This article explains general information about user management and setup through auto-provisioning in Meisterplan.
- Setting Up Auto-Provisioning in Meisterplan
- Creating and Managing Users
Note: It is easiest to use auto-provisioning when SAML is enabled for Meisterplan.
Auto-provisioning is a method of user management that keeps user information in your Meisterplan system, including new users, up to date via the connected identity provider. This helps you ensure consistency and quality of user data across all tools. Note that auto-provisioning keeps users up to date in your Meisterplan system, not resources. This article assumes that the reader has a basic knowledge of auto-provisioning.
Supported Identity Providers
If you use another identity provider, please feel free to contact our support at firstname.lastname@example.org.
Setting Up Auto-Provisioning in Meisterplan
Prerequisite: To set up auto-provisioning of users, you must make sure that Meisterplan has been added as one of the apps in your identity provider. More information on how to do this can be found in each tool's auto-provisioning documentation.
Step 1: Assign the users in your organization to the Meisterplan application in your identity provider tool.
Step 2: Authenticate Meisterplan in your identity provider tool. For this, you will need:
- The Meisterplan API Domain (i.e., tenant URL)
  - for customers with systems hosted in the US: https://api.us.meisterplan.com/scim/v2
  - for customers with systems hosted in the EU: https://api.eu.meisterplan.com/scim/v2
- A Meisterplan API Token (i.e., Secret Token). The user must have access to the API. This means that the API token needs to be derived from the user's Meisterplan profile.
For auto-provisioning, we recommend creating a dedicated user and user group with the following rights:
- Access Meisterplan APIs and Connect External Applications
- Manage Users and User Groups
After logging into this dedicated Meisterplan user account and creating an API token, share the API token in your identity provider.
Step 3: Create mappings between the identity provider tool and the users you would like to manage through auto-provisioning in Meisterplan. The required mappings for Meisterplan are:
- UserName: SCIM attribute userName (this is the primary key mapping)
- Email Address: SCIM attribute emails[type='work'].value
Optional mappings are:
- active (optional)
- name.givenName (optional)
- name.familyName (optional)
- urn:ietf:params:scim:schemas:extension:meisterplan:2.0:User.passwordNeverExpires (optional)
- urn:ietf:params:scim:schemas:extension:meisterplan:2.0:User.sendInvitationMail (optional)
- urn:ietf:params:scim:schemas:extension:meisterplan:2.0:User.linkedResource.id (optional)
Trying to map other fields will result in an error.
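The following pre-flight check is an added example, not Meisterplan code: it validates a set of mapped SCIM paths against the required and optional attributes listed above and builds the resulting User resource, so that unsupported fields are caught before the identity provider pushes them. The JSON layout follows the standard SCIM representation from RFC 7643; the function names and the sample record are assumptions made for illustration.

```python
import json

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643 core User schema
EXT = "urn:ietf:params:scim:schemas:extension:meisterplan:2.0:User"  # from this article

REQUIRED = {"userName", "emails[type='work'].value"}
OPTIONAL = {"active", "name.givenName", "name.familyName",
            EXT + ".passwordNeverExpires", EXT + ".sendInvitationMail",
            EXT + ".linkedResource.id"}


def check_mappings(targets):
    """Return (missing_required, unsupported) for a collection of mapped SCIM paths."""
    targets = set(targets)
    return sorted(REQUIRED - targets), sorted(targets - REQUIRED - OPTIONAL)


def build_user(values):
    """Build a SCIM User resource from {scim_path: value}; fail closed on bad mappings."""
    missing, unsupported = check_mappings(values)
    if missing or unsupported:
        raise ValueError(f"missing={missing} unsupported={unsupported}")
    user = {"schemas": [CORE], "userName": values["userName"],
            "emails": [{"type": "work", "value": values["emails[type='work'].value"]}]}
    ext = {}
    for path, value in values.items():
        if path in REQUIRED:
            continue
        # Extension attributes live under a key named after the schema URN.
        target, rel = (ext, path[len(EXT) + 1:]) if path.startswith(EXT + ".") else (user, path)
        *parents, leaf = rel.split(".")
        for key in parents:
            target = target.setdefault(key, {})
        target[leaf] = value
    if ext:
        user["schemas"].append(EXT)
        user[EXT] = ext
    return user


if __name__ == "__main__":
    # Constructed sample record with placeholder values, not real data.
    sample = {"userName": "jane.doe", "emails[type='work'].value": "jane.doe@example.com",
              "active": True, "name.givenName": "Jane", "name.familyName": "Doe",
              EXT + ".sendInvitationMail": True, EXT + ".linkedResource.id": "RES-PLACEHOLDER"}
    print(json.dumps(build_user(sample), indent=2))
    print(check_mappings(["userName", "title", "active"]))
```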
Testing Your Configuration
In order to make sure you are auto-provisioning the correct users to Meisterplan, we suggest testing your configuration in a sandbox environment. We also suggest creating a user group in your identity provider that should be provisioned to Meisterplan.
Creating and Managing Users
The following explains what happens when creating new users or managing existing users in the identity provider.
If a user is assigned for provisioning but they do not have an account in Meisterplan:
- the user will be created in Meisterplan.
- the user may log in via SSO.
- if SSO is not enabled, you must follow one of the following steps:
  - When setting up the mapped attributes in the identity provider, set urn:ietf:params:scim:schemas:extension:meisterplan:2.0:User.sendInvitationMail to true. This will send an automated invitation email to newly provisioned users.
  - Manually create a password for a user in Meisterplan and share it with them.
  - Or create a password invitation email for users in Meisterplan.
If a user is assigned for provisioning and the username is already present in Meisterplan:
- the user will be updated in Meisterplan with the data that has been mapped in the identity provider.
If there is a user group present in the identity provider but not in Meisterplan:
- the user group will be created in Meisterplan and the created user group will be given no user rights.
If a user is removed from the identity provider:
- the user will be deactivated in Meisterplan.