User provisioning lets you synchronize user accounts between TalentLMS and your IdP through the SCIM v2 API. It’s a process that can save significant amounts of time and ensure the centralization of your users' access privileges. Common uses include pushing new users to TalentLMS, activating or deactivating users, and updating user profiles automatically.
How to configure user provisioning with Azure AD
We have broken down our guide into four sections:
D. Known issues & troubleshooting
The supported user provisioning features are:
- Push New Users: Users created in Azure AD are added to TalentLMS automatically.
- Push Profile Updates: Updates made to user profiles through Azure AD are synced to TalentLMS.
- Push User Deactivation/Activation: Deactivating a user or revoking their access to the application through Azure AD deactivates the user in TalentLMS. User activation is also supported.
|Note: Deactivating a user means changing the user’s status from “active” to “inactive”. The user’s account is not deleted.|
- Push Password Updates: Updates made to user passwords through Azure AD are synced to TalentLMS.
To configure user provisioning for TalentLMS, you first need to configure SSO with TalentLMS. To do that:
- Sign in to your TalentLMS account as Administrator, go to Account & Settings > Users tab.
- Click Single Sign-on (SSO) (1). Go to this article to find the values for the required fields. In the same article, follow the instructions in Section B for configuring a custom App in Azure AD.
- Click Save and check your configuration (2). You will be prompted to log in to Azure and will then be redirected to TalentLMS where you can confirm that all the required user attribute/value pairs (e.g., username/TargetedID, user email) are returned from Azure AD.
Before returning to your Azure AD custom app page, check Enable SCIM v2 user provisioning and note down the provided API key (3).
To configure user provisioning for TalenltLMS, using a custom Azure app, follow these steps:
- Sign in to your AzureAD dashboard, go to the Enterprise applications, and from the top menu click New application.
- Click Create your own application, give a name, select Integrate any other application you don't find in the gallery, and click Create.
- Click Provision from the left-side menu and then Get started.
- On Provision mode select Automatic.
On Admin Credentials fill the 2 available fields as follows:
- Tenant URL (1): https://yourdomain.talentlms.com/api/scim2 Replace yourdomain with your actual talentlms domain name. If you have mapped a custom domain name for your TalentLMS portal, use the custom domain name instead
- Secret Token (2): Paste the Api Key as shown in the TalentLMS SSO form.
- Click Test connection and, if successful, click Save.
|Note: You can setup custom mapping to send a value from user profiles in AzureAD to TalentLMS for assigning user-types and timezone. For example, to sync user-type from Azure to TalentLMS via SCIM, the custom attribute mapping must have the Target Attribute as userType.|
D. Known issues & troubleshooting
Before you start using your Azure AD-enabled user provisioning service, take a look at these important notes:
- When the “Time zone” and “User type” attributes are not defined for a specific user, then their TalentLMS user account is assigned the default values. To customize the time zone, go to Home > Account & Settings > Basic settings>Locale. The default user type can be configured from Home > Account & Settings > Users. Default values for each branch can be configured from the branch homepage by the branch admin.
When you delete a provisioned user account in TalentLMS, you must make sure the account is deleted permanently. That way, when creating a new user through user provisioning, you avoid getting an error message that their email is not unique. For more on deleting user accounts permanently, see this article.
- When trying to push a user to your TalentLMS domain through the SCIM v2 API, you may get the following error message: "A user with the same email address already exists." This could mean two things:
- There’s already a TalentLMS user account for the same user registered with that email address, but the username is different from the one pushed by AzureAD. In that case, the username matching fails due to the email address not being unique, so TalentLMS tries to create a new user account. The issue is resolved by changing the user’s username either in AzureAD or TalentLMS to match the other one.
- You have recently deleted a TalentLMS user that was registered with that same email address. In that case, the new user’s email is not recognized as unique because the old user isn’t permanently deleted (i.e., TalentLMS doesn’t remove users permanently at first delete so that you can restore a user if they’ve been deleted by accident). The issue is resolved by permanently deleting the user that has the same email. For more on deleting users permanently, see this article.