Identity Provider

The Axon Ivy Engine allows you to connect external Identity Providers (IDPs) to automatically create, maintain, and deactivate your workflow users. Axon Ivy Engine never removes or deletes users; it only deactivates them.

Axon Ivy Engine currently offers interfaces for three different IDPs:

If an IDP supports daily user synchronization (which all standard IDPs do), you can make the following settings for all of your IDPs:

Import:
  # Shall we synchronize NEW users with the Identity Provider only on demand (i.e. at first login)?
  # This setting does not affect synchronization of existing users.
  # If OnDemand is set to:
  # true:  NEW users are not imported by the synchronization job.
  #        Instead, a NEW user is imported the first time she logs in.
  # false: NEW users are imported by the user synchronization job.
  #        If a user has not yet been imported by the user synchronization job, she is also imported the first time she logs in.
  OnDemand: false

# Shall we run the daily Identity Provider user synchronization job?
# When the synchronization runs is defined by UpdateTime.
UpdateEnabled: true

# Time of day when the security system will synchronize the users.
# The engine has to be running at this time, otherwise the synchronization will not be executed.
# Daily security system synchronization can be switched on or off by setting UpdateEnabled.
# Format is hh:mm, e.g. "02:00" or "14:15"
# [daytime]
UpdateTime: "00:00"

UserSynch:
  # Shall we synchronize a user with the Identity Provider at login?
  # If the user does not exist yet, he will be synchronized anyway. In case of slow Identity Provider
  # connections, it can make sense to set OnLogin to false.
  OnLogin: true

# Role mapping that is considered by the user synchronization.
# Users are added to the roles to which they are assigned in the given Identity Provider.
Roles:
  # The left side, e.g. Manager, specifies the unique name of the role defined in Axon Ivy.
  # On the right side, e.g. ext-manager-id, the external name of the role is set.
  # The synchronization adds to Manager all users that are assigned to ext-manager-id, and to Employee
  # all users that are assigned to ext-employee-id, in the specified Identity Provider.
  Manager: ext-manager-id
  Employee: ext-employee-id
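
The settings above interact: together they decide which trigger imports a new user and which trigger refreshes an existing one, and refreshing is how changes made in the IDP (role assignments, deactivation) reach the engine. The following added example (not Axon Ivy code) models those rules and audits a configuration for gaps. The function names `sync_paths` and `audit` are hypothetical, the dictionary is the parsed form of the settings shown above, and the strict two-digit reading of hh:mm is an assumption.

```python
import re

# Parsed form of the settings shown above, as a YAML loader would return them.
SAMPLE = {
    "Import": {"OnDemand": False},
    "UpdateEnabled": True,
    "UpdateTime": "00:00",
    "UserSynch": {"OnLogin": True},
    "Roles": {"Manager": "ext-manager-id", "Employee": "ext-employee-id"},
}

# Assumption: hh:mm is read strictly as two-digit hour and minute, 24h clock.
HHMM = re.compile(r"(?:[01]\d|2[0-3]):[0-5]\d")


def sync_paths(cfg):
    """List the triggers that import NEW users and that re-sync EXISTING users."""
    daily = cfg["UpdateEnabled"]
    new = ["first login"]  # a user not yet imported is always imported at login
    if daily and not cfg["Import"]["OnDemand"]:
        new.insert(0, "daily job")
    existing = []
    if daily:
        existing.append("daily job")
    if cfg["UserSynch"]["OnLogin"]:
        existing.append("login")
    return {"new": new, "existing": existing}


def audit(cfg):
    """Return findings for settings that are malformed or leave a sync gap."""
    findings = []
    time = cfg["UpdateTime"]
    if cfg["UpdateEnabled"] and not (isinstance(time, str) and HHMM.fullmatch(time)):
        findings.append(f"UpdateTime {time!r} is not a quoted hh:mm string")
    if not sync_paths(cfg)["existing"]:
        findings.append("UpdateEnabled and UserSynch.OnLogin are both false: "
                        "existing users are never re-synchronized")
    for ivy_role, external in cfg["Roles"].items():
        if not str(external or "").strip():
            findings.append(f"role {ivy_role} has no external role name")
    return findings


if __name__ == "__main__":
    print(sync_paths(SAMPLE))
    print(audit(SAMPLE))
```

With the values shown on this page the audit returns no findings; switching off both `UpdateEnabled` and `UserSynch.OnLogin` leaves first login as the only synchronization trigger, which the audit reports.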