The Enboard SSO Integration App allows administrators to facilitate logins through Enboard single-sign on in Incident IQ. This allows districts the ability to automatically populate and update user data in iiQ based on information from your local active directory server.
The following guide is designed to provide step-by-step instructions on how to install the Enboard SSO Integration app, establishing a link with Enboard for SSO functionality, as well as setting up a nightly task to sync user data with Incident IQ.
You can use the following links below to quickly navigate to a specific section in this document. To quickly return to this index simply use the Return to Index link located at the end of any section.
- Creating an Active Directory User
- App Installation
- App Configuration
- Establishing the IDP/ISP Connector with Enboard
- Creating a Scheduled Sync Task
Creating an Active Directory User
Before beginning the installation process you will need to ensure you have the following:
- An active directory vendor account that has the following permissions:
- Replicating directory changes.
- Replicating directory changes in filtered set.
- Replicating directory changes all.
- A machine that runs .NET Framework v.4.5.1 or higher and also has network access to reach your district's AD server.
Important Note: You will need to complete this step before proceeding. If you are unfamiliar with how to grant these specific permissions to a user then please refer to the following Microsoft help guide on Giving Users Replicating Directory Changes Permissions.
To install the Enboard SSO integration app, begin by selecting Incident IQ Apps > Browse on the left navigation bar. Scroll down to the Single Sign-On section and click on the Enboard SSO app.
On the Enboard SSO app page click on Install.
Once the installation has been completed, click on Manage App Settings and continue to the next section to configure your Enboard SSO installation.
On the Overview Tab select the two options: Enable User Login and Enable User Sync. Before doing anything else, you will need to check these two options and click Save.
Next, click on the Sync Executable tab.
This page will assist you in setting up your connector app configuration file. At the very least, you will need to provide the following information:
- AD Username (You will want to use the service account created in [section 1] of this document)
- AD Password
- AD Domain (Example: district.k12.tx.us)
- AD Server IP (22.214.171.124)
If desired, you may also set up OU exclusions to prevent account information stored within select AD OUs from being brought over during system syncs. Please note that setting up filters is entirely optional and can be updated at any time.
Additionally, you can also enable the sync to copy over additional AD Attributes as well such as Student/Employee ID and Grade if those data points exist in AD. As with OU filters, this setting is entirely optional and can be updated at any time.
Once you have completed entering your configuration information, click on Download Executable to download the connector app. Please note, you will want to download this connector app to a device that has access to your AD server and also runs overnight.
After downloading the connector file, you will want to run a manual sync to test the connection as well as download user data to Incident IQ. To do this, run the IncidentIQ.Connectors.MicrosoftAd application (ignore the CONFIG File and PDB File in this case.) In the connector app window that appears, click Run now.
If the app runs successfully, a data packet of user data will be sent to Incident IQ that can then be used to run a system sync.
Establishing the IDP/ISP Connection with Enboard
At this point in time, you will need to set up the SSO functionality of the Enboard SSO app. To do so, begin by going to the app Overview tab and clicking on the Download Service Provider Metadata button.
Additionally, further down in this tab you will also need to map SAML attributes needed for login. (Usually login_id, username, email, sAMAccountName, etc.)
After this tab has been configured, the Role mappings and Location mappings will need to be completed to map users to locations and roles within iiQ by OUs, groups, or any additional attribute that captures location or role for each user.
Creating a Scheduled Sync Task
To schedule the sync to occur automatically, you'll need to create a task in Windows Task Manager. You can do so by searching for Administrative Tools and selecting Task Scheduler. This will open the Task Scheduler window.
In the Task Scheduler window, start by clicking on Action > Create Basic Task...
This will open the Create Basic Task Wizard. At the very least, you will need to provide a name for the new task. You can also add a task if desired. Once complete, click Next.
In the next step, you will be asked to select when this task should Trigger. We recommend running it daily (overnight) for the most accurate user data. Please ensure you set the task to run regardless of whether a user is logged in or not on the server. Once complete, click Next.
For the next step, you will need to specify what action the task will take when running. Select Start a Program and then click on Next.
When specifying the action to perform, locate the file IncidentIQ.Connectors.MicrosoftAd.exe in the Program/script file browser. Supply the argument -usersync in the Add arguments field. And finally, you will need to indicate the path you unzipped the files to in the Start in field. Once complete, click Next.
In the final step, you may review all of the settings of your task. Once you have completed your review, check Open the Properties dialog for this task when I click Finish option and then click the Finish.
In the sync properties window, you will need to check Run whether user is logged on or not as well as Run with highest privileges. Click OK to complete the sync setup.