Manually adding O365 Users to ShareDo
To add your O365 users to ShareDo, open the application and go to the administration tool (Launchpad > Open Admin). Select “Users” and then “All” from the left-hand navigation – this will open the user list.
From the context ribbon, select “Add user”.
Fill in the details about the user as needed and then click the “User Account” navigation at the bottom of the blade.
Mark the user as active and not locked. Select the “Identity Provider” configured in the earlier step and set the “Identity Claim” to the user's O365 user principal name (UPN). The UPN is usually the same as the user's email address, but not always (for example after a name change, or where the mail attribute has been edited), so copy it from the user's Azure AD record: the claim must match exactly or the user will not be recognised at sign-in. Fill in the remainder of the form, click Confirm, then Save.
At this point the user should be added to the relevant teams, since team membership is what grants access to ShareDo features.
Automatically provisioning O365 users to ShareDo
ShareDo supports the SCIM 2.0 API and can be configured to accept provisioning requests from Azure Active Directory.
The following sections provide a guide on configuring ShareDo for automated provisioning of users and teams.
Register SCIM Client App
Within the ShareDo administration area, open the identity service management page. This can be found under Admin > Integrations > Manage Identity Service.
Select Add App, then “Add client credentials application”.
- Enter a Client name, e.g. [Client] SCIM
- Enter a Client ID, e.g. [Client]SCIM
- Enter a Client Secret; the Randomise option generates a random value
- Create a long-lived access token, e.g. 5 years. This token is the only credential Azure AD presents to the SCIM endpoint, and it authorises creating, updating and deactivating users and teams, so handle it as a secret: paste it directly into the Azure AD provisioning configuration, keep no copy in tickets or documents, and record its expiry so it can be rotated before provisioning silently stops working.
Next, open the client and select the option to generate a Bearer Token. You will need to provide this when configuring Azure AD.
Enable the SCIM Feature
Navigate to Global Features in ShareDo: Admin > Features > Manage global features
- Enable and configure the SCIM Feature
- Add a new Provider
- Configure the SCIM Provider
- Identity Provider - select the Identity Provider (e.g. Azure AD) that will be providing users to ShareDo.
USER CONFIGURATION
- Default User Type - users added from your identity provider are given a ShareDo user type. This can be overridden by mapping a 'userType' attribute from your AAD, but it is common, and safer, to place all provisioned users in a low-privilege user type and grant further rights through team membership, so that a provisioning mistake cannot create a privileged account.
- Manager Connection - some identity providers hold an organisation's hierarchy (reporting line). This can be reproduced in ShareDo, provided the managers are also synchronised to ShareDo.
GROUP CONFIGURATION
Where groups are used as containers in the identity provider, these groups become teams in ShareDo. It is possible to assign permissions to these groups so that users in those groups have a basic set of ShareDo permissions.
The alternative is to assign specific user types to users on provisioning or through manual action. Assigning users to specific types will add them to teams that would then have appropriate permissions.
- New Teams Organisation - Teams must belong to organisations. It is most common for teams to belong to your Organisation record.
- New Team Ods Type - Teams may also have their own 'type'. ShareDo team types can be used for access control (ACL) or task allocation (POD). It is possible for AD groups to become teams within ShareDo, that are then used for task allocation or access control.
Create an Enterprise Application
These steps will require you to be an Azure AD Administrator.
- Access your Azure AD management portal.
- Select Enterprise Applications
- Select to add a new Enterprise Application
- Select to create your own application
- Provide an application name (e.g. [Client] – ShareDo – SCIM [environment]) and select “Integrate any other application you don’t find in the gallery”.
- Select Provisioning
- Select Automatic Provisioning
- Tenant URL – https://{ShareDo-url}/api/scim/{identity-provider}
- Secret Token – [the Bearer Token generated under “Register SCIM Client App” above]
Test the connection to ensure AAD can communicate with your ShareDo instance. If the test fails, check that the {identity-provider} segment of the Tenant URL matches the provider configured in ShareDo and that the token was pasted whole, with no surrounding whitespace.
Configure Mapping
When provisioning requests are made to create or update users or groups, the payload can be customised by mapping AAD properties to named SCIM attributes in those requests.
The provisioning feature's attribute mapping page is where this mapping is configured.
If the mapping below is provided, additional attributes such as contact details are included in those requests.
Users
Once this User payload reaches ShareDo, it is mapped to the following ShareDo schema attributes.
Note that the default Azure AD mapping for mail sends it as emails[type eq "work"].value.
Change the target attribute to emails[type eq "email"].value: ShareDo matches the type against its defined contact types and expects "email", so an address left at the default arrives with a type ShareDo does not recognise.
The following table defines the mapping from the SCIM 2.0 schema to the ShareDo schema.
SCIM attribute | ShareDo attribute | Notes |
---|---|---|
User schema | | |
id | ODS.SCIMId | SCIM id is held in a custom attribute on the ODS record |
userName | User.IdentityClaim | |
name.givenName | Person.firstName | |
name.middleName | Person.middleName | |
name.familyName | Person.Surname | |
displayName | Ods.ShortName | |
name.honorificPrefix | Person.Title | If the value cannot be mapped to the option set it is ignored |
preferredLanguage | Person.PreferredLanguage | |
locale | Person.Timezone | |
active | User Profile Active | |
birthdate | Person.dob | |
emails | Contact Details | The primary flag indicates the primary email address; type must map to one of the defined contact types |
phoneNumbers | Contact Details | Type must map to one of the defined contact types |
addresses | Locations | |
groups | Team Membership | |
roles | Primary Team Role | The first role passed is set as the role on the primary team |
Enterprise User schema extension | | |
employeeNumber | ODS.Reference | Stored as the reference on the ODS record |
organization | User.Organisation | |
manager | ODS Connections | Creates a manager connection to the manager's ODS record |
Groups
When this payload reaches ShareDo it is mapped to the following ShareDo schema attributes.
SCIM attribute | ShareDo attribute | Notes |
---|---|---|
Group schema | | |
externalId | ODS.SCIMId | SCIM id is held in a custom attribute on the ODS record |
displayName | Team.Name | |
members | Team Members | List of team members |
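As an added example (not ShareDo or Azure AD code), the following Python applies the two mapping tables above to an incoming SCIM payload and runs the email-type check described under Users. The ShareDo attribute names are taken from the tables; the Person.Title option set, the sample user and group payloads, and the identifiers inside them are constructed here for illustration only.

```python
# Added example: SCIM 2.0 -> ShareDo attribute mapping, following the tables above.
# Not ShareDo code. TITLE_OPTIONSET and the sample payloads are constructed.

ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Assumed Person.Title option set; values outside it are ignored, as the table notes.
TITLE_OPTIONSET = {"Mr", "Mrs", "Ms", "Dr"}


def check_contacts(user):
    """Return problems with the emails attribute. Azure AD's default sends mail as
    emails[type eq "work"].value; ShareDo expects type "email"."""
    problems = []
    emails = user.get("emails", [])
    if not emails:
        problems.append("no emails supplied")
    for entry in emails:
        if entry.get("type") != "email":
            problems.append(
                f"email {entry.get('value')!r} has type {entry.get('type')!r}, expected 'email'"
            )
    if emails and not any(e.get("primary") for e in emails):
        problems.append("no email is flagged primary")
    return problems


def map_user(user):
    """Translate a SCIM 2.0 User resource into the ShareDo attribute names above."""
    name = user.get("name", {})
    ent = user.get(ENTERPRISE, {})
    prefix = name.get("honorificPrefix")
    roles = user.get("roles", [])
    manager = ent.get("manager", {}).get("value")
    return {
        "ODS.SCIMId": user.get("id"),
        "User.IdentityClaim": user["userName"],
        "Person.firstName": name.get("givenName"),
        "Person.middleName": name.get("middleName"),
        "Person.Surname": name.get("familyName"),
        "Ods.ShortName": user.get("displayName"),
        # an honorific outside the option set is dropped, not written
        "Person.Title": prefix if prefix in TITLE_OPTIONSET else None,
        "Person.PreferredLanguage": user.get("preferredLanguage"),
        "Person.Timezone": user.get("locale"),
        "UserProfile.Active": bool(user.get("active", False)),
        "Person.dob": user.get("birthdate"),
        # contact details keep the SCIM type and primary flag for ShareDo to match
        "ContactDetails": [
            {"kind": "email", "type": e.get("type"), "value": e["value"],
             "primary": bool(e.get("primary"))} for e in user.get("emails", [])
        ] + [
            {"kind": "phone", "type": p.get("type"), "value": p["value"],
             "primary": bool(p.get("primary"))} for p in user.get("phoneNumbers", [])
        ],
        "Locations": list(user.get("addresses", [])),
        "TeamMembership": [g["value"] for g in user.get("groups", [])],
        # only the first role is used: it becomes the role on the primary team
        "PrimaryTeamRole": roles[0]["value"] if roles else None,
        "ODS.Reference": ent.get("employeeNumber"),
        "User.Organisation": ent.get("organization"),
        # manager becomes an ODS connection keyed on the manager's SCIM id
        "ODSConnections": [{"type": "manager", "scimId": manager}] if manager else [],
    }


def map_group(group):
    """Translate a SCIM 2.0 Group resource into the ShareDo team attributes above."""
    return {
        "ODS.SCIMId": group.get("externalId"),
        "Team.Name": group["displayName"],
        "TeamMembers": [m["value"] for m in group.get("members", [])],
    }


# Constructed sample: what Azure AD would POST to /api/scim/{identity-provider}/Users
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE],
    "id": "7c3f0a1e-0000-4000-8000-000000000001",
    "userName": "jane.doe@contoso.example",
    "name": {"givenName": "Jane", "familyName": "Doe", "honorificPrefix": "Ms"},
    "displayName": "Jane Doe",
    "active": True,
    "emails": [{"primary": True, "type": "email", "value": "jane.doe@contoso.example"}],
    "phoneNumbers": [{"type": "work", "value": "+44 20 7946 0000"}],
    "roles": [{"value": "Fee Earner", "primary": True}],
    ENTERPRISE: {"employeeNumber": "E1234",
                 "manager": {"value": "7c3f0a1e-0000-4000-8000-000000000002"}},
}

# The same user as Azure AD's default mapping would send it: type "work", not "email"
MISCONFIGURED_USER = dict(SAMPLE_USER, emails=[
    {"primary": True, "type": "work", "value": "jane.doe@contoso.example"}])

# Constructed sample group payload for /api/scim/{identity-provider}/Groups
SAMPLE_GROUP = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
    "externalId": "9d2b5c70-0000-4000-8000-000000000003",
    "displayName": "Litigation Team",
    "members": [{"value": SAMPLE_USER["id"]}],
}

if __name__ == "__main__":
    print(map_user(SAMPLE_USER))
    print(check_contacts(MISCONFIGURED_USER))
    print(map_group(SAMPLE_GROUP))
```

Run stand-alone, it prints the mapped user, the single problem reported for the work-typed email, and the mapped team. The same check is worth running against the payload shown by an on-demand provisioning run before the full cycle is switched on.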
Enable Provisioning
When you configure the Enterprise Application for provisioning, you must decide whether to synchronise only the users and groups assigned to this Enterprise Application, or users and groups from the entire directory.
Sync only assigned users and groups
When you select “Sync only assigned users and groups”, the provisioning feature synchronises only the users and groups listed under Users and groups for this Enterprise Application. This is the safer setting: it limits ShareDo accounts to the people who need them and lets you pilot provisioning with a small group before widening it.
Sync all users and groups
When you select “Sync all users and groups”, the provisioning feature synchronises every user and group in Azure Active Directory (subject to any scoping filters you define), so every directory account becomes a ShareDo user.
Finally, set the Provisioning Status to On and save to enable provisioning.
Testing your identity synchronisation configuration
Once configured, you can test your identity synchronisation configuration by creating users and groups in the directory or adding them to the Enterprise Application.
However, this process is not synchronous: provisioning runs as a background cycle (an initial cycle, then incremental cycles roughly every 40 minutes) and gives no immediate feedback on an individual request.
To address this, Azure AD offers Provision on demand, which provisions a single user or group immediately.
Selecting this option has Azure AD synchronise the user or group straight away and shows the attributes sent and the response from the SCIM endpoint, which is the quickest way to confirm that the emails mapping change above took effect.