Before starting the User Provisioning desktop application, configure the connections in DocuWare Configurations > App Registration and DocuWare Configurations > User Provisioning.
1. Register the User Provisioning desktop application
Go to DocuWare Configurations > Integrations > App Registration.
In the App Registration plugin, select New app registration.
In the Create Application Registration pop-up, choose the option Web application and click Continue.
In the app registration:
Enter a name.
Select as Grant Type the option Client Credentials.
Click the Save button.
Copy:
Application (Client) ID
Client Secret
Switch back to DocuWare Configurations and go to General > User Provisioning.
In the User Provisioning plugin activate the option Enable User Provisioning.
Copy the values shown in the textboxes for Tenant URL and Token Endpoint:
Now you have collected all the information needed to connect the User Provisioning on-premises application with your DocuWare system:
The Application (Client) ID
The Client Secret
Tenant URL
Token Endpoint
2. Connect the User Provisioning desktop application with DocuWare
The User Provisioning on-premises application is located in the DocuWare installation folder. To access it, navigate to the UserProvisioning subfolder at the following path: C:\Program Files (x86)\DocuWare\PowerTools\UserProvisioning.
To configure the application settings, open the file UserProvisioning.WPF\UserProvisioningConfigurator.exe and click Create new.
In the new dialog Select environment, choose DocuWare On-Premise. Click Next.
Enter the details to connect the application to DocuWare. Go back to step 9 in the previous chapter, copy the needed information and paste it here into the textboxes.
Then click Add to configure the connections to the Active Directories.
Enter the information about the Active Directories
Enter a Name. You will also need this configuration name when configuring the Windows Task Scheduler - see below.
Choose type of connection - LDAP or Microsoft.
BaseDN and Groups DN should follow the syntax:
Groups DN Examples: cn=Admins,dc=example,dc=com or cn=Developers,ou=IT,dc=company,dc=org
BaseDN Examples: dc=example,dc=com or ou=IT,dc=company,dc=org
Optionally, activate the 'Create Network ID' option - This option is supported only for DocuWare on-premises environment.
Provide a Domain name
Set a proper NetworkIdAttribute - example: userPrincipalName
Note: These attributes are added only to newly created users. Once users are provisioned, these attributes are not updated afterwards.
Groups section - each group you'd like to sync should be on a separate line. The Group Name is prefilled automatically, but if you want to rename the group in the DocuWare system you can enter a custom name. All nested groups are also created, together with their corresponding users.
This is a sample for the configured Active Directory connection dialog:
Once the configuration is saved the name will be shown in the previous window - see also step 4:
Next to the name of the configuration the options for Active, Edit and Delete are shown.
If you need to connect to multiple servers and active directories, create a separate configuration for each connection.
Click the Save button.
Close the User Provisioning on-premises application.
Your configuration is already saved and can be found in the following folder: C:\ProgramData\DocuWare\UserProvisioningConfig.
3. Configure the Windows Task Scheduler to execute the synchronization
Switch to the Windows Task Scheduler. Create and schedule a Windows task for executing the user and groups synchronization.
Open Windows Task Scheduler and click Create Basic Task.
Follow the steps shown in the wizard. First, enter a Name for the task.
Choose when the synchronization should be triggered
Select the Action: Start a program. Click Next.
Select the task you’d like to be executed and the arguments, which have to be used.
The term Argument refers to the User Provisioning configuration you have stored in step 8 of the previous chapter. Write the name of the file copied from the Windows Application (userProvisioning_config_1.json).
For Program/Script browse again to DocuWare\PowerTools\UserProvisioning\UserSyncExe and select UserProvisioning.exe.
Click Finish. The synchronization starts automatically. Wait for the synchronization
Once the synchronization is finished the following information will be shown in the User Provisioning Configurator:
If the synchronization of one or multiple users or groups has failed, the Timestamp field can be edited with the previous date so the Synchronization task can run again.
The User Provisioning configurations can be found here: C:\ProgramData\DocuWare\UserProvisioningConfig
Logs can be found here: C:\ProgramData\DocuWare\Logs\UserProvisioning
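The scheduled task from section 3 can also be registered from PowerShell instead of the wizard. This is an added example, not DocuWare's own script. The task name, the daily 02:00 trigger, the two-hour limit and running under a dedicated account are assumptions, as is the configuration file sitting in the configuration folder under the name shown above.

```powershell
# Paths and file name as given on this page; adjust to your installation.
$exe        = 'C:\Program Files (x86)\DocuWare\PowerTools\UserProvisioning\UserSyncExe\UserProvisioning.exe'
$configDir  = 'C:\ProgramData\DocuWare\UserProvisioningConfig'
$configName = 'userProvisioning_config_1.json'
$taskName   = 'DocuWare User Provisioning Sync'   # hypothetical task name

# Fail early if the program or the saved configuration is missing.
foreach ($path in $exe, (Join-Path $configDir $configName)) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        throw "Not found: $path"
    }
}

# Account that runs the sync. It needs read access to the relevant user
# properties in Active Directory (see Notes) and nothing beyond that.
$cred = Get-Credential -Message 'Account that runs the synchronization'

# Action: start UserProvisioning.exe with the configuration name as argument.
$action   = New-ScheduledTaskAction -Execute $exe -Argument $configName
# Assumed schedule: once a day at 02:00.
$trigger  = New-ScheduledTaskTrigger -Daily -At '02:00'
# Do not start a second run while one is still in progress.
$settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
                -ExecutionTimeLimit (New-TimeSpan -Hours 2)

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Settings $settings -User $cred.UserName `
    -Password $cred.GetNetworkCredential().Password | Out-Null

# Show when the task last ran, its result code and the next scheduled run.
Get-ScheduledTaskInfo -TaskName $taskName |
    Select-Object LastRunTime, LastTaskResult, NextRunTime
```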
Notes:
New users created via User Provisioning receive a welcome email with a 3-hour password reset link. Configuring an SMTP server is recommended, as lacking one can negatively impact system performance.
Ensure that the user account running the sync has permission to read all relevant user properties in Active Directory, as this is required for proper synchronisation.
To properly configure SSO using ADFS as the Identity Provider with your DocuWare Cloud system, we strongly recommend setting userPrincipalName as the mapping attribute for usernames.
Removing a user from the synchronisation group does not deactivate the user; it simply removes them from the group. In order for a user to be properly deactivated in our system, their account must be deactivated in Active Directory.
A user completely removed from the external directory is not automatically updated in DocuWare. The User Provisioning app only syncs changes for defined, existing users. If a user is deleted from the external directory, the app does not detect the change unless the provisioned group is also modified, for example, by a membership or timestamp reset. In that case, the user is removed from the group in DocuWare but remains active.
The table below explains how user changes in an external directory (such as Active Directory) affect user synchronization in DocuWare via User Provisioning:
| Status in the external directory | DocuWare app User synchronisation | DocuWare |
| --- | --- | --- |
| User is deactivated | Transfers the status | User is deactivated |
| User is moved in the external directory | Detects that the user no longer belongs to the synchronizing group | User remains activated |
| User is removed from directory | Does not transfer a change, unless other group changes or timestamp reset - then user is removed from group | User remains activated |
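Because moved and removed users stay active in DocuWare, a periodic reconciliation helps find accounts that should be reviewed. The following is an added example, not part of DocuWare. The function name, the property names and the sample data are constructed, and it assumes DocuWare usernames are mapped to userPrincipalName.

```powershell
# Constructed sample data. In practice the directory snapshot could come from
# Get-ADUser / Get-ADGroupMember -Recursive, and the DocuWare list from an
# export of provisioned users (property names here are assumptions).
$directoryUsers = @(
    [pscustomobject]@{ Upn = 'alice@example.com'; Enabled = $true;  InSyncGroup = $true  }
    [pscustomobject]@{ Upn = 'bob@example.com';   Enabled = $false; InSyncGroup = $true  }
    [pscustomobject]@{ Upn = 'carol@example.com'; Enabled = $true;  InSyncGroup = $false }
)
$docuWareUsers = @(
    [pscustomobject]@{ UserName = 'alice@example.com'; Active = $true }
    [pscustomobject]@{ UserName = 'bob@example.com';   Active = $true }
    [pscustomobject]@{ UserName = 'carol@example.com'; Active = $true }
    [pscustomobject]@{ UserName = 'dave@example.com';  Active = $true }
)

function Find-StaleDocuWareUser {
    param(
        [Parameter(Mandatory)] [object[]] $DirectoryUsers,
        [Parameter(Mandatory)] [object[]] $DocuWareUsers
    )
    # Index the directory snapshot by UPN (hashtable keys are case-insensitive).
    $byUpn = @{}
    foreach ($d in $DirectoryUsers) { $byUpn[$d.Upn] = $d }

    foreach ($u in ($DocuWareUsers | Where-Object { $_.Active })) {
        $d = $byUpn[$u.UserName]
        $reason = $null
        if (-not $d)                 { $reason = 'Removed from directory' }
        elseif (-not $d.InSyncGroup) { $reason = 'No longer in the synchronized group' }
        elseif (-not $d.Enabled)     { $reason = 'Deactivated in directory, status not yet transferred' }

        # Emit one finding per active DocuWare user that needs review.
        if ($reason) {
            [pscustomobject]@{ UserName = $u.UserName; Reason = $reason }
        }
    }
}

# Reports bob (deactivated), carol (moved) and dave (removed); alice is clean.
Find-StaleDocuWareUser -DirectoryUsers $directoryUsers -DocuWareUsers $docuWareUsers |
    Format-Table -AutoSize
```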