Chat now with support
Chat with Support

Active Roles 8.2 - Administration Guide

Introduction Getting started with Active Roles Configuring rule-based administrative views Configuring role-based administration Configuring rule-based autoprovisioning and deprovisioning
Configuring Provisioning Policy Objects
User Logon Name Generation E-mail Alias Generation Exchange Mailbox AutoProvisioning Group Membership AutoProvisioning Home Folder AutoProvisioning Property Generation and Validation Script Execution O365 and Azure Tenant Selection AutoProvisioning in SaaS products
Configuring Deprovisioning Policy Objects
User Account Deprovisioning Group Membership Removal User Account Relocation Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Permanent Deletion Office 365 Licenses Retention Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Script Execution Notification Distribution Report Distribution
Configuring entry types Configuring a Container Deletion Prevention policy Configuring picture management rules Managing Policy Objects Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Configuring policy extensions
Using rule-based and role-based tools for granular administration Workflows
About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Migrating Active Roles configuration with the Configuration Transfer Wizard Managing Skype for Business Server with Active Roles
About Skype for Business Server User Management Active Directory topologies supported by Skype for Business Server User Management User Management policy for Skype for Business Server User Management Master Account Management policy for Skype for Business Server User Management Access Templates for Skype for Business Server Configuring the Skype for Business Server User Management feature Managing Skype for Business Server users
Exchanging provisioning information with Active Roles SPML Provider Monitoring Active Roles with Management Pack for SCOM Configuring Active Roles for AWS Managed Microsoft AD Azure AD, Microsoft 365, and Exchange Online Management
Azure tenant types and environment types supported by Active Roles Using Active Roles to manage Azure AD objects Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Changes to Active Roles policies for cloud-only Azure objects
Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Configuring federated authentication Communication ports and URLs used by Active Roles Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Configuring Microsoft Entra ID for federated authentication

If you use Microsoft Entra ID (formerly Azure AD) as your SAML identity provider, you must configure it before configuring SAML 2.0 authentication in Active Roles. For more information on configuring SAML 2.0 authentication in Active Roles, see Configuring SAML 2.0 authentication.

To configure Microsoft Entra ID (formerly Azure AD) for federated authentication

  1. Navigate to Enterprise applications > All applications, click New application, and then select Create your own application.

  2. Enter a Name, select Integrate any other application you don’t find in the gallery (Non-gallery), and click Create.

  3. Click Single sign-on, and as the single sign-on method, select SAML.

  4. In Basic SAML Configuration, click Edit and configure the following.

    Identifier (Entity ID)

    urn:RSTS/identity

    Reply URL (Assertion Consumer Service URL)

    https://<active-roles-server>/RSTS/Login

  5. In Attributes & Claims, modify the Unique User Identifier (Name ID).

    Name identifier format

    Unspecified

    Source Attribute

    Any Entra ID attribute that includes the user’s ADobjectGUID, ADuserPrincipalName, or ADsAMAccountName.

  6. Remove all default Additional claims.

  7. When configuring SAML in Active Roles, in SAML Certificates, download the Federation Metadata XML.

  8. Make sure to assign access to the appropriate users and groups, and perform any other required configurations, such as Conditional Access and Self-service.

Configuring Okta for federated authentication

If you use Okta as your SAML identity provider, you must configure it before configuring SAML 2.0 authentication in Active Roles. For more information on configuring SAML 2.0 authentication in Active Roles, see Configuring SAML 2.0 authentication.

To configure Okta for federated authentication

  1. Click Create App Integration and as the Sign-in method, select SAML 2.0.

  2. In General Settings, enter a Name.

  3. In Configure SAML, configure the following:

    Single sign-on URL

    https://<active-roles-server>/RSTS/Login

    Audience URI (SP Entity ID)

    urn:RSTS/identity

    Name ID format

    Unspecified

    Application username

    Any Okta attribute that includes the user’s ADobjectGUID, ADuserPrincipalName, or ADsAMAccountName.

  4. (Optional) After creating the application, configure the Sign-On Policy and assign access to the appropriate users.

  5. When configuring SAML in Active Roles, in the application’s Sign-On section, navigate to the Metadata URL and copy the XML data to use.

Configuring OneLogin for federated authentication

If you use OneLogin as your SAML identity provider, you must configure it before configuring SAML 2.0 authentication in Active Roles. For more information on configuring SAML 2.0 authentication in Active Roles, see Configuring SAML 2.0 authentication.

To configure OneLogin for federated authentication

  1. Create a new SAML Custom Connector (Advanced) application.

  2. In Parameters, modify the default NameID parameter. Set the value of this parameter to a OneLogin attribute that includes the user’s ADobjectGUID, ADuserPrincipalName, or ADsAMAccountName.

    NOTE: If your users are synchronized via the OneLogin Active Directory Connector, userPrincipalName and sAMAccountName are available by default. objectGUID can be mapped to a Custom Attribute.

  3. Assign user access to this application.

  4. In Configuration, configure the following.

    ACS (Consumer) URL

    https://<active-roles-server>/RSTS/Login

    Entity ID

    urn:RSTS/identity

  5. When configuring SAML in Active Roles, after saving your settings, from the More Actions drop-down, download the SAML Metadata XML file to use.

  6. (Optional) To display tiles to each different Active Roles website on the dashboard of your users, set this application to not be visible in the portal. To do so, create a Quicklink SP (GET) application for each website, then in Configuration, set the URL to the relevant Active Roles website, and assign it to your users appropriately.

Configuring PingOne for federated authentication

If you use PingOne as your SAML identity provider, you must configure it before configuring SAML 2.0 authentication in Active Roles. For more information on configuring SAML 2.0 authentication in Active Roles, see Configuring SAML 2.0 authentication.

To configure PingOne for federated authentication

  1. Add a new SAML Application.

  2. In SAML Configuration, select Manually Enter and enter the following:

    ACS URLs

    https://<active-roles-server>/RSTS/Login

    Entity ID

    urn:RSTS/identity

  3. When configuring SAML in Active Roles, in Configuration, select Download Metadata.

  4. In Attribute Mappings, set the PingOne mapping for the saml_subject attribute to any PingOne attribute that includes the user’s ADobjectGUID, ADuserPrincipalName, or ADsAMAccountName.

  5. Select the appropriate Policies and provide Access as required.

  6. Enable the application.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating