
User Provisioning: Azure Integration

 

*BETA RELEASE VERSION*

 

User Provisioning

Currently Jostle's User Provisioning API can only be used for integration with Azure AD or Okta. For more information about the User Provisioning API, please see this article.

 

About Jostle/Azure integration

Configuration

  • Requires a two-part setup: Jostle, then Azure
  • Once configured, user provisioning is one-way: Azure to Jostle

Supported provisions

  • Push New Users
    • New users created in Azure will be created in Jostle.
  • Push Profile Updates
    • Updates made to a user’s profile in Azure will be pushed to Jostle.
  • Push User Deactivation
    • Deactivating a user in Azure will deactivate them in Jostle.
  • Push User Reactivation
    • Reactivating a user in Azure will reactivate them in Jostle.

NOTE—Azure pushes its changes out in intervals, so it may take up to 40 minutes for a change to be reflected (alternatively, Azure has a Provision on demand option that can be used to immediately push changes for a selected user).

 

Setup Part 1: Jostle

Automation account

Before you begin, you’ll need to create an Automation user in your Jostle intranet. This will be the account you’ll use to configure with Azure. Automation users can be created in Admin Settings > User accounts and data > Manage Automation users.

For more details on Automation users and how to create one, see this article.

Once created, the Automation user account must be activated (i.e. logged in to your intranet at least once) before it can be used to configure Azure.

 

Manage user provisioning

Before you begin, ensure that your account subscription includes SSO/user provisioning features. If it doesn't, you can contact your Customer Success Manager and they can assist you in adding it to your account.

The next step is to obtain the API URL and API key from Jostle:

  1. Go to the Main Navigation and click Admin Settings.
  2. Under User data to/from other systems click Manage user provisioning (NOTE—if you do not see "Manage user provisioning" here and have verified that your account includes SSO/user provisioning, contact Support to have this page enabled in your Admin Settings).
  3. In the User Provisioning API details section, go to the Your Base URL field, click the Copy button and save the URL somewhere you can easily access it later.
  4. Next, click the Add a new key... button.
  5. On the following screen, go to the Automation User field and use the drop-down menu to select your Automation user account.
  6. In the Provisioning API key description field give your key a name (e.g. “Azure”) and then click the Add button.
  7. Once your key is generated, make sure to copy it right away and save it where you saved your URL (since this will be the only time your key will appear).

Next, you’ll use the API URL and API key to configure the integration in Azure.

 

Setup Part 2: Azure

For the Azure part of this setup, we'll be setting up Azure Provisioning as a Non-gallery application (which, fair warning, is a bit of a lengthy process).

 

Provisioning

  1. Log in to portal.azure.com and go to Azure Active Directory
  2. From the left menu, select Enterprise applications
  3. In the top menu, click on + New application
  4. Select Non-gallery application
  5. Enter a name of your choosing (e.g. "Jostle User Provisioning") and then click Add
  6. From the left menu, select Provisioning
  7. On the Provisioning screen, go to the Provisioning Mode field and set it to Automatic.
  8. Scroll down and click on Admin Credentials. In the Tenant URL field, enter Your Base URL (that you copied when you were creating your API key in Jostle). In the Secret Token field, enter the API key you created and copied.
  9. After you've entered the URL and API key, click Test Connection. There should be a message in the top right part of the window which says "The supplied credentials are authorized to enable provisioning".
  10. In the Notification Email field, enter the email address where you want to receive alerts and then check the box next to "Send an email notification when a failure occurs" (NOTE—Jostle will also send provisioning failure notifications, so this is optional).
  11. Go to the top of the screen and click Save to save the settings so far.
  12. Scroll back down and click on Mappings to open the next section.
  13. Click on Provision Azure Active Directory Groups
  14. Change Enabled to No, then click Save, then Yes on the confirmation dialog.
  15. Click the X in the top right to go back.
  16. Click on Provision Azure Active Directory Users
  17. Ensure that Enabled is set to Yes.
  18. Optional: if you want to filter which users are synced to Jostle, configure the Source Object Scope.
  19. Once you are done specifying scope (optional), ensure that under Target Object Actions, the boxes next to Create, Update and Delete are all checked.
  20. Under Attribute Mappings, all of the default mappings are displayed. Click the blue Delete button to the far right of the attributes listed below, as they are not supported:
    a) displayName
    b) jobTitle
    c) preferredLanguage
    d) Join(" ", [givenName], [surname])
    e) physicalDeliveryOfficeName
    f) streetAddress
    g) city
    h) state
    i) postalCode
    j) country
    k) telephoneNumber
    l) mobile
    m) facsimileTelephoneNumber
    n) mailNickname
    o) employeeId
    p) department
    q) Manager
  21. The default mapping has the Azure AD attribute ‘mail’ mapped to SCIM work email. Because Jostle requires a work email, make sure you map this to a field that will always have a value.
  22. Add additional mappings for attributes supported by Jostle that you want to sync. In order to do this, you’ll have to configure the attributes first by checking Show advanced options and clicking on Edit attribute list for customappsso.
  23. Delete the attributes below not supported by Jostle: 
    a) displayName
    b) title
    c) preferredLanguage
    d) name.formatted
    e) All addresses
    f) All phoneNumbers
    g) externalId
    h) name.honorificPrefix
    i) name.honorificSuffix
    j) nickName
    k) userType
    l) locale
    m) Timezone
    n) emails[type eq "home"].value
    o) emails[type eq "other"].value
    p) All ims
    q) All roles
    r) urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber
    s) urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:costCenter
    t) urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization
    u) urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:division
    v) urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department
    w) urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager                                                
  24. At the bottom of the list add the following:

    Name | Type
    emails[type eq "personal"].value | String
    emails[type eq "alternate1"].value | String
    emails[type eq "alternate2"].value | String
    urn:ietf:params:scim:schemas:extension:jostle:2.0:User:alternateEmail1Label | String
    urn:ietf:params:scim:schemas:extension:jostle:2.0:User:alternateEmail2Label | String

  25. After the edits the list should look like this: (screenshot AP04.jpg)
  26. Click Save and then Yes on the confirmation dialog.
  27. Now add mappings for the additional fields you want by selecting Add New Mapping for each attribute. This opens a dialog on the right side of the screen. For each Jostle attribute below, enter the mapping values shown, and for the Source attribute choose the Azure AD attribute that makes sense for that field (if you don't have anything suitable for a field, leave it out of the mapping):

    Jostle attribute | Mapping Type | Target Attribute
    Personal Email | Direct | emails[type eq "personal"].value
    Alternate Email 1 | Direct | emails[type eq "alternate1"].value
    Alternate Email 2 | Direct | emails[type eq "alternate2"].value
    Alternate Email 1 Label | Direct | urn:ietf:params:scim:schemas:extension:jostle:2.0:User:alternateEmail1Label
    Alternate Email 2 Label | Direct | urn:ietf:params:scim:schemas:extension:jostle:2.0:User:alternateEmail2Label

  28. Click Save and then Yes on the confirmation dialog.
  29. After the edits, the mapping will look something like this, but with the Azure Active Directory Attribute column showing the attributes you chose from your Azure AD: (screenshot AP05b.jpg)
  30. Click the X in the top right corner (under your name/avatar) to go back to Provisioning.
  31. In the Settings section, select the desired setting for Scope to sync only users assigned to this application or all users.
  32. Turn on provisioning by changing Provisioning Status to On and then click Save (you can click Refresh to update status)

NOTES

  • Some stats are available on the right: View provisioning details and View technical information
  • Audit and provisioning details can be viewed by going to View audit logs and View provisioning logs, respectively.
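
To see what the target attributes from steps 24 and 27 turn into on the wire, the following added example (not Jostle's or Microsoft's code) folds a set of mapped values into a SCIM 2.0 User resource and checks that the required work email from step 21 is present. The emails[type eq "work"].value path for the default mail mapping, the skipping of blank values, and the sample user are assumptions.

```python
import re

# Target attribute paths come from steps 24 and 27 of this page; the "work"
# path used for the default 'mail' mapping is an assumption.
CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
JOSTLE = "urn:ietf:params:scim:schemas:extension:jostle:2.0:User"
FILTER_PATH = re.compile(r'^(\w+)\[type eq "([^"]+)"\]\.(\w+)$')
URN_PATH = re.compile(r'^(urn:[\w:.]+):(\w+)$')

def build_scim_user(mapped):
    """Fold {target attribute path: value} pairs into one SCIM User resource."""
    user = {"schemas": [CORE]}
    for path, value in mapped.items():
        if value in (None, ""):
            continue  # assumption: a blank source attribute sends nothing
        m = FILTER_PATH.match(path)
        if m:  # e.g. emails[type eq "personal"].value -> one typed list entry
            attr, type_, sub = m.groups()
            user.setdefault(attr, []).append({"type": type_, sub: value})
            continue
        m = URN_PATH.match(path)
        if m:  # extension attribute: lives in an object keyed by its schema URN
            urn, attr = m.groups()
            if urn not in user["schemas"]:
                user["schemas"].append(urn)
            user.setdefault(urn, {})[attr] = value
            continue
        user[path] = value  # plain top-level attribute such as userName
    return user

def missing_required(user):
    """Return the work email path if no non-empty work email is present."""
    emails = user.get("emails", [])
    has_work = any(e.get("type") == "work" and e.get("value") for e in emails)
    return [] if has_work else ['emails[type eq "work"].value']

# Constructed sample: values as they might arrive from the Azure AD source side.
SAMPLE = {
    "userName": "avery@example.com",
    'emails[type eq "work"].value': "avery@example.com",
    'emails[type eq "personal"].value': "avery.home@example.net",
    'emails[type eq "alternate1"].value': "",
    JOSTLE + ":alternateEmail1Label": "On-call",
}

if __name__ == "__main__":
    import json
    print(json.dumps(build_scim_user(SAMPLE), indent=2))
```

The constructed sample also shows a label arriving without its alternate email, which is worth checking for when a source attribute can be blank.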

 
