Identity Synchronization with Azure AD

Introduction

Azure AD (Microsoft Azure Active Directory) is Microsoft's cloud-based user directory where user and group information is managed. HID Visitor Manager provides the capability to automatically import and synchronize user information from Azure AD so that they are visible when searching for personnel, managing visits, and other activities related to the users within HID Visitor Manager. The following guide details steps to integrate the two systems. Note that SCIM protocol is used to handle the secure exchange of user identity data between the two systems

Pre-Requisites

The following pre-requisites must be met before proceeding:

  • HID Visitor Manager account must be available with administrative access (assigned during account creation)

  • HID Visitor Manager account must be enabled with AzureAD PACS subscription.

  • Microsoft Azure AD tenant account and an administrator user account must be available (with privileges to create and manage applications)

Setup and Configuration

First, we will set up a new user source in HID Visitor Manager. Next, we will configure the Azure AD tenant for SSO. Lastly, we will focus on field mappings so that relevant identity data can be synced into HID Visitor Manager. Once Azure AD is setup, the single sign on can also be enabled by following the Single Sign On using SAML guide.

Step 1: Manage User Source in HID Visitor Manager

  1. Login to HID Visitor Manager using your administrator account.

  2. Navigate to Settings app luncher > General tab > System Configuration sub-tab.

  3. Click Launch next to Launch Systems Configuration Manager.

    Launch syetem configuration manager

  4. Click on User Sources and open the Azure AD configuration record. Note that this is only visible if the Azure AD add-on is enabled in HID Visitor Manager. Multiple user sources can be available here based on the license count.

    User Sources list

  5. Enter the Display Name and Description as required and check the Enable this User Source checkbox. Do not change any other fields. Click SAVE.

    User source configuration

  6. After the new configuration is saved successfully, a new SCIM Endpoint and Secret Token are generated and displayed. These values will be used to configure the Azure AD Provisioning connection described in the next section.

    Note:

    • All the options are checked by default except one. Below are brief explanations of each.

      List of checkboxesDescriptions

      Enable this user source (checked by default)

      		Unchecking this will disable the ID sync feature for the user source.
      Create/update users and user groups upon match (checked by default) Unchecking this will temporarily stop syncing updates from Azure without disabling the whole ID sync feature.

      Assign self-service privileges automatically (checked by default)

      If checked, this option will grant self-service privileges to the Identity by default. To learn more about self-service account and privileges, check out other help pages.

      Update users from other sources upon match

      (Not checked by default)

      		By default, users from other user sources are not updated upon match and a sync failure would happen. If checked, any user in the system with matching attributes will be updated. This is typically used during migrations when users may exist in two directories for a brief duration. The flag must be turned off at other times to prevent overwrites.

Step 2 - Create Azure AD Provisioning Application

  1. Go to Azure AD Tenant home page. Click Enterprise Applications on the left navigation menu and click +New Application

  2. Click Create your own application on the top menu. Provide the name of the application, for example 'HIDVisitorManagerProvisioning'. Click Create. A confirmation message is displayed once the process is completed successfully.


    Create your own application

  3. Click the Provisioning on the left navigation menu. Click Get Started.

    Provisioning

  4. Select Automatic from the Provisioning Mode drop-down menu.

  5. Populate Tenant URL and Secret Token with data from fields 'SCIM ENDPOINT' and 'SECRET TOKEN' that were saved earlier in Step 6 of section Step 1: Manage User Source in HID Visitor Manager

     

    Select the provisioning mode

  6. Click the Test Connection.You should see a message confirming that the connection was verified successfully.

  7. Click Save.

Step 3 - Azure AD Attribute Mapping

  1. Navigate to Enterprise Application and select the newly created application.

  2. On the left navigation menu click Provisioning.

  3. Click Edit Provisioning.

    Edit Provisioning

  4. Click Mappings.

    Azure AD Attribute Mapping

  5. Click Provision Azure Active Directory Users

    Provision Azure Active Directory Users

    Map user attributes are done as shown below. Note that user mappings are provided as a text table below too:

    The following table shows mapping between Azure AD to SCIM Schema for Identity related fields.

