Introduction
The Kallidus Sapling platform helps HR and People Operations teams automate and streamline administrative tasks so they can focus on employee experience, retention, and creating an amazing culture for the most successful teams.
Azure AD is Microsoft's enterprise identity service that provides provisioning, single sign-on, and multi-factor authentication to thousands of software applications.
With the Azure AD integration, Sapling will:
- Simplify User Sign-On: Users can log directly into Sapling using Azure AD SSO
- Create Users (optional): When a new hire is onboarded in Sapling, they will automatically be created in Azure AD
- Update User Attributes (optional): When a user profile is updated in Sapling, the corresponding user profile will be updated in Azure AD
- Deactivate Users (optional): When a user is offboarded in Sapling, the corresponding user in Azure AD will automatically be deactivated
How it Works
Simplify User Sign-On
- Users can log directly into Sapling using Azure AD SSO
- Users will be able to log in using Azure AD SSO as long as their user emails in Azure AD and Sapling match
Create Users (optional)
- When onboarding a new hire in Sapling, you'll have the option to automatically provision an Azure AD account for them and share their credentials on a specified date/time
- When the user provisioning slider is enabled, we will validate the Company Email to ensure it matches the Microsoft subdomain specified under the integration settings - check out the Setting Up the Integration section for guidance
- When you're done onboarding the new hire, they will immediately be created in Azure AD with their personal information and job details
- Once created in Azure AD, your IT team can proceed with their usual access provisioning processes and send user credentials to the new hire accordingly (if not already scheduled) - they can do so manually, or automatically via dynamic rules in Azure AD
- Check out this article for more information on onboarding new hires in Sapling
- Check out the Supported Fields section for what fields are synced from Sapling to Azure AD for user creation
Update User Attributes (optional)
- When a user profile is updated in Sapling, the corresponding user profile will immediately be updated in Azure AD
- Please note that this is only supported for Sapling users who were created in Azure AD via this integration
- For all other Sapling users, your IT team will need to manually update them in Azure AD - they can do so individually, or via bulk upload in Azure AD
- Check out the Supported Fields section for what fields are synced from Sapling to Azure AD for user updates
Deactivate Users (optional)
- When a user is offboarded in Sapling, the corresponding user in Azure AD will automatically be deactivated once the Sapling Access Cutoff date (specified during offboarding) is reached
- Please note that this is only supported for Sapling users who were created in Azure AD via this integration
- For all other Sapling users, your IT team will need to manually deactivate them in Azure AD - they can do so individually, or via bulk upload in Azure AD
- Check out this article for more information on offboarding users in Sapling
Before Enabling the Integration
Admin Permissions Required
To enable the Azure AD integration, you'll need a Super Admin role in Sapling and both the Application Administrator and User Administrator roles in Azure AD. The Application Administrator role is needed to authorize the integration, and the User Administrator role is needed to use the integration (for creating/updating users). If needed, you can remove the Application Administrator role from your Azure AD profile after authorizing the integration - but you'll need to retain the User Administrator role to keep the integration working (for creating/updating users).
User Creation and Syncing Limitations
Sapling can only auto-create Azure AD accounts for new hires that are onboarded after the integration is enabled. Additionally, user updates and deactivations will only be synced from Sapling to Azure AD for users who were created in Azure AD via this integration.
For all other Sapling users, you'll need to manage their user updates and deactivations in Azure AD manually. You can do so individually, or via bulk upload in Azure AD.
All users will be able to log directly into Sapling using Azure AD SSO as long as their user emails in Azure AD and Sapling match - regardless of how their Azure AD accounts were created.
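The limitations above leave two gaps for IT to track by hand: active Sapling users with no matching Azure AD email (SSO will not work), and offboarded users who were not created via the integration and are still enabled in Azure AD after their Access Cutoff date. The following audit is an added example, not Kallidus or Microsoft code; the CSV exports, their column names, and the case-insensitive email comparison are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample exports. Column names are hypothetical, not a real export schema.
SAPLING_CSV = """email,status,access_cutoff,created_via_integration
ana@corp.example,active,,yes
ben@corp.example,offboarded,2024-03-01,yes
cara@corp.example,offboarded,2024-03-01,no
dev@corp.example,active,,no
eve@corp.example,offboarded,2024-12-31,no
"""
AZURE_CSV = """email,accountEnabled
ana@corp.example,true
ben@corp.example,false
Cara@Corp.example,true
dev@old-corp.example,true
eve@corp.example,true
"""

def load(text):
    # Index rows by normalised email (case-insensitive matching is an assumption).
    return {r["email"].strip().lower(): r for r in csv.DictReader(io.StringIO(text))}

def audit(sapling_csv, azure_csv, today):
    sapling, azure = load(sapling_csv), load(azure_csv)
    findings = {"sso_no_match": [], "manual_deactivation_due": []}
    for email, user in sorted(sapling.items()):
        account = azure.get(email)
        # SSO only works when the emails in Sapling and Azure AD match.
        if user["status"] == "active" and account is None:
            findings["sso_no_match"].append(email)
        cutoff = user["access_cutoff"]
        past_cutoff = bool(cutoff) and date.fromisoformat(cutoff) <= today
        # Users not created via the integration are never auto-deactivated.
        if (user["status"] == "offboarded" and past_cutoff
                and user["created_via_integration"] != "yes"
                and account is not None
                and account["accountEnabled"].lower() == "true"):
            findings["manual_deactivation_due"].append(email)
    return findings

if __name__ == "__main__":
    print(audit(SAPLING_CSV, AZURE_CSV, date(2024, 6, 1)))
```

Accounts listed under `manual_deactivation_due` are the ones your IT team needs to disable in Azure AD individually or via bulk upload.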
Setting Up the Integration
Part 1: Enable the Azure AD integration and allow for SSO sign-ins in Sapling
- Under Administration Tools, navigate to Integrations
- Scroll down to find the Azure AD integration and enable the integration slider
- Enter your Microsoft subdomain
- If you'd like for new hires to be created and/or user attributes to be updated in Azure AD, enable the appropriate sliders below and click "Next" - leave both sliders disabled if you only want Azure AD SSO
- Click "Connect" to sign into your Azure AD admin account and grant the necessary consent - you'll need at least a User Administrator role for the consent to be valid
- Once redirected back to the Integrations page in Sapling, relaunch the Azure AD integration widget by clicking "Settings"
- Click "Next" and "Activate" to complete the integration
- Under Administration Tools, navigate to Platform Settings
- Under the SSO tab, allow for users to sign in using "Password and SSO" or "SSO only" and click "Save"
Supported Fields
Kallidus is continually expanding the number of fields that sync between Sapling and Azure AD.
Please note that it is not possible to exclude or custom map any of the supported fields above, or map any additional fields at this time.
Key Factors to be aware of
Field Name Matching
- For the fields to sync correctly, the naming conventions must match between Sapling and Azure AD for both the field names and field values (for dropdown fields)
Looking to do more?
Want to build your own custom integration? Check out the publicly available resources below: