Configuring SCIM with GSuite

You can use SCIM to bring new employees into 15Five, update them, and deactivate them by syncing directly from GSuite to 15Five. This saves you lots of time and ensures that data is accurate and up to date for all your employees, at all times. 

Note

Typically, customers enable Single Sign-On (SSO) and SCIM together. See our article on SSO to see if the additional integration is a good fit for your company. If you want to set up SSO, be sure to set that up before you set up SCIM. If you are using SSO and SCIM together, SSO will only pass Email and Name ID. All other attributes will be updated by SCIM.


What you’ll find in this article:

  • Features synced
  • How to set up SCIM with GSuite
  • Syncing
  • How to disconnect
  • Troubleshooting and FAQs

Features

Automatic User Provisioning is supported for the 15Five application.
This enables GSuite to:

  • Add new people to 15Five
  • Update select fields in people’s profile information in 15Five
  • Deactivate people in 15Five
  • Push groups and membership to 15Five

The following provisioning features are supported:

  • Push New Users: Creating a new individual in GSuite and assigning them to the 15Five application will create a new individual in 15Five.
  • Push Profile Updates: Updates to an individual in GSuite will be pushed to 15Five.
  • Push User Deactivation: Deactivating the individual or disabling the individual's access to 15Five within GSuite will deactivate the individual in 15Five.
  • Push Groups: Groups created in GSuite can be pushed to 15Five. Attributes pushed include name and group members.
  • Delete Groups: Groups deleted or removed from the 15Five application within GSuite will be deleted within 15Five.

How to set up SCIM with GSuite

Ready to set up the SCIM integration with GSuite? Here are the steps to do so, with any tips you may need to know along the way.

Note

If you want to use 15Five’s start date functionality, and the hire/start date in GSuite is not the date you want the employee to actually gain access to 15Five (e.g. the start date is in the past), it is recommended that you first do a bulk import to bring your employees into 15Five, and then turn off the ‘Start date’ option in your SCIM settings in 15Five. Since 15Five syncs the hire date from GSuite and cannot accept a past start date, this is the best way to onboard your existing employees.

Set up SCIM with GSuite

1. Set up SSO first if you will be using that integration too.
2. Click on the Settings menu at the upper right corner of your 15Five account and then click Features under 'ADMIN SETTINGS'.

3. Click on 'Integrations'.

4. Click Enable to the right of the SCIM 2.0 option.

5. Generate an access token by clicking Generate OAuth token. This page will show you all access tokens that have been generated, and who generated them.

6. Add the 15Five application in GSuite and authorize using the token you just generated.

7. Click on Service Provider Details and fill out the required information. For the ‘ACS URL’ or ‘Connection URL’ and the ‘Start URL’, you will use your subdomain. For example: https://yoursubdomain.15five.com/scim/v2/

8. Select the Name ID selection you would like to use as the unique identifier for employees. Most companies use User ID or Email.

Note

If you use email and SSO, make sure to not allow JIT provisioning in your 15Five SSO settings. A change in someone's email address that is not immediately updated in 15Five can result in duplicate accounts.

9. Click Attribute Mapping and choose which fields you want to sync from GSuite to 15Five. Attributes marked with (*) must be mapped. Click Next.

Note

GSuite can be configured to sync passwords with 15Five. This sync is directed from GSuite to 15Five. That is, passwords are only ever sent from GSuite to 15Five for a person; never from 15Five to GSuite.

  • If your company uses SSO with 15Five, do not send the "passwordProfile.password" as an attribute via SCIM. User authentication will be determined from the SAML setup associated with 15Five.

It may take 40 minutes before the first people are pushed from GSuite to 15Five after the Admin Credentials (tenant URL and secret token) have been tested and the non-gallery app has been saved. After that, pushes occur about every 20 minutes.

Start dates

Interested in having your people gain access to 15Five for the first time on a specific day? With 15Five start dates, you can set a date before which your people will not be able to log in to 15Five, nor will they receive notifications. On the specified date, they will be sent an email notifying them that they have been invited to 15Five and can log in. To send start dates to 15Five, follow these steps:

Note

You must add the start date to the person before assigning the person to 15Five for the first time. If people are assigned to 15Five for the first time without a start date, it is assumed that they should start immediately and a welcome email will be sent immediately.

  • Ensure each person that needs to be provisioned with a start date has a start date of the form "MM/DD/YYYY" stored in an extension attribute. For example, "extensionAttribute1" can be used.
  • Navigate to the 15Five application within GSuite > Enterprise Application.
  • Under the 'Provisioning' sections, open the Mappings drop-down, and click on the User mappings link.
  • Under the Attribute Mappings list, click Edit attribute list for ... to add a new attribute.
  • Enter "urn:ietf:params:scim:schemas:extension:15Five:2.0:User:startDate" for the attribute name and "String" for the type. Click "Add Attribute".
  • Navigate back to the 'User Attribute Mapping' page.
  • Click Add New Mapping at the bottom of the Attribute Mappings table.
  • For "Source Attribute", select the extension attribute that holds the person's start date value, for example "extensionAttribute1".
  • For "Target Attribute", select "urn:ietf:params:scim:schemas:extension:15Five:2.0:User:startDate".
  • Click OK to save your mappings and application.
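
A pre-flight check for the rules above, as an added example that is not 15Five's or Google's own code: it flags a mapped "passwordProfile.password" while SSO is enabled, and start dates that are missing, not in "MM/DD/YYYY" form, or in the past. The sample mappings, the target names "userName" and "password", and the user records are constructed for illustration.

```python
import re
from datetime import date, datetime

START_DATE_TARGET = "urn:ietf:params:scim:schemas:extension:15Five:2.0:User:startDate"
PASSWORD_SOURCE = "passwordProfile.password"

# Constructed sample data; the mapping targets and user records are assumptions.
SAMPLE_MAPPINGS = {
    "mail": "userName",
    "extensionAttribute1": START_DATE_TARGET,
    PASSWORD_SOURCE: "password",
}
SAMPLE_USERS = [
    {"mail": "ana@example.com", "extensionAttribute1": "03/01/2031"},
    {"mail": "bo@example.com", "extensionAttribute1": "2031-03-01"},
    {"mail": "cy@example.com", "extensionAttribute1": "01/15/2020"},
    {"mail": "dee@example.com"},
]

def lint_provisioning(mappings, users, sso_enabled, today):
    """Return (subject, problem) findings for a planned first sync."""
    findings = []
    if sso_enabled and PASSWORD_SOURCE in mappings:
        findings.append(("mapping", "password is mapped although SSO is enabled"))
    # Source attributes that feed the 15Five start date extension attribute.
    sources = [s for s, t in mappings.items() if t == START_DATE_TARGET]
    for user in users:
        who = user.get("mail", "<no mail>")
        for source in sources:
            raw = (user.get(source) or "").strip()
            if not raw:
                findings.append((who, "no start date, so access starts immediately"))
            elif not re.fullmatch(r"\d{2}/\d{2}/\d{4}", raw):
                findings.append((who, f"start date {raw!r} is not MM/DD/YYYY"))
            else:
                try:
                    start = datetime.strptime(raw, "%m/%d/%Y").date()
                except ValueError:
                    findings.append((who, f"start date {raw!r} is not a real date"))
                    continue
                if start < today:
                    findings.append((who, f"start date {raw} is in the past"))
    return findings

if __name__ == "__main__":
    for subject, problem in lint_provisioning(
        SAMPLE_MAPPINGS, SAMPLE_USERS, sso_enabled=True, today=date(2030, 1, 1)
    ):
        print(f"{subject}: {problem}")
```

Run it against an export of the people you are about to assign, before assigning them, since the start date must already be present at first assignment.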

Syncing groups

Please note that these are the only group attributes that are updatable via the GSuite integration:

  • Group name
  • Group members

Groups created in 15Five cannot be imported into GSuite. Since groups cannot be imported from 15Five into GSuite, it is suggested that you create groups in GSuite first. These groups, when assigned to the 15Five non-gallery app, will be pushed to 15Five along with all people. Groups cannot be used to manage access to 15Five. For example, the following steps will NOT cause an individual to be de-provisioned from 15Five:

  1. Create a group in GSuite.
  2. Assign people to that group in GSuite.
  3. Assign the group to 15Five application in GSuite.
  4. Remove an individual (Person A) from the group in GSuite.

Note

Steps 1 through 3 will cause people to be provisioned to 15Five, but the last step will not cause Person A to be removed from 15Five. Person A will only be removed from the group within 15Five. To remove people from 15Five, they must individually be unassigned from the application within GSuite. Therefore, it is suggested that people be individually assigned to the 15Five application within GSuite (rather than via group assignment) for consistency.
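
Because removing someone from a group does not deactivate them, an access review has to compare who is still active in 15Five with who is still assigned in the directory. The reconciliation below is an added example, not part of 15Five or GSuite; the three CSV exports and their column names are constructed assumptions.

```python
import csv
import io

# Constructed sample exports (not real data). Column names are assumptions.
DIRECT_ASSIGNMENTS_CSV = """email
ana@example.com
"""
GROUP_MEMBERS_CSV = """group,email
Engineering,Ana@example.com
Engineering,bo@example.com
"""
ACTIVE_15FIVE_CSV = """email,status
ana@example.com,active
BO@example.com,active
cy@example.com,active
dee@example.com,inactive
"""

def _emails(text, column="email", keep=lambda row: True):
    """Return the set of normalised e-mail addresses in one CSV export."""
    rows = csv.DictReader(io.StringIO(text))
    return {r[column].strip().lower() for r in rows if keep(r)}

def classify_access(direct_csv, group_csv, active_csv):
    """Classify every active 15Five account by how it is entitled today."""
    direct = _emails(direct_csv)
    via_group = _emails(group_csv)
    active = _emails(active_csv, keep=lambda r: r["status"].strip().lower() == "active")
    report = {"direct": [], "group_only": [], "stale": []}
    for email in sorted(active):
        if email in direct:
            report["direct"].append(email)
        elif email in via_group:
            # Removing this person from the group will not deactivate them.
            report["group_only"].append(email)
        else:
            # Still active in 15Five with no assignment left in the directory.
            report["stale"].append(email)
    return report

if __name__ == "__main__":
    for bucket, emails in classify_access(
        DIRECT_ASSIGNMENTS_CSV, GROUP_MEMBERS_CSV, ACTIVE_15FIVE_CSV
    ).items():
        print(f"{bucket}: {', '.join(emails) or '-'}")
```

Accounts in "stale" are the Person A case described above; accounts in "group_only" will become stale the next time they are dropped from their group.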

10. In the 'Set provisioning scope' dialog box, add a group to restrict provisioning to members of groups you define.
11. Click the underscore and start entering your group name. A list of available groups should appear. Selecting one adds it and opens another underscore to add another. Continue to add as many as you want to sync over. To remove any group you added, click next to it.
12. Once you’re done, click Finish.
13. Review the information in the 'Provisioning summary' dialog box, then click OK.
14. Choose one of the following actions:

  • Click Activate provisioning.
    • If needed, first enable the Activate Provisioning button.
  • Set the app to On for everyone or On for some organizations.
    • If the app is set to Off, this choice is grayed out.
  • Reload the page, then click Activate provisioning.
  • In the confirmation dialog box, click Activate.

Group types

When a new group is created and synced over via SCIM, it goes into the 'Groups' group type in 15Five. In terms of attributes, the only thing 15Five reads from SCIM regarding groups and group types is the Group ID. Once a group appears in 15Five, it is up to the account administrators to move it to another group type as needed. Groups can be moved to a new group type (manually, via CSV, or via API) in 15Five, and future SCIM syncs will not override the group type because the group ID itself hasn't changed.

The gist: Group types within 15Five do not talk to SCIM. SCIM does not talk to 15Five about group types. SCIM only talks to 15Five from a group perspective (i.e. creating a group, naming a group, adding or removing members, deleting a group). The group type organization and maintenance is done manually in 15Five alone (i.e. creating a new group type, moving to a group type, enabling features per group type).

Note

If an existing group and department (or two groups) need to be combined, this merge should take place in SCIM and then 15Five will update accordingly.


Syncing

Syncing through SCIM is done anytime a field changes. You can also test a sync by updating any desired field, which will kick start a sync.

We verify people by SCIM ID, then User ID, then Email, then Employee ID, stopping at any point if we hit a match. If you are seeing issues with the managerId field not syncing correctly, check the id that you have mapped here or any downstream software you have syncing to GSuite. If you are having issues with fields not syncing correctly, email our Support Team at support@15Five.com and we can take a look!


How to disconnect

Disconnecting the SCIM integration is a matter of unchecking the ‘Enabled’ box in your SCIM settings.


Troubleshooting, Support, and FAQs

Q: How do welcome emails work?
A: After assigning 15Five to an individual in GSuite for the first time, a new individual in 15Five will be created. If SSO is enabled for that individual's company in 15Five, that individual will be sent a welcome email with a link to the SSO page at 15Five. If SSO is not enabled, that individual will be sent a link to sign in and set their password.

Q: If SCIM is on can I still add people on a one-off basis?
A: No, if SCIM is on you cannot manually add individuals via the 'Manage people' page or the team 15Five page. Importing new individuals via CSV is an option if SCIM is enabled for your organization. Reach out to Support to explore this option.

Q: Can GSuite sync passwords?
A: When updating an individual's GSuite password, that individual's 15Five password may be updated (depending on whether the "passwordProfile.password" attribute is being sent by GSuite). If SSO is enabled for the individual's company in 15Five, no password changes will occur for the individual within 15Five. If SSO is not enabled in 15Five and the "passwordProfile.password" attribute is being sent by GSuite to 15Five, then the individual will receive an email with a link to reset their password in 15Five.

Q: Manager/Reviewer not syncing?
A: There are a few potential reasons for this:

  • Confirm that ‘Sync Managers’ is selected in your SCIM settings.
  • There's an active Best-Self Review cycle in your company's account. Since changing reviewers during a review cycle causes changes to the review cycle, manager updates are not performed during active Best-Self Reviews.
  • Did the manager exist in 15Five before assigning them to the employee in GSuite?
  • Confirm that your managerId or managerEmail attributes are mapped correctly.
  • GSuite sends the manager information present in the manager attribute for a given individual. The information in the attribute can be an email address for the manager or a 15Five ID for the individual. Make sure this field is populated.
  • If you have a downstream software connecting to GSuite, confirm that the id mapped from that software to GSuite is an id that is passed to 15Five. We verify individuals by SCIM ID, then User ID, then Email, then Employee ID, stopping at any point if we hit a match. If we do not see an ID we recognize, often the reviewer field will appear blank in 15Five.
  • Modify the individual(s) profile in some way (perhaps by altering an unused field (State, Zip, etc)). Bulk modification of individuals is possible in Okta.
  • Un-assign and re-assign the direct report to the 15Five application. Please note this will trigger a "Welcome Back" email to be sent to the re-assigned individual(s).

Q: Anything to keep in mind when changing a username?
A: 15Five depends on the uniqueness of an individual's email address. Therefore, provisioning will fail if an individual's userPrincipalName is updated but their email address is not. Ensure these two source attributes (userPrincipalName and mail) send the same value, and retry the provision if it has failed.

Q: Updates or de-provisioning not working for some individuals?
A: Individuals added to 15Five before SCIM was enabled for the 15Five account may not be tracked by GSuite. To make GSuite aware of these individuals' membership in 15Five, select Clear current state and restart synchronization and save the non-gallery app. This could remove individuals from 15Five if they are not assigned to the non-gallery app in GSuite.

Q: We have data currently in 15Five, if we turn on SCIM provisioning do we risk having data deleted for people with existing data?
A: No, the data will not be deleted if the email addresses are the same. You will need to reimport all of your people so that SCIM will work with individuals that were active in 15Five prior to SCIM being enabled. Doing this does not affect check-ins, objectives, and other user-generated content.

Q: Can I sync employee timezones via SCIM?
A: Not at this time.

Q: Should we make groups in our IdP and then push them over to 15Five? If so, how do we pass over the group admin?
A: It is advisable to pass over the groups through IdP. However, there is no way to pass over a group admin. The field for group admin will be blank in 15Five. After you set up the groups between IdP and 15Five, you can add a group admin for each group.
