Easily manage your team in Timeneye, leveraging the Azure AD provisioning capabilities.
🌟 This feature is included in the ENTERPRISE Plan
System for Cross-domain Identity Management (also known as "SCIM") is a protocol for user management across multiple applications. It allows an IT or Operations team to easily provision (add), de-provision (deactivate), and update user data across multiple applications at once.
To set up SCIM provisioning in Azure AD you will need to have the involvement of both the timeneye.com admin and the manager of your Azure AD account.
SCIM capabilities supported in timeneye.com
-
Provisioning of Users
-
De-provisioning of Users
-
Updating User Details
Configuration
-
Step 1 - Create a Timeneye Provisioning enterprise app
Go to your Azure AD homepage and click "Enterprise Applications" on the left pane.
Then, click the New application button:
Then click on the "+ Create your own application" button in the top bar; insert a name for the application (e.g. Timeneye Provisioning) and select the option "Integrate any other application you don't find in the gallery (Non-gallery)"; click on the "Create" button at the bottom of the side dialog.
-
Step 2 - Go to Provisioning
Go to the Manage > Provisioning section and click "Get Started".
On the following page, select the "Automatic" Provisioning Mode.
In the "Admin Credentials" section, enter the following:
-
Tenant URL:
This should be: https://api.timeneye.com/scim/v2 -
Secret Token:
This should be taken from your timeneye.com user settings (see instructions below)
You can go to timeneye.com App & User settings section to get the provisioning token.
-
Open up your timeneye.com account
-
Click on Your-User-Name button (bottom of left sidebar) > Personal settings
-
Go to the Third-party apps tab
-
Click on "+ Issue new personal access token"
-
Give it a name, for example, "SCIM access token"
-
Copy the obtained access token (it won't be available anymore after you leave the page)
Notice: the access token will expire a year after the creation -
Paste it in Azure AD
Click Test Connection button to verify the credentials that are authorized for provisioning:
Click "Save" on the left-hand side of the page to save the configuration.
Under Settings, make sure to set the scope to "Sync only assigned users and groups":
Important Note: For security measures, we recommend that you verify that the Scope is set to "Sync only assigned users and groups" before starting provisioning. This will ensure that the provisioning will be limited to assigned users/groups only, and that no other Azure AD users will have access to timeneye.com unintentionally.
Under Mappings, select Provision Azure Active Directory Groups, disable the provisioning, and click Save; Timeneye does not currently support the groups provisioning.
Set Up User Provisioning
Go back to the application main page, and then go to "Users and groups":
Click "Add user":
Then, click "Users and groups":
Search for users and select them from the list, and then click the "Select" button at the bottom of the screen.
Select a role for the selected users (see section below for details on how to create roles):
all the selected users will be assigned to the selected role. If you plan to provision users with different roles, you'll have to select them in different batches.
Click the "Assign" button at the bottom-left side:
Note: If you deprovision a user from the timeneye.com app, the user will exist in timeneye.com as an inactive user and will not be counted towards your timeneye.com user count.
User Attributes
These fields are supported for mapping user attributes:
-
Name (can’t contain special characters)
-
Email (must be lowercase)
-
Job Title (user’s position in the company)
-
Active (whether or not a user is enabled or disabled)
-
Microsoft ID
-
Role (owner, admin, or member)
Edit attribute mapping
In order for the provisioning to work correctly, you'll need to edit the attribute mappings. This step is needed to map the Azure AD attributes to the SCIM attributes supported by Timeneye.
-
In the Azure AD provisioning section, click on "Provision Azure Active Directory Users" in the Mappings section.
Use the "Add new mapping" button to add the attribute mappings. -
The mapping should be exactly like the table below:
Azure Active Directory Attribute
customappsso Attribute
Mapping Type
userPrincipalName
userName
Direct
Switch([IsSoftDeleted], , "False", "True", "True", "False")
active
Expression
displayName
displayName
Direct
jobTitle
title
Direct
Join(" ", [givenName], [surname])
name.formatted
Expression
Switch([IsSoftDeleted], , "False", "True", "True", "False")
urn:ietf:params:scim:schemas:core:2.0:User:active
Expression
objectId
urn:ietf:params:scim:schemas:core:2.0:User:microsoftId
Direct
SingleAppRoleAssignment([appRoleAssignments])
urn:ietf:params:scim:schemas:core:2.0:User:role
Expression
The settings for the objectId attribute must be the following:
• Mapping type: Direct
• Source attribute: objectId
• Target attribute: urn:ietf:params:scim:schemas:core:2.0:User:microsoftId
• Match objects using this attribute: Yes
• Matching precedence: 1
• Apply this mapping: Always
The settings for the userPrincipalName attribute must be the following:
• Mapping type: Direct
• Source attribute: userPrincipalName
• Target attribute: userName
• Match objects using this attribute: Yes
• Matching precedence: 2
• Apply this mapping: Always -
Once done, click the Save button in the top bar.
Notice: take particular care in the settings of userPrincipalName and objectId. These parameters are essential for matching the users in your Timeneye account.
Provisioning role
-
Go to Azure AD and click on "App registrations" and search for the timeneye.com application.
-
After selecting the timeneye.com app, navigate to "App roles" where you can view all roles and then click on "Create app role":
-
Insert "Mmber" as Display name, "member" as Value and select Users/Groups as Allowed member types. Check "Do you want to enable this app role?" checkbox.
-
Repeat the step 3 for roles "Owner" and "Admin"
Note: it is important to check the spelling of the Display name and Value of the roles to be correct, otherwise the role won't be correctly provisioned.
Now you can select the role when selecting the users to be provisioned.
Start provisioning
To start provisioning, set Provisioning Status to "On":
Click "Save" on the left-hand side of the page to save the Provisioning Status.
Note: Provisioning sync is done every 40 minutes.
FAQs
-
What happens if the admin who set up the initial SCIM token is no longer admin (their role changed or they were deactivated)?
The access token generated by the admin will still be valid until its expiration (1 year), the SCIM sync will continue to work. -
What happens if I change my personal attributes in my timeneye.com account?
The sync with Azure AD is a one-way sync, and any changes made to a user profile in the timeneye.com profile or teams page will be overwritten the next time Azure AD syncs with your account.
This means that to change any attributes of the user profile, you will need to update them in Azure AD.