Setting up user synchronization between Active Directory and IFS Applications

This guide describes how to setup and configure IFS Applications to synchronize user information from an Active Directory server.

The user concepts are described in About Users.

Note: It is recommended to create and verify the configuration in a test environment before applying the synchronization scheme in a production mode environment. The synchronization job will automatically create user accounts in IFS Applications and licensing can be affected.

When to use this information:

Use this page when you want to set up synchronization of users and user information from an Active Directory into IFS Applications.

Contents

An overview of setting up the synchronization and a closer look at the process.

Some things to consider before you start setting up the configuration.

Process overview

Prepare configuration

Setting up synchronization of users from Active Directory into IFS Applications needs thorough preparations to succeed. These are the steps you need to perform to set up a fully functional synchronization configuration.

  1. Categorize users and identify roles to be used in IFS Applications

  2. Prepare the Active Directory by

    1. create groups in accordance with the role hierarchy you determined in step 1

    2. create a system service account with read access to the AD

    3. find out which domain controllers to connect to

  3. Prepare the permission sets you plan to use.

  4. Locate the 'Active Directory User Integration Configuration' in Solution Manager and create a new configuration

  5. Review attribute mappings and add mappings between AD group and IFS user group and permission set.

  6. Verify the configuration by making a test run (no information will actually be committed in IFS Applications)

  7. Run the synchronization manually

  8. Verify the synchronization by looking at some sample users. Did the right AD attributes get synchronized?

  9. If anything needs to be adjusted, go back to step 4

  10. If the synchronization was successful:

    1. set up the synchronization job as a scheduled application server task to run in the background

    2. set up event actions to handle errors and/or job status notifications

Note: It is advisable to do all steps in a test environment before applying the configuration to a production environment.
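The Active Directory preparation in step 2 (groups, a read-only service account, domain controllers), as an added PowerShell example that is not part of the IFS documentation. The OU name, group names and service account name are placeholders; replace them with the role hierarchy you decided on in step 1. It needs the ActiveDirectory RSAT module and an account that may create objects in the chosen OU.

```powershell
# Added example: prepare Active Directory for IFS user synchronization.
# All names below are placeholders (not from the IFS documentation).
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$domainDn   = $domain.DistinguishedName                    # e.g. DC=corp,DC=example,DC=com
$ouName     = 'IFS-Sync'                                   # placeholder OU for the sync groups
$ouDn       = "OU=$ouName,$domainDn"
$roleGroups = @('IFS-Role-Finance', 'IFS-Role-Purchasing', 'IFS-Role-ReadOnly')  # placeholders
$svcName    = 'svc-ifs-adsync'                             # placeholder service account

# 1. A dedicated OU keeps the sync groups apart from other group objects.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# 2. One global security group per AD group -> IFS permission set mapping.
foreach ($g in $roleGroups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'" -SearchBase $ouDn)) {
        New-ADGroup -Name $g -SamAccountName $g -GroupScope Global -GroupCategory Security `
                    -Path $ouDn -Description 'Membership is synchronized to IFS Applications'
    }
}

# 3. Service account with read access only. An ordinary domain user can already
#    read user and group objects, so no extra group membership or delegation is
#    needed; keep it out of privileged groups.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$svcName'")) {
    $pwd = Read-Host -Prompt "Password for $svcName" -AsSecureString
    New-ADUser -Name $svcName -SamAccountName $svcName `
               -UserPrincipalName "$svcName@$($domain.DNSRoot)" `
               -Path $ouDn -AccountPassword $pwd -Enabled $true `
               -PasswordNeverExpires $true -CannotChangePassword $true `
               -Description 'Read-only bind account for IFS AD synchronization'
}

# 4. List the domain controllers that the configuration can connect to.
Get-ADDomainController -Filter * |
    Select-Object HostName, IPv4Address, Site, IsGlobalCatalog, OperatingSystem |
    Format-Table -AutoSize

# 5. Verify, as the service account, that the groups and their members are readable.
$svcCred = Get-Credential -UserName "$($domain.NetBIOSName)\$svcName" -Message 'Service account password'
foreach ($g in $roleGroups) {
    $members = Get-ADGroupMember -Identity $g -Recursive -Credential $svcCred
    "$g : $($members.Count) member(s)"
}
```

Step 5 is the check worth keeping: if the bind account cannot enumerate the mapped groups, the sync job will silently see empty groups and revoke rather than grant.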

Synchronization process

The synchronization job itself can be divided into separate steps.

  1. User information is transferred from the Active Directory into load tables.
  2. Load tables are processed and user information is synchronized into IFS Applications User Registry.
  3. Load tables are processed and role information is synchronized; permissions are granted or revoked.

The information fetched from the Active Directory is limited to those attributes that are present in the configuration mapping.

Default attribute mappings

A template with a set of mappings is installed by default for new configurations. These mappings might need some adjustments to fit your environment. There is a fixed set of Active Directory attributes available to map onto IFS Applications domain properties. Some mappings can have hard-coded values while others can be left empty if no synchronization is desired.

Role granting

When the synchronization job is fully set up you can start managing users and roles in the Active Directory instead of in IFS Applications. The concept is simple: adding users to a mapped Active Directory group grants them the configured permission sets, while removing users from a group revokes them. If a user does not exist in IFS Applications it will be created.

Note: It is still possible to manage users from within IFS Applications, but such users must not be members of any of the Active Directory groups set up in the configuration. If you make manual changes to a user that is managed by the sync job, those changes will be overwritten by the sync job at the next run. Granting a user a permission set manually might work, as long as that permission set is not configured in any mapping in the configuration. The recommendation is to either let the sync job handle the user or let the system administrator manage the user manually in Solution Manager.
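A dry-run model of the grant/revoke behaviour described above, added here as an example and not code from the IFS sync job. It runs over constructed sample data (placeholder group names, permission sets and users) and reports what the job would do: create users that appear in a mapped group, grant the mapped permission sets, revoke mapped permission sets that Active Directory no longer entitles (including ones granted by hand), and leave unmapped permission sets alone.

```powershell
# Added example: model of the sync job's grant/revoke logic over constructed data.
# The real job reads the mapping from the configuration in Solution Manager.

# AD group -> IFS permission set (placeholders)
$groupMap = @{
    'IFS-Role-Finance'    = 'FINANCE_USER'
    'IFS-Role-Purchasing' = 'PURCH_USER'
}

# Constructed AD state: members per group (Windows usernames)
$adMembers = @{
    'IFS-Role-Finance'    = @('alice', 'bob')
    'IFS-Role-Purchasing' = @('bob', 'carol')
}

# Constructed IFS state: existing users and their current permission sets
$ifsUsers = @{
    'alice' = @('FINANCE_USER')      # already in sync
    'bob'   = @('FINANCE_USER')      # missing PURCH_USER
    'dave'  = @('PURCH_USER')        # no longer in any group -> revoked
    'erin'  = @('LOCAL_ADMIN')       # unmapped set, never touched
}

function Get-SyncActions {
    param([hashtable]$GroupMap, [hashtable]$AdMembers, [hashtable]$IfsUsers)

    # Desired mapped permission sets per user, derived from AD membership only.
    $desired = @{}
    foreach ($group in $GroupMap.Keys) {
        foreach ($user in $AdMembers[$group]) {
            if (-not $desired.ContainsKey($user)) {
                $desired[$user] = [System.Collections.Generic.HashSet[string]]::new()
            }
            [void]$desired[$user].Add($GroupMap[$group])
        }
    }
    $mappedSets = [string[]]$GroupMap.Values
    $actions    = [System.Collections.Generic.List[string]]::new()

    # Users in a mapped group: create if missing, then grant what they lack.
    foreach ($user in $desired.Keys) {
        if ($IfsUsers.ContainsKey($user)) {
            $current = $IfsUsers[$user]
        } else {
            $actions.Add("CREATE user $user")     # a new account; licensing may be affected
            $current = @()
        }
        foreach ($set in $desired[$user]) {
            if ($current -notcontains $set) { $actions.Add("GRANT $set to $user") }
        }
    }

    # Mapped sets held without AD entitlement are revoked, even if granted manually.
    foreach ($user in $IfsUsers.Keys) {
        foreach ($set in $IfsUsers[$user]) {
            $entitled = $desired.ContainsKey($user) -and $desired[$user].Contains($set)
            if (($mappedSets -contains $set) -and -not $entitled) {
                $actions.Add("REVOKE $set from $user")
            }
        }
    }
    return $actions
}

Get-SyncActions -GroupMap $groupMap -AdMembers $adMembers -IfsUsers $ifsUsers
```

For the sample data the model yields CREATE user carol, GRANT PURCH_USER to carol, GRANT PURCH_USER to bob and REVOKE PURCH_USER from dave; erin's LOCAL_ADMIN is untouched because it is not in the mapping. Feeding the model with an AD export and an IFS permission-set export before the first real run is a cheap way to see how many accounts the job would create.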

Logging

There are two different forms available for following up on the synchronization. Both are located under Solution Manager / Security / Users. They give two different views of the log entries that are created when the sync job runs. You can either locate a given sync job by id and timestamp and see which users were affected by it, or, the other way around, look at user accounts and identify which configurations have modified them.

Checklist

Before you start setting up the configuration there are a few things that need consideration.

Active Directory structure and administration

Contact your network administrator to discuss how to organize groups in the Active Directory. Where should the new groups for user and role synchronization be placed? Who should create them? Who should manage the groups and their members?

Identity matching

The synchronization process assumes that the usernames in IFS Applications are the same as the Windows usernames. This is how users are mapped between Active Directory and IFS Applications.

Note: If, for some reason, the username in IFS Applications is not the same as in Windows, you have to manually load the database table AD_USER_MAPPING_TAB with the mappings between the user id in the Active Directory and the user id in the IFS Applications user registry. Otherwise the synchronization process has no knowledge of how users are mapped.

Does your system use ADFS or Azure AD as Open Identity Providers?

If your system is set up to use ADFS or Azure AD as Open Identity Providers for user authentication, make sure when creating a new configuration that the directoryId property of FndUser is mapped to the Active Directory attribute userPrincipalName. This is the default mapping. As authentication is handled by the Active Directory or the Azure Active Directory there is no need to create individual Oracle accounts for each user.

Note: If you are using Azure Active Directory as the Open Identity Provider you will have to enable Domain Services in your Azure AD to be able to perform Active Directory synchronization. More information about how to do this is available in the Azure AD Domain Services documentation.

Does your system use IFS Open Identity Provider?

If your setup is configured to use the IFS Identity Provider, Oracle-based user authentication is used. In this case you need to change the default mappings used in the synchronization: FndUser.DirectoryId should be mapped to the Active Directory attribute sAMAccountName. An Oracle account will be created for new users and the account name will be the standard Windows username.
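A pre-flight check for the identity matching rule and the two directoryId mappings above, added here as an example and not code from IFS. It matches each AD user to the IFS user list by Windows username (sAMAccountName), as the synchronization does, and shows which value FndUser.DirectoryId would receive for the chosen identity provider (userPrincipalName for ADFS / Azure AD, sAMAccountName for the IFS Identity Provider). Sample users, domains and the IFS user list are constructed, and the comparison is assumed to be case-insensitive. Since sAMAccountName is unique only within one domain, the check also flags collisions when users from several domains are synchronized.

```powershell
# Added example: pre-flight identity matching check over constructed data.

$adUsers = @(
    [pscustomobject]@{ domain = 'CORP'; sAMAccountName = 'jdoe';   userPrincipalName = 'john.doe@corp.example' }
    [pscustomobject]@{ domain = 'CORP'; sAMAccountName = 'asmith'; userPrincipalName = 'asmith@corp.example' }
    [pscustomobject]@{ domain = 'CORP'; sAMAccountName = 'newguy'; userPrincipalName = 'newguy@corp.example' }
    [pscustomobject]@{ domain = 'SUB';  sAMAccountName = 'jdoe';   userPrincipalName = 'jdoe@sub.corp.example' }
)
$ifsUsers = @('JDOE', 'ASMITH')   # constructed list of existing IFS user identities

function Test-IdentityMatching {
    param(
        [object[]]$AdUsers,
        [string[]]$IfsUsers,
        [ValidateSet('IFS', 'ADFS')][string]$Provider
    )
    # Attribute that FndUser.DirectoryId is mapped to, per identity-provider mode
    $dirAttr = if ($Provider -eq 'IFS') { 'sAMAccountName' } else { 'userPrincipalName' }

    $known = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]$IfsUsers, [System.StringComparer]::OrdinalIgnoreCase)
    $seen  = [System.Collections.Generic.Dictionary[string, string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)

    foreach ($u in $AdUsers) {
        $key   = $u.sAMAccountName               # matching key: the Windows username
        $adRef = "$($u.domain)\$($u.sAMAccountName)"
        $status = if ($seen.ContainsKey($key)) {
            "COLLISION with $($seen[$key]) (same username in two domains)"
        } elseif ($known.Contains($key)) {
            'MATCH: existing IFS user is updated'
        } else {
            'NO MATCH: user is created, or add a row to AD_USER_MAPPING_TAB'
        }
        if (-not $seen.ContainsKey($key)) { $seen[$key] = $adRef }

        [pscustomobject]@{
            AdUser      = $adRef
            IfsIdentity = $key
            DirectoryId = $u.$dirAttr            # value written to FndUser.DirectoryId
            Status      = $status
        }
    }
}

'--- IFS Identity Provider (DirectoryId = sAMAccountName) ---'
Test-IdentityMatching -AdUsers $adUsers -IfsUsers $ifsUsers -Provider IFS  | Format-Table -AutoSize
'--- ADFS / Azure AD (DirectoryId = userPrincipalName) ---'
Test-IdentityMatching -AdUsers $adUsers -IfsUsers $ifsUsers -Provider ADFS | Format-Table -AutoSize
```

For the sample data, CORP\jdoe and CORP\asmith match existing IFS users, CORP\newguy would be created by the job, and SUB\jdoe collides with CORP\jdoe; a collision like that has to be resolved in AD_USER_MAPPING_TAB (or by excluding one domain) before the first real run, regardless of which identity provider is in use.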