Manually adding O365 Users to Clio Operate
To add your O365 users to Clio Operate, open the application and go to the administration tool (Launchpad > Open Admin). Select “Users” and then “All” from the left-hand navigation – this will open the user list.
From the context ribbon, select “Add user”.
Complete the details about the user as needed and then click the “User Account” navigation at the bottom of the blade.
Mark the user as active, and not locked. Make sure to select the “Identity Provider” configured in the earlier step and set the “Identity Claim” to the UPN of the user in O365 (this will be their O365 email address). Fill in the remainder of the form and click Confirm, then Save.
At this point the user should be put into relevant teams to grant access to Clio Operate features.
Automatically provisioning O365 users to Clio Operate
Clio Operate supports the SCIM API and can be configured to accept provisioning requests from Azure Active Directory.
The following sections provide a guide on configuring Clio Operate for automated provisioning of users and teams.
Register SCIM Client App
Within the administration area, open the identity service management page. This can be found under Admin > Integrations > Manage Identity Service.
Select to Add App, and “Add client credentials application”
- Enter a Client name – (i.e. [Client] SCIM)
- Enter a Client ID – i.e. [Client]SCIM
- Enter a Client Secret – you can select the Randomise option to generate a random key
- Create a long-long lived access token – i.e. 5 years.
Next – open the client and select the option to provide you with a Bearer Token. You will need to provide this when configuring Azure AD.
Enable the SCIM Feature
Modeller > Global Features
-
Enable and configure the SCIM Feature
-
Add a new Provider
- Configure the SCIM Provider
- Identity Provider - select the Identity Provider (e.g. Azure AD) that will be providing users to Clio Operate.
USER CONFIGURATION
- Default User Type - users added from your identity provider are given a Clio Operate user type. This can be overridden by providing a mapping for a 'userType' from your AAD, but it is common for users to be added to a common low privilege user type.
- Manager Connection - some identity providers hold an organisations hierarchy/reporting line. This can be reproduced in Clio Operate, provided these users are also synchronised to Clio Operate.
GROUP CONFIGURATION
Where groups are used as containers in the identity provider, these groups become teams in Clio Operate. It is possible to assign permissions to these groups so that users in those groups have a basic set of Clio Operate permissions.
The alternative is to assign specific user types to users on provisioning or through manual action. Assigning users to specific types will add them to teams that would then have appropriate permissions.
- New Teams Organisation - Teams must belong to organisations. It is most common for teams to belong to your Organisation record.
- New Team Ods Type - Teams may also have their own 'type'. Clio Operate team types can be used for access control (ACL) or task allocation (POD). It is possible for AD groups to become teams within Clio Operate, that are then used for task allocation or access control.
Create an Enterprise Application
These steps will require you to be an Azure AD Administrator.
- Access your Azure AD management portal.
- Select Enterprise Applications
- Select to add a new Enterprise Application
- Select to create your own application
- Provide an application name (i.e. [Client] – ShareDo – SCIM [environment]) and select to Integrate any other application you don’t find in the gallery.
- Select Provisioning
- Select Automatic Provisioning
- Tenant URL – https://{ShareDo-url}/api/scim/{identity-provider}
- Secret Token – [Bearer Token from step 3.1]
Test the connection to ensure AAD can communicate with your Clio Operate instance.
Configure Mapping
When provisioning requests are made to create or update users or group, the payload provided can be customised to map properties from AAD to named properties of the payload provided in these requests.
The provisioning feature allows you to configure this mapping.
If the below mapping is provided then additional attributes such as contact details will be added with these actions.
Users
Once this User payload reaches Clio Operate, it is mapped to the following Clio Operate schema attributes.
Note that the default mapping in Azure AD for mail (email) is set to provide this as: emails[type eq 'work']
This needs to be updated to map mail to: emails[type eq 'email']
The following table defines the mapping from the SCIM 2.0 to the Clio Operate schema.
| scim attribute | Clio Operate ATTRIBUTE | NOTES |
|---|---|---|
| User Schema | ||
| id | ODS. SCIMId | SCIM id is held in a custom attribute on the ODS record |
| username | User.IdentityClaim | |
| Name.givenName | Person.firstName | |
| Name.middleName | Person.middleName | |
| Name.familyName | Person.Surname | |
| Name.displayName | Ods.ShortName | |
| Name.honorificPrefix | Person.Title | If the values cannot be mapped to the optionset then they are ignored |
| preferredLanguage | Person.PreferredLanguage | |
| Locale | Person.Timezone | |
| Active | User Profile Active | |
| birthdate | Person.dob | |
|
Emails
|
Contact Details |
Primary flag is used to indicate their primary email address. Type should map to the contact types defined |
| phoneNumbers | Contact Details | Type should map to the contact types defined |
| Addresses | Locations | |
| Groups | Team Membership | |
| Roles | Primary Team Role | The first role passed will be set as the role on the primary team |
| Enterprise User Schema Extension | ||
| employeeNumber | ODS. Reference | SCIM id is held in a custom attribute on the ODS record |
| Organisation | User.Organisation | |
| Manager | ODS Connections | Creates a connection |
Groups
When this payload reaches Clio Operate it is mapped to the following Clio Operate schema attributes.
| Groups Schema | ||
| externalId | ODS. SCIMId | SCIM id is held in a custom attribute on the ODS record |
| displayName | Team.Name | |
| members | Team Members | List of team members |
Enable Provisioning
When you configure the Enterprise Application for Provisioning, you will need to decide if you will synchronise the users and groups added to this Enterprise Application, or users and groups from the entire directory.
Sync only assigned users and groups
When you select users and groups added to this Enterprise Application, the provisioning feature will synchronise only the users and groups added to the users and groups area for this Enterprise Application.
Sync all users and groups
When you select the entire directory, the provisioning feature will synchronise all users and groups in Azure Active Directory.
Finally, you need to enable Provisioning
Testing your identity synchronisation configuration
Once configured, you can test your identity synchronisation configuration by creating users and groups in the directory or adding them to the Enterprise Application.
However, this process is not synchronous, and the background process does not provide immediate feedback on a provisioning request.
To address this, there is a feature within Azure AD to manually run the provisioning of a user or group on demand.
Selecting this option allows you to have Azure AD synchronise the user or group immediately.
