
How to provision users from Entra ID in Jostle

Table of contents

  1. User Provisioning
  2. About Jostle/Entra ID integration
  3. Setup Part 1: Jostle
  4. Setup Part 2: Microsoft Entra ID
  5. Setup Part 2 (alternate approach): Entra ID Integration - Custom application

User Provisioning

Currently, Jostle User Provisioning can only be used for integration with Entra ID or Okta. For more information about the User Provisioning API, please see this article.

About Jostle/Entra ID integration

Configuration

  • Requires a two-part setup: Jostle, then Entra ID
  • Once configured, user provisioning is one-way: Entra ID to Jostle

Supported provisions

  • Push New Users
    • New users created in Entra ID will be created in Jostle.
  • Push Profile Updates
    • Updates made to a user’s profile in Entra ID will be pushed to Jostle.
  • Push User Deactivation
    • Deactivating a user in Entra ID will deactivate them in Jostle.
  • Push User Reactivation
    • Reactivating a user in Entra ID will reactivate them in Jostle.

Note: Entra ID pushes its changes out in intervals, so it may take up to 40 minutes for a change to be reflected (alternatively, Entra ID has a Provision on-demand option that can be used to immediately push changes for a selected user).

Setup Part 1: Jostle

Automation account

Before you begin, a Jostle System Admin will need to create an Automation user in your Jostle platform. This will be the account used to configure the integration with Entra ID. Automation users can be created in Admin Settings > User Accounts and Data > Manage Automation Users. For more details on Automation users and how to create one, see this article.

Once created, the Automation user account must be activated (i.e. logged in to your platform at least once) before it can be used to configure Entra ID.

Manage user provisioning

All Jostle account subscriptions include SSO/User provisioning features. If they are not appearing on your account, you can contact your Customer Success Manager and they can assist you in getting them added.

The next step is to obtain the API URL and API key from Jostle, which a System Admin can do in Admin Settings > User Data To/From Other Systems > Manage User Provisioning (again, if you do not see "Manage user provisioning" here, contact your Customer Success Manager to have this page enabled in your Admin Settings).

Note: this page also includes a User Account Settings section where you can automatically invite and/or disable/suspend users:

To obtain the API URL and API key:

  1. On the Manage User Provisioning page, scroll down to the User Provisioning API Details section.
  2. Locate the Your Base URL field and click the Copy button to its right (and save the URL somewhere you can easily access it later).
  3. Next, click the "Add a new key..." button.
  4. On the following screen, go to the Automation User field and use the drop-down menu to select your Automation user account.
  5. In the Provisioning API key description field, give your key a name (e.g. “Entra ID”) and then click the Add button.
  6. Once your key is generated, make sure to copy it right away and save it where you saved your URL (since this will be the only time your key will appear).

Next, you’ll use the API URL and API key to configure the integration in Entra ID.

Setup Part 2: Microsoft Entra ID - Jostle App

Before you begin this part of the setup, consider which attributes you want to sync. If you're interested in more attributes, you may prefer to follow the alternate approach (Entra ID Integration - Custom application).

Provisioning

  1. Log in to portal.azure.com and go to Microsoft Entra ID
  2. From the left menu, select "Enterprise applications"
  3. In the top menu, click on "+ New application"
  4. In Search application enter "Jostle"
  5. Select the Jostle application from the results and then click "Create"
  6. From the left menu, select Provisioning and click "Get Started"
  7. On the Provisioning screen, go to the Provisioning Mode field and set it to Automatic

  8. Scroll down and click on Admin Credentials. In the Tenant URL field, enter Your Base URL (that you copied when you were creating your API key in Jostle). In the Secret Token field, enter the API key you created and copied.
  9. After you've entered the URL and API key, click Test Connection. There should be a message in the top right part of the window which says "The supplied credentials are authorized to enable provisioning".
  10. Go to the top of the screen and click "Save" to save the settings so far.
  11. Scroll back down and click on Mappings to open the next section.

Mapping

  1. Select Provision Azure Active Directory Users.
  2. Ensure that Enabled is set to "Yes".
  3. Optional: if you want to filter which users are synced to Jostle, configure the Source Object Scope.
  4. Once you are done specifying scope (optional), ensure that under Target Object Actions, the boxes next to Create, Update and Delete are all checked.
  5. The default mapping has Entra ID Attribute ‘mail’ mapped to SCIM work email. Since work email is required for Jostle, make sure you map this to a field where there will always be a value.
  6. Now add mappings for any additional fields by selecting Add New Mapping for each attribute, which opens a dialog on the right side of the screen. For each Jostle attribute below, enter the Mapping Type and Target Attribute shown, and for the Source attribute choose the Entra ID attribute that makes sense for that field (if you don't have anything suitable for a field, leave it out of the mapping):

    Jostle attribute | Mapping Type | Target Attribute
    Personal Email | Direct | emails[type eq "personal"].value
    Alternate Email 1 | Direct | emails[type eq "alternate1"].value
    Alternate Email 2 | Direct | emails[type eq "alternate2"].value
    Alternate Email 1 Label | Direct | urn:ietf:params:scim:schemas:extension:jostle:2.0:User:alternateEmail1Label
    Alternate Email 2 Label | Direct | urn:ietf:params:scim:schemas:extension:jostle:2.0:User:alternateEmail2Label
  7. Click Save and then Yes on the confirmation dialog.
  8. After the edits, the mapping will look something like this, but with the Entra ID attributes being the ones you chose for the mapping from your Entra ID:
  9. Click the X in the top right corner (under your name/avatar) to go back to Provisioning.
  10. In the Settings section, select the desired setting for Scope to sync only users assigned to this application or all users.
  11. In the Notification Email field, enter the email address where you want to receive alerts and then check the box next to "Send an email notification when a failure occurs" (NOTE—Jostle will also send provisioning failure notifications, so this is optional).
  12. Turn on provisioning by changing Provisioning Status to On and then click Save (you can click Refresh to update status)

Notes:

  • Some stats are available on the right: View provisioning details and View technical information
  • Audit and provisioning details can be viewed by going to View audit logs and View provisioning logs, respectively.

Setup Part 2 (alternate approach): Entra ID Integration - Custom application

Jostle’s Entra Provisioning app supports a limited group of attributes. If you wish to provision additional attributes, this can be done by creating a custom application.

  1. Log in to portal.azure.com and go to Azure Active Directory
  2. From the left menu, select Enterprise applications
  3. In the top menu, click on + New application
  4. In the top menu, click on + Create your own application
  5. Input an application name, select “Integrate any other application you don't find in the gallery (Non-gallery)”, and click Create
  6. From the left menu, select Provisioning and click Get Started
  7. On the Provisioning screen, go to the Provisioning Mode field and set it to "Automatic".
  8. Scroll down and click on Admin Credentials. In the Tenant URL field, enter Your Base URL (that you copied when you were creating your API key in Jostle). In the Secret Token field, enter the API key you created and copied.
  9. After you've entered the URL and API key, click Test Connection. There should be a message in the top right part of the window which says "The supplied credentials are authorized to enable provisioning".
  10. Go to the top of the screen and click "Save" to save the settings so far.
  11. Scroll down and click on Mappings to open the next section.
  12. Click Provision Microsoft Entra ID Groups
  13. Set Enabled to “No” and click "Save".

  14. Click the X at the top right of the screen to get back to the Provisioning page
  15. Click "Provision Microsoft Entra ID Users"
  16. Verify that the Target Object Actions (Create, Update, and Delete) are all checked
  17. Delete all of the default mappings except for the following six:
     

  18. Click "Save"
  19. Click Show advanced options at the bottom of the page and select Edit attribute list for customappsso
  20. Delete most of the unmapped attributes (we’ll keep a few to reuse in a later step). In the end, your list of attributes should look like this:

  21. Now, it’s time to add our additional attributes. You can add as many or as few as you’d like, depending on which attributes you want provisioned for Jostle. Below is the list of attributes you can add:

    Target Attribute | Jostle Attribute
    urn:ietf:params:scim:schemas:extension:jostle:2.0:User:personalPronouns | Personal Pronouns
    urn:ietf:params:scim:schemas:extension:jostle:2.0:User:birthDate | Birth Date
    urn:ietf:params:scim:schemas:extension:jostle:2.0:User:joinDate | Join Date
    urn:ietf:params:scim:schemas:extension:jostle:2.0:User:jobTitle | Job Title
    urn:ietf:params:scim:schemas:extension:jostle:2.0:User:jobCategory | Job Category
    urn:ietf:params:scim:schemas:extension:jostle:2.0:User:customBadge | Custom Badge
    emails[type eq "personal"].value | Personal Email
    urn:ietf:params:scim:schemas:extension:jostle:2.0:User:alternateEmail1Label | Alternate Email Label 1
    emails[type eq "alternate1"].value | Alternate Email 1
    urn:ietf:params:scim:schemas:extension:jostle:2.0:User:alternateEmail2Label | Alternate Email Label 2
    emails[type eq "alternate2"].value | Alternate Email 2
    phoneNumbers[type eq "workofficephone" ].value | Work Office Phone
    phoneNumbers[type eq "homephone" ].value | Home Phone
    phoneNumbers[type eq "workmobilephone"].value | Work Mobile Phone
    phoneNumbers[type eq "personalmobilephone"].value | Personal Mobile Phone
    addresses[type eq "address1"].streetAddress | Street Address 1
    addresses[type eq "address1"].locality | Address 1 Locality
    addresses[type eq "address1"].region | Address 1 Region
    addresses[type eq "address1"].country | Address 1 Country
    addresses[type eq "address1"].postalCode | Address 1 Postal Code
    addresses[type eq "address2"].streetAddress | Street Address 2
    addresses[type eq "address2"].locality | Address Locality 2
    addresses[type eq "address2"].region | Address Region 2
    addresses[type eq "address2"].country | Address Country 2
    addresses[type eq "address2"].postalCode | Address Postal Code 2
    urn:ietf:params:scim:schemas:extension:jostle:2.0:User:customFilterCategoryStr | Custom Filter
    urn:ietf:params:scim:schemas:extension:jostle:2.0:User:customProfile | Custom Profile

In the end, your attributes list should look something like this (depending on which Jostle attributes you choose to add):

  1. Click Save and click the X at the top right corner. You should be taken back to the Attribute Mapping page.
  2. Now, it’s time to add mappings from existing Azure attributes to the Jostle attributes you just added. To do so, click Add New Mapping
  3. Set the Mapping type (most will be Direct), select a Source attribute, select a Target attribute, set Match objects using this attribute to No, and set Apply this mapping to Always. Below are a couple examples:

    • Note: If an attribute is left unmapped, the value in Entra ID will be ignored and it will not be provisioned to Jostle.
  4. Click OK.
  5. Repeat this step for every attribute that you’d like to map. In the end, your list of mappings should look something like this:


    The exact mappings you choose are completely up to you, as long as the format of the Azure attribute matches the format of the Jostle attribute (String → String, DateTime → DateTime, etc.)

  6. When all of the desired mappings are added, click Save and then X to return to the Provisioning page
  7. In the Settings section, select the desired setting for Scope to sync only users assigned to this application or all users.
  8. In the Notification Email field, enter the email address where you want to receive alerts and then check the box next to "Send an email notification when a failure occurs" (NOTE—Jostle will also send provisioning failure notifications, so this is optional).
  9. Turn on provisioning by changing Provisioning Status to On and then click Save (you can click Refresh to update status)

Notes:

  • If you are already using our Entra ID Jostle app for User Provisioning and want to set up a new app with custom attributes (as described above), do not remove users from the old app, as this will disable/suspend the users in Jostle. Instead, turn off provisioning for the old app and then assign the users to the new app.
  • If you would like to use SSO, you can follow the instructions here to set up SSO with your new app. If you already have SSO set up with our Entra ID Jostle app and wish to continue using the old app for SSO, you can do so by assigning your users to both your old Jostle app and your new custom app.
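
Added example (not Jostle's or Microsoft's code): the target attribute paths in the tables above are SCIM path expressions, and this Python sketch folds a set of them into the SCIM User resource they describe, following RFC 7643 conventions. The sample values, the work-email path and the helper names are assumptions; the real request body is produced by Entra ID.

```python
import json
import re

# Extension schema URN copied from the target attributes in the article.
JOSTLE_EXT = "urn:ietf:params:scim:schemas:extension:jostle:2.0:User"
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643
# coll[type eq "x"].sub, tolerating stray spaces as in '"workofficephone" ]'
FILTERED = re.compile(r'^(\w+)\[\s*type\s+eq\s+"([^"]+)"\s*\]\.(\w+)$')

def build_scim_user(mapped):
    """Fold {target attribute path: value} pairs into one SCIM User resource."""
    user = {"schemas": [CORE_USER]}
    for path, value in mapped.items():
        if value in (None, ""):
            continue  # assumption of this sketch: empty source values are not sent
        m = FILTERED.match(path.strip())
        if m:
            coll, type_, sub = m.groups()
            entries = user.setdefault(coll, [])
            # sub-attributes sharing a type (address1 street, locality...) merge
            entry = next((e for e in entries if e["type"] == type_), None)
            if entry is None:
                entries.append(entry := {"type": type_})
            entry[sub] = value
        elif path.startswith(JOSTLE_EXT + ":"):
            user.setdefault(JOSTLE_EXT, {})[path[len(JOSTLE_EXT) + 1:]] = value
        elif re.fullmatch(r"\w+", path):
            user[path] = value  # plain core attribute such as userName
        else:
            raise ValueError(f"unrecognised target attribute path: {path!r}")
    if JOSTLE_EXT in user:
        user["schemas"].append(JOSTLE_EXT)
    return user

def has_work_email(user):
    """The article says Jostle requires a work email; check one is present."""
    return any(e["type"] == "work" and e.get("value") for e in user.get("emails", []))

# Constructed values; paths are from the article except the assumed work-email path.
SAMPLE = {
    'emails[type eq "work"].value': "a.lee@example.com",
    'emails[type eq "personal"].value': "alee@example.net",
    'phoneNumbers[type eq "workofficephone" ].value': "+1 555 0100",
    'addresses[type eq "address1"].locality': "Vancouver",
    'addresses[type eq "address1"].country': "CA",
    JOSTLE_EXT + ":jobTitle": "Analyst",
}

if __name__ == "__main__":
    print(json.dumps(build_scim_user(SAMPLE), indent=2))
```

Running it for the mappings you plan to enable shows which personal fields (home phone, addresses, birth date) would leave your directory, which helps keep the mapping list to what Jostle actually needs.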

 
