user story: a anonymous user should be able to create survey, paste in survey participants' email from their outlook, these participants will become valid user in AD, with their emails as primary search key as extension property in AD. User will get mail, being notified that a survey is ready for them......etc.
Since Azure Email property is only readable, I can only add the user mail as an extension property. When extension property such as "SkeypID", "Email" is added, the searchability is also available?
ex. DirectoryService.users.Where(it => it.myproperty!= null && it.myproperty.Equals('test#gmail.com')).SingleOrDefault();
Let's assume that I want to give access to anonymous user creating user in Active directory, (Sorry, did not try this one myself before asking), does it work without using a user identity as company administrator?
Yes, extension attributes are searchable. Use a query like the one referenced at the GitHub README for my OrgChart extensions sample application. The link should look something like this:
GET https://graph.windows.net/contoso.com/users/joe#contoso.com?api-version=1.21-preview&$filter=extension_d8dde29f1095422e91537a6cb22a2f74_skypeId+eq+'joe.smith'
To allow an anonymous user to create a user in ActiveDirectory you could create an application with write permissions to your directory and have that application allow anonymous access. My OrgChart extensions sample application allows you to create and delete users, but you need to provide it application credentials and a tenant where that app has write consent.
Related
We use Azure AD user provisioning, to create and manage users in Salesforce. In itself this is working correctly. But... we have created a new (custom) profile in Salesforce (which Azure AD refers to as role) and this new profile is not being loaded into Azure AD. When creating a new user, we see our old custom profiles, but not the new one.
We started looking in the provisioning logs and saw a lot of "failed" entries. The first part of these logs reads like this:
The name, id, and claim properties of an app role in Azure AD must be
unique. We are unable to update an app role as one or more properties
are not unique. This is most commonly caused by having non-unique role
names in the directory from which roles are being imported.
And then a bunch of non-unique profiles/roles are listed. These are all standard profiles, such as Standard User and System Administrator. They appear twice in the list.
Going back to the screen where we add users, sure enough, these double entries are there as well. Each duplicate being an inactive choice. And: some old custom profiles are shown, also inactive. But not the new one.
This has worked before, as we see the old custom profiles listed. But somewhere/somehow double entries have been added and now we are stuck.
What is the solution? I have no idea on how to remove those duplicate entries from Azure AD. In Salesforce, there are no duplicate profiles. And even if I could remove the duplicate entries from Azure AD, maybe they would be added again on the first provisioning run.
I'm setting up SAML SSO for an application. I have it working except that I'm unable to return a suitable value for the NameID claim. Existing userid's in the application are firstname + last initial so they don't match display names, email addresses, or any of the typical stuff found in Azure AD. I could use a transform to generate that but the available functions don't appear to do what I need.
I could also manually enter the userid in Azure AD and then map the claim to that but I hate to "misuse" an existing field (e.g. putting the userid in user.jobtitle or some such).
I also don't want to have to change everyone's userid in the app to match something that already exists in Azure.
I feel like I'm missing something obvious here since there have to be a lot of apps that don't use a common Azure property as their userid.
Thanks in advance for any help here!
Tom
You can map the attributes & claims present in the active directory to your app fields. For example if user.givenname is present in the active directory and in your app, the field name is firstName, you can achieve this by doing the mapping in manage claim section of User attributes & claims. Same could be done for others fields.
You go into the Enterprise applications > Your App > SAML-based Sign-on > click on edit
In Salesforce, I am using the Salesforce Gmail extension tool to associate emails to the user object (not the contact object). But in Salesforce I can only find the email if I search for it specifically; I cannot see emails associated to a user from the user screen/form similar to how you can see related activities under a contact. Question: is there a way to see emails associated to a user object on the user screen/form? Can this feature be enabled somehow? Thanks in advance.
it is not possible in a standard way because the email shows up that subsist in your user object in user object all data like username password exist but I can create logic in custom apex class to do this with some triggers .its sound like integration with Gmail https://help.salesforce.com/articleView?id=app_for_gmail_setup_considerations.htm&type=5
I have created an integration profile CORE_AKTANA_DI through which data for objects will be loaded into my Salesforce instance through a third-party user. I have provided "View All" permission for all objects to that profile. However, since this is a global Salesforce org, hence, there is data for other countries as well in this instance.
I want the user with the profile to see only data of France i.e with country "FR". In this case, my only choice is to:
Remove the "View All" permission of the profile from all objects.
Give the user a role such as "FR-Corp".
Create sharing rules for all objects with "Private" OWD and share with this role.
The problem is that since this is an integration profile, I cannot assign a role to the user with this profile. Also, it is not plausible to create sharing rules since there are a lot of objects with private OWD.
Same problem occurs by assigning the user to a public group, i.e a lot of sharing rules need to be created.
In this case, please suggest me the easiest possible options.
Actually, how to solve your issue is dependent on business process you are trying to implement. There are few ways:
sharing by hierarchy: setting proper roles and checking 'grant access using hierarchy'
sharing rules: setting proper sharing rules, owner/criteria based
manual sharing: using button
sharing using apex: using share object of any corresponding object
I think, this document will be useful for you.
I don't think what you say is correct:
"The problem is that since this is an integration profile, I cannot assign
a role to the user with this profile."
In my org we have a few integration connections. Each connection is anchored by a SF user license which has both Role and Profile. You should likely give the integration it's own user license and name the user something like "Integration (Fr)" Set the Roll up with appropriate hierarchy position, permissions and sharing rules and once you've done all the token resets needed set as API login only & password never expires. That should do it unless I'm missing something.
I can check user in active directory, if he exist then I give him permission to open app window, but what if an application has many levels of permission? Do I create special groups of permission in active direcotry and check if user belongs to one of them? . Can application log in automaticaly, or there is always need to enter password?
Active Directory can fulfill two related but seperate functions for an application: Authorization and Authentication.
Authentication is validating that the person using your application is a valid user. If you have the user's credentials (i.e. the application prompts the user for their username and password), you can authenticate them against AD by attempting a connection using their username/password.
Authorization is what lets you determine the level of permissions a particular user has in your application. Active Directory groups are a relatively straightforward and flexible way to implement the various permissions levels. Typically, I will create very fine-grained permissions groups that represent each securable action users can perform in the application (i.e. CanDeleteWidgets, CanAddWidgets, CanEditWidgets ). Then create functional or role groups where you place the users for that role (i.e. Managers, Coordinators, Technicians, etc). Finally, you just nest the role groups into the permissions groups so if, for example, the business requirement is that Managers can delete widgets, you would add the Managers group as a member of the CanDeleteWidgets group. While this may seem more complex, it makes it extremely simple to respond to changing business security requirements (i.e. "Technicians need to be able to delete widgets" - Piece of cake. Add the Technicians role group to the CanDeleteWidgets permissions group and you're done).
As far as logging in automatically, yes, there are a number of ways you can automatically log in a user. For winforms apps, you should just be able to grab the currently logged in user and use that. For web apps, if you can use integrated authentication, you end up with the same thing. Your web server will handle the authentication piece and send over the DOMAIN\USERNAME of the user in a server header variable.