
What different sync options are there?

There are three different syncs:

  • User Sync (BenePortal)

  • Directory sync of existing users

  • Directory sync of directory entries

User Sync is used for managing users in BenePortal.

Directory sync of existing users is used for keeping the directory information of users up to date. A user is someone who has Benemen services.

Directory sync of directory entries is used for creating, updating and removing directory entries in Benemen directory. A directory entry is just an object in the Benemen directory and does not have any Benemen services.

What is needed to configure AzureAD syncs?

For all Syncs:

  • An app registration must be added to the customer's AzureAD tenant.

For User Sync, the following must be defined:

  • AzureAD group of which members will be synced

  • Attribute mappings

  • Removal policy

  • Email address for sync reports

Directory sync of existing users:

  • Attribute mappings

Directory sync of directory entries:

  • AzureAD group of which members will be synced as directory entries

  • Attribute mappings

...

Which BenePortal fields can be mapped?

The following BenePortal fields are mandatory:

  • UserEmail

  • FirstName

  • LastName

  • ContractName

  • BillingContractName

  • CostCenter

The following BenePortal fields are optional:

  • AltEmail (Alternative email to send password recovery emails etc.)

  • UserCountry

  • UserRegion (TZ-format (Europe/Helsinki etc.))

  • UserLanguage (RFC 1766 format (fi-FI, en-GB etc.))

  • ExtAuthUserName

  • ExtAuthDomain

Can there be constant values or should all fields be mapped to AzureAD attributes?

BenePortal fields can have a constant value, an attribute mapping or both.

If a constant value is set but no attribute mapping, the constant value will always be used for all users.

If there are both a constant value and a mapping, the value for the field is first read from the mapped attribute. If the attribute is not set for a user, the constant value will be used.

Can there be multiple sync configurations?

If there is a need to have different configurations for different groups of users, multiple sync jobs can be configured.

For example, if there are users in two countries, and some values that are not found in AzureAD attributes should be set in BenePortal, we can set up two different sync jobs with different configurations.

There must then be a separate AzureAD group for each user sync job, and users to be synced must be a member of only one of these groups!

There are already existing users configured, how does user sync deal with them?

When SyncModule runs the user sync, it gets all users from three sources:

  • Local database (sync-job specific)

  • BenePortal

  • AzureAD

If there are users that are found in both BenePortal and AzureAD (username in BenePortal matches UPN in Azure), they are added to the local database and updated in BenePortal if needed. The user is now included in the sync, and future changes will be handled in the same way as for users created by SyncModule.

If there are users in BenePortal which are not found in AzureAD (username in BenePortal does not match any user received from AzureAD), they are left as is.

How is user removal done?

There are two options for user removals:

  • Inform only (default)

  • Automatic termination

By default, removed users are only added to the user sync report, and the actual removal must be done manually.

If automatic termination is used, the user and the user's services are terminated immediately. This option should be used only if there are no number porting needs or other similar cases requiring more controlled termination.

How are username changes handled?

In Benemen systems, email is used as the username, and changing it requires manual work by Benemen support.

Sync module keeps a local database of synced user objects, with the AzureAD objectId as the primary key. If the user's Email/UPN is changed in Azure, this is reported in the sync report for manual change.
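
The matching rules from the existing-users, removal and username-change answers above, written out as an added example (not Benemen's SyncModule code). The data shapes, the action names, the case-insensitive username comparison, and treating "removed" as "tracked locally but no longer in the AzureAD group" are all assumptions.

```python
# Added illustration of the reconciliation rules; not SyncModule's own code.

def plan_user_sync(local_db, portal_usernames, azure_members, auto_terminate=False):
    """Return (action, objectId or None, username) tuples for one sync job.

    local_db:         {objectId: upn} stored by earlier runs of this sync job
    portal_usernames: usernames (emails) that currently exist in BenePortal
    azure_members:    {objectId: upn} members of the job's AzureAD group
    """
    norm = lambda s: s.strip().lower()  # assumption: case-insensitive match
    portal = {norm(u) for u in portal_usernames}
    actions = []

    for oid, upn in sorted(azure_members.items()):
        if oid in local_db:
            if norm(local_db[oid]) != norm(upn):
                # Same objectId, new UPN: reported, the change itself is manual.
                actions.append(("report_username_change", oid, upn))
            else:
                actions.append(("update_if_needed", oid, upn))
        elif norm(upn) in portal:
            # Pre-existing BenePortal user whose username matches the UPN.
            actions.append(("adopt_existing", oid, upn))
        else:
            actions.append(("create", oid, upn))

    # Assumption: "removed" = tracked in local_db but no longer in the group.
    removal = "terminate" if auto_terminate else "report_removed"
    for oid, upn in sorted(local_db.items()):
        if oid not in azure_members:
            actions.append((removal, oid, upn))

    # BenePortal users never matched to AzureAD are left as is.
    managed = {norm(u) for u in azure_members.values()}
    managed |= {norm(u) for u in local_db.values()}
    for user in sorted(portal - managed):
        actions.append(("leave_untouched", None, user))
    return actions

# Constructed sample data.
LOCAL = {"oid-1": "anna@example.com", "oid-2": "ben@example.com",
         "oid-3": "cara@example.com"}
PORTAL = ["anna@example.com", "ben@example.com", "cara@example.com",
          "Dan@example.com", "legacy@example.com"]
AZURE = {"oid-1": "anna@example.com", "oid-2": "ben.new@example.com",
         "oid-4": "dan@example.com", "oid-5": "eve@example.com"}
```

Because tracked users are keyed on objectId rather than on the username, a changed UPN shows up as a reported rename instead of as one removal plus one new account.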

...