
User Directory Synchronization and SSO

Synchronize users

You can synchronize users against a user directory. The user directories currently supported are

  • LDAP directory (such as Microsoft AD)

  • Microsoft Azure AD

To set up directory synchronization, go to Owner → [Your owner] → User Directories.

To connect to Azure AD, for example, press “New Azure AD connection.”

Give your directory a name and, optionally, an AD group to filter on. If a group is set, only users in that group will be added to dRofus. Click “Create User directory.”

You will have to press “Login” to log in to your directory. You will be redirected to Microsoft to log in. You will need to log in with an account that has permission to read your directory.

After this is done, you can press Sync to test the synchronization. You will get a preview of users that will be added, and you can optionally choose to send them a welcoming email.

Users who do not have both a surname and a given name in the directory will be skipped.

The directory controls the user's existence, so you cannot delete the user except by removing them from the directory. The username, email, and first and last name are taken from the directory and can no longer be changed from the admin interface; they are updated automatically whenever they change in the directory. If you already have users with the same username as in the directory, the directory takes control of those users too.

If a user is removed from Azure AD, the following will happen:

  • Member: User account will be disabled

  • Guest: Project access will be disabled for all projects of your owner that the guest has access to.

Synchronization of the directory will take place once every day.
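The rules above (skip entries without a given name and surname, let the directory take control of a user with a matching username, update email and names from the directory, disable removed members and revoke project access for removed guests) amount to a reconciliation between the directory and the local user list. The following is an added illustration of that logic as a dry-run preview, not dRofus's own code: the field names, the `Member`/`Guest` labels and the sample users are constructed assumptions, and nothing is applied to any system.

```python
"""Illustrative dry-run of the directory sync rules described above.

Added example, not dRofus code. Field names, member types and sample data
are assumptions; the function only produces a preview of actions.
"""
from dataclasses import dataclass, field


@dataclass
class DirectoryUser:
    username: str
    given_name: str
    surname: str
    email: str
    member_type: str  # "Member" or "Guest" (assumed labels)


@dataclass
class LocalUser:
    username: str
    first_name: str
    last_name: str
    email: str
    member_type: str = "Member"
    directory_managed: bool = False
    enabled: bool = True
    projects: set = field(default_factory=set)


def plan_sync(directory, local):
    """Return (action, username, detail) tuples describing what a sync would do.

    Nothing is changed; this models the preview step before the sync is applied.
    """
    actions = []
    seen = set()
    for d in directory:
        # Entries without both name parts are skipped entirely.
        if not d.given_name or not d.surname:
            actions.append(("skip", d.username, "no given name or surname in directory"))
            continue
        seen.add(d.username)
        u = local.get(d.username)
        if u is None:
            actions.append(("create", d.username, "new user; welcome email optional"))
            continue
        # An existing local user with the same username is taken over by the directory.
        if not u.directory_managed:
            actions.append(("take_control", d.username, "existing user now owned by directory"))
        changed = {}
        if u.first_name != d.given_name:
            changed["first_name"] = d.given_name
        if u.last_name != d.surname:
            changed["last_name"] = d.surname
        if u.email != d.email:
            changed["email"] = d.email
        if changed:
            actions.append(("update", d.username, ",".join(sorted(changed))))
    # Directory-managed users no longer present in the directory.
    for name, u in local.items():
        if u.directory_managed and name not in seen:
            if u.member_type == "Guest":
                actions.append(("revoke_project_access", name, ",".join(sorted(u.projects))))
            else:
                actions.append(("disable", name, "member removed from directory"))
    return actions


def sample_plan():
    """Constructed sample data exercising every rule once."""
    directory = [
        DirectoryUser("alice", "Alice", "Andersen", "alice@example.com", "Member"),
        DirectoryUser("bob", "Bob", "", "bob@example.com", "Member"),  # no surname
        DirectoryUser("carol", "Carol", "Clark", "carol@example.com", "Member"),
    ]
    local = {
        "alice": LocalUser("alice", "Alice", "Andersen", "old@example.com"),
        "dave": LocalUser("dave", "Dave", "Dunn", "dave@example.com", directory_managed=True),
        "erin": LocalUser("erin", "Erin", "Evans", "erin@example.com", member_type="Guest",
                          directory_managed=True, projects={"P1", "P2"}),
    }
    return plan_sync(directory, local)


if __name__ == "__main__":
    for action, user, detail in sample_plan():
        print(f"{action:22} {user:8} {detail}")
```

Running the sample shows alice being taken over and her email updated, bob skipped, carol created, dave disabled and erin's access to P1 and P2 revoked, which is the preview an administrator should read carefully before confirming a sync, since the directory, not the admin, will own those accounts afterwards.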


User authentication

Users can authenticate through Microsoft from the login page on dRofus WEB. For this to work, their username in Microsoft Azure AD must match their username in dRofus, either through the synchronization described above or by ensuring the usernames match manually. Existing users with the same username in Azure AD and dRofus can also use this feature. Log in from the web, or from the client (2.7 and above) using “Login with dRofus WEB” at the login screen.

Currently, there are some limitations to be aware of:

  • Login using dRofus WEB on the client is currently a BETA feature. Things like accessing the API and reports will not work.

  • You cannot prohibit users from logging in directly with their dRofus account. For example, a user can request a dRofus password through the forgot-password page and still log in directly with their dRofus username and password, bypassing Microsoft authentication.