Set up app-specific provisioning

Provisioning automatically adds or removes user accounts in the target application by syncing attributes from the source directory. Whenever you make changes to a mapped role or a source directory object in a mapped role (i.e., users or groups), Idaptive Identity Service automatically synchronizes the changes in the target application.

Provisioning is based on roles; users and groups must be members of a mapped role to have accounts provisioned in the target application. You can't provision individual users that are not members of a role.

Idaptive Identity Service can synchronize user accounts from Active Directory, LDAP, the Idaptive Directory, or any combination of those sources.

What you do to set up user provisioning for applications (an overview)

  1. Open an application’s Provisioning tab and select Enable provisioning for this application.
  2. Select either Preview Mode or Live Mode.

    • Preview Mode: Use Preview Mode when you’re initially testing the application provisioning or making configuration changes. When the identity platform next runs a synchronization job, it processes this application but does not save any user account changes in the application. When you’re sure that the provisioning configuration is correct and the preview results match what you expect, you then enable the application for Live Mode.
    • Live Mode: Use Live Mode when you want to use application provisioning in your production system. The identity platform does the provisioning run and saves the changes to both the identity platform and the application’s account information.
  3. Enter and verify the provisioning credentials or select authorize to connect with the application provisioning APIs.

    The credential values are obtained from the administrator page for each application. Each application is different, so the credentials and field values that you supply will vary.

  4. Add Admin Portal roles to the application, and map those Admin Portal roles to groups, roles, or other similar items that are defined in the target web application.

    The connection of the Admin Portal role to the target application role (or other item) is a role mapping. Each application is different and what you can map a role to is different for each application.

    You specify which users have access to the application with the roles you add in the application’s User Access tab. You specify what kind of access those users have in the target application by assigning roles in the application’s Provisioning > Role Mappings area.

  5. Synchronize the user accounts in your directory service with the accounts in the application.

    Refer to Provisioned account synchronization options for more information.
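
The following is an added illustration, not Idaptive code or its API: a simplified Python model of a role-based synchronization run, showing which account changes a Preview Mode run would report and a Live Mode run would save. All function names and sample data are constructed. The model assumes that every account in the target application is managed by provisioning and that a user in several mapped roles receives every mapped target role.

```python
# Simplified model of role-based provisioning (added illustration, not product code).
# All names and sample data below are constructed for this example.

def plan_sync(role_members, role_mappings, target_accounts):
    """Return the ordered list of changes a synchronization run would make.

    role_members:    Admin Portal role -> set of users in that role
    role_mappings:   Admin Portal role -> role or group in the target application
    target_accounts: user -> set of target roles the account currently holds
    """
    desired = {}
    for role, target_role in role_mappings.items():
        # Only members of a *mapped* role are provisioned.
        for user in role_members.get(role, set()):
            desired.setdefault(user, set()).add(target_role)
    plan = []
    for user in sorted(desired.keys() | target_accounts.keys()):
        want, have = desired.get(user), target_accounts.get(user)
        if have is None:
            plan.append(("create", user, sorted(want)))
        elif want is None:
            plan.append(("remove", user, sorted(have)))
        elif want != have:
            plan.append(("update", user, sorted(want)))
    return plan

def run_sync(role_members, role_mappings, target_accounts, live=False):
    """Preview (live=False) only reports the plan; live also saves it."""
    plan = plan_sync(role_members, role_mappings, target_accounts)
    if live:
        for action, user, roles in plan:
            if action == "remove":
                del target_accounts[user]
            else:
                target_accounts[user] = set(roles)
    return plan

# Constructed sample data: dave is only in an unmapped role, carol is in no role.
ROLE_MEMBERS = {"Sales": {"alice", "bob"}, "Sales Admins": {"alice"},
                "Unmapped": {"dave"}}
ROLE_MAPPINGS = {"Sales": "Standard User", "Sales Admins": "Administrator"}
TARGET = {"bob": {"Administrator"}, "carol": {"Standard User"}}

if __name__ == "__main__":
    for change in run_sync(ROLE_MEMBERS, ROLE_MAPPINGS, TARGET, live=False):
        print(change)
```

Reviewing the "remove" and "update" entries of a preview run before switching to Live Mode is how unexpected account removals or privilege changes are caught.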