Auto-provisioning setting for portal administrator accounts

The auto-provisioning setting for portal administrator accounts allows an administrator to log in to the MaaS360® Portal with corporate user directory credentials.

Auto-provisioning an administrator account

  1. From the Administrator Settings page, go to the Advanced settings.
  2. Enable the Configure Federated Single Sign-on setting and choose the Authenticate against Corporate User Directory authentication method.
  3. Enable Automatically create new Administrator accounts and update roles based on User Groups and enter the distinguished name for the user groups that you want to auto-provision.

For example, SSO User Group is an Active Directory user group. To auto-provision SSO User Group, choose SSO User Group from the User Groups drop-down list in the Automatically create new Administrator accounts and update roles based on User Groups setting.

User privileges in auto-provisioned user groups

All users that are members of an auto-provisioned user group are privileged as portal administrators.

Portal administrators can use the Custom login URL setting that is available in Administrator Settings > Advanced > Login Settings to log in to the MaaS360 Portal with their user name, domain, and login password.

For example, if the user kimsin is a member of the SSO User Group that is auto-provisioned, then the user kimsin is privileged as a portal administrator and can log in to the MaaS360 Portal by entering their credentials in the custom login URL.

You can also view all active user accounts with portal administrator privileges in the Search Administrators page.

Note: When a user account is no longer auto-provisioned and the portal administrator does not have privilege rights, the user cannot log in to the MaaS360 Portal. The credentials that are entered are either incorrect or the user account is not provisioned. The status for these types of user accounts is displayed as inactive in the Search Administrators page.

Deactivation of auto-provisioned administrator user accounts

MaaS360 uses the Cloud Extender® 2.94 module to fetch portal administrator account status from Active Directory (AD). With this module, you can deactivate auto-provisioned administrator accounts if the administrator user account is no longer in Active Directory (AD) or is not a member of an auto-provisioned group.

The following scenarios explain why an administrator account is deactivated:

Table 1. Scenarios for deactivation of auto-provisioned administrator accounts

Scenario:
  • The user is moved from an auto-provisioned user group to a group that is not auto-provisioned.
  • The user is removed from an auto-provisioned user group.
  • The auto-provisioned user group is removed.

Description: With this scenario, if a user tries to log in to the MaaS360 Portal with AD, AD LDAP, or Open LDAP, the user account becomes inactive. The account becomes inactive because the user account is not a member of an auto-provisioned user group.

If a user is not logged in to the MaaS360 Portal, then the account is automatically mapped as inactive when the portal batch jobs run periodically on the backend.

Note: When an auto-provisioned group is removed, all user accounts that are members of this group become inactive, either when the users try to log in to the MaaS360 Portal with AD, AD LDAP, or Open LDAP, or during the periodic portal batch jobs.

Scenario:
  • The user account is deactivated or deleted from Active Directory (AD).

Description: In this scenario, if a user tries to log in to the MaaS360 Portal with AD, AD LDAP, or Open LDAP, the login authentication fails. However, the user account is not mapped as inactive. The user account is mapped as inactive only during the periodic portal batch jobs that run on the backend.
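
The following reconciliation check is an added example, not MaaS360 code or an IBM-provided tool. It compares the administrator statuses shown on the Search Administrators page with a directory snapshot and reports accounts whose status has not yet caught up with the scenarios in Table 1. The data structures, field names, group DNs, and all user names other than kimsin are constructed assumptions, not a MaaS360 export format or API.

```python
# Constructed sample data; names and structure are assumptions for illustration.
AUTO_PROVISIONED_GROUPS = {"CN=SSO User Group,OU=Groups,DC=example,DC=com"}

# Directory snapshot: user name -> set of group DNs. A user missing from this
# mapping stands for an account deactivated or deleted in the directory.
DIRECTORY = {
    "kimsin": {"CN=SSO User Group,OU=Groups,DC=example,DC=com"},
    "moved.user": {"CN=Helpdesk,OU=Groups,DC=example,DC=com"},
    "removed.user": set(),
}

# Portal view: user name -> status as shown on the Search Administrators page.
PORTAL_ADMINS = {
    "kimsin": "active",
    "moved.user": "active",
    "removed.user": "inactive",
    "deleted.user": "active",
}

def classify(user, status, directory, groups):
    """Return the finding for one auto-provisioned administrator account."""
    if user not in directory:
        # Deleted or deactivated in AD: login fails, but the status changes
        # only when the periodic batch job runs.
        return "ok" if status == "inactive" else "stale-until-batch-job"
    if directory[user] & groups:
        # Still a member of an auto-provisioned group. An inactive status here
        # is not covered by the page; it is reported for manual review.
        return "ok" if status == "active" else "inactive-but-eligible"
    # Moved or removed from the group, or the group itself was removed:
    # deactivated at the next login attempt or batch job.
    return "ok" if status == "inactive" else "pending-deactivation"

def reconcile(portal, directory, groups):
    """Map each user whose portal status disagrees with the directory to a finding."""
    findings = {}
    for user, status in sorted(portal.items()):
        result = classify(user, status, directory, groups)
        if result != "ok":
            findings[user] = result
    return findings

if __name__ == "__main__":
    for user, finding in reconcile(PORTAL_ADMINS, DIRECTORY, AUTO_PROVISIONED_GROUPS).items():
        print(f"{user}: {finding}")
```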