Configuring external user provisioning
Enabling external user provisioning allows automatic user management from one identity provider data source by leveraging the System for Cross-domain Identity Management (SCIM).
Permissions
External user provisioning needs to be enabled in Diligent One and set up in an identity provider. To configure external user provisioning for an organization, someone with System Admin permissions in Diligent One and someone with administrative permissions in the identity provider is required. These permissions may be held by one person or multiple people who will need to coordinate the external user provisioning set up. In general, this should only need to be set up once, and then the system runs on its own.
Requirements
Diligent One supports user provisioning via SCIM 2.0 to enable automatic user management from one data source.
Supported operations
Once external user provisioning is enabled, adding or removing users from an organization and updating user profiles is automatically pushed to Diligent One from an identity provider.
In the future, support is planned for the following operations: group assignment and group management (add and delete).
When you enable external user provisioning, it doesn't remove the ability to manually add and manage users directly in Diligent One. By enabling external user provisioning, you are adding to your user management options and can use both in a hybrid solution.
To clarify, users exclusively added in Diligent One, that are not synched with the identity provider, can only be managed in Diligent One. Users synched from an identity provider should only be managed in the identity provider. If changes are made to synched users in Diligent One, the changes will be overwritten in the next synch. See Support for hybrid user provisioning.
Support for hybrid user provisioning
Ideally, the identity provider would operate as the single source for all users to streamline and automate user management. However, there may still be scenarios where a hybrid solution is the best way to manage users in your system. For example, you might not need to add users to an identity provider if those users only require temporary access for the purposes of troubleshooting or consulting.
In a hybrid solution, users exclusively added in Diligent One, that are not synched with the identity provider, can only be managed in Diligent One. Users synched from an identity provider should only be managed in the identity provider.
Important
The following information is intended to make you aware of potential issues that may arise from a hybrid solution so that you can make the best choice for your organization and avoid these issues:
- Currently, in Diligent One, there is no visual distinction between users managed via the identity provider and those manually added in Diligent One.
- Users manually added in Diligent One and not synched with the identity provider, only exist in Diligent One and can only be managed in Diligent One.
- Do not manage user updates in Diligent One if the user is already synched from the identity provider. If a user that is synched with the identity provider is edited in Diligent One, those edits will be overwritten by a subsequent, automated sync from the identity provider. If a user is synched, the identity provider is the single, trusted source that the profile will default to. In this case, any changes should be made in the identity provider, so that they will be pushed to Diligent One.
- While the risk is low, removing a synched user from Diligent One before that user is removed from the identity provider could result in automation failures in the external source. If this does happen, manual action may be required in the external source to re-sync the Diligent One with the identity provider. If this happens, contact Support for assistance.
Limitations
External user provisioning is limited to one integration per organization.
Enable external user provisioning in Diligent One
Setting up external user provisioning requires the following:
-
Enabling external user provisioning in Diligent One Platform.
-
Setting up your identity provider.
Enabling external user provisioning in Diligent One Platform
By enabling external user provisioning in Diligent One, an API key is generated to add to your identity provider to complete the set up process.
-
Open the Launchpad home page (www.diligentoneplatform.com).
Note
-
If your company uses more than one instance in Launchpad, make sure the appropriate instance is active.
-
Diligent One Platform also supports the domain www.highbond.com. For more information, see Supported domains.
-
-
From the left navigation, select Platform Settings, and under Organization management, select Organization.
-
On the page that appears, select Manage user provisioning.
The User provisioning page appears.
- On the User provisioning page, select Create.
- From the Provisioning set up details side panel that appears, copy the generated API key and base URL.
- Save the values in a secure place before you close the Provisioning set up details side panel.
Caution
For security reasons, this is the only time you can access the API key. If you do not save the API key, lose, or forget it, you need to generate a new one. For more information, see Refresh tokens for external user provisioning.
- Close the panel.
The User provisioning page displays the details and the number of days until the API key expires.
NoteAfter you enable external user provisioning, you still have the option to add and remove users manually to grant short term access for scenarios such as support troubleshooting and consulting. However, this should be done with caution, as it may cause syncing issues. For more information, see Support for hybrid user provisioning.
Setting up your identity provider details
After enabling external user provisioning in Diligent One, you must configure it in your identity provider to complete the setup. Refer to your identity provider's documentation for specific setup instructions, as the process may vary depending on the provider.
