0-AD in 30 min
This document is a tutorial guide which elaborates on how to configure the Azure AD connector and how to onboard the Azure Application in IDHub.
What you will learn in the Tutorial
- How to create tenant in IDHub
- How to onboard the AzureAD application in IDHub
- Basic & other details to be filled for AzureAD
- Fetching Attributes for AzureAD and corresponding attribute mappings
- Fetching Entitlements for AzureAD
- How to approve the Onboarding Task for AzureAD application in IDHub
- Review the onboarded AzureAD application in IDHub
- How to perform the reconciliation of AzureAD application in IDHub
- Perform Reconciliation
- See the Reconciliation logs and status
- Validate the sync
- How to perform provisioning of accounts from IDHub to AzureAD
- Requesting access to AzureAD app
- Provision Account
- Verify the account in your AzureAD instance.
What are the Prerequisites?
You would need the Azure AD Connector URL in order to onboard the Azure AD application and to do provisioning. Click here to learn more about the detailed steps for onboarding the Azure AD connector and getting the connecting URL.
How to create Tenant in IDHub
- Go to sath.com
- Under the Pricing main menu, click on Try
- You will be redirected to the Cloud trial signup page
Enter Basic Details in the signup page
Please enter your basic details here in order to start your IDHub Cloud trial subscription:
- First name
- Last name
- Password
You can also use your google account to signup.
Enter the Tenant name
After signup you will be asked to enter the tenant name.
Please enter the tenant name in this page.
Tenant name will be used to login to your tenant from the IDHub cloud page.
Tenant ID is auto generated based on the tenant name that you have entered here.
- This serves as a unique identifier for your tenant and will be used by our Support team.
- You can also enter a different Tenant ID, if needed.
Click on the “Agree and start now” button to complete the signup process.
If you already have a sath account, then you can click on the link “Sign in with a different sath account”, which will take you to the log out page. You can log out from there and then re-login with your existing sath account.
Get an email with credentials to login to your IDHub Cloud Tenant
After this you will get an email with your IDHub tenant URL and the credentials to login as you can see in the screenshot below:
How to on-board AzureAD application
In this section you will learn about the steps of on-boarding the AzureAD as a connected application in IDHub. Make sure you have the Connector URL before you proceed further.
Enter Basic & other Details in the Onboarding Wizard
- From the Manage Catalog page, select “Add Application”.
- Click on Add Application drop-down
- Click on the Add application menu
Enter Basic details
- Application name
- Application Description
- Application URL
- Application Owner
- IT Owner
Enter Integration details
- Integration Level: Connected
- Connector URL: Paste the connector URL here that you have obtained from the previous step.
- Create Users on Reconciliation checkbox: Tick this checkbox if you consider AzureAD as your source of truth and you want accounts to be created when you do reconciliation.
- Authentication Type: OAuth2
Other Sections in the Application Onboarding:
- Scheduler: If you want to automatically synchronize Azure data to IDHub then you can set a scheduler for the reconciliation. The default is “do not repeat”. You can also set that to daily, weekly, monthly and yearly.
- Approval Workflow: You need to set the approval workflow of the AzureAD application here from the drop-down
- Risk Level: If desired, you can set an appropriate risk level to the application.
- Requestable toggle: If you want the application to be requestable so that users can request access to the application, then you can turn the toggle to on.
- Once all fields are completed on this page, you should be able to proceed to the next page.
- If you cannot proceed, you are either missing data in the required fields mentioned above, or there may be an issue with your connector URL.
- If you suspect an issue with your connector URL, contact us for further assistance.
Fetching the Attributes for the Application
In this step you will learn to fetch Azure attributes, and map them to the IDHub user schema attributes.
Click on Fetch Attributes link
IDHub will now pull the Azure attributes and map them to the corresponding IDHub field attributes, as you can see in the screenshot below:
- As per the account schema that you have used to onboard the AzureAD connector, IDHub would pull the Azure Attributes and map them to the IDHub User field names.
- You can click on the edit button for each attribute and can map them to a different IDHub user field if needed or you can change the sync direction as well.
- You might not require all of the AzureAD attributes, so you can remove some of them (if needed) from the Attributes column by clicking on the minus icon for all of those attributes.
Account name field attribute
The Account Name Field is the unique identifier for each account in Azure. IDHub is configured to automatically assign the Azure attribute “id” as the Account Name Field key. Since this is the account name field, the sync direction does not apply to it.
Setting the Reconciliation Key
You need to map a reconciliation key, as this is the field on the basis of which reconciliation of data will be processed between Azure and IDHub. By default IDHub sets “userPrincipalName” as the recon key. However, you can set a different recon key if required.
Now you need to map the recon key to an IDHub field name. The steps are as follows:
- Click on the edit icon for the field under the attributes column which you want to set as the recon key
- Map the Azure Attribute field to an appropriate IDHub user field name.
- Click on the reconciliation key toggle and keep the toggle on
- Click on save button.
We recommend that you add a new custom field in IDHub and then map “userPrincipalName” to that custom field.
- Click on the Add New Field
- In the pop-up window fill in the details for the attribute name and description and then click on the save button.
- Now click on the save button.
Please review the screenshot below for the steps:
- You can map the “mailNickname” Azure Attribute to the “login” IDHub user field.
- You can map the “mail” Azure Attribute to the “Email” IDHub user field.
- You can map the “id” Azure Attribute to the “Employee Number” IDHub user field.
Synchronization Direction
The Synchronization (Sync) direction controls which direction the data will flow during the sync process. For example, information for specific attributes can be restricted to flow from IDHub to Azure, or vice versa. You can configure the sync direction for every Azure Attribute as per your business use case. Follow the steps below to change the sync direction.
- Click on the edit icon and confirm the sync direction is correct for each attribute
- Click on save
The default sync direction mappings, you can see below:
After confirming the sync direction for the attributes, click on the Next button.
Fetching Azure Groups to IDHub Entitlements
In this step you will learn to fetch all your Azure Groups and remove any Groups that you do not want to be managed inside IDHub. You can configure the Azure Groups in IDHub as per your business use case. Once the onboarding of Azure is complete, your Azure Groups will be converted into IDHub “Entitlements”.
- Click on Fetch Entitlements: This will pull all Azure Groups into IDHub entitlements
- You can remove any Entitlements (Groups) you don’t want managed inside IDHub by clicking on the “-” icon, if applicable.
- Edit each Entitlement (Azure Group) to accommodate the workflow needed, assign a Risk Level, consider if each should be requestable, and Save.
- Once all Entitlements have been configured, click Submit.
Approve the Azure Application Onboarding Task
After clicking on Submit, a task will be generated for the Access Manager to claim and approve the onboarding task. Once the Access Manager approves the task, the AzureAD application will be visible in the Manage Catalog.
Review Azure in Manage Catalog.
- Click on Manage Catalog
- Look for a green icon, illustrating a “Good” or healthy Application Health Status Check.
- This will indicate that Azure is now onboarded and connected successfully.
Perform Application Provisioning
In this step you will learn about performing an Application Synchronization (App Sync) which is the process of initiating the reconciliation of data, from the target system to IDHub, and vice versa. In this case, the target system is Azure. When performing a reconciliation of the data, IDHub will push and pull data, to and from Azure, according to the sync directions configured in previous steps.
- From the Manage Catalog page, navigate to the Azure Application and select “Application Sync”.
For the initial sync, you will need to select “Reconcile” and the entity would be “Account” as the goal is to move all Azure data into IDHub.
- You can define a condition for the reconciliation in the condition checkbox. The condition will be checked by IDHub during the reconciliation process so that only accounts which match the given condition are reconciled.
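The reconciliation key, per-attribute sync direction, “Create Users on Reconciliation” checkbox and reconciliation condition described above, modelled together as an added Python example. This is not IDHub's code: the direction labels, the “displayName” mapping and the sample accounts are constructed assumptions.

```python
# Azure attribute -> (IDHub field, sync direction): "to_idhub", "to_target" or "both".
MAPPINGS = {
    "userPrincipalName": ("upn", "to_idhub"),      # reconciliation key (page default)
    "mailNickname": ("login", "to_idhub"),
    "mail": ("Email", "both"),
    "displayName": ("Display Name", "to_target"),  # assumed to be owned by IDHub
}
RECON_KEY = "userPrincipalName"
ACCOUNT_NAME_FIELD = "id"   # identifies the Azure account; has no sync direction

def reconcile(azure_accounts, idhub_users, create_users, condition=None):
    """Match Azure accounts to IDHub users on the recon key and move attribute values
    by sync direction. Updates both lists in place; returns [(account id, outcome)]."""
    key_field = MAPPINGS[RECON_KEY][0]
    by_key = {u[key_field]: u for u in idhub_users if key_field in u}
    report = []
    for acct in azure_accounts:
        acct_id = acct[ACCOUNT_NAME_FIELD]
        if condition is not None and not condition(acct):
            report.append((acct_id, "skipped"))     # fails the reconciliation condition
            continue
        user = by_key.get(acct.get(RECON_KEY))
        if user is None and not create_users:
            report.append((acct_id, "unmatched"))   # checkbox off: nothing is created
            continue
        outcome = "updated"
        if user is None:                             # "Create Users on Reconciliation" on
            outcome = "created"
            user = by_key[acct[RECON_KEY]] = {key_field: acct[RECON_KEY]}
            idhub_users.append(user)
        report.append((acct_id, outcome))
        user["account_id"] = acct_id
        for az_attr, (field, direction) in MAPPINGS.items():
            if direction in ("to_idhub", "both") and az_attr in acct:
                user[field] = acct[az_attr]          # Azure -> IDHub
            elif direction == "to_target" and field in user:
                acct[az_attr] = user[field]          # IDHub -> Azure
    return report

def run_sample(create_users, enabled_only=False):
    """Reconcile constructed sample data (not a real tenant); returns (report, users, accounts)."""
    azure = [
        {"id": "obj-1", "userPrincipalName": "alice@example.com", "mailNickname": "alice",
         "mail": "alice@example.com", "displayName": "Alice"},
        {"id": "obj-2", "userPrincipalName": "bob@example.com", "mailNickname": "bob",
         "mail": "bob@example.com", "displayName": "Bob", "accountEnabled": False},
    ]
    idhub = [{"upn": "alice@example.com", "Display Name": "Alice Anderson"}]
    cond = (lambda a: a.get("accountEnabled", True)) if enabled_only else None
    return reconcile(azure, idhub, create_users, cond), idhub, azure
```

With the checkbox off, Bob is reported as unmatched rather than created; with the enabled-only condition, his disabled account is skipped entirely.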
You can review the reconciliation logs in order to validate the sync.
- Click on Manage Catalog
- Click on the AzureAD application
- Click on the Reconciliation Log
- This will show the reconciliation status along with all the records updated and other details
- You can also stop the reconciliation process by clicking on the “-” icon.
- Once the sync is complete you can click on the view link to validate the sync
If there are any errors in reconciling accounts from Azure, it will show errors. You can click on the arrow icon for each account to see the errors. Also the accounts which are reconciled will show a green icon.
To further validate the sync, you can view the users created by going to the “Search Catalog”. The user will have access to the Azure application, and the Azure groups will be added as entitlements.
- Depending on the number of users being added, it may take several minutes to fully load in Search Catalog.
- Match users in IDHub with Azure users: look at the id inside the Azure entitlements and match it against the Object ID in Azure.
Perform Provisioning of IDHub to Azure
In this step you will learn about provisioning from IDHub to Azure. Below are the steps to provision users from IDHub to Azure.
Go to search catalog
Add the Azure application to the cart
- Make sure you add the user for which you are provisioning
After filling in all the required details, click on the Done button.
You can click on the “Track Request” link from the left panel of IDHub to see the status of the provisioning.
IDHub will automatically provision the IDHub user to Azure AD.
You can also verify if the user has been created in the AzureAD by going into your AzureAD instance and viewing the user.
Ending Notes
We've reached the end of this tutorial, and the IDHub team would like to extend our heartfelt thanks to you for taking the time to engage with this content. Your dedication to learning and growth is what fuels the creation of resources such as this.
We hope that this tutorial has been informative, helpful, and has enriched your knowledge on the topic. Your willingness to learn is admirable, and we hope that the insights provided here have added value to your journey.
If you have any questions or concerns, or if there are areas you wish to explore further, please feel free to reach out here. Your feedback is incredibly valuable, not only in improving these resources, but also in helping to shape future content.