This guide is all you need to know about UNIFYAssure/Aurion.
- Creating and disabling Active Directory/Azure Active Directory Accounts based on Aurion HR data.
- Keeps account attributes up to date.
- Maintains Manager and Direct Reports relationships.
UNIFYAssure/Aurion is compatible with:
- Aurion v10.1.2.04 MR1 or later
- Microsoft Active Directory or Microsoft Azure Active Directory
The UNIFYAssure/Aurion connector uses the Aurion APIs. UNIFYAssure will need a Security User in Aurion to access the APIs. The checklist below contains information about the permissions required.
Reading information from Aurion uses the Aurion querying system. UNIFY can supply a query that will work for most Aurion implementations. To retrieve the information, UNIFYAssure uses the QUERY functions in the Aurion API.
To update Employee and Security Users, the API methods for updating and creating are used. This means what fields can be written to are limited to the fields available in the API.
Find out more at our UNIFYBroker/Aurion documentation.
Microsoft Active Directory
UNIFYAssure uses LDAP/SSL to communicate with Microsoft Active Directory. See Networking about how this is secured.
Microsoft Azure Active Directory
UNIFYAssure uses the GRAPH APIs to communicate with Azure Active Directory.
UNIFYAssure will only use secure channels to communicate.
- TLS 1.3 or higher connections are preferred.
- If we need to communicate within your network, there are two options:
- Virtual Private Network (VPN). There are some limitations to this, contact us to discuss.
- A UNIFYAssure agent. This can be run on a server inside your network, and can be firewalled to only contact those services needed.
Active Directory with VPN
Active Directory with Agent
There are other combinations available, just contact us to find out how we can connect.
Find out more about how we handle security in the FAQ.
Using Aurion as the Authoritative Source or “Point of Truth”, the following functionality is offered:
- Automated On-Boarding and Off-Boarding
- Active Directory/Azure Active Directory Account Creation
- Account automatically created in Active Directory based upon employee creation in Aurion and nominated Aurion information synchronised to the relevant Active Directory/Azure Active Directory account. (Includes updating Manager and Direct Reports relationships in Active Directory based upon the Employee’s Position.)
Some customisations are permitted under UNIFYAssure pricing. This is limited to
- Additional fields can be read from Aurion, provided a modified Aurion Query can be supplied. These fields can be written directly to a field on Active Directory objects with no transformations.
- Additional fields can be written to Aurion, provided these fields already exist in the SEC_USER and EMP_PERS APIs. Refer to your Aurion documentation for which fields are included in those API calls.
- Additional fields can be read/written from Active Directory/Azure Active Directory, provided they are on the user object, and either available through AD LDAP or AAD GRAPH.
Any customisations outside of this may either be made by a short engagement or by using UNIFYConnect instead. Please contact us to discuss.
- Microsoft Active Directory 2008 or later; or
- Microsoft Azure Active Directory
- Aurion v10.1.2.04 MR1 or later
Aurion SecUser account
A Security User must be created to permit UNIFYAssure/Aurion to communicate with the Aurion server. This account can be created by your organisation’s Aurion administrators. The following must be completed:
- SecUser account created
- Aurion SecUser granted permissions to use the following APIs:
- End-point details are known, including any valid certificate chains required for SSL.
The UNIFYAssure/Aurion service will provision a new AD account for an Aurion HR employee record on synchronisation if an existing AD account cannot first be matched to that employee record. This match requires the use of a correlation ID or breadcrumb on the AD account, such as the
employeeID AD user property recommended by UNIFY. This property must already exist in AD and contain the unique Aurion person number for every employee record that must be matched to an existing AD account.
Please contact UNIFY for your options should this not be already set up.
Choose which of the two directory options suits you best.
This section is for those that are connecting the service to Active Directory.
UNIFYAssure must have an account on Active Directory with permissions to create, modify and disable accounts. It must also be aware of the SSL certificate used by the LDAPS end-point on the nominated Active Directory server.
- An Active Directory account with appropriate permissions has been created for use by UNIFYAssure/Aurion
- Connectivity must be arranged for the Active Directory. The two preferred options are a VPN, or the UNIFYAssure agent.
- UNIFYAssure must have a valid certificate chain. Therefore, either the Active Directory end-point SSL certificate is from a Windows Trusted Certificate Authority, or UNIFY Solutions must be supplied with a public Certificate Authority root certificate.
Azure Active Directory
To connect to your Azure Active Directory, you will need to create an App Registration with a ClientID and ClientSecret. The permissions granted to this App Registration are
In any enterprise Active Directory installation, attribute values maintained on user objects are usually used to drive enterprise policy. This may include but not be limited to the following:
- Use of automation (e.g. in login scripts) to map user home drives and user profile paths to managed network resources/file shares;
- Use in dynamic distribution lists (e.g. Exchange Dynamic Lists) to leverage user attributes to address emails to collections of users;
- Use in other policy to drive membership of other AD groups, such as security groups or groups; and
- Calculation of license (CAL) counts based on the number of active employee records, for example.
With the implementation of synchronisation rules in UNIFYAssure, some of the properties used in policy such as the above will now be mastered (authoritative) in Aurion HR. This implies that any downstream dependencies must be in alignment with the new data source for all mapped and synchronised properties, and that attempts to alter the synchronised attributes directly in AD post implementation may be undone in subsequent synchronisation cycles.
Additionally, in order for UNIFYAssure to provision new AD accounts that meet various uniqueness, GAL visibility and security policy criteria, rules have been built into the solution to initialise the following special attributes:
- Email address
- Windows Login Name (pre Windows 2000 format)
- User Principal Name
- Common Name
- Display Name
Given that there will always be scenarios where name clashes occur in an environment which cannot be resolved without some form of human intervention, the synchronisation model is designed to allow these specific values to be changed manually directly in AD post provisioning, and for these to persist despite future synchronisation cycles. The initial values set by the solution are determined according to UNIFY’s accumulated best practice and experience, and that this model has been adopted for this solution to deliver the best, most manageable outcome within budget.
A typical Aurion deployment will incorporate policy, in the form of workflow, based on employee attribute values changing. One example might be the changing/setting of an email address resulting in a notification being sent to that target.
Any Aurion workflows which may be initiated as a result of email updates must be understood and adjusted if required to avoid the initiation of unwanted emails, particularly when these occur for large numbers of updates which has the potential to occur in the initial synchronisation steps following deployment.
We are pretty confident in our solution. It has run large enterprises identity systems for years. However, it is always a good idea to plan for the slight risk of something going wrong.
For both your directory and your Aurion, you need to make sure you have valid disaster recovery plans that work. We will check with you before we complete the installation.