Azure AD User or User & Group Sync
This document describes how to set up user and group syncing between Azure AD and Zinc.
- Create the Zinc enterprise application in Azure - this provides connectivity to Zinc.
- Configure the user attributes - this configures mappings to work with Zinc.
- Configure the user scoping filters - this allows the customer to define which users are synchronized with Zinc.
- Optionally, to also support AD group sync, configure the group attributes and the group scoping filters.
- Start provisioning and monitor progress.
- Any existing Zinc enterprise application must be removed. Prior to removing this application, please note any scoping filters (users and/or groups) used by the application as these will need to be transferred to the new application created below.
Create the Zinc enterprise application
Open the Azure AD dashboard at https://manage.windowsazure.com/. You should see something like this:
Select the active directory (Zinc in the example above), and select the ‘Applications’ section across the top.
Create a new application for Zinc by using the ‘Add’ button at the bottom of the page.
In the following dialog you will be given a few choices. Choose ‘Add an application from the gallery’ -> choose ‘Custom’ and enter a name for the application:
When the application is created, you should see something like this:
You can ignore steps 1 and 3 - they are both related to SSO, which is not required.
Click on ‘Configure account provisioning’ in step 2.
Set the provisioning endpoint and the authentication token by entering the following:
Provisioning Endpoint URL: https://api.zincit.io
Authentication Token: (Obtain this token from Zinc Engineering.)
Click the arrow in the bottom-right corner of the screen to move to the next screen and test the connection. If it fails, contact Zinc Support.
If successful, move to the next screen (by clicking the arrow) where you will need to set the provisioning options:
- Make sure to disable ‘Automatically provision all accounts ...’.
- Enable both ‘Group’ and ‘User’ object types to provision.
- It is up to the customer whether they want emails sent on failures. If yes, enable the check box and add an email address.
Click the arrow to move to the final screen of the setup. When you are on the final screen, do not start provisioning at this time -- leave that option unchecked.
At the bottom right corner of the screen, click the checkmark to create the application.
Configure user attributes
In the User section, edit the ‘Matching Rules’ by changing the ‘Target Attribute (Zinc AD Sync)’ to ‘userName’. You will need to hover over the cell to edit the value.
Make sure to apply your changes by clicking the ‘Apply Changes’ button at the bottom of the page.
Configure user filtering
- In the User section, edit the ‘Scoping Filters’ by modifying the default rule created during the setup process:
- This should be changed on a per-customer basis to provide a rule that will filter their AD users to be sent to Zinc.
- NOTE: If you remove this default rule, all users will be synchronized to Zinc.
- Make sure to apply your changes by clicking the ‘Apply Changes’ button at the bottom of the page.
Optionally, configure group attributes
- Navigate to ‘Attributes’ -> ‘Provisioning’.
- In the Group section, edit the ‘Attribute Mappings’ by changing the ‘externalId’ and ‘displayName’ mappings. To edit a mapping, hover over the row and click the pencil icon.
- For the ‘externalId’ mapping, change the ‘Attribute’ value in the ‘Source: Azure AD’ section to ‘objectId’ and click the checkmark button in the bottom right corner of the screen.
- For the ‘displayName’ mapping, change the ‘Attribute’ value in the ‘Source: Azure AD’ section to ‘displayName’ and click the checkmark button.
- After the changes have been made, the mappings should look like this:
Optionally, configure group filtering
- Navigate to ‘Attributes’ -> ‘Provisioning’.
- In the Group section, edit the ‘Scoping Filters’ by modifying the default rule created during the setup process:
- This should be changed on a per-customer basis to provide a rule that will filter their AD groups to be sent to Zinc.
- NOTE: If you remove this default rule, all groups will be synchronized to Zinc.
Start provisioning and monitor progress
- Navigate to the ‘Configure’ screen.
- Turn on account provisioning:
- Make sure to save the changes by clicking on the ‘Save’ button at the bottom of the page.
- Navigate to the ‘Dashboard’.
- It may take a few minutes for the sync to start once provisioning has started.
- The ‘integration status’ section will show the current status of the provisioning and allow you to view any errors that have occurred.