User provisioning with an Identity Provider (IdP)

Overview

Identity Providers (IdPs), such as Azure Active Directory or Okta, provide a directory of employees and can be used to manage employee app provisioning (for apps like Front). Front integrates with Identity Providers to enable automatic user provisioning, de-provisioning and group sync.


Supported Identity Providers

Table columns: Identity Provider | User provisioning and de-provisioning | User accounts are blocked in Front when an Identity Provider de-provisions them | Create new user with teammate Template | Sync Group membership

Identity Providers listed: Azure Active Directory, Okta, Google Workspace, OneLogin, Rippling, Gusto

Syncing Groups from an Identity Provider

Identity Providers allow you to create user groups based on criteria such as department, job title or project. When you integrate an Identity Provider with Front, it is possible to sync those groups to a teammate Group in Front.

When a group is pushed or assigned from an Identity Provider, a new teammate Group will be created in Front. However, if a teammate Group with the same name already exists in Front, that existing teammate Group will instead be synced to the group in the Identity Provider.

Identity Provider-managed Groups in Front

Once a Group is assigned to Front from an Identity Provider (IdP) like Okta, the teammate Group in Front will be classified as IdP-managed. A teammate Group can be created in Front and later become IdP-managed if a group with the same name in the IdP is pushed to Front. You can see whether a teammate Group is IdP-managed by clicking on the Group and checking for a banner at the top of the page.

Once a Group is classified as IdP-managed, it will no longer be possible to edit the Group name and members inside Front. It is not possible to delete an IdP-managed Group in Front; it must be deleted or unassigned from the Identity Provider.
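Because a pushed group takes over any existing teammate Group with the same name, it helps to compare names before enabling sync. The following is an added example, not Front's own code: it classifies each IdP group from hand-exported lists of names (constructed here) and calls no Front or IdP API. The near-match check on case and whitespace is an assumption, since this page does not say how names are compared.

```python
# Added example: pre-flight check before pushing IdP groups to Front.
# Inputs are plain lists of group names exported by hand (hypothetical data).

def normalize(name):
    """Collapse case and whitespace so near-identical names can be compared."""
    return " ".join(name.split()).casefold()

def plan_group_sync(idp_groups, front_groups):
    """Classify each IdP group by what a push is expected to do.

    created - no teammate Group with that name exists, so a new one is created
    adopted - an existing teammate Group has the same name and becomes IdP-managed
    review  - names differ only by case or spacing; how Front compares names is
              not stated on the page, so these need a manual decision (assumption)
    """
    exact = set(front_groups)
    by_norm = {}
    for g in front_groups:
        by_norm.setdefault(normalize(g), []).append(g)

    plan = {"created": [], "adopted": [], "review": []}
    for g in idp_groups:
        if g in exact:
            plan["adopted"].append(g)
        elif normalize(g) in by_norm:
            plan["review"].append((g, sorted(by_norm[normalize(g)])))
        else:
            plan["created"].append(g)
    return plan

# Constructed sample data
IDP_GROUPS = ["Support", "sales ", "Security Engineering"]
FRONT_GROUPS = ["Support", "Sales", "Billing"]

if __name__ == "__main__":
    plan = plan_group_sync(IDP_GROUPS, FRONT_GROUPS)
    for g in plan["adopted"]:
        print(f"ADOPT  {g!r}: existing Group becomes IdP-managed; name and members lock in Front")
    for g, near in plan["review"]:
        print(f"REVIEW {g!r}: close to existing {near}; confirm the name before pushing")
    for g in plan["created"]:
        print(f"CREATE {g!r}: new teammate Group")
```

Groups reported as ADOPT are the ones whose name and members can no longer be edited in Front after the push, so review them before turning on sync.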

If you no longer wish to manage any Groups from your Identity Provider, and would like to manage them inside Front instead, you can disable teammate Group sync. To do this, navigate to your company settings, and then click on Teammates and go to the User provisioning tab.


Integrating an Identity Provider with Front

Instructions to implement the integrations with an Identity Provider can be found in the table above or in the Identity Provider’s help center. For all Identity Providers, you will first need to configure a Front API token to pass to the Identity Provider.

Configure a Front API token

Step 1

Click the gear icon on the top right of Front, go to the Company settings tab, and select Teammates from the left menu. Then click on the User provisioning tab.

Step 2

Click on New Token, and select the scope as Auto Provisioning.

Step 3

If you want to push groups from your Identity Provider to teammate Groups in Front, then from the User provisioning tab, toggle on Enable Teammate Group Sync from your Identity Provider.

Step 4

Click on the token you created to copy it to your clipboard, and follow the Identity Provider’s instructions on where to save that token in the Identity Provider portal.


Pricing

This feature is available on the Scale plan. Some legacy plans with different names may also have this feature.
