User provisioning via Azure Active Directory

What is SCIM?

SCIM 2.0 is a specification of a REST-like protocol for one-directional provisioning of users over HTTP. Your existing identity management system can be configured to automatically synchronize changes made to its database to a third party application like Leapsome.

In the SCIM protocol, the central identity management system is called the identity provider and the third party application is called a service provider. By configuring Leapsome as a service provider with your existing identity management system, your organization will be able to take full advantage of automatic account provisioning.

What does the Active Directory integration do?

Once set up, the integration allows you to automatically

• Create users (email, firstname, lastname, title, manager)
• Update users 
• Deactivate/Reactivate users 
• Delete users
• Create teams (groups) 
• Assign teams (groups) to users 

Importantly, Active Directory will be treated as the source of truth: Any changes you make in Active Directory will be reflected in Leapsome, even if that means overriding changes made in Leapsome.

How to set it up

Create new application

• In your Azure Active Directory, go to "Enterprise Applications"
• Select "New application"
• Choose "Non-gallery application"
• You will be asked for a name, pick "Leapsome"
• Click "Save"

Configure Provisioning

• Go to the "Provisioning" tab in your new application
• From the "Provisioning mode" dropdown, select "Automatic provisioning"
• For the tenant URL, enter "https://www.leapsome.com/api" (Active Directory can be a bit picky here - sometimes you need to enter "https://www.leapsome.com/api/scim")
• To obtain your secret token, enter your Leapsome administrator account, go to your "Admin settings", select "SCIM user provisioning", and click "Save & generate token".
• Enter your new secret token on the Active Directory Application page and click "Test connection"; a success message should appear.
• Click "Save" at the top of your screen.

Configure Mapping

• In the "Mappings" section, click on "Synchronize ... Groups ..."
• Adjust your Group mappings so that the result matches the following screenshot (any other mappings should be deleted):
  
  
• Save your changes
  
  
• Similarly, click on "Synchronize ... Users ..."
• Adjust your User mappings so that the result matches the following screenshot (any other mappings should be deleted). Importantly, please make sure that matching is based on userName and that the corresponding Active Directory value is the email address of the user:
  
  
  
  
• Save your changes

Assigning users and groups

• Go to the "Users and groups" tabs
• Add all users/groups that should be present on Leapsome
• "Groups" will appear as "Teams" on Leapsome
• AD users and AD group members will be created as users on Leapsome
  (for security groups only, no nested groups)

Provisioning status

• Select "Sync only assigned users and groups" for the Scope
• Switch Provisioning status to "On"
• Save your changes 

That's it - you're all set. Please get in touch with our support team if you have any questions!

Also read: Microsoft support article.

Sidenote: On-premise vs. Azure Active Directory

User provisioning through SCIM 2.0 is only available through the hosted AD version called Azure Active Directory. If you are currently using an on-premise Active Directory solution it will need to first be configured to sync its data to Azure Active Directory using Azure AD Connect, as described in this article.