Configuring SCIM with GSuite

If you are configuring SCIM with GSuite, this article is for you. An additional article from the GSuite perspective can be found here. The guide below provides the steps required to configure provisioning for 15Five, and includes the following sections:

  • Features
  • Prerequisites
  • Configuration Steps
  • Troubleshooting Tips

Features

Automatic User Provisioning is supported for the 15Five application.

This enables GSuite to:

  • Add new users to 15Five
  • Update select fields in users’ profile information in 15Five
  • Deactivate users in 15Five
  • Push groups and membership to 15Five

The following provisioning features are supported:

  • Push New Users - Creating a new user in GSuite and assigning them to the 15Five application will create a new user in 15Five.
  • Push Profile Updates - Updates to a user in GSuite will be pushed to 15Five.
  • Push User Deactivation - Deactivating the user or disabling the user's access to 15Five within GSuite will deactivate the user in 15Five.
  • Push Groups - Groups created in GSuite can be pushed to 15Five. Attributes pushed include name and group members.
  • Delete Groups - Groups deleted or removed from the 15Five application within GSuite will be deleted within 15Five.

Prerequisites 

Before you configure provisioning in GSuite...

1. Click on 'Settings' from the left navigation.

2. Then click on 'Features' to expand the feature settings.

3. Last, click on 'Integrations'.

4. Click on 'Enable' to the right of the SCIM 2.0 option.

5. Generate an Access Token.

NOTE ✏️: Your company must first have the SCIM integration setting enabled. If you do not see a SCIM option from your Integrations page, reach out to your Customer Success Manager or support@15five.com.

IN GSUITE

  • Please note that you will need to use a tenant URL of the form below:
    • https://<subdomain>.15five.com/scim/v2/
  • Important Notes
    • Once you have the access token, in the text field within the Authorize dialog box, enter your access token.
    • Replace the {your-domain} placeholder in the Connection URL field with your 15Five domain. For example, https://{your_domain}.15five.com/scim/v2/.
    • The SCIM key is 30 characters long and should be placed in the "Connection URL" field in GSuite. Make sure to use a SCIM key rather than a 15Five Public API key. A 15Five Public API key is 32 characters long.
    • It may take 40 minutes before the first users are pushed from GSuite to 15Five after the Admin Credentials (tenant URL and secret token) have been tested and the non-gallery app has been saved. After that, pushes occur about every 20 minutes.
    • Attributes marked with (*) must be mapped.
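
A pre-flight check for the two values described above, added here as an example and not 15Five's or Google's own code: it validates the tenant URL shape and uses the key lengths stated in this article to catch a Public API key pasted in place of a SCIM key. The function names and the sample subdomain are assumptions.

```python
import re
from urllib.parse import urlsplit

SCIM_KEY_LEN = 30        # SCIM key length, as stated in this article
PUBLIC_API_KEY_LEN = 32  # Public API key length, as stated in this article

def check_tenant_url(url):
    """Return a list of problems with the tenant URL (empty list = OK)."""
    problems = []
    if "{" in url or "<" in url:
        problems.append("placeholder not replaced")
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme must be https")
    host = (parts.hostname or "").lower()
    # Exactly one label in front of 15five.com, so look-alike hosts fail.
    if not re.fullmatch(r"[a-z0-9-]+\.15five\.com", host):
        problems.append("host must be <subdomain>.15five.com")
    if parts.path != "/scim/v2/":
        problems.append("path must be /scim/v2/")
    return problems

def classify_key(secret):
    """Classify a secret by length only; the secret itself is never echoed."""
    n = len(secret.strip())
    if n == SCIM_KEY_LEN:
        return "scim"
    if n == PUBLIC_API_KEY_LEN:
        return "public-api"
    return "unknown"

def preflight(url, secret):
    """Combine both checks into one list of human-readable problems."""
    problems = check_tenant_url(url)
    kind = classify_key(secret)
    if kind == "public-api":
        problems.append("secret is 32 characters: Public API key, not a SCIM key")
    elif kind == "unknown":
        problems.append("secret is not 30 characters long")
    return problems

if __name__ == "__main__":
    # Constructed inputs: 'acme' is a made-up subdomain, the key is filler.
    print(preflight("https://acme.15five.com/scim/v2/", "a" * 30))
    print(preflight("https://{your_domain}.15five.com/scim/v2/", "b" * 32))
```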

After adding your domain into the Connection URL field, continue with the steps below to map attributes.

  • Click Next.
  • In the Map attributes dialog box: Next to the selected cloud directory attribute, click Down Arrow to map to the corresponding 15Five attribute. 
    Attributes marked with (*) must be mapped.
  • Click Next.
  • (Optional) In the Set provisioning scope dialog box, add a group to restrict provisioning to members of groups you define:
    • Click the underscore and start entering your group name.
      A list of available groups appears. Selecting one adds it and opens another underscore to use to add another.
    • If necessary, add more groups and choose a scope. 
    • To remove any group you added, click Edit next to it.
  • Once you’re done, click Finish.
  • Review the information in the Provisioning summary dialog box, then click OK.
  • Choose one of the following actions:
    • Click Activate provisioning.
    • If needed, first enable the Activate Provisioning button:
      • Set the app to On for everyone or On for some organizations.
        If the app is set to Off, this choice is grayed out.
      • Reload the page, then click Activate provisioning.
  • In the confirmation dialog box, click Activate.

Syncing Passwords

GSuite can be configured to sync passwords with 15Five. This sync direction is from GSuite to 15Five. That is, passwords are only ever sent from GSuite to 15Five for a user; never from 15Five to GSuite.

If your company uses SSO with 15Five, do not send the "passwordProfile.password" as an attribute via SCIM. User authentication will be determined from the SAML setup associated with 15Five.

SSO 

If SCIM and SAML SSO are being used together, only an email address needs to be sent as a SAML claim. All other data can and should be sent via SCIM. 

Welcome emails

After assigning 15Five to a GSuite user for the first time, a new user in 15Five will be created. If SSO is enabled for that user’s company in 15Five, that user will be sent a welcome email with a link to the SSO page at 15Five. If SSO is not enabled, that user will be sent a link to sign in and set their password.

Passwords

When updating a GSuite user’s password, that user’s 15Five password may be updated (depending on whether the "passwordProfile.password" attribute is being sent by GSuite). If SSO is enabled for the user’s company in 15Five, no password changes will occur for the user within 15Five. If SSO is not enabled in 15Five and the "passwordProfile.password" attribute is being sent by GSuite to 15Five, then the user will receive an email with a link to reset their password in 15Five.

Groups

Please note that these are the only Group attributes that are updatable via the GSuite integration:

  • Group Name
  • Group Members

Groups created in 15Five cannot be imported into GSuite. Because of this, we suggest creating groups in GSuite first. These groups, when assigned to the 15Five non-gallery app, will be pushed to 15Five along with users.

Groups cannot be used to manage access to 15Five. For example, the following steps will NOT cause a user to be de-provisioned from 15Five:

  1. Create a group in GSuite
  2. Assign users to that group in GSuite
  3. Assign the group to 15Five application in GSuite
  4. Remove a user (User A) from the group in GSuite

Steps 1 through 3 will cause users to be provisioned to 15Five, but the last step will not cause User A to be removed from 15Five. User A will only be removed from the group within 15Five. 

To remove users from 15Five, users must be individually unassigned from the application within GSuite. Therefore, it is suggested that users be individually assigned to the 15Five application within GSuite (rather than via group assignment) for consistency.
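
Because leaving a group does not deactivate the 15Five account, a periodic audit can list accounts that are still active with no remaining assignment in GSuite. The script below is an added example, not 15Five's code: the user list is a constructed SCIM 2.0 ListResponse in the standard RFC 7644 shape, and the GSuite-side sets stand in for a hypothetical export keyed by email.

```python
import json

# Constructed sample: SCIM 2.0 ListResponse (RFC 7644 shape) of 15Five users.
LIST_RESPONSE = json.loads("""
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults": 4,
  "Resources": [
    {"id": "101", "userName": "ana@example.com", "active": true},
    {"id": "102", "userName": "ben@example.com", "active": true},
    {"id": "103", "userName": "Cy@example.com",  "active": true},
    {"id": "104", "userName": "dee@example.com", "active": false}
  ]
}
""")

# Constructed GSuite-side state (hypothetical export, keyed by email).
DIRECTLY_ASSIGNED = {"ana@example.com"}
# Cy was provisioned through this group and later removed from it.
ASSIGNED_GROUPS = {"eng@example.com": {"ben@example.com"}}

def active_users(list_response):
    """Map lower-cased userName -> SCIM id for every active user."""
    return {r["userName"].lower(): r["id"]
            for r in list_response.get("Resources", [])
            if r.get("active") is True}

def still_provisioned(list_response, direct, groups):
    """Active 15Five users with no remaining GSuite assignment."""
    entitled = {e.lower() for e in direct}
    for members in groups.values():
        entitled |= {m.lower() for m in members}
    active = active_users(list_response)
    # Each hit needs review, then individual unassignment in GSuite.
    return sorted((email, active[email]) for email in active.keys() - entitled)

if __name__ == "__main__":
    for email, scim_id in still_provisioned(
            LIST_RESPONSE, DIRECTLY_ASSIGNED, ASSIGNED_GROUPS):
        print("review: %s (SCIM id %s) is active but unassigned" % (email, scim_id))
```

Accounts created in 15Five before SCIM was enabled will also appear in the result, so treat it as a review list rather than a deactivation list.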

Group types

When a new group is created and synced over via SCIM, that new group will go into the 'Groups' group type. In terms of attributes, the only thing 15Five will read from SCIM in regard to groups and group types is the group ID. Once a group appears in 15Five, it is up to the account admins to reorganize the group(s) into other group types as needed. Groups can be moved to a new group type (manually, via CSV, or via API) in 15Five, and SCIM syncs will not override the group type because the group ID itself hasn't changed.

The gist: Group types within 15Five do not talk to SCIM. SCIM does not talk to 15Five about group types. SCIM only talks to 15Five from a group perspective (i.e., creating a group, naming a group, adding or removing members, deleting a group). Group type organization and maintenance is done manually in 15Five alone (i.e., creating a new group type, moving to a group type, enabling features per group type).

NOTE ✏️: If an existing group and department (or two groups) need to be combined, this action will need to be taken in SCIM and then 15Five will update accordingly. 

Start dates

Interested in having your users enter 15Five for the first time on a specific day? With 15Five start dates, you can select a date before which your users will not be able to log in to 15Five or receive notifications. On the specified start date, they will be sent an email notifying them that they can log in.

To send start dates to 15Five, follow these steps:

  • Ensure each user that needs to be provisioned with a start date has a start date of the form "MM/DD/YYYY" stored in an extension attribute. For this example, "extensionAttribute1" will be used. If you would like information on setting extension attributes in GSuite, please see these documents: 
  • Navigate to the 15Five application within GSuite > Enterprise Application. 
  • Under the provisioning sections, open the Mappings drop-down, and click on the User mappings link.
  • Under the Attribute Mappings list, click on "Edit attribute list for ..." to add a new attribute.
  • Enter "urn:ietf:params:scim:schemas:extension:15Five:2.0:User:startDate" for the attribute name and "String" for the type. Click "Add Attribute".
  • Navigate back to the User Attribute Mapping page.
  • Click "Add New Mapping" at the bottom of the Attribute Mappings table.
  • For "Source Attribute", select the extension attribute that holds your user's start date value, for example "extensionAttribute1".
  • For "Target Attribute", select "urn:ietf:params:scim:schemas:extension:15Five:2.0:User:startDate".
  • Click OK and save your mappings and application.

Please note that you must add the start date to the user before assigning the user to 15Five for the first time. If a user is assigned to 15Five for the first time without a start date, it is assumed that the user should start immediately and a welcome email will be sent immediately.
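
What the start-date mapping looks like on the wire, as an added example (not code from 15Five or Google): it assumes the standard SCIM 2.0 extension layout from RFC 7643, where the attribute name above splits into a schema URN plus a startDate field, and it rejects dates that are not zero-padded MM/DD/YYYY. The helper names, the sso_enabled flag and the sample user are constructed for illustration.

```python
import re
from datetime import datetime

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
# Schema URN = the attribute name from this article minus ":startDate".
FIFTEEN_FIVE_EXT = "urn:ietf:params:scim:schemas:extension:15Five:2.0:User"

def normalize_start_date(value):
    """Return value if it is a real calendar date in zero-padded MM/DD/YYYY."""
    if not re.fullmatch(r"[0-9]{2}/[0-9]{2}/[0-9]{4}", value):
        raise ValueError("start date must be MM/DD/YYYY: %r" % value)
    datetime.strptime(value, "%m/%d/%Y")  # rejects 02/30/2021 and 13/01/2021
    return value

def build_user(email, given, family, start_date=None,
               password=None, sso_enabled=False):
    """Build a SCIM create-user body (assumed shape, standard SCIM 2.0)."""
    user = {
        "schemas": [CORE_USER],
        # userName and primary email come from one value: 15Five relies on
        # email uniqueness, so the two must not drift apart.
        "userName": email,
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": email, "primary": True}],
        "active": True,
    }
    if start_date is not None:
        user["schemas"].append(FIFTEEN_FIVE_EXT)
        user[FIFTEEN_FIVE_EXT] = {"startDate": normalize_start_date(start_date)}
    # With SSO, authentication comes from SAML, so no password is sent.
    if password is not None and not sso_enabled:
        user["password"] = password
    return user

if __name__ == "__main__":
    import json
    # Constructed sample user.
    print(json.dumps(build_user("ana@example.com", "Ana", "Lee",
                                start_date="07/09/2020", sso_enabled=True),
                     indent=2))
```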

 

Troubleshooting, Support, and FAQs

Manager/Reviewer not syncing? 

Make sure that the manager exists within 15Five prior to provisioning. 15Five will ignore any manager assignments that include managers not present in 15Five. 

GSuite sends the manager information present in the manager attribute for a given user. The information in the attribute can be an email address for the manager or a 15Five ID for the user. Make sure this field is populated.

Finally, ensure that Sync Managers is enabled within 15Five's SCIM settings.

Please note, for consistency reasons, manager updates are not performed during active Best-Self Reviews. 

Changing a username?

15Five depends on the uniqueness of a user’s email address. Therefore, provisioning will fail if a user’s userPrincipalName is updated but their email address is not. Ensure these two source attributes (userPrincipalName and mail) send the same value, and retry provisioning if it has failed.

Updates or de-provisioning not working for some users? 

Users added to 15Five before SCIM was enabled for the 15Five account may not be tracked by GSuite. To make GSuite aware of these users' membership in 15Five, select "Clear current state and restart synchronization" and save the non-gallery app. NOTE: This could remove users from 15Five if they are not assigned to the non-gallery app in GSuite. 

Q: My user has a SCIM ID. Does that mean they were provisioned via SCIM?
A: No. All users are given a SCIM ID upon account creation regardless of whether or not they were provisioned via SCIM. Assigning these IDs helps 15Five stay consistent and organized. It's the value which is used to look up the user when a SCIM call comes in of the form /scim/v2/Users/<scim id>.

Q: We have data currently in 15Five, if we turn on SCIM provisioning do we risk having data deleted for people with existing data?
A: No, the data will not be deleted if the email addresses are the same. You will need to reimport all of your people so that SCIM will work with users that were active in 15Five prior to SCIM being enabled. Doing this does not affect check-ins, objectives, and other user-generated content.

Q: Can I sync employee timezones via SCIM?
A: Not at this time.

Q: If SCIM is on can I still add people on a one-off basis?
A: No, if SCIM is on you cannot manually add users via the 'Manage people' page or the team 15Five page. Importing new users via CSV is an option if SCIM is enabled for your organization. Please reach out to Support, your Implementation Specialist, or your Customer Success Manager to support you with this.

Q: Should we make groups in our IdP and then push them over to 15Five? If so, how do we pass over the group admin?
A: It is advisable to pass over the groups through IdP. However, there is no way to pass over a group admin. The field for group admin will be blank in 15Five. After you set up the groups between IdP and 15Five, you can add a group admin for each group.

Q: What is the frequency of SCIM uploads from our IdP to 15Five?
A: It is on demand, i.e., you make a change and your IdP pushes it immediately to 15Five.

Have questions that need a human touch? 

This integration is built and supported by 15Five and our Support Team. Contact the 15Five Support Team at support@15five.com if any issues arise. Thanks!

 