The Businessmap Single Sign-On integration is an excellent way for companies to centralize user management, i.e., user provisioning.
SAML 2.0 effectively outsources part of user provisioning to your IdP by handling initial identification and SSO, while SCIM takes care of the central management of your users. You can add new users, rename them or change their emails, and remove users centrally. You can scale this by using groups of users in your IdP or by applying changes in batches. All IdP changes are transferred automatically to your Businessmap account.
Unfortunately, SCIM implementations differ between Identity Providers and not all of them cover the standard in the same way, so you will still need to adjust to the specifics of your IdP and do some extra user management in Businessmap. The main configuration steps you need to know are below.
2. User Provisioning
To set up automatic user provisioning, your Identity Provider must support the SCIM (System for Cross-domain Identity Management) standard.
If so, you can enable automatic provisioning of users via SCIM in the Businessmap SSO settings.
Under the User Provisioning section in the SSO integration panel, once the slider is activated, you have two Credential parameters:
- Tenant or SCIM Base URL - The URL your IdP calls automatically to notify Businessmap whenever your users are modified.
- Secret or SCIM Bearer Token - Used by your IdP to authenticate securely to your Businessmap account.
Copy these credentials and place them in your IdP configuration panel. Treat the bearer token like a password: anyone who holds it can send provisioning requests to your account. See the articles at the bottom for some of the most common IdPs that we support.
Adding new users to your organization:
When new people join your organization, they are usually registered in your IdP and assigned, individually or in most cases via a set of groups, to the associated provisioning applications such as Businessmap. When this happens, the IdP sends a signal to our SSO / SCIM integration with meta information about the user, and Businessmap automatically creates the user in your Businessmap account. In the same way as if you had invited the user manually, the system sends an invitation email to the user's address with a link for logging in to the Businessmap account. The user is not active and does not consume a license seat until the first login.
Even if your IdP does not support SCIM, as long as users are allowed to access Businessmap through your SAML 2.0 IdP settings, Businessmap provides an option to create new users automatically upon their first login.
If that option is not enabled and you do not have provisioning set up, you first need to register the user by sending a Businessmap email invitation from your Businessmap account, so that the user can log in to the system using the SSO flow.
Note: Once users are invited and have successfully logged in via SSO, they are not assigned to any workspaces or boards. The Account Owner or Workspace Managers should assign the newly registered users to the appropriate workspaces and boards. As a best practice for the end-user experience in large organizations using the SSO integration, we recommend creating a Company Dashboard assigned to the Global Businessmap Team, with a text widget listing your company's Workspace Managers or contacts within the organization. This way users can directly contact the responsible people and ask for access to their boards and workflows.
Enabling SCIM provisioning and how this affects existing Businessmap users:
If a user had an account in Businessmap before the SSO integration was configured and uses the same email in your IdP, their user profile will be mapped automatically. This means the user will now log in through the IdP but will continue using the same user profile in Businessmap.
If, however, the user logs in to Businessmap with one email but is registered with another email in the Identity Provider, then after provisioning is turned on the integration will create a new user account in Businessmap with the user's IdP email!
IMPORTANT: If you use User Groups to manage the people in your IdP that are assigned to the provisioning application, then once you turn the integration on, the IdP will start synchronizing all users from your assigned groups into Businessmap one by one. If those users are not registered in Businessmap, you might end up sending many invitation emails to the members of that group, since they are automatically registered and invited to join Businessmap. If this is not the required behavior, there should be an option in the IdP provisioning configuration to switch off new user/create events and use only update and remove user events.
Updating users in Businessmap with provisioning:
With the provisioning enabled, if a user's email is centrally changed, the modification will be done in Businessmap as well.
Note: Businessmap uses the user's email as the unique identifier for login and for mapping between the user in your IdP and the user in Businessmap, so only email modifications are supported.
If your IdP requires users to log in with their usernames, company ID numbers, or any other special property, modifications to those properties have no impact on Businessmap.
Removing users from Businessmap with provisioning:
With provisioning enabled, if a user is centrally removed from the IdP (deleted, unassigned from the application or a group, disabled, blocked, etc.), a signal is sent to the SSO provisioning integration and the system disables the user in Businessmap as well, revoking its access.
Disabling a user profile is reversible, and if the user is expected to require access to Businessmap at a later stage, their profile can be re-enabled centrally from your IdP.
Deleting a user profile in Businessmap is permanent and irreversible, which is why, even if the user is permanently removed at your IdP, it is only disabled in your Businessmap account. Disabled users free up license seats, and at any point in time the Account Owner can delete the user in Businessmap permanently.
Note: Deleting a user in Businessmap anonymizes all previously assigned cards and performed actions because of the GDPR regulations. If an old or deleted user is re-invited, they are added to the system as a completely new user.
Note: If the Account Owner disables or deletes a user profile directly in Businessmap but not in the IdP, the user will be created / invited again in Businessmap on the next sync!
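As an added example (not Businessmap's own code), the following Python model applies the lifecycle rules described above: a create event for an unknown email adds an invited user that consumes no seat until first login, the same email maps to the existing profile, a userName change is the only supported rename, a removal at the IdP only disables the profile, and a user disabled only in Businessmap is re-invited on the next sync. The bearer token value and the sample users are constructed for the example.

```python
import hmac

# Constructed secret for the example; in practice it is the SCIM Bearer Token from the SSO panel.
SCIM_BEARER_TOKEN = "constructed-example-token"

def token_ok(auth_header):
    """Constant-time check of the Bearer token the IdP presents (RFC 7644 uses OAuth bearer auth)."""
    scheme, _, token = auth_header.partition(" ")
    return scheme == "Bearer" and hmac.compare_digest(token, SCIM_BEARER_TOKEN)

class Account:
    """Toy model of a Businessmap account; users are keyed by email, the page's mapping key."""
    def __init__(self, existing=()):
        # Users invited manually before SSO: active and already occupying a seat.
        self.users = {e: {"active": True, "logged_in": True} for e in existing}
        self.invites = []                          # invitation emails the model "sent"

    def seats_used(self):
        # A seat is consumed only by enabled users who have logged in at least once.
        return sum(1 for u in self.users.values() if u["active"] and u["logged_in"])

    def scim(self, auth, method, email, ops=()):
        """Apply one IdP-originated SCIM call and return an HTTP-style status code."""
        if not token_ok(auth):
            return 401
        if method == "POST":                       # IdP 'create user' event
            user = self.users.get(email)
            if user is None:                       # unknown email: new profile + invitation
                self.users[email] = {"active": True, "logged_in": False}
                self.invites.append(email)
                return 201
            if not user["active"]:                 # disabled only in Businessmap: re-invited on sync
                user["active"] = True
                self.invites.append(email)
            return 200                             # same email: mapped to the existing profile
        if email not in self.users:
            return 404
        if method == "DELETE":                     # deleted/unassigned/blocked at the IdP
            self.users[email]["active"] = False    # disabled, never deleted: reversible, frees a seat
            return 204
        if method == "PATCH":
            for op in ops:                         # SCIM PatchOp, RFC 7644 section 3.5.2
                if op["path"] == "active":         # disable or re-enable centrally
                    self.users[email]["active"] = bool(op["value"])
                elif op["path"] == "userName":     # email change is the only supported rename
                    self.users[op["value"]] = self.users.pop(email)
                    email = op["value"]
            return 200
        return 405
```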
3. IdP Configurations
Each IdP should have a provisioning configuration section for adding the two parameters required by the integration: SCIM Base URL and SCIM Bearer Token. These parameters may be named differently depending on the IdP.
For detailed instructions on how to configure SSO and user provisioning, check out our dedicated articles on some of the most common Identity Providers:
Microsoft Entra ID - How to Set Up SAML Single Sign-On with Microsoft Entra ID?