This guide is all you need to know about UNIFYConnect/Aurion.

Solution objectives

  • Creating and disabling Active Directory/Entra ID (formerly Azure AD) Accounts based on Aurion HR data.
  • Keeps account attributes up to date.
  • Maintains Manager and Direct Reports relationships.

Compatibility

UNIFYConnect/Aurion is compatible with:

  • Aurion v10.1.2.04 MR1 or later
  • Microsoft Active Directory or Microsoft Entra ID (formerly Azure AD)

Connectivity

Aurion connectivity

The UNIFYConnect/Aurion connector uses the Aurion APIs. UNIFYConnect will need a Security User in Aurion to access the APIs. The checklist below contains information about the permissions required.

Reading information from Aurion uses the Aurion querying system. UNIFY can supply a query that will work for most Aurion implementations. To retrieve the information, UNIFYConnect uses the QUERY functions in the Aurion API.

To update Employee and Security Users, the API methods for updating and creating are used. This means what fields can be written to are limited to the fields available in the API.

Find out more at our UNIFYBroker/Aurion documentation.

Microsoft Active Directory

UNIFYConnect uses LDAP/SSL to communicate with Microsoft Active Directory. See Networking about how this is secured.

Microsoft Entra ID

UNIFYConnect uses the GRAPH APIs to communicate with Entra ID (formerly Azure Active Directory).

Networking

UNIFYConnect will only use secure channels to communicate.

  • TLS 1.3 or higher connections are preferred.
  • If we need to communicate within your network, there are two options:
    • Virtual Private Network (VPN). There are some limitations to this, contact us to discuss.
    • A UNIFYConnect agent. This can be run on a server inside your network, and can be firewalled to only contact those services needed.

Cloud only

flowchart LR UNIFYUNIFYConnectAssure Aurion AAD[Entra ID] UNIFYConnect-->|Aurion API|Aurion UNIFYConnect-->|GRAPH|AAD

Active Directory with VPN

flowchart LR UNIFYConnect Aurion subgraph Enterprise VPN AD[Active Directory] end UNIFYConnect-->|Aurion API|Aurion UNIFYConnect-->|LDAPS|VPN VPN-->|LDAPS|AD

Active Directory with Agent

flowchart LR UNIFYConnect Aurion subgraph Enterprise Firewall UAAgent[UNIFYConnect Agent] AD[Active Directory] end UNIFYConnect-->|Aurion API|Aurion UAAgent-->|REST|Firewall Firewall-->|REST|UNIFYConnect UAAgent-->|LDAPS|AD

There are other combinations available, just contact us to find out how we can connect.

Security

Find out more about how we handle security in the FAQ.

Functionality

Using Aurion as the Authoritative Source or “Point of Truth”, the following functionality is offered:

  • Automated On-Boarding and Off-Boarding
  • Active Directory/Entra ID (formerly Azure Active Directory) Account Creation
  • Account automatically created in Active Directory based upon employee creation in Aurion and nominated Aurion information synchronised to the relevant Active Directory/Entra ID (formerly Azure Active Directory) account. (Includes updating Manager and Direct Reports relationships in Active Directory based upon the Employee’s Position.)

Schema

erDiagram AUR_EMP ||--|| UNIFYConnect : syncs AUR_SecUser ||--|| UNIFYConnect : syncs AD_User ||--|| UNIFYConnect : syncs AUR_EMP { string PersonNumber string EmployeeNumber string GivenNames string PreferredName string Surname date DateCommenced date TerminationTimeStamp string Manager string Company string Department string JobTitle string WorkAddress phone StreetAddress phone MobileNumber email EmailAddress } AUR_SecUser { string PersonNumber string OSUSerId } UNIFYConnect { string PersonNumber string EmployeeNumber string GivenNames string PreferredName string Surname date DateCommenced date TerminationTimeStamp string Manager string Company string Department string JobTitle string WorkAddress phone StreetAddress phone MobileNumber email EmailAddress } AD_User { guid objectGuid date accountExpires string cn string company string department string displayName string ActiveDirectoryPersonDn string employeeID string employeeNumber string givenName string initials AD_User manager string ActiveDirectoryPersonObjectClass string physicalDeliveryOfficeName string sAMAccountName string sn string title string userPrincipalName email mail }

Lifecycle Management

sequenceDiagram UNIFYConnect->>Aurion Query API: Execute Query Aurion Query API->>UNIFYConnect: Query results opt Employee Started UNIFYConnect->>AD/Entra ID: Create account UNIFYConnect->>Aurion SecUser API: Create Security User end opt Employee Changed UNIFYConnect->>AD/Entra ID: Update account end opt Employee Terminated UNIFYConnect->>AD/Entra ID: Disable account end UNIFYConnect->>AD/Entra ID: Query AD/Entra ID->>UNIFYConnect: Query results opt Contact details changed UNIFYConnect->>Aurion PERS_EMP API: Update contact details end

Customisations

This is limited to

  • Additional fields can be read from Aurion, provided a modified Aurion Query can be supplied. These fields can be written directly to a field on Active Directory objects with no transformations.
  • Additional fields can be written to Aurion, provided these fields already exist in the SEC_USER and EMP_PERS APIs. Refer to your Aurion documentation for which fields are included in those API calls.
  • Additional fields can be read/written from Active Directory/Entra ID (formerly Azure Active Directory), provided they are on the user object, and either available through AD LDAP or Entra ID GRAPH.

