Microsoft Active Directory SSO Integration Management

Warning: This document contains instructions for adjusting synchronization settings that can adversely affect your device data, user data, and/or user mapping settings in Incident IQ. As such, only qualified personnel should proceed with making adjustments to the settings outlined in this document.

Guide Overview

The Microsoft Active Directory Integration App allows administrators to facilitate logins to Incident IQ through Microsoft Active Directory. It also lets districts automatically populate and update user data in iiQ based on information from their local Active Directory server. This guide provides an in-depth overview of how to manage the Microsoft AD App in iiQ.

Guide Index

You can use the links below to quickly navigate to a specific section in this document. To return to this index, use the Return to Index link located at the end of any section.

  1. Accessing the Microsoft AD App Management
  2. Overview Tab
  3. User Mappings Tab
  4. Location Mappings Tab
  5. Role Mappings Tab
  6. Sync History Tab
  7. User History Tab
  8. Sync Executable Tab

 

Accessing the Microsoft AD App Management

Navigate to the Apps Management page and select Options on the Microsoft AD App.

This will take you to the Microsoft AD App management page where you will be able to select the following tabs:

  • Overview tab, where you can view basic user and group data, reset your authentication status, or run a manual sync with your Active Directory.
  • Identity Provider Settings tab, where you can configure your Microsoft AD metadata, SAML attribute mappings, miscellaneous logic used during login attempts, and your login button.
  • Login History tab, where you can review both successful and unsuccessful login attempts made by your district users.
  • User Mappings tab, where you can update your filter settings and email translations.
  • Location Mappings tab, where you can change the default location users will automatically map to if they do not have an existing mapping in the system.
  • Role Mappings tab, where you can change the role users will automatically map to if they do not have an existing mapping in the system.
  • User History tab, where you can look up an individual user's data coming in from Microsoft AD.
  • Sync Executable tab, where you can set up, update, and download your sync executable file.

[Return to Index]

Overview Tab

This tab provides you with a brief summary of your current users, groups, and changes made to users in Incident IQ during the last sync with Microsoft AD.

In the General Settings tab you may enable the following settings:

  • Enable User Login: This allows users to log into Incident IQ through Microsoft AD. If this option is disabled, all accounts authenticated through Microsoft AD will be unable to log in.
  • Enable User Sync: This option allows Incident IQ to update user accounts with data provided by the iiQconnectors app. Without this option, the ability to run nightly or manual user syncs will become disabled.

You also have the option of forcing a manual sync with your Active Directory by selecting Start New Sync. Please note that this import will only update user data based on the last data sent to Incident IQ through the connectors app. If you are running a manual sync during the day, you will first want to manually run the connectors app to send over a new batch of user data.

[Return to Index]

 

User Mappings Tab

From here, you can change your email filter and translation information, as well as your user creation, updating, and deletion settings. 

Under the Filter section, you can select to include or exclude users being imported based on their email address, username, OU fragment(s), and group(s). Please note, you can only filter by one email address. 

  • Example Email Filter: If you set a filter for "@iiq.k12.ga.us" in the email section, Incident IQ will automatically ignore email addresses containing this string during a sync.
  • Example OU Filter: Setting an OU filter of "OU=Guests" will ensure that all users that belong to this particular OU will not import during a sync.

Next is the Mapping section. Here you control how fields are populated in Incident IQ.

  • Translate Username: This enables Incident IQ to translate usernames pulled from Microsoft AD into a uniform format when storing them in iiQ.
  • Translate Email: This enables Incident IQ to translate email addresses pulled from Microsoft AD into a uniform format when storing them in iiQ. This is useful, and often necessary, when using Incident IQ in conjunction with programs such as Infinite Campus.
    • Example: Setting a translation to find "@k12.us.com" and replace it with "@iiq.k12.ga.us" will ensure that all "@k12.us.com" addresses are updated and stored as "@iiq.k12.ga.us" in iiQ only. This will not make any changes to the addresses stored within Microsoft AD itself.
  • Phone Number Mapping: Select whether you want to import phone numbers, and choose the mapping process.
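
The following dry-run preview of the exclude filters and email translation described above is an added example, not Incident IQ code. The matching rules (substring match on the raw AD email, exact OU component match, filters applied before translation, translation of a trailing match only) are assumptions drawn from this guide's wording, and the user records are constructed.

```python
from dataclasses import dataclass

@dataclass
class ADUser:
    username: str
    email: str
    dn: str  # distinguishedName from AD

# Constructed sample records; DC=example,DC=local is a placeholder domain.
SAMPLE_USERS = [
    ADUser("jdoe", "jdoe@k12.us.com", "CN=Jane Doe,OU=Staff and Faculty,DC=example,DC=local"),
    ADUser("jdoe2", "jdoe@iiq.k12.ga.us", "CN=John Doe,OU=Students,DC=example,DC=local"),
    ADUser("visitor1", "visitor1@k12.us.com", "CN=Visitor One,OU=Guests,DC=example,DC=local"),
    ADUser("asmith", "asmith@k12.us.com", "CN=Al Smith,OU=IT Staff,DC=example,DC=local"),
]

def ou_components(dn):
    """OU=... parts of a DN, lower-cased (naive split; assumes no escaped commas)."""
    parts = (p.strip().lower() for p in dn.split(","))
    return [p for p in parts if p.startswith("ou=")]

def is_excluded(user, email_filter=None, ou_filter=None):
    """Assumed semantics: substring match on the raw AD email, exact OU component match."""
    if email_filter and email_filter.lower() in user.email.lower():
        return True
    return bool(ou_filter) and ou_filter.strip().lower() in ou_components(user.dn)

def translate_email(email, find, replace):
    """Rewrite only a trailing match, so just the domain part changes (assumption)."""
    if find and email.lower().endswith(find.lower()):
        return email[: len(email) - len(find)] + replace
    return email

def preview(users, email_filter=None, ou_filter=None, find=None, replace=""):
    """Return (imported, skipped, collisions); filters run before translation (assumption)."""
    imported, skipped, collisions, owner = {}, [], [], {}
    for u in users:
        if is_excluded(u, email_filter, ou_filter):
            skipped.append(u.username)
            continue
        stored = translate_email(u.email, find, replace)
        first = owner.setdefault(stored.lower(), u.username)
        if first != u.username:  # two AD accounts would share one stored address
            collisions.append((first, u.username, stored))
        imported[u.username] = stored
    return imported, skipped, collisions

if __name__ == "__main__":
    print(preview(SAMPLE_USERS, ou_filter="OU=Guests",
                  find="@k12.us.com", replace="@iiq.k12.ga.us"))
```

The collisions list is the part to review before saving a translation: it shows AD accounts that would end up with the same stored address in iiQ.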

Control how users are populated in iiQ under the Import Handling section. 

  • Create User: When this box is checked, a new user will be created in Incident IQ for any new users found during the initial import from Microsoft AD, as well as any new users found when a sync is run.
  • Update User: When enabled, a user will be updated in Incident IQ when any changes are found during a sync. This will update custom fields as well. 
  • Update Custom Fields: When enabled, only custom fields are updated for users when any changes are found during a sync.
  • Set to 'No Access': When enabled, if a user is removed or disabled in Microsoft AD, their role is changed to No Access in Incident IQ.

The Map custom values section allows you to select additional values you want imported and map them to default or custom fields in iiQ. This gives you the ability to pull in custom data fields and custom view column options. Click on the Add button. 

Next, fill out the following field mapping options.
Please note, there may be pre-configured mappings, and they cannot be changed.

  1. Select the custom value.
  2. Select the iiQ field the custom value should map to. You can map to a default field or to a custom field.
    • If you map to a Custom Field, you will need to set a field name, select a field type (text, number, or date), and set whether the field information needs to be searchable through filters.

Please note, any custom field added here will also need to be set up in the sync executable in order for Incident IQ to pull this data field during a sync. Please refer to the Sync Executable tab for additional information on making changes to the connectors executable.

Under the Additional Options section, you can customize the Login Button Text.

The last section is Field Mappings, which controls which fields this app should update.

[Return to Index]

 

Location Mappings Tab

This tab allows you to select or modify your current location mappings between Incident IQ and Microsoft AD. The default location acts as a fallback for user accounts that do not match any of your other custom location mappings. Please note that if no custom location mappings are set, all users brought into the system will default to this location.

When mapping to locations, you may use groups, OU fragments, location name, or any combination of the three. The custom mappings section allows you to specify the user groups or OUs you wish to use for mapping users to their respective locations. Please note, when using OUs you will want to structure them in the same format as the examples below:

  • OU=Cold Harbor
  • OU=Class of 2024
  • OU=CHMS

[Return to Index]

 

Role Mappings Tab

This tab allows you to select or modify which user groups are assigned to which role in Incident IQ. The default role acts as a fallback for user accounts that do not match any of your other custom role mappings. Please note that if no custom role mappings are set, all users brought into the system will default to this role.

When mapping to roles, you may use groups, OU fragments, role name, or any combination of the three. The custom mappings section allows you to specify the user groups or OUs you wish to use for mapping users to their respective roles. Please note, when using OUs you will want to structure them in the same format as the examples below:

  • OU=Staff and Faculty
  • OU=Students
  • OU=IT Staff
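
The fallback behaviour described above can be audited before a sync by listing which accounts match no custom mapping and would therefore receive the default role. This is an added example, not Incident IQ code: the rule evaluation (first match wins; group and OU must both match when both are given) is an assumption, the role names other than No Access are placeholders, and the user records are constructed.

```python
DEFAULT_ROLE = "No Access"  # fallback chosen for this illustration

# Role names below are placeholders, not iiQ's role list.
RULES = [
    {"ou": "OU=IT Staff", "role": "placeholder-it-role"},
    {"ou": "OU=Staff and Faculty", "role": "placeholder-staff-role"},
    {"group": "Student Helpers", "ou": "OU=Students", "role": "placeholder-helper-role"},
    {"ou": "OU=Students", "role": "placeholder-student-role"},
    {"role": "placeholder-it-role"},  # malformed rule with no criteria; must never match
]

# Constructed sample users; DC=example,DC=local is a placeholder domain.
USERS = [
    {"username": "asmith", "dn": "CN=Al Smith,OU=IT Staff,DC=example,DC=local", "groups": []},
    {"username": "kli", "dn": "CN=K Li,OU=Class of 2024,OU=Students,DC=example,DC=local",
     "groups": ["Student Helpers"]},
    {"username": "rroe", "dn": "CN=R Roe,OU=Students,DC=example,DC=local", "groups": []},
    {"username": "vendor7", "dn": "CN=Vendor Seven,OU=Contractors,DC=example,DC=local",
     "groups": ["IT Staff"]},  # a group named like an OU does not satisfy an OU rule
]

def ou_parts(dn):
    """OU=... components of a DN, lower-cased (naive split; assumes no escaped commas)."""
    parts = (p.strip().lower() for p in dn.split(","))
    return {p for p in parts if p.startswith("ou=")}

def resolve_role(user, rules, default_role):
    """Return (role, rule_index); rule_index is None when the default was used."""
    groups = {g.lower() for g in user["groups"]}
    ous = ou_parts(user["dn"])
    for i, rule in enumerate(rules):
        if rule.get("group") is None and rule.get("ou") is None:
            continue  # a rule without criteria would otherwise match every account
        group_ok = rule.get("group") is None or rule["group"].lower() in groups
        ou_ok = rule.get("ou") is None or rule["ou"].lower() in ous
        if group_ok and ou_ok:
            return rule["role"], i
    return default_role, None

def audit(users, rules, default_role):
    """Return (role per user, usernames that fell through to the default role)."""
    mapped, fell_through = {}, []
    for u in users:
        role, idx = resolve_role(u, rules, default_role)
        mapped[u["username"]] = role
        if idx is None:
            fell_through.append(u["username"])
    return mapped, fell_through

if __name__ == "__main__":
    print(audit(USERS, RULES, DEFAULT_ROLE))
```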

[Return to Index]

 

Sync History Tab

This tab allows you to view your sync history between Microsoft AD and Incident IQ. Every sync, whether it completed successfully or not, is logged for reference purposes. Clicking on View Details will display the number of users that were added, updated, left unchanged, or set to No Access during that specific sync. To the right, you can Download SSO Data.

You can also filter the sync data under the Details Status section. Select the status you would like to filter by and start entering the user's name or email address. Clicking on the user's link will take you to the User History tab.

[Return to Index]

 

User History Tab

This tab allows you to search for any user's Microsoft AD information. This includes their Microsoft AD ID, email addresses, Group Membership, and their sync history. This information is useful in quickly determining if the user is affected by any email translations, establishing their group mappings, and identifying if syncing between the systems is being suppressed.

[Return to Index]

 

Sync Executable Tab

This tab allows you to configure your sync executable file used to access and send data to Incident IQ. Please note that if you make any changes to this page after initial setup, you will need to redownload a new executable file and replace your old one in order for these changes to take effect during syncs.

At least one profile should be set up on this page with the following data provided:

  • AD Username
  • AD Password
  • AD Domain
  • AD Server IP

You may also set up specific OUs to search during syncs so the system only pulls user data from those. However, we recommend leaving the filters blank.

You may also pull in additional attributes through the executable during syncs if needed. Please note, if you have any custom fields mapped in the User Mappings tab, you will need to ensure they are properly set up here as well.

[Return to Index]
