While Workplace allows you to manage accounts manually or in bulk by using a spreadsheet, we recommend that you automate your account management to have better control over your people. With an automated account management tool in place, a user account will be automatically created, updated or deactivated in Workplace when the account is created, updated or deactivated in your organization's user repository.

Workplace has an out of the box integration with the largest Cloud Identity Providers such as Azure AD, G Suite, Okta, OneLogin and PingFederate.

You can connect your Cloud Identity Provider by:

Using a Workplace third-party integration (where the provisioning connector is hosted by the Identity Provider).
Using Workplace Import (where the provisioning connector is hosted by Workplace).

In case that your organization uses a different central user repository, you can use the Account Management SCIM API to create your own custom account management tool.

Connect via Third Party Integration

In this section we cover how to connect Workplace with a Cloud Identity Provider that your organization manages by using a Workplace Third-Party Integration.

We are working to move these third party integrations from SCIM 1.1 to SCIM 2.0. SCIM 2.0 is the latest industry standard API for account management. If you have an installed third party integration, you must take a series of actions to migrate to SCIM 2.0 before December 2nd, 2022. Cloud Identity providers will update their installation guides (referenced below) with the steps to complete the migration successfully.

Prerequisites

To enable this configuration, the following is required:

Your organization uses a Cloud Identity Provider that integrates with Workplace.
You have integrated your master identity store (e.g., Microsoft Active Directory or Oracle Directory Server) with the Cloud Identity Provider to synchronize user accounts.
A user in Workplace who has a role of System Administrator.
Your users' email domains have been verified (recommended) or allow listed in Workplace.

Configure your Cloud Identity Provider

Given that each Cloud Identity Provider has created their own integration with Workplace, you'll need to follow their documentation in order to complete the provisioning process.

List of supported Cloud Identity Providers

After a cloud connector is installed you can enable the setting Automatically invite people to Workplace as soon as they're added using this integration in case you want to immediately invite users when they are created by this integration.

Connect via Workplace Import

In this section we cover how to connect Workplace with a Cloud Identity Provider that your organization manages by using Workplace Import. Workplace Import support G Suite and Azure AD.

G Suite Integration

If the users in your organisation are managed using G Suite, then using Workplace Import from G Suite is the right solution to add, update, and disable users in Workplace automatically.

Workplace Import from G Suite does not currently support multi-IdP integration. If your organisation is using multiple G Suite directories today, please consider consolidating into a single directory.

Prerequisites

To enable this configuration, the user that performs the configuration steps needs to be both a G Suite and a Workplace admin.
Your users' email domains have been verified (recommended) or allow listed in Workplace.

Configure the G Suite Integration

For a successful setup make sure to follow the steps below:

In the Admin Panel, select People.

Click + Add People.

Click Connect an Identity Provider.

Select G Suite. The Set up G Suite as your Identity Provider window opens.

Click Connect, and log in using your G Suite admin account.

Select from: Add everyone, Add people from different departments, Add people that are part of a specific structure in your organisation (for example, report to the same manager).

Configure Invitations. Choose when you want to invite the users: You can send invitations automatically at the end of this configuration process or you can send invitations at a later date independent of this configuration process.

Select Create users to create the accounts.

The user profile attributes that will be automatically mapped are the following: email, externalID, firstName, lastName, fullName, manager, jobTitle, department, phoneNumber, location, isActive.

Manage via SCIM API

Manage via Account Management API

In case you don't want to use one of the supported Cloud Identity Providers, you can build your own custom automated account management tool. Take a look at our Developer Documentation to see how you can create, update and deactivate users with the Account Management API.

Account Management: Automatic

Contents

Account Management

Authentication

IT Configuration

Account Lifecycle

Workplace Blueprints

Security and Governance

Integrations

Overview

Connect via Third Party Integration

Prerequisites

Configure your Cloud Identity Provider

List of supported Cloud Identity Providers

Connect via Workplace Import

G Suite Integration

Prerequisites

Configure the G Suite Integration

Manage via Account Management API