While other identity providers that support SCIM 2.0 may be compatible with this solution, we actively test and support the following identity providers:
- Microsoft Entra (formerly Azure Active Directory): Configuring external user provisioning for Microsoft Entra
- Okta:
- Ping One: Creating a SCIM connection
- One Login: Create a SCIM app (Recommended schema: SCIM V2.0 - Core schema)
SCIM attribute mapping
The following table demonstrates how Diligent One attributes map to standard SCIM attributes.
Core user schema
| SCIM attribute name | Diligent One attribute name | Mandatory at user creation |
|---|---|---|
| userName | Yes | |
| name.givenName | First Name | Yes |
| name.familyName | Last Name | Yes |
| title | Title | No |
| name.initials | Initials | No |
| phoneNumbers(type work).value | Phone Number | No |
| phoneNumbers(type extension).value | Phone Extension | No |
| name.middleName | Middle Name | No |
| addresses[type eq "work"].streetAddress | Office Address line 1 | No |
| addresses[type eq "work"].streetAddress2 | Office Address line 2 | No |
| addresses[type eq "work"].locality | Office Address City | No |
| addresses[type eq "work"].region | Office Address State | No |
| addresses[type eq "work"].country | Office Address Country | No |
| addresses[type eq "work"].postalCode | Office Address Postal Code | No |
| addresses[type eq "work"].location | Office location | No |
| phoneNumbers[type eq "home"].value | Home Phone | No |
| phoneNumbers(type mobile).value | Mobile Phone | No |
| phoneNumbers[type eq "mobile"].value | Secondary Email | No |
Policy manager extension
There are up to 13 optional fields that can be populated through SCIM by mapping an attribute of a user in the identity provider to the following SCIM attribute:
urn:ietf:params:scim:schemas:extension:Diligent:2.0:User:externalField<insert_field_number>Value
Address expiring tokens
When a token is about to expire, the admins receive emails 30 days, five days, and one day in advance. A final email is sent upon expiration. Emails continue until the token is deleted or expires. When it expires, all dependent processes fail unless replaced.
Refresh tokens for external user provisioning
A token needs refreshing if it is lost, forgotten, nearing expiration, or expired. To avoid syncing issues, ensure you complete the process in one sitting. Coordinate with your IT department or an administrator, as the token you generate in Diligent One Platform must also be implemented in your identity provider.
To refresh a token, follow these steps:
-
Open the Launchpad home page (www.diligentoneplatform.com).
Note
Diligent One Platform also supports the domain www.highbond.com. For more information, see Supported domains.
Note
If your company uses more than one instance in Launchpad, make sure the appropriate instance is active.
-
From the left navigation, select Platform Settings, and under Organization management, select Organization.
-
On the page that appears, select Manage user provisioning.
The User provisioning page appears.
- On the User provisioning page, next to the API key field, select Generate new.
- From the Provisioning set up details side panel that appears, copy the generated API key.
- Save the value in a secure place before you close the Provisioning set up details side panel.
Caution
For security reasons, this is the only time you can access the API key.
- Close the panel.
The User provisioning page displays the details and the number of days until the API key expires.
-
Go to your identity provider, and do the following:
-
Ensure that your identity provider is using the new token.
-
Follow their instructions to keep your users in sync.
-
-
In the Diligent One Platform, on the User provisioning page, delete the token that is nearing expiration.
Disable external user provisioning in Diligent One Platform
The effects of removing user provisioning are as follows:
-
The existing API keys are revoked instantly.
-
User syncs stop.
-
The user management is only available locally in Diligent One Platform.
To disable external user provisioning to manually manage users via Diligent One exclusively, you must first disable external user provisioning in your identity provider. How you disable depends on your specific identity provider. For more information, see Setting up your identity provider details.
When external user provisioning is disabled in Diligent One, it no longer pulls user data from your identity provider, but the identity provider still sends user data as normal which causes it to fail. To avoid this, external user provisioning needs to be disabled from the identity provider. This may require coordination with your IT department or whoever has the appropriate permissions for your identity provider.
After disabling external user provisioning in your identity provider, do the following:
-
Open the Launchpad home page (www.diligentoneplatform.com).
Note
Diligent One Platform also supports the domain www.highbond.com. For more information, see Supported domains.
Note
If your company uses more than one instance in Launchpad, make sure the appropriate instance is active.
-
From the left navigation, select Platform Settings, and under Organization management, select Organization.
-
On the page that appears, select Manage user provisioning.
The User provisioning page appears.
-
On the User provisioning page, select Remove.
-
In the Remove user provisioning dialog box that appears, review the effects of removing user provisioning, and select Remove.