    Azure AD SCIM Schema
    userPrincipalName userName
    Switch([IsSoftDeleted], , "False", "True", "True", "False") active
    Switch(IsPresent([displayName]), "", "True", [displayName]) displayName
    Switch(IsPresent([jobTitle]), "","True", [jobTitle]) title
    mail emails[type eq "work"].value
    Switch(IsPresent([givenName]), "", "True", [givenName]) name.givenName
    Switch(IsPresent([surname]), "", "True", [surname]) name.familyName
    Switch(IsPresent([physicalDeliveryOfficeName]), "", "True", [physicalDeliveryOfficeName]) addresses[type eq "work"].formatted
    Switch(IsPresent([state]), "", "True", [state]) addresses[type eq "work"].region
    Switch(IsPresent([country]), "", "True", [country]) addresses[type eq "work"].country
    Switch(IsPresent([telephoneNumber]), "", "True", [telephoneNumber]) phoneNumbers[type eq "work"].value
    Switch(IsPresent([mobile]), "", "True", [mobile]) phoneNumbers[type eq "mobile"].value
    userPrincipalName externalId
    employeeId urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber
    Switch(IsPresent([companyName]), "", "True", [companyName]) urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization
    Switch(IsPresent([department]), "", "True", [department]) urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department
    Switch(IsPresent([manager]), "", "True", [manager]) urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager
    6. Note:

    • Many of the Azure AD attributes contain a switch expression. This is optional but recommended. This ensures that if a field is set to empty in Azure AD, it flows down to HID Visitor Manager in the same manner and empties the field in HID Visitor Manager too. Follow steps 6 to 8 only if an attribute mapping requires an update.

  6. Click an attribute that requires a mapping update. In this example, we will edit the 'manager' field.

  7. From the Mapping Type drop-down menu select Expression. You can select other mapping types based on your requirements.

    Edit Attributes

  8. In the Expression Text box, provide the mapping expression as required. Refer to Azure AD help as needed. The recommended expression is: Switch(IsPresent([attribute]), "", "True", [attribute]). Click OK. This expression ensures that even if the manager field is set to empty, the change will flow down to the HID Visitor Manager system. This may not be required if the manager field will always have some value stored.

  9. You may have to repeat the above steps for each attribute that requires any changes. To add new attribute mappings, click Add New Mapping, provide the expression and select the Target Attribute from the drop-down menu. Click OK.

  10. Once all mappings are reviewed, click SAVE.

    Save mapping attributes

 

Step 4 - Add users and user groups to provisioning application and test provisioning

  1. Click Assign users and groups.

    Assign users and group

    Assign users and groups

  2. Select users/groups that need to be provisioned to HID Visitor Manager by clicking on each item. Click the Select button at the bottom. Click Assign when done. A confirmation message is displayed once the users are successfully assigned.

    Assign users and groups

    Assign users and groups

  3. Navigate back to the Provisioning page.

  4. Click Provision on demand on the top menu to verify that user provisioning is configured correctly.

    Provision on demand

  5. Search for the user and select it. Click Provision.

    Provision on demand

  6. After a successful provisioning click Provision another user if needed. When done, Click X to close side window and click X again to close the tab.

    Provision another user

  7. Click Restart Provisioning if provisioning was already completed.

  8. Once provisioning is successfully completed, check if identities have been added/updated in HID Visitor Manager system.

Step 5: Review HID Visitor Manager users mappings

Note that if Azure AD mappings are done as above, no mapping changes are needed on the HID Visitor Manager side for the sync to happen.

To view/edit default mappings between HID Visitor Manager and Azure User source

  1. Login to HID Visitor Manager using your administrator account.

  2. Open the Settings app luncher > General tab > System Configuration.

  3. Click Launch next to Launch Systems Configuration Manager.

    Launch Systems Configuration Manager

    Launch Systems Configuration Manager

  4. Open the Data Objects tab and select Person. This section will list default mapping between HID Visitor Manager SCIM Schema to the HID Visitor Manager Application.

    Mapping between WorkforceID SCIM Schema to the WorkforceID application

Note:

  • By default, all the mapped fields in HID Visitor Manager SCIM Agent are displayed as read-only in HID Visitor Manager Application. You may make the fields editable by enabling IS Write to respective fields based on the above screenshot.

Reference Mappings

The following table shows internal mappings between SCIM Schema attributes to HID Visitor Manager SCIM Agent for identity-related attributes. HID Visitor Manager SCIM Agent supports only the following attributes from SCIM Schema. Any extra attributes which are not listed below are ignored.

