This allows existing directories to be displayed.

The Status column shows whether the directory is Active or Inactive.

The SmartSync column shows the status of synchronization with SmartSync, where:

• Not configured: indicates that the directory setup in SmartSync has not been finished yet.
• Configured: indicates that Identity has successfully connected to SmartSync.
• Unavailable: indicates that the configuration of Identity with SmartSync has been completed, but the SmartSync server is not currently syncing.

Name
Name to identify the directory. 

Migrate from SmartSync?

• Yes: By enabling this option, all users and groups from the directory indicated in the Active Directory field will be migrated once the SmartSync configuration is finished. 
• No: By keeping the option disabled, the new Active Directory will be created without importing users and groups from the previous SmartSync.

Enable automatic user acceptance?

• Yes: By enabling this option, all users imported from this Active Directory by SmartSync will be automatically accepted and provisioned into this Identity context.
• No: By keeping the option disabled, all users imported from this Active Directory by SmartSync will be added to the Pending list until they are manually approved.

NOTE:
If you are adding the first AD, you will be presented with some general settings fields. For more details about each option, see the Change general settings item of this documentation.

User filter
Use the Active Directory variables to filter the users that will be synchronized. If the value has been incorrectly changed, click the  Restore default button to return to the original values.

Groups filter
Use the Active Directory variables to filter the groups that will be synchronized. If the value has been incorrectly changed, click the Restore default button to return to the original values.

NOTE:
The fields corresponding to the User filter and Groups filter must be filled in the LDAP format. When a filter is set for users and/or groups, SmartSync will recognize this parameter and import the users and groups into Identity based on the filter specified in these fields.

The filter fields are pre-filled with a default value, so no conditions need to be specified for import, allowing all users and groups to be imported.

Default value:

• Users filter: (&(objectClass=user)(objectCategory=person))
• Groups filter: (objectCategory=group)

For more details on creating filters, read the LDAP import filters documentation.

A confirmation message is displayed, and the created directory appears in the directory list. The status Not configured is displayed in the SmartSync column, indicating that the configuration of the application that synchronizes with the Active Directory server needs to be completed. To install the application, download the SmartSync installer as follows.

Windows versions compatible with SmartSync can be found in the TOTVS Identity Portability Matrix. To learn more about the installation, visit the SmartSync technical documentation.

The generated token is displayed in the Token column of the respective directory. To copy it, click the generated token. 

This token must be provided when adding Active Directory to SmartSync. For more information, refer to the Add Active Directory item in the SmartSync documentation.

NOTE:
The one-time token is designed to provide SmartSync users with increased security for their credentials. Configuration in Active Directory using the token will only be done once to synchronize the Identity company and Active Directory. If a new token is generated, the old one will be invalidated, enhancing the security of the user's credentials.

When generating the token, an encryption key will also be transmitted, which will be used by SmartSync to read the information when the user logs into Identity.

NOTE:
The screens above may differ from what is shown, due to Microsoft Azure updates.

1. Sign in to the Microsoft Azure portal with an administrator account.

2. Open the Menu (three lines in the top left corner) and click the Azure Active Directory service. See image

3. On the left side options, click Enterprise Applications.  See image

4. Click em + New Application. See image

5. Choose the Application not found in the Gallery option. See image

6. Choose a name and create the app.

7. Select Configure single sign-on (mandatory). See image

8. Select SAML.

9. In the Basic SAML Configuration section, click the pencil icon to edit. See image

10. In the Identifier (Entity ID) field, type TotvsLabs. See image

11. In the Response URL (Assertion Consumer Service URL) field, enter the copied value that was obtained in Identity. See image

Here’s a tip!
This is the address: https://[COMPANY].fluigidentity.com/cloudpass/SAML/acs replacing the text “[COMPANY]” with the subdomain of your company from Identity.

12. In the SAML Authentication Certificate section, download the Federation Metadata XML file and save it. See image

13. On the left side menu, access Users and Groups and assign this app to the desired users/groups. See image

With this, Identity is ready to receive SSO login requests from the previously created Microsoft Azure SAML application.

Log in with any of the users you added to the SAML application and access the user applications page. In the application list, the previously created application that is configured for SSO login into Identity will be displayed.  See image

Click the previously created application and you will be logged in to Identity. On the initial login, this Microsoft Azure user will be created in Identity.

ATTENTION!
This user will be created in TOTVS Identity based on the information of the user already existing in Microsoft Azure. Starting now, you can log in to the Identity company using this Microsoft Azure user (by signing in to Microsoft Azure and clicking on the TOTVS Identity app that has been set up). This login from Microsoft Azure to Identity does not involve authentication with the local Active Directory using SmartSync. The login only involves Microsoft Azure and Identity.

LOCAL AD

Name
Directory name.

Enable automatic user acceptance?

Yes: By enabling this option, all users imported from this Active Directory by SmartSync will be automatically accepted and provisioned into this Identity context.

No: By keeping the option disabled, all users imported from this Active Directory by SmartSync will be added to the Pending list until they are manually approved for context by the company's management.

