User synchronization - connecting to DocuWare


This article covers how the DocuWare Desktop App “User synchronization” connects to the Active Directory (LDAP) or Azure Active Directory (Microsoft Graph) to create or update DocuWare users.
It only supports Microsoft Active Directory via LDAP, so it is not compatible with other LDAP user directories such as OpenLDAP.

Starting user synchronization

After starting user synchronization, first enter the DocuWare URL.

User synchronization automatically switches between the secure and non-secure SSL/TLS options depending on the URL syntax. If the URL is correct and reachable, the app performs several checks: whether a login token is available, whether the system is a cloud or on-premises system, and whether the identity service is available.

  • If a login token is available, the step "Login to DocuWare" is skipped.

  • If no login token is available, a login page is displayed in the browser. Here the user can create a login token with Single Sign-On or with DocuWare account information.

  • If it is not possible to create a login token, a "Login to DocuWare" fallback dialog is displayed. Here the user specifies the organization, user, and user password. DocuWare authentication is used for this.

Connecting to LDAP

To synchronize users from the local Active Directory (LDAP), the Windows account under which the User Synchronization application is running must be a member of the Windows domain of this Active Directory. The DocuWare system does not have to be part of the domain. Only the User Synchronization app connects to the LDAP system and DocuWare.

Connection URL and access data are not required here. The connection is established with the user running the app and is therefore limited to the permissions of this user.

After calling up the users, select whether existing DocuWare users should be matched against existing Active Directory users. Matching is done by user name and email address; an account is linked in the database (via external provider and external ID) only if both match.

Within the app, the Active Directory structure can be searched. To synchronize, first select the organizational unit (OU) that contains the groups and then the OU that contains the users. Several groups can be selected, but they must be located in the same OU. After you have selected the OU that contains the correct groups, select one of the group name attributes:

  • Name

  • CN

  • sAMAccountName

For the users, select an OU where each user is available, regardless of whether the users are members of groups to be synchronized. You then specify one of the attributes for the user name.

  • sAMAccountName

  • userPrincipalName

  • userPrincipalNamePrefix

  • CN

  • DisplayName

  • Name
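As an added example (not DocuWare's own code), the following derives the DocuWare user name from the selected AD attribute, including the derived userPrincipalNamePrefix (the same prefix rule the Azure AD section describes), and applies the linking rule above: an existing DocuWare account is linked only if both user name and email match. The directory entries, DocuWare users and the case-insensitive comparison are assumptions of this example.

```python
from typing import List, Optional

# Added example, not DocuWare's code: derive the DocuWare user name from the
# selected AD attribute and apply the linking rule (user name AND e-mail must
# match). The directory entries and DocuWare users below are constructed.

USER_NAME_ATTRIBUTES = ("sAMAccountName", "userPrincipalName",
                        "userPrincipalNamePrefix", "CN", "DisplayName", "Name")

def user_name_from_entry(entry: dict, attribute: str) -> str:
    """DocuWare user name of one AD entry under the selected attribute."""
    if attribute not in USER_NAME_ATTRIBUTES:
        raise ValueError(f"unsupported user name attribute: {attribute}")
    if attribute == "userPrincipalNamePrefix":
        # Not a real AD attribute: the part of userPrincipalName before '@'
        # (the same rule the Azure AD section describes).
        upn = entry.get("userPrincipalName", "")
        if "@" not in upn:
            raise ValueError(f"userPrincipalName has no '@': {upn!r}")
        return upn.split("@", 1)[0]
    value = entry.get(attribute)
    if not value:
        raise ValueError(f"entry has no value for {attribute}")
    return value

def link_existing_user(ad_entry: dict, attribute: str,
                       docuware_users: List[dict]) -> Optional[dict]:
    """Existing DocuWare user to link, or None. Both user name and e-mail must
    match; case-insensitive comparison is an assumption of this example."""
    name = user_name_from_entry(ad_entry, attribute).casefold()
    mail = ad_entry.get("mail", "").casefold()
    for dw_user in docuware_users:
        if (dw_user["name"].casefold() == name
                and dw_user["email"].casefold() == mail):
            return dw_user
    return None

# Constructed sample data: two AD entries and two pre-existing DocuWare users.
AD_ENTRIES = [
    {"sAMAccountName": "jdoe", "userPrincipalName": "jane.doe@corp.example",
     "CN": "Jane Doe", "DisplayName": "Jane Doe", "Name": "Jane Doe",
     "mail": "jane.doe@corp.example"},
    {"sAMAccountName": "bsmith", "userPrincipalName": "bob.smith@corp.example",
     "CN": "Bob Smith", "DisplayName": "Bob Smith", "Name": "Bob Smith",
     "mail": "bob.smith@corp.example"},
]
DOCUWARE_USERS = [
    {"name": "jane.doe", "email": "jane.doe@corp.example"},
    {"name": "bob.smith", "email": "robert.smith@corp.example"},  # e-mail differs
]
```

With userPrincipalNamePrefix selected, Jane is linked to her existing account, while Bob is not linked because only his user name matches and his email differs.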

Connecting to Azure AD

To connect the User Synchronization app to Azure AD, you must configure Azure AD in the Azure Portal. Enter the following parameters to establish a connection to Azure AD.

  • Issuer URL

  • Client ID

  • Client Secret

The local AD does not require comparable parameters; this step is only visible with Azure AD.

Configuration of Azure AD

To synchronize users from the Azure Active Directory, a connection must first be established.

The following steps are necessary:

  • Create a new app registration
    In the Azure Portal, open the app registrations and create a new app registration.

  • Assign permissions
    The following permissions are required to synchronize users. Please also note the type of each permission (Application or Delegated).

  • Create a client key
    Create a new secret client key (Client Secret) under the item Certificates & Secrets. Back up the key immediately, as it is permanently hidden once the page is closed.

  • Copy credentials
    In the app registration overview, copy the application ID (Client ID), and under Endpoints copy the URL of the OpenID Connect metadata document (Issuer URL). Enter both, together with the Client Secret, in the User Synchronization app.

    Within the app, the Azure Active Directory structure can be searched. To synchronize, first select the groups you want to synchronize with DocuWare and then the groups that contain the users.

    The users are always created using the userPrincipalName prefix, so the user name is usually firstname.lastname.

Group Assignment

By default, a new group with the same name is created in DocuWare; if such a group already exists, users are synchronized with it.

Alternatively, you can skip an LDAP group during synchronization. Its users are then not added to that group; but if they are in the selected user node, they are still created in DocuWare and added at least to the Public group (all users are members of the Public group).

The third option is to select an existing group from DocuWare and add LDAP users to it.

The last option is "Edit DocuWare Groups." This option opens a new window in which users can add or remove groups. When groups are removed, they are not actually removed from DocuWare, but only from the user sync pool of the groups to be synchronized. When you add a group, a group is not automatically created in DocuWare; the group is only created after the synchronization process.
New groups are initially named as placeholders; after refreshing the window they can be renamed to unique names.
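To make the effect of the first three assignment options concrete, here is an added example (not DocuWare's own code) that simulates them for constructed LDAP groups and users: each LDAP group is either created under the same name, skipped, or mapped to an existing DocuWare group, and every synchronized user always ends up in Public. The group names, users and the rule that members outside the selected user node are ignored are assumptions of this example.

```python
from typing import Dict, List, Set, Tuple

# Added example, not DocuWare's code: simulate the group assignment options
# above for constructed LDAP groups and a constructed set of users from the
# selected user node, and report which DocuWare groups would be created.
PUBLIC_GROUP = "Public"  # every synchronized user is a member of Public

# Per-LDAP-group assignment: ("create",) create/use a DocuWare group of the
# same name; ("skip",) assign no group; ("map", "<DocuWare group>") add the
# users to an existing DocuWare group.
Assignment = Tuple[str, ...]

def resolve_memberships(ldap_groups: Dict[str, List[str]], users_in_node: List[str],
                        assignments: Dict[str, Assignment], existing_groups: Set[str]
                        ) -> Tuple[Dict[str, Set[str]], Set[str]]:
    """Return (DocuWare groups per user, DocuWare groups that would be created).

    Only users from the selected user node are synchronized; group members
    outside that node are ignored (an assumption of this example).
    """
    memberships = {user: {PUBLIC_GROUP} for user in users_in_node}
    groups_to_create: Set[str] = set()
    for ldap_group, members in ldap_groups.items():
        action = assignments.get(ldap_group, ("create",))  # default: same name
        if action[0] == "skip":
            continue  # users stay in DocuWare, at least in Public
        if action[0] == "create":
            target = ldap_group
            if target not in existing_groups:
                groups_to_create.add(target)
        elif action[0] == "map":
            target = action[1]
            if target not in existing_groups:
                raise ValueError(f"unknown DocuWare group {target!r}")
        else:
            raise ValueError(f"unknown assignment {action!r} for {ldap_group}")
        for user in members:
            if user in memberships:
                memberships[user].add(target)
    return memberships, groups_to_create

# Constructed sample: three LDAP groups, one member outside the user node.
LDAP_GROUPS = {"Accounting": ["jane.doe", "bob.smith"],
               "Sales": ["bob.smith", "external.user"],
               "Interns": ["amy.lee"]}
USERS_IN_NODE = ["jane.doe", "bob.smith", "amy.lee"]
ASSIGNMENTS = {"Accounting": ("create",), "Sales": ("map", "Sales Team"),
               "Interns": ("skip",)}
EXISTING_GROUPS = {PUBLIC_GROUP, "Sales Team"}
```

Running it on the sample shows that the intern, whose only group is skipped, is still synchronized into Public, and that only "Accounting" would be newly created in DocuWare.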