SCIM Schema HID Visitor Manager SCIM Agent Additional Comments
externalId externalId Mandatory for the Identity sync to work.
userName userName Mapped to Login Name of the identity
active active Mapped to Status of the identity
emails[type eq "work"].value emails Mapped to Email of the identity
name.givenName givenName Mapped to First Name of the identity
name.familyName familyName Mapped to Last Name of the identity
addresses[type eq "work"].formatted physicalDeliveryOfficeName Mapped to the Location of the identity This value will populate only if there is an exact match to Location Name in HID Visitor Manager
addresses[type eq "work"].country country Mapped to the Country of the identity If there is a match for an Identity's Location, this value is derived from Location Information Azure AD country value has to match with the ISO3 country code present in HID Visitor Manager. Country Codes can be found in Admin → Master Data
addresses[type eq "work"].region state Mapped to the State of the identity If there is a match for an Identity's Location, this value is derived from Location Information Azure AD State value has to match with State code present in HID Visitor Manager
phoneNumbers[type eq "work"].value telephoneNumber Mapped to Phone field of the identity. Phone fields can be provided in the below formats including country code +1(510) 555-5555, 1.510.555.5555 Note: To map this field to the Alternate Phone field of the identity, edit the mapping and change the FIELDNAME to PHONE2. Changing it back to PHONE1 maps it back to the Phone field of the identity.
phoneNumbers[type eq "mobile"].value mobile Mapped to the Mobile Phone field of the identity Phone fields can be provided in the below formats including country code +1(510) 555-5555, 1.510.555.5555
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization companyName Mapped to the Employer of the identity Organization will be added only if the exact match is found with Employer Name in HID Visitor Manager
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department department Mapped to the Department of identity. Departments can be Managed in Admin → Master Data Note: New Department will be added by default if the exact match is not found. To change this behavior and to only assign department when an exact match is found in HID Visitor Manager, edit this mapping in HID Visitor Manager and unselect "MARK THIS AS MASTER DATA FIELD". Note: Department Name is case sensitive. For example, Customer Support Department is not the same as customer support department.
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager manager Mapped to the Manager Name of the identity. Manager Name will be added only if a match is found in HID Visitor Manager. Manager Email and Manager ID will be derived from the manager's profile in HID Visitor Manager. Note: If the Manager is removed in Azure AD, after the provisioning, the manager in HID Visitor Manager will stay the same as before.
Note:

Notes on other fields in the Identity UI:

  • PrimaryID field in the Identity UI is auto-populated by HID Visitor Manager.

  • Employee type is defaulted to 'Employee'

  • Building, Floor, Suite, Prefix, Suffix, Gender, and Date of Birth attributes cannot currently be mapped. These fields can be managed directly within HID Visitor Manager.

Adding Azure AD Single Sign-On

Once Azure AD Identity sync is set up, single sign-on can also be enabled by following the Single Sign-On using SAML guide.

Frequently Asked Questions

Q. What is the number of identities tested by this integration?

A: The integration has been tested with up to 10000 (ten thousand) users, 10 (ten) user groups, and 5 (five) user groups assigned per user.

Q: How long does it usually take to synchronize the users?

A: For approximately 3000 (three thousand) users in our testing, it took approximately 3 minutes to perform the initial provisioning and synchronization. Afterwards for about 100 user modifications, it took around 2 seconds to complete per cycle.

Q: What if 'Test Connection' in the provisioning profile fails?

A: If 'Test Connection' in the provisioning profile fails try the below options and if it still fails contact customer support.

Check for any trailing spaces in the secret token field and try again after removing any spaces.

Regenerate the secret token and try again with the latest token.

Q: What if the test 'Provision On Demand' fails?

A: If the test 'Provision On Demand' fails, look for errors in the provisioning logs in the Azure AD app.

Q: What if 'Provision On Demand' test is successful on the Azure AD side but Identity is still not visible on HID Visitor Manager side?

A: Sync logs are available at User Source Level. Navigate to Web Configurator => User Source. In General Tab, there is an area called Sync Status which shows details about Total Identities successfully synced or failed. It also shows when the Last Sync happened. To view more details about Identities sync click on View Logs.
Identity is still not visible on WorkforceID side

Q: What if a Failure is reported in Audits?

A: If a Failure is reported in Audits and the error is due to misconfiguration of attribute mapping, review the "HID Visitor Manager - Attribute mapping" section to make the corrections and try to sync the identities again. If the error is not clear, please contact customer support.