
Provisioning users in SSO environment

Definition of our use case: We have a need to manage 2 distinct user segments in WF.

- All production, leadership, and system admins: these people could have shifting Access Levels depending on changes in roles, temporary needs, or testing requirements -- we want to be able to control their Access Levels manually.
- All other members of the organization (000's) should be able to access WF as Reviewers -- we would like these to be auto-provisioned as Reviewers.

Our organization is managed via SSO and only membership in a defined AD group allows authentication into WF. For anyone to access WF, we have to set up their WF account manually and then add them to the AD group (which means a separate tool that requires changes be submitted and approved by a supervisor(s)).

Our IT group wants to set up a separate AD group for each WF Access Level (7 versions) and authenticate/auto-provision everyone that way. So, as we need to change users' Access Levels, we wouldn't touch WF but move them from one AD group to another. This seems fraught with possible errors and is cumbersome for SysAdmins, especially as we want to change users' Access Levels.

As I understand it, auto-provisioning accounts means WF accounts are provisioned each login. Would this remove other user settings, like Custom Forms or profile pics, each time they logged in?

Are there any best practices or solutions out there for an organization like ours?

Steve
1 Reply

Hi Steve,

We don't generally recommend provisioning access levels, as there have been times in the past where we've seen the last admin get moved over to a non-admin group, and then nobody has admin access anymore. Bar that risk, it is entirely possible for you to set up; my only concern is limiting access to users that have access to move accounts between groups.

Also, the way that the auto-provisioner works is it checks the fields that are set in the attribute mapping. Profile pictures, groups, teams, etc., do not change unless they are mapped out. Throwing it out there, the minimum required to enable auto provisioning is a first name, last name, and email address field, though I'm sure you are aware of that.

I would suggest working with our Support team to ensure that everything is configured in your preview environment and working as expected before even considering it in production.

Thanks!

Dustin Martin
Assigned Support Engineer
Workfront
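As an added example (not Workfront's code or Steve's configuration), the script below simulates the AD-group-driven provisioning discussed in this thread: on each login only the mapped fields and the access level are overwritten, so unmapped data such as a profile picture survives, and a run that would demote the last remaining admin is refused, which is the failure mode Dustin describes. The group names, level names, attribute shape and in-memory user store are assumptions made for the example.

```python
from typing import Dict, List

# Hypothetical AD group -> WF access level mapping (constructed for this example;
# listed from most to least privileged, and the first match wins).
GROUP_TO_LEVEL = {
    "WF-SysAdmin": "System Administrator",
    "WF-Planner": "Planner",
    "WF-Worker": "Worker",
    "WF-Reviewer": "Reviewer",
}
DEFAULT_LEVEL = "Reviewer"            # everyone with no mapped group lands here
ADMIN_LEVEL = "System Administrator"

# The only attributes the provisioner is mapped to overwrite on login.
MAPPED_FIELDS = ("first_name", "last_name", "email")


class LastAdminError(Exception):
    """Raised when a login would leave the tenant with no admin at all."""


def level_for_groups(groups: List[str]) -> str:
    """Pick the access level from AD group membership; unmatched -> Reviewer."""
    for group, level in GROUP_TO_LEVEL.items():
        if group in groups:
            return level
    return DEFAULT_LEVEL


def provision(users: Dict[str, dict], assertion: dict) -> dict:
    """Apply one SSO login's attributes to the (assumed) user store.

    Only MAPPED_FIELDS and access_level are written; any other stored data
    (profile_pic, custom form values, ...) is carried over untouched.
    """
    email = assertion["email"]
    current = users.get(email, {"access_level": DEFAULT_LEVEL})
    new_level = level_for_groups(assertion.get("groups", []))

    # Safeguard: never let a group move strip the last admin from the system.
    if current.get("access_level") == ADMIN_LEVEL and new_level != ADMIN_LEVEL:
        others = [e for e, u in users.items()
                  if e != email and u.get("access_level") == ADMIN_LEVEL]
        if not others:
            raise LastAdminError(f"{email} is the last admin; refusing to demote")

    updated = dict(current)           # unmapped fields survive the login
    for field in MAPPED_FIELDS:
        if field in assertion:
            updated[field] = assertion[field]
    updated["access_level"] = new_level
    users[email] = updated
    return updated
```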