User provisioning via Azure Active Directory

What is SCIM?

SCIM 2.0 is a specification of a REST-like protocol for one-directional provisioning of users over HTTP. Your existing identity management system can be configured to automatically synchronize changes made to its database to a third party application like Leapsome.

In the SCIM protocol, the central identity management system is called the identity provider and the third party application is called a service provider. By configuring Leapsome as a service provider with your existing identity management system, your organization will be able to take full advantage of automatic account provisioning.

What does the Active Directory integration do?

Once set up, the integration allows you to automatically

• Create users (email, firstname, lastname, title, manager)
• Update users 
• Deactivate / Reactivate users 
• Delete users
• Create teams (groups) 
• Assign teams (groups) to users 

Importantly, Active Directory will be treated as the source of truth: Any changes you make in Active Directory will be reflected in Leapsome, even if that means overriding changes made in Leapsome.

How to set it up

Create new application

• In your Azure Active Directory, go to "Enterprise Applications"
• Select "New application"
• Choose "Non-gallery application"
• You will be asked for a name, pick "Leapsome"
• Click "Save"

Configure Provisioning

• Go to the "Provisioning" tab in your new application
• From the "Provisioning mode" dropdown, select "Automatic provisioning"
• For the tenant URL, enter "https://www.leapsome.com/api"
• To obtain your secret token, enter your Leapsome administrator account, go to your "Admin settings", select "SCIM user provisioning", and click "Save & generate token".
• Enter your new secret token on the Active Directory Application page and click "Test connection"; a success message should appear.
• Click "Save" at the top of your screen.

Configure Mapping

• In the "Mappings" section, click on "Synchronize ... Groups ..."
• Adjust your Group mappings so that the result matches the following screenshot (any other mappings should be deleted):
  
  
• Save your changes
  
  
• Similarly, click on "Synchronize ... Users ..."
• Adjust your User mappings so that the result matches the following screenshot (any other mappings should be deleted). Importantly, please make sure that matching is based on userName and that the corresponding Active Directory value is the email address of the user:
  
  
  
  
• Save your changes

Assigning users and groups

• Go to the "Users and groups" tabs
• Add all groups that should be created as teams on Leapsome (based on the AD / SCIM logic, this only creates the corresponding group, not its members!)
• Add all users that should get a Leapsome user account (simply adding groups containing users as members is not sufficient)
• Example:
  • InActive Directory, you have the group "Management" with 3 assigned users - Sarah, Tim and Jack.
  • In Active Directory, you add the group "Management" and the user "Sarah" to the Leapsome app.
  • On Leapsome, the Active Directory SCIM connection will create the user "Sarah" (but not Tim and Jack) and the team "Management".
  • On Leapsome, Sarah will be assigned to the Management team.

Provisioning status

• Select "Sync only assigned users and groups" for the Scope
• Switch Provisioning status to "On"
• Save your changes

That's it - you're all set. Please get in touch with our support team if you have any questions!

Sidenote: On-premise vs. Azure Active Directory

User provisioning through SCIM 2.0 is only available through the hosted AD version called Azure Active Directory. If you are currently using an on-premise Active Directory solution it will need to first be configured to sync its data to Azure Active Directory using Azure AD Connect, as described in this article.