To make creating new users easier, we now introduce WATS Provisioning. WATS Provisioning is an addition to the existing API to allow WATS to communicate with SCIM-compliant provisioners to automatically create, update, and disable/delete user accounts in WATS.
SCIM (System for Cross-domain Identity Management) is a specification for provisioning users across domains: it defines a common user schema and a fixed set of REST API operations (create, read, update, deactivate/delete) that any compliant identity provider can drive. Read more about it here: IETF RFC7644
For WATS, Azure is the intended and only officially supported provisioner, but users can experiment with other SCIM-compliant providers (Okta, Google) as well.
WATS Provisioning is meant to be used alongside Azure AD Authentication. To enable, see Azure AD integration.
NOTE: WATS Provisioning is supported from WATS version 23.1
We are in dialogue with Microsoft to provide an official Azure AD Gallery application to make the setup process as easy as possible. Until this is resolved please use the following method to set up your own Azure Enterprise Application to use with WATS Provisioning:
- Log in to the Azure portal with your Azure account.
- Navigate to your Azure Active Directory and go to the "Enterprise applications" tab on the left-hand menu.
- Click on the "New application" button, then "Create your own application", and select "non-gallery application".
- Fill out the necessary details; use an easy-to-recognise name such as "WATS Provisioning". Click "Add" to create the application.
- After the application is created, we recommend opening the "Properties" tab and setting "Assignment required" to Yes and "Visible to users" to No, so that only users and groups you explicitly assign can use the application and it does not appear in users' app launcher.
- Select "Provisioning" from the left-hand menu and click on "Get Started."
- Under “Admin Credentials”, fill the “Tenant URL” field with "https://<your_WATS_instance_url>/api/SCIM/v2/".
- Generate a secret token by opening https://<your_WATS_instance_url>/api/SCIM/v2/Token?duration=90 (change 90 to the desired token lifetime in days) or through the WATS API (see here), and paste it into the “Secret Token” field. The token is a bearer credential that lets its holder create, update and disable WATS users, so treat it like a password: store it only in this field, and note its expiry date so you can issue a replacement before provisioning starts failing. The fields should look something like this:
- Click “Test Connection”. If the token or URL cannot be verified, Azure will return an error.
- Under “Mappings”, click “Provision Azure Active Directory Groups”, set “Enabled” to No, then save.
- Under “Mappings”, click “Provision Azure Active Directory Users” and ensure the “Attribute Mappings” are set to these values:

  Azure Active Directory attribute                 WATS SCIM attribute
  userPrincipalName                                userName
  mail                                             emails[type eq "work"].value
  givenName                                        name.givenName
  surname                                          name.familyName
  SingleAppRoleAssignment([appRoleAssignments])    roles[primary eq "true"].value
  IIF([IsSoftDeleted], "false", "true")            active

  Note: SingleAppRoleAssignment and IIF require "Mapping Type" to be set to "Expression":
- Ensure all values are the same as provided above. userPrincipalName is used to match objects and should be the only field with a "Matching Precedence"; leave that column empty for the other fields. If using a provisioner other than Azure, add a mapping named "PasswordSignInEnabled" and set it to true; otherwise users will not be able to log in until an administrator or manager enables local login for them.
- Click Save.
- Under “Settings” in the “Provisioning” tab, set “Scope” to “Sync only assigned users and groups”. Fill out the other fields as desired.
- When finished, toggle “Provisioning Status” to On and click Save.
Azure will now connect to WATS and start the provisioning cycle.
You can now add users under the “Users and groups” tab and Azure will automatically provision them on a 40-minute cycle (Azure-defined, this cannot be changed).
By default, WATS assigns the “Analyzer” role when it creates a new user. We recommend creating app roles in the Azure application that mirror the WATS roles, so that user roles can be assigned in Azure and synchronised to WATS:
- Log in to the Azure portal with your Azure account.
- Navigate to your Azure Active Directory and go to the "App Registrations" tab.
- Find the Enterprise application you created above in the list.
- From the left-hand menu, select “App roles”.
- Click “Create app role”.
From here, you can create roles for the standard WATS roles (Administrator, Viewer, Analyzer, Manager, Operator). Custom roles are not supported.
An example setup can be seen in the screenshot below:
Note: For each role, assign the base role under Value. For Administrator role add Administrator, for Viewer add Viewer, and so on.
Here is a full example of all WATS standard roles and their properties:
After setting up roles, you can go back to the Enterprise Application by navigating back to your Azure Active Directory, then selecting your application under Enterprise applications in the left-hand menu, where you now can (after Azure syncs the roles) assign groups or individual users to the roles you created. The role sync can take up to an hour.
We recommend creating an individual Azure Active Directory role for each WATS role to make assigning new users easier, or reusing suitable roles that already exist in your directory.
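To make the attribute mappings and the role handling above concrete, here is an added example (not WATS or Microsoft code) that simulates, offline, what the provisioner produces for a given Azure user: the SingleAppRoleAssignment and IIF expressions, the emails[type eq "work"] and roles[primary eq "true"] targets, the default "Analyzer" role when no app role arrives, and the PasswordSignInEnabled mapping for non-Azure provisioners. The user records, the app-role values and the placement of PasswordSignInEnabled as a top-level attribute are constructed assumptions; the WATS SCIM endpoint is never contacted.

```python
"""Simulate the Azure AD -> WATS SCIM attribute mappings described above.

Added example, not WATS or Microsoft code. User records are constructed sample
data; nothing is sent to a WATS instance.
"""
import json

# Standard WATS roles named on the page; an app role's "Value" must be one of these.
WATS_ROLES = {"Administrator", "Viewer", "Analyzer", "Manager", "Operator"}
DEFAULT_ROLE = "Analyzer"  # what WATS assigns when a new user arrives without a role


def single_app_role_assignment(app_role_assignments):
    """Model of SingleAppRoleAssignment([appRoleAssignments]).

    Returns the single assigned role name, or None if the user has no app role.
    Assumption: a user should hold at most one app role for this application;
    this simulation rejects ambiguous input rather than silently picking one.
    """
    if not app_role_assignments:
        return None
    if len(app_role_assignments) > 1:
        raise ValueError("user has more than one app role assignment: %r" % (app_role_assignments,))
    return app_role_assignments[0]


def iif_active(is_soft_deleted):
    """Model of IIF([IsSoftDeleted], "false", "true"): a soft-deleted user is sent as active=false."""
    return not bool(is_soft_deleted)


def azure_user_to_scim(user, other_provisioner=False):
    """Apply the mapping table to a constructed Azure user record and return the SCIM User body.

    `user` keys mirror the Azure attribute names in the mapping table.
    `other_provisioner=True` adds the PasswordSignInEnabled mapping the page requires
    when the provisioner is not Azure (top-level placement is an assumption).
    """
    role = single_app_role_assignment(user.get("appRoleAssignments", []))
    scim = {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": user["userPrincipalName"],                       # the matching attribute
        "emails": [{"type": "work", "value": user["mail"]}] if user.get("mail") else [],
        "name": {"givenName": user.get("givenName", ""), "familyName": user.get("surname", "")},
        "active": iif_active(user.get("IsSoftDeleted", False)),      # disable, do not delete
    }
    if role is not None:
        scim["roles"] = [{"primary": True, "value": role}]
    if other_provisioner:
        scim["PasswordSignInEnabled"] = True
    return scim


def effective_wats_role(scim_user):
    """Role WATS would apply: the primary role if one arrived, otherwise the documented default."""
    for r in scim_user.get("roles", []):
        if r.get("primary") is True:
            return r["value"]
    return DEFAULT_ROLE


def check_scim_user(scim_user):
    """Sanity-check a payload against the mapping rules. Returns a list of problems (empty means OK)."""
    problems = []
    if not scim_user.get("userName"):
        problems.append("userName (from userPrincipalName) is empty; Azure cannot match the object")
    if not any(e.get("type") == "work" for e in scim_user.get("emails", [])):
        problems.append('no emails[type eq "work"] entry')
    primaries = [r for r in scim_user.get("roles", []) if r.get("primary") is True]
    if len(primaries) > 1:
        problems.append("more than one primary role")
    for r in primaries:
        if r["value"] not in WATS_ROLES:
            problems.append("role %r is not a standard WATS role (custom roles are not supported)" % r["value"])
    if not isinstance(scim_user.get("active"), bool):
        problems.append("active must be a boolean")
    return problems


# Constructed sample directory records, not real data.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.com", "mail": "alice@example.com", "givenName": "Alice",
     "surname": "Andersen", "appRoleAssignments": ["Manager"], "IsSoftDeleted": False},
    {"userPrincipalName": "bob@example.com", "mail": "bob@example.com", "givenName": "Bob",
     "surname": "Berg", "appRoleAssignments": [], "IsSoftDeleted": False},        # no role -> Analyzer
    {"userPrincipalName": "carol@example.com", "mail": "carol@example.com", "givenName": "Carol",
     "surname": "Carlsen", "appRoleAssignments": ["Administrator"], "IsSoftDeleted": True},  # soft-deleted
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        body = azure_user_to_scim(u)
        print(json.dumps(body, indent=2))
        print("WATS role:", effective_wats_role(body), "| problems:", check_scim_user(body))
```

Running it shows the three cases a practitioner usually has to reason about: a user with one app role is sent with that role as primary, a user with no app role is sent without a roles attribute and ends up as "Analyzer" on the WATS side, and a soft-deleted user is sent with active=false rather than being deleted, so the account can be re-enabled if the user is restored in Azure.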