This tutorial describes how to configure the iGrafx platform with Azure AD to have automatic user provisioning and de-provisioning. User provisioning is only available in an iGrafx cloud offering. For more information on how this technology works see this Azure document.
The following items are required to continue:
- An Azure Active Directory tenant
- An Enterprise or Dedicated iGrafx Cloud Tenant
- A secret token (instructions to generate the token are found below)
- A custom tenant identifier (requested via our support page)
To create your SCIM directory and generate your secret token:
The user performing these steps needs the Manage user directories server permission.
- Log into iGrafx Process360 Live Process design
- Go to Administration → User Management → Directories
- Click Add new directory
- Enter the name of the directory
- Select directory type SCIM
- Click Create directory
- Note your SCIM secret token for later use
Note: To generate a new token, click Edit on the SCIM directory and then Generate new token
To configure automatic user account provisioning to iGrafx in Azure AD:
In the Azure portal, browse to the Azure Active Directory > Enterprise Apps > All applications section.
- Click New Application at the top of the page.
- Click Create your own application
- Enter a name in Input Name field
- Select "Integrate any other application you don't find in the gallery"
- Now click Provisioning Tab
- You may have to click the Get Started button to see the next step
- Set the provisioning mode to Automatic
- Enter the Tenant URL and Secret Token obtained in the prerequisites
- Click Test Connection to check that the connection succeeds (not successful? Contact our support for further assistance)
- Under Settings, enter an email address that should receive notifications about synchronization issues
Enable User Mapping
Now open the mappings dropdown located under the "Admin Credentials" section
- Enable Provisioning of Users and select what users you want to synchronize
- Select Create, Update, and Delete under target object actions
By default, Azure sets a lot of mappings. iGrafx only needs the following five attributes mapped, all of which are included in the defaults set by Azure.
We suggest changing the defaults to the values below; in particular, the username must be adjusted to be a valid email address.
Attribute mapping values (Mapping Type, Source Attribute/Expression, Target Attribute) for each iGrafx user attribute:
- Username: Direct, target attribute userName
- Enabled: Expression, source Not([IsSoftDeleted]), target attribute active
- Email: Direct, target attribute emails[type eq "work"].value
- First name: Direct, source givenName, target attribute name.givenName
- Last name: Direct, source surname, target attribute name.familyName
You can delete the other default Attribute Mappings. If you delete them, the remaining mappings should look like this:
- Click Save
Enable Group Mapping
- Enable Provisioning of Groups and select the group source
- Select Create, Update, and Delete under the Target object actions
By default, only the group Attribute Mappings should be properly mapped and look like the following:
If either objectId or members is missing, click Add New Mapping and enter the following values for the missing attribute:
- members: Mapping Type Direct, source attribute members, target attribute members
- objectId: Mapping Type Direct, source attribute objectId, target attribute externalId
Afterwards, your Attribute Mappings should look like this:
- Click Save
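The user and group mappings above, applied in code as an added example (not iGrafx or Microsoft code): it shows what the SCIM user and group objects produced by these mappings look like, that a soft-deleted Azure AD user comes out with active set to false (which is what drives de-provisioning), and that a username that is not a valid email address is rejected. The page does not name the source attribute for userName or for the work email, so using the Azure AD mail attribute for both is an assumption.

```python
import re

# Constructed sample Azure AD records (not real tenant data). Keys follow the
# source attributes named in the mapping tables above; IsSoftDeleted is the
# attribute behind the Not([IsSoftDeleted]) expression.
SAMPLE_USER = {"mail": "ada.lovelace@example.com", "givenName": "Ada",
               "surname": "Lovelace", "IsSoftDeleted": False}
SAMPLE_GROUP = {"objectId": "11111111-2222-3333-4444-555555555555",
                "members": ["user-id-1", "user-id-2"]}

# Simple syntactic check; the page only requires a "valid email address".
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def azure_user_to_scim(user: dict, username_source: str = "mail") -> dict:
    """Apply the five iGrafx user mappings to one Azure AD user record.

    username_source is an assumption: the page requires userName to be a
    valid email address but does not name the source attribute, so 'mail'
    is used here for both userName and emails[type eq "work"].value.
    """
    username = user.get(username_source, "")
    if not EMAIL_RE.match(username):
        # Fails the "valid email address" requirement; surface it instead of
        # provisioning a user who will not be able to log in to iGrafx.
        raise ValueError(f"userName {username!r} is not a valid email address")
    return {
        "userName": username,                              # Direct
        "active": not user.get("IsSoftDeleted", False),    # Not([IsSoftDeleted])
        "emails": [{"type": "work", "value": username}],   # emails[type eq "work"].value
        "name": {"givenName": user.get("givenName", ""),   # Direct givenName
                 "familyName": user.get("surname", "")},   # Direct surname
    }


def azure_group_to_scim(group: dict) -> dict:
    """Apply the two group mappings: objectId -> externalId, members -> members."""
    return {
        "externalId": group["objectId"],
        "members": [{"value": member_id} for member_id in group["members"]],
    }


if __name__ == "__main__":
    print(azure_user_to_scim(SAMPLE_USER))
    print(azure_user_to_scim({**SAMPLE_USER, "IsSoftDeleted": True})["active"])
    print(azure_group_to_scim(SAMPLE_GROUP))
```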
Once configured, click Save at the top of the main window and synchronization should begin. Subsequent synchronization cycles run every 40 minutes.
For more information on how to read the Azure AD provisioning logs, see Reporting on automatic user account provisioning.
- Managing user account provisioning for Enterprise Apps
- What is application access and single sign-on with Azure Active Directory?