The Eduphoria! Active Directory Synchronization feature will allow you to easily update important staff information automatically.
It can optionally be configured to:
- automatically create and delete accounts,
- update email and name information, and
- manage locations.
Are passwords synchronized?
No Active Directory password information is exchanged using this feature. Active Directory User Syncing can be used alongside Active Directory Remote Authentication, SAML2, or basic Schoolobjects authentication methods.
Schoolobjects Authentication - The user's email address remains the user login. It is also required in Active Directory, because that is how the initial connection between Eduphoria! and Active Directory accounts is made. Users still log in using their existing credentials: email address and user-defined password.
Active Directory Remote Authentication or SAML - The user will continue to use their Active Directory credentials to log in through the Remote Authentication portal or SAML provider.
How do I control which users are synchronized?
The feature is designed to allow only certain security groups to be synchronized. When configuring the tool that polls Active Directory, you can specify particular security groups to allow.
What information is synchronized?
By default, the following pieces of data will be automatically updated based on the information in Active Directory:
- first name
- last name
- email address
- new accounts
What actions in Active Directory will delete and create/restore accounts?
- Any new account that exists in the allowed security groups will be automatically created in Eduphoria!.
- Deleting or disabling an account in Active Directory will delete the corresponding account in Eduphoria!, if that feature is enabled.
- Removing a user from the allowed security group(s) will cause that user account to be deleted in Eduphoria!.
- Eduphoria! will synchronize the Active Directory GUID with each Eduphoria! account. This is used to update and connect the account even if username, email, and other identifying fields in Active Directory are changed. Therefore, should you delete an account from Active Directory, that GUID will be deleted with it.
- A new account created, even using the same email or username, will be treated as a new account in Eduphoria!.
- Manually un-deleting an account in Eduphoria! will reset the GUID connection. This will allow you to reconnect an existing Eduphoria! account to an Active Directory account that was deleted and then recreated.
How often will the synchronization occur?
You can schedule the tool to run as often as you like, but adjust the frequency to the size of your user base: larger user sets should synchronize less often.
Will I know what changes are made?
An update email is sent to all Eduphoria! System Administrators. This email lists the specific changes that were made.
During configuration, what if all of my users are not found in Active Directory?
Should a mistake occur in setup, the system will automatically stop synchronization if more than 5% of the users change at once. This is to prevent your entire user base from being deleted, moved to the wrong locations, etc. An email will still be sent to System Administrators notifying them of the failure to synchronize.
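The GUID-based account matching and the 5% stop described above, modeled as an added example (this is not Eduphoria!'s code). Person, plan_sync, scheduled_run_allowed and the sample data are hypothetical, and measuring the percentage against the current number of Eduphoria! accounts is an assumption.

```python
from dataclasses import dataclass, replace

MAX_CHANGE_PCT = 5  # from the page: sync stops if more than 5% of users change

@dataclass(frozen=True)
class Person:  # hypothetical model: one AD entry or one linked Eduphoria! account
    guid: str
    email: str
    first: str
    last: str
    enabled: bool = True

def plan_sync(ad_users, edu_accounts):
    """Diff AD (members of the allowed groups) against Eduphoria! accounts by GUID."""
    active = {u.guid: u for u in ad_users if u.enabled}
    updates, deletes, seen = [], [], set()
    for acct in edu_accounts:
        ad = active.get(acct.guid)
        if ad is None:          # deleted, disabled, or removed from the group
            deletes.append(acct.email)
        else:
            seen.add(ad.guid)
            if ad != acct:      # name or email changed; the GUID still links them
                updates.append(ad.email)
    # An unknown GUID is a new account, even when its email is already known.
    creates = [u.email for guid, u in active.items() if guid not in seen]
    return creates, updates, deletes

def scheduled_run_allowed(plan, total_accounts):
    """Assumption: percentage = changed accounts / current Eduphoria! accounts."""
    changed = sum(len(part) for part in plan)
    return changed * 100 <= MAX_CHANGE_PCT * total_accounts  # integer math, no rounding

def sample(n=40):  # constructed data: n linked accounts, identical on both sides
    return [Person(f"guid-{i:03}", f"user{i}@example.org", "First", f"Last{i}")
            for i in range(n)]

if __name__ == "__main__":
    edu = sample()
    renamed = [replace(edu[0], last="Married")] + edu[1:]
    recreated = [replace(edu[0], guid="guid-new")] + edu[1:]  # deleted, then re-added
    wrong_group = edu[:30]  # setup mistake: 10 users missing from the allowed group
    for name, ad in [("rename", renamed), ("recreate", recreated),
                     ("wrong group", wrong_group)]:
        plan = plan_sync(ad, edu)
        print(name, [len(p) for p in plan], scheduled_run_allowed(plan, len(edu)))
```

In the constructed data, a recreated account shows up as one delete plus one create, which is exactly 5% of 40 accounts and still passes; the wrong-group case proposes 10 deletions and is stopped.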
What fields will be read in Active Directory?
For first name, last name, and email address, the corresponding fields in Active Directory will be read. Location management can use either the Department field or the Office field. Both fields can contain information; their values are combined, so a user can be assigned to multiple locations. Each field can also contain multiple values as long as they are separated with a comma, semicolon, backslash, or forward slash. Employee ID will be read from the field that you specify during configuration.
Web Manager Setup
Now that you know how the synchronization will occur and what information is involved, you can begin setting up and configuring the feature.
Follow the steps below to set up the synchronization feature:
- Log into Eduphoria! as a System Administrator.
- Go to the Management application.
- Select the Organization default tab.
- Click Directory Services at the left.
- Check the first box Enable Directory Services Integration to enable the entire synchronization feature.
- Note: Once enabled, you can then select optional features to delete Eduphoria! accounts, update school/location information, and synchronize Employee ID.
If you enable Employee ID, you will need to specify the field in Active Directory where Employee ID can be found. This field needs to be populated with the true Active Directory name, not the user-friendly name. For instance, it would need “PhysicalDeliveryOfficeName” rather than “Office” if you were to use that field. That is only an example, as location information would normally be pulled from that field.
Once all desired options are selected, click the Save button on the top toolbar.
Eduphoria! Directory Sync Tool Setup
After enabling the synchronization feature and selecting the various options, you are ready to install and configure the local synchronization tool.
- This small application will need to be installed on a computer in your local network’s domain.
- The tool requires a 64-bit Windows Operating System.
- It will not run on a 32-bit Operating System.
- It will do the actual polling of Active Directory and synchronization with the Eduphoria! system.
Launch the installer and follow the onscreen instructions. No options are available.
Once installed, a new icon will appear on the desktop for the SchoolObjects Directory Sync tool. Launching this tool will give you a small application with two options: Run and Settings.
NOTE: Before you begin to run any synchronizations, make sure you use the Settings button to set up the process.
The first tab under Settings is Connection, which allows you to enter the credentials used to connect to Eduphoria!. This user account will need to have System Administrator access. Enter your username and password, click Save, and then click Test Connection. After confirming a proper connection, click Save again.
The second tab, Groups, will allow you to define which security groups will be included in the synchronization. Type the group name in the top white box, and then click Add. If you make any mistakes, select the incorrect group and click Remove. Once the proper groups have been entered, click Save.
The last tab, Schedule, will let you configure how often the tool should run. It will create a scheduled task for you that will start the synchronization process. Enter a time and local credentials that will have local administrator permissions. Click Save when finished.
The First Synchronization
Once the Web Manager and locally installed tool are configured, you can run the first synchronization. Since the first run may cause more than 5% changes due to account information updating, you will need to run the process manually.
- Click the Run Now option under any of the Settings tabs, OR
- Click Run on the initial screen of the local tool.
After the process is complete, System Administrators in Eduphoria! should receive an email reporting the status. You will see a list of all users created, deleted, or updated on the left. Selecting any user will show the user's name, email address, Active Directory GUID, type of change, and the user's internal Eduphoria! User ID.
If all changes look acceptable, click Apply Changes. This will then process the actual synchronization with Eduphoria!. If there appear to be erroneous changes, then you can Cancel the process. This makes the initial synchronization very safe, as you are required to approve the changes.
Remember that if more than 5% of users are modified in the scheduled process, then it will fail. A summary email will still be sent informing System Administrators of the failure and informing you that a manual process will need to be completed if those changes should be committed.