SCIM Microservice to your Azure tenant by following the instructions outlined in the Publishing the EmpowerID SCIM Microservice to Azure topic.

EmpowerID “Proxy” or Connection Account Requirements

EmpowerID uses highly privileged user accounts when connecting to user directories such as Azure Active Directory, LDAP or database systems. These user "account stores" use saved proxy accounts for connecting to these systems and performing user account management operations. EmpowerID requires one privileged account per domain or directory. This account requires all of the privileges matching the functions that EmpowerID may perform (user creation, deletion, password reset, group creation, etc).

To create an Azure AD SCIM account store in EmpowerID

  1. On the navbar, expand Admin > Applications and Directories and then click Account Stores and Systems.

  2. On the Account Stores page, click Create Account Store.

    Image Added

  3. Under System Types, search for Azure AD SCIM.

  4. Click Azure AD SCIM to select the type and then click Submit.

    Image Added

  5. On the Azure AD SCIM settings page that appears, fill in the following information:

    1. Account Store Name — Enter a name for the Azure AD SCIM account store.

    2.  App Service Url — Enter the URL for the Azure App Service.

    3. Name Format — Leave blank.

    4. Friendly Name Format — Leave blank.

    5. Group Logon Name Format — Leave blank.

    6. ExternalSysSupportGetDeleted — Choose this option.

    7. ExternalSystemSupportIncrementalMember — Choose this option.

    8. Application ID — Enter the ID for the EmpowerID application you registered for EmpowerID in Azure AD.

    9. Tenant ID — Enter the ID of your Tenant.

    10. Auth Certificate Thumbprint — Enter the thumbprint of the certificate you uploaded for the application.

      Image Added

  6. When ready, click Submit to create the account store.

  7. EmpowerID creates the account store and the associated resource system. The next step is to configure attribute flow between the account store and EmpowerID.

Insert excerpt
IL:Configure Attribute Flow Rules
IL:Configure Attribute Flow Rules
nopaneltrue
Now that the attribute flow has been set, the next steps include configuring the account store and enabling EmpowerID to inventory it.

To configure account store settings

  1. On the Account Store and Resource System page, click the Account Store tab and then click the pencil icon to put the account store in edit mode.

    Image Added


    This opens the edit page for the account store. This page allows you to specify the account proxy used to connect EmpowerID to your Azure AD as well as how you want EmpowerID to handle the user information it discovers during inventory. Settings that can be edited are described in the table below the image.

    Image Added


    Insert excerpt
    IL:Azure Account Store Settings
    IL:Azure Account Store Settings
    nopaneltrue

Now that everything is configured, you can enable the Account Inbox Permanent Workflow and monitor inventory. Be sure inventory is enabled on the account store settings page.

Insert excerpt
IL:Enable Account Inbox PW
IL:Enable Account Inbox PW
nopaneltrue

Insert excerpt
IL:Monitor Inventory
IL:Monitor Inventory
nopaneltrue

Div
stylefloat: left; position: fixed;padding: 5px;

Live Search
sizelarge
labels2020

IN THIS ARTICLE

Table of Contents
maxLevel4
minLevel2
stylenone