Automatic Refresh of Users when using Azure AD as SSO

Does BPM'Online automatically refresh the list of users from Azure AD when it is configured to use Azure AD as SSO? Or do we have to manually create/update/delete the users in BPM'Online as well in addition to maintaining them in Azure AD?

Thanks in advance for all the help...


Hello! 

This can be done by turning on JIT on the site. To do this you would need to send a letter to support@bpmonline.com if your site is located in the cloud, as well as do some additional settings on your side. Please see the article below:
https://academy.bpmonline.com/documents/administration/7-14/setting-just-time-user-provisioning

Best regards, 
Dennis

Dennis Hudson,

Thank you for your reply! I am working on an on-premise setup. Can JIT be configured on an on-premise installation along with Azure Active Directory as SSO provider? Thanks again for all the help...

amanthena,

Yes, it can be activated for on-site and cloud-deployed applications. Please refer to this Academy article when setting SSO up:

https://academy.bpmonline.com/documents/administration/7-14/setting-single-sign-adfs#XREF_62278_ADFS

Best regards,

Oscar

Oscar Dylan,

Thank you!

Oscar Dylan,

Dennis Hudson,

Is it possible to automatically sync the roles (organizational and functional) of the user in Azure Active Directory through JIT to BPM'Online? I was referring to the documentation mentioned here - 

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/bpmonline-tutorial

At the end of this article, there is a point about user creation - 
"In this section, you create a user called Britta Simon in Bpm’online. Work with Bpm’online support team to add the users in the Bpm’online platform. Users must be created and activated before you use single sign-on."

It mentions that the users would have to be manually "created" and "activated" in BPM'Online for SSO to work. This contradicts the JIT feature on BPM'Online. Could you please re-confirm whether JIT is valid for Azure Active Directory (AAD) and that it is also possible to automatically synchronize the organizational and functional roles in AAD to BPM'Online through JIT?

Thanks in advance...


Dennis Hudson,

Oscar Dylan,

Hi! Any update on this? Your help here would be greatly appreciated. Thanks!

amanthena,

Hello,

You can synchronize a user's data from Active Directory to Creatio with the help of the JIT function.
Each time a user logs on using SSO, the data on the contact page is updated with the data obtained from the identity provider. If the user has no account, it can be created when the user logs in for the first time.
If there is already a user with that username, the data is simply updated based on the received information; if there is no user with that username, a new user is created and provided with all the needed licenses based on their user type (company employee/portal user).

To specify contact fields that should be populated with data from the identity provider, configure the mapping of the SAML Assertion fields with Creatio columns. This is done in the SAML Assertion of the identity provider and in the [ SAML field name converters to contact field name ] lookup.

You can find more detailed information in the article below:
https://academy.creatio.com/docs/user/setup_and_administration/user_and…

As for the roles, Creatio should have the same roles as Active Directory (and the same users as well). This way, once the user logs on, all their roles are updated based on the received information. However, if the user has roles that are not present in Creatio, new roles will not be created (but they can be updated during the next login, if you decide to add the same new roles to Creatio).


Hope it clarifies!

Best regards,
Anastasiia
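As an added illustration of the JIT behaviour described in this answer (example code, not Creatio's own implementation): a small Python sketch that maps SAML attributes to contact columns through a hypothetical stand-in for the [ SAML field name converters to contact field name ] lookup, creates the user on first login, and applies only the roles that already exist in the system while reporting the ones it ignored. The assertion, claim names and lookup contents are constructed assumptions, and signature validation is assumed to happen before this step.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample assertion (not a real Azure AD token); claim names are illustrative.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>britta.simon@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Britta</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Simon</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>Sales</saml:AttributeValue>
      <saml:AttributeValue>Marketing</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical stand-in for the [SAML field name converters to contact field name] lookup.
FIELD_MAP = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "GivenName",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Surname",
}
ROLES_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"


def parse_assertion(xml_text):
    """Return (NameID, {claim: [values]}); signature/audience checks assumed done upstream."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS).text.strip()
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return name_id, attrs


def jit_provision(xml_text, users, known_roles):
    """Create or update the user in `users` (mutated); return (username, created, ignored)."""
    username, attrs = parse_assertion(xml_text)
    created = username not in users
    if created:  # first SSO login: the account is created automatically
        users[username] = {"contact": {}, "roles": set()}
    record = users[username]
    for claim, column in FIELD_MAP.items():  # populate the mapped contact columns
        if claim in attrs:
            record["contact"][column] = attrs[claim][0]
    received = set(attrs.get(ROLES_CLAIM, []))
    ignored = received - known_roles  # roles missing in the system are not created
    record["roles"] = received & known_roles  # existing roles are refreshed on every login
    return username, created, ignored
```

A second login after the missing role has been added to the system picks it up, which is the "updated during the next login" behaviour the answer describes.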
