Summary
During the onboarding process, it’s important that we discuss:
-
How user accounts will be created and updated - do you want to use ‘local’ users, created within Claromentis or instead would you like to integrate with your existing user directory (e.g. Active Directory, Azure or Okta)
- Login / Single Sign-On (SSO) - should team members log in to Claromentis using a local account (Username and Password) or alternatively, would you like to utilise Single Sign-On (SSO) by integrating with your existing Identity Provider (e.g. Active Directory, Azure or Okta)?
- Permissions roles and groups - Claromentis of course has user accounts, Groups ( and subgroups) and Roles as part of its powerful and flexible permission system. It’s up to your project team to discuss with your IT team whether existing Groups can be synced to the intranet to be used as a way of setting permissions for pages, folders, documents and other resources within the intranet on a group level. Alternatively, you may decide not to sync groups from your User Directory and that you want the groups to be managed as ‘Local’ groups within the intranet itself.
Questions to Discuss and Document
Before any work starts please discuss these questions with your PM and Onboarding Team at Claromentis.
- How would you like to create and update users?
Do you want to use ‘local’ users, created within Claromentis or instead would you like to integrate with your existing user directory? - If using ‘local’ users, how will you create users within Claromentis?
Examples: Either one by one in the People Admin panel or via a one time CSV upload of all team members. - If you want to integrate with an existing User Directory, which User Directory?
Examples: Active Directory and Azure are currently supported. - Do you want team members to login to Claromentis using a ‘Local’ account by using a Username and Password, or would you like to utilise Single Sign On ( SSO ) in the production system?
- If you would like to use SSO, what Identity Provider would you like to integrate with?
Examples: Azure, ADFS, Okta, One Login etc. - Would you like to manage permissions Groups within Claromentis (using ‘Local’ groups) or instead do you plan to create and sync permissions groups from your existing User Directory?
Currently supported User Directories (for syncing groups): Active Directory or Azure
Proof of Concept and initial system build
In an initial system build before the system is launched we often have a local team of users that are learning the system and building content. These accounts are created locally as they are not normally in an AD group.
To avoid any possible confusion we always request their usernames are suffixed with -local. For example j.smith-local. This allows us at the appropriate time to delete the local account and migrate their content to the centrally managed equivalent.
A normal process for the initial build is as follows:
Phase 1 (of an Intranet POC with 25 users):
1. Create local users for the Intranet Admin team
2. Create useful roles such as:
- Administrator
- Content Manager
3. It’s important to note that if you plan on syncing Groups from your User Directory to use as permissions groups for content such as Pages, Folders and Documents that it’s best to conduct training once the integration has been set up. Alternatively, Create ‘local’ groups only to demonstrate permission and without finalising the group structure, as this will be lost if you later sync groups from your User Directory. If groups are going to be managed as ‘Local’ groups within Claromentis, you can of course go ahead and demonstrate how to use groups and finalise group structure as part of onboarding.
4. Create accounts for the team that will be accessing Claromentis as part of the POC (usually this is any team member not part of the Intranet Admin team). You can either create users either one by one in the People Admin panel or via a one time CSV upload of all team members.
5. Begin to use the system and let our team know if you have any questions or would like any further assistance!
Phase 2: User Directory and Single Sign-On integration
1. Let the onboarding team know which User Directory (for creating and syncing user information) and Identity Provider (for Single Sign-On) you’d like to integrate with. Here is an overview of what we support, currently: https://discover.claromentis.com/knowledgebase/articles/787/en
2. Make a final decision on whether groups will be managed within Active Directory or as ‘Local’ groups within Claromentis (see the important information about this earlier in the article)
3. The Project Manager will start the process of integration by putting your technical team in contact with our Ops team. The Ops team will forward you the necessary information required to get this set up and will ask you to test this once it’s ready to go.
4. Once you’ve confirmed that the SSO accounts are working. The initial ‘Intranet Admin’ team should swap from using their ‘-local’ suffixed accounts to using the SSO account. You can disable the ‘-local’ suffixed accounts so that these accounts are no longer displayed in the 'People' directory (and to avoid paying for these licensed users).
5. Following this, let our Onboarding team know if you have any questions or would like any further assistance!