Any customisations outside of this may either be made by a short engagement or by using UNIFYConnect instead. Please contact us to discuss.

Requirements Checklist

Software

  • Directories:
    • Microsoft Active Directory 2008 or later; or
    • Microsoft Entra ID (formerly Azure Active Directory)
  • Aurion v10.1.2.04 MR1 or later

Configuration

Aurion SecUser account

A Security User must be created to permit UNIFYConnect/Aurion to communicate with the Aurion server. This account can be created by your organisation’s Aurion administrators. The following must be completed:

  • SecUser account created
  • Aurion SecUser granted permissions to use the following APIs:
    • QUERY_TO_XML
    • EMP_UPDATE_PERS
    • PERSON_ADD
    • SEC_USER_ADD
    • SEC_USER_UPDATE
    • EMP_SCHED_EMP
  • End-point details are known, including any valid certificate chains required for SSL.

Correlation IDs

The UNIFYConnect/Aurion service will provision a new AD account for an Aurion HR employee record on synchronisation if an existing AD account cannot first be matched to that employee record. This match requires the use of a correlation ID or breadcrumb on the AD account, such as the employeeID AD user property recommended by UNIFY. This property must already exist in AD and contain the unique Aurion person number for every employee record that must be matched to an existing AD account.

Please contact UNIFY for your options should this not be already set up.

Directories

Choose which of the two directory options suits you best.

Active Directory

This section is for those that are connecting the service to Active Directory.

UNIFYConnect must have an account on Active Directory with permissions to create, modify and disable accounts. It must also be aware of the SSL certificate used by the LDAPS end-point on the nominated Active Directory server.

  • An Active Directory account with appropriate permissions has been created for use by UNIFYConnect/Aurion
  • Connectivity must be arranged for the Active Directory. The two preferred options are a VPN, or the UNIFYConnect agent.
  • UNIFYConnect must have a valid certificate chain. Therefore, either the Active Directory end-point SSL certificate is from a Windows Trusted Certificate Authority, or UNIFY Solutions must be supplied with a public Certificate Authority root certificate.

Entra ID

To connect to your Entra ID (formerly Azure Active Directory), you will need to create an App Registration with a ClientID and ClientSecret. The permissions granted to this App Registration are User.ReadWrite.All and Group.ReadWrite.All, or Directory.ReadWrite.All.

Dependencies

Active Directory

In any enterprise Active Directory installation, attribute values maintained on user objects are usually used to drive enterprise policy. This may include but not be limited to the following:

  • Use of automation (e.g. in login scripts) to map user home drives and user profile paths to managed network resources/file shares;
  • Use in dynamic distribution lists (e.g. Exchange Dynamic Lists) to leverage user attributes to address emails to collections of users;
  • Use in other policy to drive membership of other AD groups, such as security groups or groups; and
  • Calculation of license (CAL) counts based on the number of active employee records, for example.

With the implementation of synchronisation rules in UNIFYConnect, some of the properties used in policy such as the above will now be mastered (authoritative) in Aurion HR. This implies that any downstream dependencies must be in alignment with the new data source for all mapped and synchronised properties, and that attempts to alter the synchronised attributes directly in AD post implementation may be undone in subsequent synchronisation cycles.

Additionally, in order for UNIFYConnect to provision new AD accounts that meet various uniqueness, GAL visibility and security policy criteria, rules have been built into the solution to initialise the following special attributes:

  • Email address
  • Windows Login Name (pre Windows 2000 format)
  • User Principal Name
  • Common Name
  • Display Name

Given that there will always be scenarios where name clashes occur in an environment which cannot be resolved without some form of human intervention, the synchronisation model is designed to allow these specific values to be changed manually directly in AD post provisioning, and for these to persist despite future synchronisation cycles. The initial values set by the solution are determined according to UNIFY’s accumulated best practice and experience, and that this model has been adopted for this solution to deliver the best, most manageable outcome within budget.

Aurion

A typical Aurion deployment will incorporate policy, in the form of workflow, based on employee attribute values changing. One example might be the changing/setting of an email address resulting in a notification being sent to that target.

Any Aurion workflows which may be initiated as a result of email updates must be understood and adjusted if required to avoid the initiation of unwanted emails, particularly when these occur for large numbers of updates which has the potential to occur in the initial synchronisation steps following deployment.

Disaster Recovery

We are pretty confident in our solution. It has run large enterprises identity systems for years. However, it is always a good idea to plan for the slight risk of something going wrong.

For both your directory and your Aurion, you need to make sure you have valid disaster recovery plans that work. We will check with you before we complete the installation.

Copyright ©2024 UNIFY Solutions Trust Center