Configure identity management
Steps
- On the toolbar, select Account > Identity Management.
- Under Directory Integration:
- Select the Enable identity management checkbox to enable the identity management service for your account.
- Select one of the following options:
- Directory Synchronization Client
Select Directory Synchronization Client to provision users and groups from an LDAP directory. The Synchronization Client cannot connect to the cloud service unless this option is selected, even with a valid username and password.
- SCIM integration
Select SCIM integration (cloud web only) to use a cloud-based identity provider.
- FONE integration
Select FONE integration to synchronize the user and group data from the FONE platform. To proceed, ensure that your user and group information is already provided under IDM (Identity Providers) in the FONE platform.
- From the Default user policy drop-down, select the web policy to assign to users who do not have a group-based policy. By default, the first policy in the list is selected.
Note: While user and group data is being provisioned, policy assignment is managed through group membership.
- If you select either Directory Synchronization Client or FONE integration, the corresponding settings appear. Configure them as follows:
- Under Directory Synchronization Settings / FONE Settings:
Select Overwrite groups to replace existing cloud groups with provisioned groups when a group name conflicts. This option applies only if you already have group data in the cloud; if you are a new customer with no group data, leave it cleared.
When Overwrite groups is selected, users, groups, and email addresses whose names match directory entries are overwritten by the corresponding LDAP data, and after synchronization they are managed only through LDAP.
If you are switching to LDAP for the first time, make sure that the LDAP group names and memberships match your existing cloud setup. This preserves policy selections, settings, and existing usernames and passwords.
If duplicate names exist, you have two options:
- Allow the duplicates to be overwritten by selecting Overwrite groups.
- Rename the duplicates to avoid conflicts and leave Overwrite groups cleared.
If duplicate names are found and Overwrite groups is not selected, synchronization fails:
- In the cloud: the error message 403: Attempt to overwrite portal-managed group ‘nnnn’ is reported.
- On the client: the error message Error communicating with the Hosted Service portal. Update abandoned. is displayed.
- Under Web:
- Specify whether the User policy assignment should remain fixed after initial provisioning, or whether the service should re-evaluate group policy membership each time users are provisioned or group policy assignments are updated in the cloud:
- Select Fixed to manage policy assignments in the cloud. A policy is assigned only when the user is added for the first time: either the policy of the user's group or the default policy selected earlier. To move a user to a different policy later, change the assignment in the cloud.
- Select Follow group membership to update users' policy assignments automatically when their group membership changes. When a user is moved to a different group, their policy assignment changes accordingly. This is the default setting.
- Select one of the Email settings options:
- Do not email new users to specify that no emails will be sent to new users.
- Email all new users to specify that all new end users should receive an email notification about their protection by the cloud service.
- Email users who do not have an NTLM identity to ensure emails are sent only to end users who do not have an NTLM identity.
Note: Sending email to all end users may overwhelm your email servers and impact performance. You are prompted to confirm your choice; we recommend doing this during a low-traffic period.
- From the Email template drop-down, select the template used to notify end users about their enrollment in the cloud service. Initially, only the DEFAULT template is available; you can create custom notifications if needed. See Configure block and notification pages for more information.
- Enter the email address from which notification messages will be sent to new users in the Sender’s address field.
- If you select SCIM integration, the configuration details for connecting your identity provider to the cloud service are displayed:
- The Base URL is the endpoint your identity provider uses to send provisioning requests to the cloud service. Use the Copy option to paste the URL into the corresponding configuration page of your identity provider.
- The Bearer token is a unique authentication key used to authorize requests to the cloud service. Click Generate New Token to create the key, and use it during the configuration of your identity provider.
Note: The Overwrite groups and Follow group membership options, which are configurable when Directory Synchronization Client is selected, are applied automatically when SCIM integration is selected.
Important: A newly generated token is displayed only once, so record it immediately. Generating a new token invalidates any existing token, so if your identity provider is already configured with the old token, replace it with the new one. Treat the token as a credential: store it only in your identity provider's secret configuration, not in tickets or shared documents, and rotate it by generating a new token.
- Click Save when you finish.
Note: You can turn off identity management at any time and revert to managing all users, groups, and email addresses in the cloud. If you plan to do this, see Turn off identity management for possible considerations.
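The following Python model is an added example, not the cloud service's own code. It makes two rules from the steps above concrete: how a provisioned group that collides with a portal-managed group is handled when Overwrite groups is cleared versus selected, and how a user's policy is resolved under Fixed versus Follow group membership when that user moves between groups. Tenant, group, user and policy names are constructed sample data; the rule that the first listed group with a policy wins for a user in several groups is an assumption, since the page does not state a precedence order.

```python
"""Added example: a model of the documented provisioning rules.

Simulates (1) the Overwrite groups check for group names that already
exist in the cloud portal and (2) policy assignment under the Fixed and
Follow group membership modes. Illustrative code, not the cloud
service's implementation; all names and data below are constructed.
"""
from dataclasses import dataclass, field


class OverwriteConflict(Exception):
    """A provisioned group collides with a portal-managed group while
    Overwrite groups is cleared (the documented 403 error)."""


@dataclass
class CloudTenant:
    default_policy: str                   # "Default user policy" drop-down
    overwrite_groups: bool = False        # "Overwrite groups" checkbox
    follow_group_membership: bool = True  # True = Follow (default), False = Fixed
    group_policy: dict = field(default_factory=dict)  # group -> policy, if any
    portal_groups: set = field(default_factory=set)   # created in the cloud portal
    synced_groups: set = field(default_factory=set)   # owned by the directory source
    user_policy: dict = field(default_factory=dict)   # user -> assigned policy

    def provision_group(self, name: str) -> None:
        """Create or take over a directory group in the cloud."""
        if name in self.portal_groups and name not in self.synced_groups:
            if not self.overwrite_groups:
                raise OverwriteConflict(
                    f"403: Attempt to overwrite portal-managed group '{name}'")
            # Overwrite groups selected: from now on the group is managed
            # only through the directory, not the portal.
            self.portal_groups.discard(name)
        self.synced_groups.add(name)

    def policy_for(self, groups: list) -> str:
        """Group-based policy, or the default policy if no group has one.
        Assumption: the first listed group with a policy wins; the page
        does not state a precedence rule for users in several groups."""
        for g in groups:
            if g in self.group_policy:
                return self.group_policy[g]
        return self.default_policy

    def provision_user(self, user: str, groups: list) -> str:
        """Sync one user and return the policy they end up with."""
        for g in groups:
            self.provision_group(g)
        if user not in self.user_policy or self.follow_group_membership:
            # Fixed: only the first provisioning assigns a policy.
            # Follow: group policy membership is re-evaluated on every sync.
            self.user_policy[user] = self.policy_for(groups)
        return self.user_policy[user]

    def reassign_in_cloud(self, user: str, policy: str) -> None:
        """Manual reassignment in the cloud portal, the Fixed-mode way to
        change a user's policy after initial provisioning."""
        self.user_policy[user] = policy


def sync_with_conflict(overwrite: bool) -> str:
    """Provision 'Finance' when a portal-managed 'Finance' already exists."""
    t = CloudTenant(default_policy="Default", overwrite_groups=overwrite,
                    portal_groups={"Finance"})
    try:
        t.provision_group("Finance")
        return "overwritten" if "Finance" not in t.portal_groups else "kept"
    except OverwriteConflict as e:
        return str(e)


def move_user_between_groups(follow: bool) -> list:
    """Provision alice in Finance, move her to Engineering, then provision
    bob in a group that has no policy of its own."""
    t = CloudTenant(default_policy="Default", follow_group_membership=follow,
                    group_policy={"Finance": "Strict", "Engineering": "Relaxed"})
    return [t.provision_user("alice", ["Finance"]),
            t.provision_user("alice", ["Engineering"]),
            t.provision_user("bob", ["Contractors"])]


if __name__ == "__main__":
    print(sync_with_conflict(overwrite=False))
    print(sync_with_conflict(overwrite=True))
    print("Follow:", move_user_between_groups(follow=True))
    print("Fixed: ", move_user_between_groups(follow=False))
```

Running the module shows the two outcomes side by side: with Overwrite groups cleared the conflicting group raises the 403 error and the sync stops, and under Follow group membership alice's policy tracks her group move while under Fixed it stays at the policy assigned on first provisioning until it is changed in the cloud.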