Setup
- Azure AD Sync is an application that sits between Stratsys and Azure AD and enables a one-way synchronization from Azure AD to Stratsys.
- It has a Swagger definition!
Prerequisite
In Stratsys:
- The database needs to be migrated. Read more about it here: Migrate customer.
- The Azure AD license and groups meet the requirements (see the first Note section).
Note
Make sure you use the correct URLs for the environment you are configuring. Platform URLs in production have the format http://[application].svc.stratsys.com. Test URLs look like this: https://[application].svc.test.stratsys.net.
Note
If you want to sync users that are already created in the platform, the new and the old user must have matching user name or e-mail. Otherwise, a new user will be created.
Create an organization
- Start by logging in to https://stratsys/companyCode > Administration > Organization and create your organization tree.
- This organization tree should mirror your Azure AD department structure. All departments in Azure AD need to have a corresponding alias in Azure AD Sync. See the Group and department mapping section.
Fig. 1 Stratsys organization tree.
Tip
In this example the organization tree mirrors the Azure Demo Active Directory, which I will use throughout the documentation. Create your own demo here.
Generate a key
- Go to Platform Administration and click User Sync > Settings > Activate directory synchronization.
- Under Keys, write the Company code and click Generate token.
- Copy the key and store it in a safe place, since you won’t be able to retrieve it later.
- Copy the Azure AD Sync URL, you will need it later.
Create and configure groups
Create
- The groups are created in Stratsys and configured in Azure AD Sync.
- After the groups are created in Stratsys, go to Groups and click Show non-external groups.
- There, all groups from Stratsys are listed. Select the groups you want to use and click Set to external.
- The groups are listed as a prioritized list. When a user is assigned to a group, the priority determines if this group should be set as main membership or extra membership for this user. The user will get a new membership consisting of the new group and the same department as the main membership.
- Each group also has a department mapped to it. This acts as a fallback when a user is assigned a nonexistent department (it might have been misspelled, or simply not created in Stratsys). So if the group is the main membership for the user, its configured department is used.
Configure
- Click on a group to see and edit its configuration.
- All groups in Azure AD need to have a corresponding alias in Azure AD Sync. If a group doesn’t have an alias, the provisioning of this group will fail.
- The alias is the name of the corresponding Azure AD group. A group can have several aliases and hence map to several Azure AD groups.
- An alias must be unique.
Configure departments
- Departments also need to have a corresponding alias, just as groups do.
- Departments do not, however, need to be explicitly selected for provisioning (set as external). Instead they are automatically imported from Stratsys.
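The priority, fallback-department and alias rules from the group and department sections above, modelled as an added Python example (this is not Stratsys code; the class names, the rule that the first matching group in the prioritized list becomes the main membership, the error behaviour and the sample group names are assumptions made to illustrate the documented rules):

```python
from dataclasses import dataclass


@dataclass
class ExternalGroup:
    """A Stratsys group set to external; its list position is its priority."""
    name: str
    aliases: frozenset        # Azure AD group names that map to this group
    fallback_department: str  # used when the user's department is unknown


@dataclass
class Membership:
    group: str
    department: str
    main: bool

class AliasError(ValueError):
    """Raised where the documentation says provisioning of a group fails."""


def resolve_memberships(azure_groups, azure_department, groups, department_aliases):
    """Resolve one user's Stratsys memberships; `groups` is ordered by priority."""
    owner = {}  # alias -> group name; an alias must be unique
    for g in groups:
        for alias in g.aliases:
            if alias in owner:
                raise AliasError(f"alias {alias!r} used by {owner[alias]!r} and {g.name!r}")
            owner[alias] = g.name
    unmapped = sorted(a for a in azure_groups if a not in owner)
    if unmapped:  # an Azure AD group without an alias cannot be provisioned
        raise AliasError(f"no alias configured for Azure AD group(s) {unmapped}")
    matched = [g for g in groups if g.aliases & set(azure_groups)]
    if not matched:
        return []
    main = matched[0]  # highest-priority group becomes the main membership
    # Unknown (misspelled or missing) department: fall back to the main group's
    department = department_aliases.get(azure_department, main.fallback_department)
    # Extra memberships reuse the department of the main membership
    return [Membership(main.name, department, True)] + [
        Membership(g.name, department, False) for g in matched[1:]
    ]

# Constructed sample configuration (not from any real tenant) for trying it out
SAMPLE_GROUPS = [
    ExternalGroup("Administrators", frozenset({"SG-Stratsys-Admins"}), "Head office"),
    ExternalGroup("Users", frozenset({"SG-Stratsys-Users", "All-Staff"}), "Unassigned"),
]
SAMPLE_DEPARTMENTS = {"Sales": "Sales", "Finance": "Finance"}
```

A user in both sample Azure AD groups with department "Sales" gets Administrators as main membership and Users as an extra membership, both in Sales; a misspelled department falls back to the main group's configured department.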
Create an Azure AD application
- Go to https://portal.azure.com. Select Azure Active Directory > Enterprise applications > New application.
- Select Non-gallery application > Enter a name of your choice, for example StratsysAdSync, and click Add.
- Go to Provisioning > Get started
Fig. 5 New application in Azure AD.
- Pick Provisioning Mode Automatic
- Paste the Azure AD Sync URL (1) previously copied from the platform administration.
- Paste the key (2) previously copied from the platform administration.
- Make sure the connection is correct by clicking Test connection (3). Azure should indicate that everything was fine (4).
- Press Save at the top of the page.
Fig. 6 Azure AD application configuration.
Synchronize users and groups
1. Click Provisioning > Start provisioning. The synchronization will take a couple of minutes.
2. When the first cycle has finished you can see the outcome on the same page. Fig. 7 is an example of a not so successful run, since it has 19 errors. Check the logs under (1) and (2).
Fig. 7 Azure initial cycle.
Synchronization done
- If no error was reported, you’re done!
- Return to the Platform Administration > User Sync > Groups.
- You will now see your synchronized groups. They are marked as provisioned and have a Modified at and Created at timestamp.
- Go to Users and make sure all users have been synchronized.
Resources
- Check the logs: https://logging.stratsys.net/app/kibana#/discover/d6165770-d463-11e9-a9ab-1940d6e09d7a
- Troubleshoot: https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/application-provisioning-config-problem
- How provisioning works in Azure AD: https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups