Set up the AD absence.io app
Sections in this article
- Maintain SCIM Provisioning & Details of Technical Steps
- Provision Users to absence.io from Active Directory
- Troubleshooting & known Issues
- Setup SCIM in absence.io & connect to Active Directory
Please note that it might be difficult for us to help you with some issues. This is due to the diversity of Active Directory setups and licenses, the access restrictions in place, and the sensitivity of the data.
We recommend that a Microsoft Azure expert assist you on your end if needed. We are of course here to help you with problems as far as possible!
If you are interested in the technical details, further down you will find troubleshooting steps and the technical infrastructure of our Azure Active Directory SCIM integration.
Setup SCIM in absence.io & connect to Active Directory
- Given: an a.io account with firstname.lastname@example.org plus any number of email@example.com user profiles
- Run Company Connect within a.io to create the instance
- Create a custom app in AD
- Create groups in AD and assign AD user identities to these groups within the custom app
- Existing a.io users whose "firstname.lastname@example.org" address is in the AD "username" field -> SSO is active for these users, and they are included in provisioning cycles
- Non-existing absence.io users -> created as inactive in absence.io; no invite is sent out
Create a Non-Gallery App
- Connect your Office 365 account.
- In the integration settings in absence.io, retrieve your SCIM credentials (URL and secret)
- Create a custom "Non-Gallery App":
- Go to your Microsoft Azure Portal
- Go to Enterprise applications
- Click on "New Application"
- Create your own "Non-Gallery App"
Activate Provisioning in the Non-Gallery App
- In the app you just created, go to "Provisioning" on the left
- Enable automatic provisioning (it cannot be set back to manual, only deactivated)
- Test the connection; if it fails, check your SCIM credentials
- Set up a notification email as needed
- Scroll down, enable Automatic Provisioning and Save
- The final step may need some patience: wait a few minutes (and up to an hour) for the identities from your directory to appear in the absence.io user list
Provision Users to absence.io from Active Directory
- A user can be added to the "non-gallery app" directly or through a group and will then be provisioned.
- Through several "non-gallery apps" and user assignments to these apps, AD admins can create different scopes of provisioning to one or multiple absence.io accounts.
- When the user is modified in Active Directory, by being removed from the provisioning group or deactivated, they get deactivated/deleted from absence.io.
- absence.io might therefore not know why a user is removed from an absence.io instance. How your group and app memberships are set up in Active Directory is out of our hands.
Already existing identities in Active Directory
When you already have some user identities set up in both your Active Directory and your absence.io instance, these user identities can be connected for provisioning purposes.
All other users that do not yet exist in absence.io will be provisioned into absence.io as inactive once the integration connection is set up.
Email address changes & sync
If the email address (userPrincipalName) of an Active Directory user (i.e. identity) is changed, the email address of the corresponding absence.io user will also change. This is true for any user initially provisioned into the absence.io instance. To make sure this works, please check the attribute mappings of users in the non-gallery enterprise app (see screenshot below). The objectId attribute must be mapped to the externalId attribute instead of the mailNickname attribute.
However, for users who were already created in the absence.io instance and then connected to their provisioning AD identity, we will not change the email address of the corresponding absence.io user.
Troubleshooting & known Issues
- The admin who ran Company Connect is no longer an admin or no longer part of the Active Directory. In this case a new admin has to redo the Company Connect in absence.io.
- The admin is not added to the non-gallery app as a user.
- All users need an email address in AD to be created or linked in absence.io. Make sure your users have a correct email in the "userName" field in Active Directory.
- Provisioning might take a while (up to 40 minutes), so it can take some time before users show up in the absence.io user list. This is due to Microsoft Active Directory default behaviour.
- For users of the old Azure app from before our December 2019 release -> reconnect the O365 application in the absence.io settings
- You need to have the O365 Company Integration activated to enable SCIM in absence.io
- If you see errors on some users during provisioning, try renewing your Office 365 admin consent.
Maintain SCIM Provisioning & Details of Technical Steps
For a detailed explanation, please visit the Microsoft Help for Active Directory here.
Here you can see how to report on your provisioning in Active Directory.
- Create a SCIM endpoint in absence.io and connect it to a Microsoft Azure Active Directory non-gallery app with the created SCIM credentials. You may have to connect O365 at organisation level and give admin consent. This is explained above.
- AD sends a request to the absence.io O365 SCIM endpoint
- AD starts a provisioning cycle and starts requesting the a.io SCIM endpoint
- The requests include the userName property. absence.io treats that property as the user's email, which is required for every user on absence.io.
- Other properties that come with the request are the user's first and last name.
- Additional properties are collected in order to fulfil the SCIM protocol, but are never displayed anywhere in the app: externalId and contact email (not used as a source of identity).
- absence.io sends a request to the Microsoft Graph API /v1.0/users endpoint
- This is needed so absence.io has access to the id property, which is required for single sign-on.
- The userName property received in the original request is used to match userPrincipalName, giving us the remaining data about the provisioned user that was not included in the original provisioning payload.
- With all the information in place, the user is then activated and saved to the absence.io database.
Because of Step 3, any company setting up automatic user provisioning must perform the Company Connect operation. If it was already done before 2020, it needs to be done again (disconnect, then reconnect). This is important because it allows the app to access the Microsoft Graph API on behalf of the admin who ran the operation. Without this permission, it is impossible to automatically enable authentication for a provisioned user.
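The following is an added example, not absence.io's own code, that models the provisioning behaviour described in this article in a single SCIM 2.0 /Users handler: userName is taken as the email, an already existing absence.io user is linked and gets the Graph id needed for single sign-on, an unknown user is created inactive with no invite, a deactivation or removal in AD deactivates the absence.io user, and a userPrincipalName change only moves the email of users that provisioning originally created. It assumes a static bearer secret (the SCIM secret from the integration settings), an in-memory user store, and a constructed GRAPH_USERS table standing in for the Microsoft Graph /v1.0/users lookup by userPrincipalName; all function names, ids and sample addresses are hypothetical.

```python
# Added example (not absence.io code): a SCIM 2.0 /Users handler modelling the flow above.
# Assumptions: static bearer secret, in-memory user store, and GRAPH_USERS standing in for
# the Microsoft Graph /v1.0/users lookup (constructed sample data keyed by userPrincipalName).
import hmac
import uuid

SCIM_SECRET = "constructed-scim-secret"  # placeholder for the secret from absence.io integration settings
GRAPH_USERS = {  # constructed stand-in for Graph /v1.0/users: userPrincipalName -> id
    "firstname.lastname@example.org": {"id": "11111111-1111-1111-1111-111111111111"},
    "email@example.com": {"id": "22222222-2222-2222-2222-222222222222"},
}
# absence.io-side store keyed by lower-cased email; one user exists before SCIM is connected.
USERS = {"firstname.lastname@example.org": {
    "id": "a1", "email": "firstname.lastname@example.org", "active": True,
    "sso_id": None, "external_id": None, "created_by_scim": False}}

def check_auth(headers):
    """Accept only requests carrying the SCIM secret as a bearer token (constant-time compare)."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    return hmac.compare_digest(token, SCIM_SECRET)

def _as_bool(value):
    """Azure AD may send PATCH values as the strings "True"/"False" instead of JSON booleans."""
    return value if isinstance(value, bool) else str(value).strip().lower() == "true"

def _replace_ops(body):
    """Yield (attribute, value) from a PatchOp; Azure AD uses both the
    {"path": ..., "value": ...} form and the {"value": {attr: val}} form."""
    for op in body.get("Operations", []):
        if op.get("op", "").lower() != "replace":
            continue
        if op.get("path"):
            yield op["path"], op.get("value")
        elif isinstance(op.get("value"), dict):
            yield from op["value"].items()

def _find(user_id):
    return next((u for u in USERS.values() if u["id"] == user_id), None)

def to_scim(user):
    """Render a stored user as a SCIM 2.0 User resource."""
    return {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], "id": user["id"],
            "userName": user["email"], "externalId": user["external_id"], "active": user["active"]}

def create_user(headers, body):
    """POST /Users: userName is the email. An existing absence.io user is linked (SSO enabled);
    an unknown one is created inactive with no invite, as the article describes."""
    if not check_auth(headers):
        return 401, {"detail": "unauthorized"}
    email = (body.get("userName") or "").strip().lower()
    if not email:  # every absence.io user needs an email, so userName is mandatory
        return 400, {"scimType": "invalidValue", "detail": "userName (email) is required"}
    user = USERS.get(email)
    created = user is None
    if created:
        user = {"id": str(uuid.uuid4()), "email": email, "active": False,
                "sso_id": None, "external_id": None, "created_by_scim": True}
        USERS[email] = user
    user["external_id"] = body.get("externalId")
    user["first_name"] = body.get("name", {}).get("givenName")
    user["last_name"] = body.get("name", {}).get("familyName")
    # Match userName against userPrincipalName to obtain the Graph id that single sign-on needs.
    graph = GRAPH_USERS.get(email)
    user["sso_id"] = graph["id"] if graph else None
    return (201 if created else 200), to_scim(user)

def patch_user(headers, user_id, body):
    """PATCH /Users/{id}: active=false deprovisions; a userName change moves the email only
    for users that provisioning created (pre-existing users keep their absence.io email)."""
    if not check_auth(headers):
        return 401, {"detail": "unauthorized"}
    user = _find(user_id)
    if user is None:
        return 404, {"detail": "not found"}
    for attr, value in _replace_ops(body):
        if attr == "active":
            user["active"] = _as_bool(value)
        elif attr == "userName":
            new_email = str(value).strip().lower()
            if user["created_by_scim"] and new_email and new_email != user["email"]:
                USERS[new_email] = USERS.pop(user["email"])
                user["email"] = new_email
    return 200, to_scim(user)

def delete_user(headers, user_id):
    """DELETE /Users/{id}: sent when the user leaves the group/directory; deactivate, keep the record."""
    if not check_auth(headers):
        return 401, {"detail": "unauthorized"}
    user = _find(user_id)
    if user is None:
        return 404, {"detail": "not found"}
    user["active"], user["sso_id"] = False, None
    return 204, None
```

Three details matter in practice. The bearer secret is the only thing authenticating the directory to the endpoint, so it is compared in constant time and every handler checks it before touching the store. Azure AD is known to send PatchOp values such as "False" as strings and to use both the path-based and the value-object form of a replace operation, so the handler normalises both before acting. Finally, the email follows the AD userPrincipalName only when `created_by_scim` is set, which is the distinction the "Email address changes & sync" section draws between provisioned users and users that existed in absence.io before being linked.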