User filter
Use the Active Directory variables to filter the users that will be synchronized. If the value has been incorrectly changed, click the Restore default button to return to the original values.

Groups filter
Use the Active Directory variables to filter the groups that will be synchronized. If the value has been incorrectly changed, click the Restore default button to return to the original values.

NOTE:
The fields corresponding to the User filter and Groups filter must be filled in the LDAP format. When a filter is set for users and/or groups, SmartSync will recognize this parameter and import the users and groups into Identity based on the filter specified in these fields.

The filter fields are pre-filled with a default value, so no conditions need to be specified for import, allowing all users and groups to be imported.

Default value:

• Users filter: (&(objectClass=user)(objectCategory=person))
• Groups filter: (objectCategory=group)

For more details on creating filters, read the LDAP import filters documentation.

AZURE AD

Name
Directory name.

Azure AD Identifier
SAML Authentication Certificate ID sent.

The available settings are:

Allow Active Directory credentials
Set whether users will be allowed to access the company in TOTVS Identity using Active Directory credentials (network e-mail and password).

Save Active Directory credentials in TOTVS Identity
By checking this option, Plugin-type applications can be configured to access using Active Directory credentials.

The available settings are:

Synchronize changes in Active Directory user status
By checking this option, users disabled in Active Directory will also be automatically disabled from the company in Identity. Status synchronization is performed via SmartSync.

Synchronize changes in the user status of TOTVS Identity
By checking this option, changes to user status in Identity must be synchronized to Active Directory. As such, users who are disabled in Identity will also be automatically disabled in Active Directory.

ATTENTION!
If there are ADs with no configuration in the context, the options Synchronize changes in the status of the Active Directory user and Synchronize changes in the status of the TOTVS Identity user remain disabled and cannot be checked.

The available settings are:

Allow password change
When this option is active, password changes for Active Directory may be made on the user's My profile page (documentation in Portuguese language).

Save Active Directory password cache
When this option is active, a hash (which cannot be decrypted) of user passwords will be saved in TOTVS Identity, which provides faster authentication.

With deactivation, user synchronization is halted, and imported users are unable to use their Active Directory credentials to log in to Identity. 

Inactive directories are identified by the status Inactive. You can reactivate inactive directories at any time.

With the deletion, user synchronization is permanently halted, and imported users are unable to use their Active Directory credentials for authentication in TOTVS Identity. 

ATTENTION!
After deleting Active Directory, make sure you enable login with a personal password (via the Security tab). With this, users created from AD will still be able to access normally. Since users will no longer be bound to AD, they will need to authenticate with e-mail and password from Identity. However, since users do not yet have an Identity password, all users will need to reset their passwords through the login screen by selecting the "Forgot your Password" option. An email containing a link to reset the user's password will be sent.

At the top, there is a section providing information about the synchronization between TOTVS Identity and SmartSync:

Last sync with SmartSync
Displays the date and time of the last communication between SmartSync and Identity. Identity recognizes that SmartSync is available based on communication received from SmartSync → Active Directory.

SmartSync version
Informs the version of SmartSync that is running the synchronization between Identity and Active Directory.

Active Directory Server
Active Directory server address as configured by SmartSync.

Root DN
SmartSync configuration that indicates the root directory used to synchronize data between Identity and Active Directory.

Next, the Users and Groups tabs are presented, which allow you to view imported users and groups in the chosen directory.

There are three ways to accept users into Identity: one by one, by selected users, or by all users in the list.

With this, the users will appear in the Processing list until the user acceptance is finalized.

After completing the action, if all is in order, the user is added to the list of accepted users with the Accepted identifier. Once accepted, the imported user is set as Active, and access to the company in TOTVS Identity is released. Users are now listed on the User Management page. In the user profile, the first name, last name, e-mail, job title, and department fields are automatically filled in with the data imported from Active Directory.

At the time of user acceptance, Identity checks to see if the imported e-mail is already registered. If the e-mail already exists in Identity, said user will be sent to the list of rejected users with the Error identifier, where the user's e-mail can be changed. For more details, see the Fix User item in this documentation.

There are two ways to reject users in Identity: one by one or selected users.

After completing the action, the user is added to the list of rejected users with the Rejected identifier.

There are two ways to delete imported users: one by one or selected users.

After the action is complete, the deleted user will no longer appear in the list of rejected users and will not be re-imported.

When you hover over the Fix button, a tooltip will appear with the error that occurred.

All the fields relating to the user are displayed for editing (first name, last name, e-mail address and status).

After the fix, the user is shown in the list of pending users with the fixed information, and can now be accepted for the user to be created in Identity.

There are two ways to accept groups in Identity: one by one or in selected groups.

With this, the groups will appear in the Processing list until the group acceptance is finalized.

After completing the action, if all is in order, the group is added to the list of accepted groups with the Accepted identifier. Groups imported from Active Directory and accepted are listed alongside Identity's own groups on the Group Management page.

There are two ways to reject groups in Identity: one by one or selected groups.

After completing the action, the group is added to the list of rejected groups with the Rejected identifier.

The name of a group from the imported Active Directory can be changed in Identity so that when this group is accepted, it will be created with this new display name.