Account Management



Learn how you can create, update, and deactivate user accounts on Workplace.
Following the industry trend of migration towards cloud IdP solutions, we have decided to sunset the ADSync solution on August 5, 2021, after which our team will no longer provide support or software updates. Starting today, you will no longer be able to deploy the ADSync solution to new Workplace communities. For security reasons, we will sunset the current (v15) and all previous versions of the ADSync support software on December 31, 2020.
Which cloud IdP solutions does Workplace integrate with?
Workplace integrates with many IdP solutions, including Microsoft Azure AD, Okta, Harbor, G Suite, OneLogin, and Connect by Azuronaut. We encourage you to visit our Integration Directory for a full list of IdP solutions we partner with. We recommend Microsoft Azure AD as a viable alternative to the current ADSync solution; you can follow the steps described here to complete the migration.

What if I’m not ready to migrate to a cloud provider?
Should you prefer not to migrate to a cloud provider at this moment, we encourage you to update your ADSync support software to the newly released version (v16) as described, which will continue to function until August 5, 2021.
Overview

Since the Workplace Active Directory Sync (also called AD Sync hereafter) product is being deprecated, we've worked together with the Microsoft team to present this guide to help you migrate to Microsoft Azure Active Directory.

Architecture Overview

Scenarios

There are two main scenarios you may encounter when integrating Workplace with Azure Active Directory:

Follow these steps if you are not sure:

Integrate your On-Premises Active Directory with Azure Active Directory

If your organization does not have an Azure Tenant you will need to create one.
More information: Quickstart: Set up a tenant

Azure AD Connect

It's a Microsoft tool designed to meet and accomplish your hybrid identity goals. It provides the following features:

  • Password hash synchronization - A sign-in method that synchronizes a hash of each user's on-premises AD password with Azure AD.
  • Pass-through authentication - A sign-in method that allows Azure AD users to authenticate against your on-premises Active Directory, but doesn't require the additional infrastructure of a federated environment.
  • Federated authentication - Federation management is an optional part of Azure AD Connect and can be used to configure a hybrid environment using an on-premises AD FS infrastructure. It also provides AD FS management capabilities such as certificate renewal and additional AD FS server deployments.
  • Synchronization - Responsible for creating users, groups, and other objects, as well as making sure identity information for your on-premises users and groups is consistent between on-premises Active Directory and Azure AD. This synchronization can also include password hashes.
  • Health Monitoring - Azure AD Connect Health can provide robust monitoring and provide a central location in the Azure portal to view this activity.
Azure AD Connect

The Azure Active Directory Connect synchronization services (Azure AD Connect sync) is a main component of Azure AD Connect. It takes care of all the operations that are related to synchronizing identity data between your on-premises environment and Azure AD. Azure AD Connect sync is the successor of DirSync, Azure AD Sync, and Forefront Identity Manager with the Azure Active Directory Connector configured.

Azure AD Connect Cloud Provisioning

Azure AD Connect cloud provisioning is a new Microsoft agent designed to meet and accomplish your hybrid identity goals for synchronization of users, groups and contacts to Azure AD. It can be used alongside Azure AD Connect sync or alone.

How are they different?

With Azure AD Connect cloud provisioning, provisioning from on-premises Active Directory to Azure AD is orchestrated in Microsoft Online Services. An organization only needs to deploy, in their on-premises and IaaS-hosted environment, a lightweight agent that acts as a bridge between Azure AD and on-premises Active Directory. The provisioning configuration is stored in Azure AD and managed as part of the service.

More information:

Integrate Azure Active Directory Automatic Provisioning with Workplace

If your organization does not possess either Azure Active Directory Premium P1 or P2 licensing for all users who will be provisioned, we recommend using attribute-based scoping rather than group-based assignment.

Group-based assignment of users

If you don't already have applicable groups, you can use Azure Active Directory's Dynamic Groups feature to create a group where only users meeting specified conditions are added as members. Dynamic group membership reduces the administrative overhead of adding and removing users.

More information: Dynamic membership rules for groups in Azure Active Directory

Whether with an existing group or an Azure AD Dynamic Group, assigning a group of users to the Azure AD Enterprise Application is as simple as:

  • Go to the Workplace Enterprise Application in the Azure portal, click "Users and Groups" and add the group(s)
  • After adding Workplace administrator credentials, on the provisioning blade of the Workplace Enterprise Application, ensure that the "Sync only assigned users and groups" option is set under Scope.

Attribute-based scoping of users

Instead of group-based assignment of users to the Workplace Enterprise App, the other option which does not require Azure AD Premium licensing is to use "Sync all users and groups" in combination with attribute-based scoping filters.

A scoping filter allows the Azure Active Directory provisioning service to include or exclude any users who have attribute values matching one or more specified conditions. For example, when provisioning users from Azure AD to a SaaS application (i.e. Workplace) used by a sales team, you can specify that only users with a "Department" attribute of "Sales" should be in scope for provisioning.

Scoping filters can be configured in the Enterprise Application's Provisioning tab in the Mappings section. Scoping filters can be used as your only method of controlling which users are provisioned into Workplace, or in combination with the group-based assignment feature detailed above.

More information: Attribute-based application provisioning with scoping filters
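To make the scoping semantics concrete, here is an added example (not code from Workplace or Microsoft) that evaluates scoping filters over a constructed set of user records the way the text describes: clauses inside one filter are ANDed, separate filters are ORed, and the "Department equals Sales" case from the paragraph above is the first filter. The operator names are modelled on the Azure AD scoping-filter editor, and the handling of a user who lacks the referenced attribute is an assumption noted in the code.

```python
import re

# Constructed sample of the user objects the provisioning service would evaluate
# (not real accounts; "di" has no department attribute at all).
USERS = [
    {"upn": "ana@example.com", "department": "Sales", "accountEnabled": True},
    {"upn": "bo@example.com", "department": "Engineering", "accountEnabled": True},
    {"upn": "cy@example.com", "department": "Sales", "accountEnabled": False},
    {"upn": "di@example.com", "accountEnabled": True},
]

# Operators modelled on those offered in the Azure AD scoping-filter editor
# (assumption: only a subset, named as in the portal).
def clause_holds(value, operator, target):
    if operator == "EQUALS":
        return str(value) == target
    if operator == "NOT EQUALS":
        return str(value) != target
    if operator == "IS TRUE":
        return value is True
    if operator == "IS FALSE":
        return value is False
    if operator == "REGEX MATCH":
        return re.search(target, str(value)) is not None
    if operator == "NOT REGEX MATCH":
        return re.search(target, str(value)) is None
    raise ValueError(f"unsupported operator: {operator}")

def in_scope(user, filters):
    """filters: list of scoping filters, each a list of (attribute, operator, value)
    clauses. Clauses within one filter are ANDed, separate filters are ORed.
    With no filter configured every user is in scope ("Sync all users and groups");
    a user lacking a referenced attribute fails that clause (assumption)."""
    if not filters:
        return True
    for clauses in filters:
        if all(attr in user and clause_holds(user[attr], op, tgt)
               for attr, op, tgt in clauses):
            return True
    return False

def provisioned(users, filters):
    """UPNs that would be created or updated in Workplace under the given filters."""
    return [u["upn"] for u in users if in_scope(u, filters)]

# The case from the text: only enabled Sales users are provisioned.
SALES_ENABLED = [[("department", "EQUALS", "Sales"), ("accountEnabled", "IS TRUE", "")]]
# Two filters ORed: Sales or Engineering, regardless of enabled state.
SALES_OR_ENG = [[("department", "EQUALS", "Sales")], [("department", "EQUALS", "Engineering")]]
```

Note that with no scoping filter and "Sync all users and groups" selected, every user in the tenant is in scope, so a disabled or departed account is still provisioned until the filter or the source attribute excludes it.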

Sample steps to set up attribute-based application provisioning with scoping filters:

Important: If you are using "Attribute-based scoping of users" for provisioning, make sure you also go to the Properties panel of the SSO configuration described later and use the toggle to set "User assignment required?" to No.

If this option is set to no, then any users who navigate to the application deep-link URL or application URL directly will be granted access.

If this option is set to yes, then users must first be assigned to this application before being able to access it. This can only be achieved by assigning all users, by using group-based assignment, or by adding the users manually.

Creating and Configuring the Enterprise Application/Third Party Integration

You will need System Administrator credentials from Workplace and either Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator roles in Azure.

More information: Tutorial: Configure Workplace by Facebook for automatic user provisioning

Follow these sample steps to set up user provisioning:

Note:
After testing and saving your Workplace System Administrator credentials in the Enterprise App's Provisioning configuration, you will need to navigate away from the Enterprise Application or reload the page in your browser before you try to start the provisioning; otherwise the start of the provisioning process will fail.
After some time, you are going to see the following screen:

Extra: Configure the SSO using Azure as Identity Provider

Using the same Enterprise Application in Azure you can also set up SSO.

Step by step setup of SSO on both AzureAD and Workplace:

SSO URLs correspondence:

Azure                                    Workplace
Identifier (Entity ID)                   Audience URL
Reply URL (Assertion Consumer Service)   ACS URL
Sign On URL                              https://{your-subdomain}.workplace.com

Single Sign-On (SSO) Setup in Workplace

Workplace                     Azure
Name of the SSO Provider      Your custom name for the setup
SAML URL                      Login URL
SAML Issuer URL               Azure AD Identifier
SAML Logout URL (Optional)    Logout URL

Make sure you add the corresponding domains to the SSO configuration. These domains must be verified in Workplace:

Once the SSO is configured, you need to define the authentication method for your users. This can be SSO only, or a mix of authentication methods (some users log in with a password and others with SSO).
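The two correspondence tables above are what the service-provider side has to enforce on every assertion: the Audience must be the Workplace Audience URL (Azure's Identifier), the Recipient and Destination must be the Workplace ACS URL (Azure's Reply URL), and the Issuer must be the Azure AD Identifier (Workplace's SAML Issuer URL). The following added example (not Workplace or Microsoft code) checks exactly those bindings on a constructed, unsigned SAML Response; the URLs are placeholders to be replaced with the values shown on your own Workplace SSO page and Azure Enterprise Application, and signature validation is out of scope here.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Placeholder values standing in for what the Workplace SSO page shows (Audience URL,
# ACS URL) and what Azure shows as "Azure AD Identifier"; copy your real ones in.
WORKPLACE_SP = {"audience_url": "https://audience-url.placeholder.invalid",
                "acs_url": "https://acs-url.placeholder.invalid/saml"}
AZURE_IDP = {"saml_issuer_url": "https://sts.windows.net/TENANT-ID-PLACEHOLDER/"}

def sample_response(issuer, audience, recipient):
    """Constructed, unsigned SAML Response skeleton (signature checks are out of scope)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{recipient}">
  <saml:Assertion>
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>ana@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def binding_problems(xml_text, sp, idp):
    """Return the mismatches between the assertion and the configured SSO URLs.
    An empty list means every URL in the correspondence tables lines up."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != sp["acs_url"]:
        problems.append("Response Destination != Workplace ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != idp["saml_issuer_url"]:
        problems.append("Assertion Issuer != SAML Issuer URL (Azure AD Identifier)")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                  default="", namespaces=NS)
    if audience != sp["audience_url"]:
        problems.append("Audience != Workplace Audience URL (Azure Identifier)")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != sp["acs_url"]:
        problems.append("SubjectConfirmationData Recipient != Workplace ACS URL")
    return problems
```

A mismatch in any of these fields is the symptom you see when the Azure Identifier or Reply URL was typed differently from the Workplace Audience URL or ACS URL, so comparing them string-for-string is the first thing to check when SSO logins fail after setup.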

More information:

Reference
