Active Directory User Syncing: Tech Specs

The Eduphoria Active Directory Synchronization feature allows districts to automatically synchronize accounts from Active Directory to Eduphoria. It can be configured to simply create new accounts in Eduphoria as they are created in Active Directory, or can be enabled for even deeper integration to remove deleted/disabled accounts, synchronize location information and synchronize employee ID.

 

 

This tool by itself does not enable users to authenticate with their Active Directory credentials, it simply keeps your Eduphoria users synchronized with Active Directory.  Active Directory User Syncing can be used in addition to Active Directory Remote Authentication or SAML if you want users to authenticate via Active Directory.

 

 

The following fields are synchronized from Active Directory by default when Directory Services Integration is enabled.

 

The following fields are synchronized from Active Directory depending on the additional options enabled for Directory Services Integration.

 

SchoolObjects	Active Directory attr LDAP Name	Supported Length	Notes
Campus	physicalDeliveryOfficeName	255 characters per Name/ID
Campus	department	255 characters per Name/ID
Employee ID	Must specify full AD attr LDAP name	255 characters	Select any open field in AD

Before an account will be synchronized to Eduphoria from Active Directory, the following must be true of the account:

• The account cannot be in an Active Directory OU that has the string “Students” or “Computers” in its name, regardless of capitalization. Accounts in an OU with “Students” or “Computers” in its name, WILL NOT be synchronized.
• The account must have a valid email address listed in Active Directory.
• The account must be a member of a group allowed. Any account not in one of the specified allowed groups will not be synchronized. Allowed Groups are specified on the Groups tab of the SchoolObjects Directory Sync Tool.
  

If an account is found in Active Directory that does not exist in Eduphoria, Directory Services Integration will automatically create that account in Eduphoria. The account in Eduphoria will be forever linked to the account in Active Directory by the unique object GUID.

If an account in Active Directory is disabled, deleted, or removed from an allowed group, Directory Services Integration will automatically delete that account from Eduphoria. This is an optional feature enabled by turning on the Delete disabled and deleted accounts from SchoolObjects functionality.  

 

If an account was deleted from Eduphoria because it was removed from an allowed group or the account was disabled in Active Directory, all that needs to be done is to put it back in an allowed group or re-enable the account in Active Directory. Either one of these actions will result in the account and all of its data being re-enabled in Eduphoria. This can occur because Eduphoria links to the account on the objectGUID field in Active Directory, and it knows it is the same account.

 

If an account was deleted from Eduphoria because it was deleted from Active Directory, go into Eduphoria and un-delete the account before recreating in Active Directory. This is required because when accounts are deleted and recreated in Active Directory, the objectGUID is linked to the account on changes and it no longer sees it as the same account. The tool assumes the account is a new user with a re-used username/email.

 

If un-deletion of the account occurs in Eduphoria first, it will link back to that account on email address and update the objectGUID link. The account must be undeleted in Eduphoria before this will happen. If the account in Eduphoria is not un-deleted before recreating it in Active Directory, a brand new account will be created in Eduphoria for that user.  

 

Any modifications to Name, Username, Email, Campus Memberships (if enabled), or Employee ID (if enabled) in Active Directory will automatically update the account in Eduphoria on the next Directory Services Synchronization. Once Directory Services Integration has been enabled and the Eduphoria account has been linked to an Active Directory account, changes cannot be made to these fields in Eduphoria. The account has to be modified in Active Directory, it cannot be modified in Eduphoria. If you do not have the “Read school assignments” or “Read Employee ID” options turned on, you can still make changes to the users employee ID and campus with Directory Services enabled.

 

With the “Read School Assignments” option enabled, Directory Services Integration can pull Campus assignments from Active Directory and set those campuses in Eduphoria. This option does not synchronize Department information for user accounts. Department membership must still be set manually under Manage Users in Eduphoria. With this option turned on, you will not be able to set Campus membership manually from within Eduphoria. All campuses for a user under Manage Users will be grayed out since they are syncing from Active Directory.

 

Campus information is pulled from the Department “department” or Office “physicalDeliveryOfficename” fields in Active Directory. It looks in both of these fields, so campus info can be used in either or both places. Multiple campuses can also be listed if separated by a , ; | / or \ in either field.  

 

Campus information listed in the Office or Department fields in Active Directory must match the full literal campus name of the school in Eduphoria under Manage Schools, or the full literal Local ID or State ID fields under Manage Schools for that campus in Eduphoria. It attempts to match on School Name, State ID, and Local ID in that order. If it cannot match a campus for a user, it will go ahead and create that user without a campus assignment.  

 

The first synchronization will need to be manually initiated from the SchoolObjects Directory Sync Tool for hosted customers or Server Manager under Directory Services for self-hosted customers. The first synchronization will link the existing user accounts in Eduphoria based on GUID if already using Active Directory, or email address if using Schoolobjects authentication. After the first sync, all accounts are linked based on GUID. The first sync will present a list of changes that will need to be approved. This gives the opportunity to catch mistakes before those mistakes are applied to the Eduphoria accounts.

 

Subsequent synchronizations will happen automatically, and emails with a summary of the successful changes and failures will be sent. The automatic synchronization will automatically fail and email if it detects a 5% or greater change to the user base. After an automatic fail, a district can manually run the synchronization tool and approve changes similar to the first sync.