User directory sync deployment guide
This guide complements the User Directory Sync user guide article and describes deployment steps and responsibilities.
Overall deployment process
Pre-requisites
The Login handler application is a prerequisite for Azure/Entra and Okta directory sync with the Intranet. User sync does not store any authentication details, so synced users will not be able to access the Intranet without the Login handler application.
A local user account on the Intranet with admin permissions. You will need this account during the User sync and Login handler configuration steps, because it remains usable while synced accounts and SSO are being (re)configured and lets you complete the required steps. If you provide a user mapping file (see below), list this account with the target directory "Local" so that it is not moved to the new directory.
Individual steps
Deploy user sync module
Scheduled and performed by Claromentis team.
If the Login handler has not already been deployed, it is recommended that it is deployed at the same time.
Configure the provider and test
Performed by the customer.
Please follow the instructions for Azure/Entra or Okta config, testing the connection and performing test sync outlined in User Directory Sync user guide.
Existing user directory?
If this is a brand new system install and you would like the User directory sync application to create the users synced from Azure/Entra or Okta, then skip the next two steps and head over to completing the user sync configuration steps.
Provide user mapping
Performed by the customer.
If your People directory has already been populated, either by local users or by users synced from another external directory, then you will need to provide a user mapping CSV file to the Claromentis team. The file maps each existing username to its new username. This allows the Claromentis team to keep all content linked to the correct Intranet users, even where their usernames change.
This is the expected format of the CSV (one header row, then one row per user):
existing_username, new_username, target_directory
You can export all existing users from your People directory into a CSV file using these instructions. You will then need to add the new username and target directory for each user.
The target directory is optional but helpful. Most entries will just contain your new directory name, e.g. "Okta". If you need to keep some users as local accounts (for example the local admin account from the prerequisites), specify "Local". The directory names do not need to be precise; they are an indication to the Claromentis team of whether a user stays local or moves to the new directory. Before sending the file, check that every existing username in it actually exists in your export, that every exported user has a row, and that no two existing users are mapped to the same new username, since such a collision would merge two people's content into one account.
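The following script is an added example, not part of this guide or of the Claromentis product, showing how a customer can sanity-check the mapping file before handing it over. It parses the CSV in the format above (tolerating the spaces after commas shown in the header example), compares it against the People directory export, and reports usernames that do not exist in the export, exported users with no mapping row, rows with missing fields, and collisions where two existing users map to the same new username. The two CSV texts embedded below are constructed sample data; the export is assumed to have a "username" column, which you may need to rename to match your actual export.

```python
import csv
import io
from collections import Counter

# Constructed sample export of the People directory. Only the "username"
# column is used; the column name is an assumption about the export format.
EXISTING_EXPORT = """username,display_name
jsmith,Jane Smith
bjones,Bob Jones
admin_local,Local Admin
tnguyen,Tran Nguyen
mlee,Mei Lee
"""

# Constructed sample mapping file in the format the guide asks for.
# It deliberately contains three problems: "ghost" is not in the export,
# "mlee" has no row, and "tnguyen" collides with "jsmith" on the new name.
MAPPING_CSV = """existing_username, new_username, target_directory
jsmith, jane.smith@example.com, Okta
bjones, bob.jones@example.com, Okta
admin_local, admin_local, Local
tnguyen, jane.smith@example.com, Okta
ghost, ghost@example.com,
"""


def parse_mapping(text):
    """Parse the mapping CSV into a list of dicts with stripped keys and values."""
    reader = csv.DictReader(io.StringIO(text), skipinitialspace=True)
    rows = []
    for row in reader:
        # Short rows yield None for missing columns; normalise to "".
        rows.append({(k or "").strip(): (v or "").strip() for k, v in row.items()})
    return rows


def exported_usernames(export_text):
    """Return the set of usernames present in the People directory export."""
    reader = csv.DictReader(io.StringIO(export_text))
    return {(r.get("username") or "").strip() for r in reader} - {""}


def validate_mapping(mapping_text, export_text):
    """Return a dict of issue categories; every list empty means the file is clean."""
    rows = parse_mapping(mapping_text)
    exported = exported_usernames(export_text)

    existing = [r.get("existing_username", "") for r in rows]
    new = [r.get("new_username", "") for r in rows]

    # A row with no existing or no new username cannot be applied.
    missing_fields = [
        i + 2 for i, r in enumerate(rows)  # +2: 1-based, after the header row
        if not r.get("existing_username") or not r.get("new_username")
    ]
    # Existing names that do not exist: usually a typo in the mapping file.
    unknown_existing = sorted(u for u in existing if u and u not in exported)
    # Exported users with no row would be left behind by the migration.
    unmapped_existing = sorted(exported - set(existing))
    # The same existing user listed twice is ambiguous.
    duplicate_existing = sorted(u for u, n in Counter(existing).items() if u and n > 1)
    # Two existing users mapped onto one new username would merge their content.
    duplicate_new = sorted(u for u, n in Counter(new).items() if u and n > 1)

    return {
        "missing_fields": missing_fields,
        "unknown_existing": unknown_existing,
        "unmapped_existing": unmapped_existing,
        "duplicate_existing": duplicate_existing,
        "duplicate_new_username": duplicate_new,
    }


def mapping_is_clean(issues):
    """True when no issue category has any entries."""
    return not any(issues.values())


if __name__ == "__main__":
    found = validate_mapping(MAPPING_CSV, EXISTING_EXPORT)
    for category, items in found.items():
        print(f"{category}: {items}")
    print("clean" if mapping_is_clean(found) else "fix the mapping file before sending it")
```

Run it against your real export and mapping file by replacing the two embedded strings with the file contents; a blank target_directory is accepted because the guide treats that column as optional.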
Perform directory migration
Completed by Claromentis team. It will include:
- deactivating current AD sync (if existing)
- renaming user accounts
- assigning the user accounts to the new directory
Users will not be able to access the system whilst we are performing this step.
Complete the user sync configuration
Performed by the customer.
You may need to use your local account to complete these steps - see prerequisites section.
Please follow the instructions for configuring security groups for production system, data mapping and group sync outlined in User Directory Sync user guide. Once this is complete, you can enable and schedule the application to perform the sync on a regular basis.
Is SSO already configured?
User sync does not store any authentication details, so for synced users to access the system a login method must be enabled. Typically this is Single Sign On (SSO), implemented in the Claromentis Login Handler application.
(Re)configure SSO
Joint activities from Claromentis and customer teams.
If the Login Handler is already configured with your previous user directory, the next step is for the Claromentis team to re-configure the SSO so that it works with your new directory. Once this is done, we will ask you to test access and confirm that no duplicate user accounts are being created.
If this is a brand new installation or SSO has not been configured, then you and the Claromentis team will follow the SSO setup process.
Once all of the above steps are completed, your users will be correctly updated and will be able to access the Intranet.