User Account Management
Workplace accounts for your organization can either be managed manually by a system admin or automatically using a cloud identity provider. Workplace also supports automated account management via Active Directory.
This article is only applicable to users of Workplace Advanced.
Using a cloud identity provider is a straightforward way to enable automated account management in Workplace. Our identity and access management partners provide the following benefits:
- Keep user data centralized. Connect your primary identity store (e.g. Microsoft Active Directory or Oracle Directory Server) with a cloud directory to synchronize user accounts across applications, including Workplace. An agent or plugin from the cloud identity provider synchronizes changes from your primary identity store into a cloud replica.
- Unified system of record. Maintain your primary identity store as people join and leave your organization.
- Sync account changes to Workplace. User account information and status changes are synchronized between your cloud identity provider and Workplace, eliminating the need for manual user administration when people join and leave your organization.
To start, follow the steps outlined here as a system administrator to create a custom integration app to provision user accounts. These steps will provide you with the following values needed to complete configuration:
- Access Token: The access token that allows an application to manage accounts.
- SCIM URL: The API endpoint that a cloud application will use to manage accounts.
- Community ID: The ID of your organization, which allows a cloud application to differentiate between Workplace instances.
Next, follow the directions hosted by your cloud identity provider.
Keep in mind that Workplace integrates natively with the following partners:
The AD Sync Component requires the following:
- Software installation must be run by a user with AD Domain Administrator privileges.
- AD Sync is designed to run on Windows Server 2012 R2 or Windows Server 2016. Other configurations may work (when the OS language is set to en_US), but aren't supported by Workplace.
- AD Sync needs to run on a computer that is domain-joined to the same AD controller that your Workplace users belong to. If your Workplace users belong to multiple AD Domains, you may need to follow the installation and configuration procedure for AD Sync on a server in each domain.
- The following Microsoft components are required and will be installed with AD Sync if they're not already on the server: .NET Framework 4.5.2, and SQL Server 2014 Express LocalDB (a light version of SQL Server Express) to store user data. All cumulative updates should be installed.
- For each group of users that you want to sync to Workplace from Facebook, you must identify the Distinguished Name (DN) of the root entry in Active Directory that contains the users, and either an LDAP filter or an Active Directory group that identifies the users you want to sync to Workplace.
- Your Domain Controller must be able to support LDAPS (SSL) connections over port 636.
The Workplace AD Sync component lets you sync selected groups and organization units from Active Directory to Workplace, eliminating the need for manual user administration when people join and leave your organization. AD Sync is designed to automatically:
- Provision (create) user accounts as new people join your organization.
- Update user profile attributes over time as they change (e.g. a different phone number).
- De-provision (deactivate) user accounts as people leave your organization, or should no longer have access.
AD Sync runs as a Windows Service within your IT infrastructure. After you configure it to query AD for the set of users you'd like to give access to Workplace, AD Sync will run on a schedule every three hours to reconcile accounts between AD and Workplace.
Note: If your Active Directory is synchronized to a cloud identity provider that partners with Workplace, we recommend integrating Workplace with your cloud provider directly.
The AD Sync Component has the following limitations:
- Only syncs users from the Active Directory domain that the server belongs to, or from a domain in the same AD forest that has the appropriate trust relationships established.
- Can only be configured to sync users based on LDAP filters (e.g. a specific user class or attribute value) or AD security / distribution groups.
- Handles only up to approximately 100,000 users with the default admin-less SQL Server 2014 Express LocalDB. Syncing more users requires an admin to manage their own database.
- Has only been tested on Active Directory domains and forests at the Windows Server 2012 functional level.
- Only allows customizing the mapping rules for the following user-profile attributes: formatted name and location. All other attributes are mapped by default logic.
- Won't sync users that don't have an AD value for these three required Workplace fields: email address, display name and family name.
AD Sync does a one-way batch replication of selected users' profile data. The AD Sync Component doesn't write back to your directory service.
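The scheduled one-way reconciliation described above (provision, update, de-provision, and the rule that users missing one of the three required fields are not synced), as an added Python example that is not Workplace's own AD Sync code: it runs over constructed AD and Workplace records, and the record field names, the treatment of skipped users (existing account left untouched rather than deactivated) and the `plan_sync`/`rec`/`demo` helpers are assumptions of this example.

```python
REQUIRED = ("email", "display_name", "family_name")  # Workplace's three required fields
SYNCED = ("display_name", "family_name", "phone")     # attributes kept up to date

def plan_sync(ad_users, wp_users):
    """One scheduled run: AD is the source of truth, nothing is written back."""
    plan = {"create": [], "update": [], "deactivate": [], "skip": []}
    wp_by_email = {u["email"].lower(): u for u in wp_users}
    covered = set()  # Workplace accounts the AD selection still accounts for
    for ad in ad_users:
        missing = [f for f in REQUIRED if not ad.get(f)]
        if missing:  # not synced; an existing account is left untouched (assumption)
            plan["skip"].append((ad.get("dn"), missing))
            if ad.get("email"):
                covered.add(ad["email"].lower())
            continue
        key = ad["email"].lower()
        covered.add(key)
        wp = wp_by_email.get(key)
        if wp is None:
            plan["create"].append(key)  # provision a new joiner
            continue
        changed = {f: ad.get(f) for f in SYNCED if ad.get(f) != wp.get(f)}
        if not wp.get("active", True):
            changed["active"] = True  # rejoiner: reactivate instead of re-creating
        if changed:
            plan["update"].append((key, changed))
    for key, wp in wp_by_email.items():
        if key not in covered and wp.get("active", True):
            plan["deactivate"].append(key)  # de-provision a leaver
    return plan

def rec(dn, email, display_name, family_name=None, phone=None, active=True):
    """Build a constructed sample record (same shape used for AD and Workplace)."""
    return {"dn": dn, "email": email, "display_name": display_name,
            "family_name": family_name, "phone": phone, "active": active}

def demo():
    """Constructed sample: four AD records reconciled against four Workplace accounts."""
    ad = [rec("CN=Alice Lee,OU=Sales,DC=example,DC=com", "alice@example.com", "Alice Lee", "Lee", "+1-555-0100"),
          rec("CN=Bob Ng,OU=Sales,DC=example,DC=com", "bob@example.com", "Bob Ng", "Ng", "+1-555-0101"),
          rec("CN=Carol,OU=Sales,DC=example,DC=com", "carol@example.com", "Carol"),  # no family name
          rec("CN=Dave Ito,OU=Sales,DC=example,DC=com", "dave@example.com", "Dave Ito", "Ito")]
    wp = [rec(None, "alice@example.com", "Alice Lee", "Lee", "+1-555-0100"),  # unchanged
          rec(None, "bob@example.com", "Bob Ng", "Ng", "+1-555-0199"),        # stale phone
          rec(None, "carol@example.com", "Carol", "X"),                       # left untouched
          rec(None, "erin@example.com", "Erin Park", "Park")]                 # no longer in AD selection
    return plan_sync(ad, wp)
```

Running `demo()` yields one create (Dave), one phone update (Bob), one deactivation (Erin) and one skip (Carol, missing family name); Alice is unchanged and produces no action.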