This allows existing directories to be displayed.

The Status column shows whether the directory is Active or Inactive.

The SmartSync column shows the status of synchronization with SmartSync, where:

• Not configured: indicates that the directory setup in SmartSync has not been finished yet.
• Configured: indicates that Identity has successfully connected to SmartSync.
• Unavailable: indicates that the configuration of Identity with SmartSync has been completed, but the SmartSync server is not currently syncing.

Name
Name to identify the directory. 

Migrate from SmartSync?

• Yes: By enabling this option, all users and groups from the directory indicated in the Active Directory field will be migrated once the SmartSync configuration is finished. 
• No: By keeping the option disabled, the new Active Directory will be created without importing users and groups from the previous SmartSync.

Enable automatic user acceptance?

• Yes: By enabling this option, all users imported from this Active Directory by SmartSync will be automatically accepted and provisioned into this Identity context.
• No: By keeping the option disabled, all users imported from this Active Directory by SmartSync will be added to the Pending list until they are manually approved.

NOTE:
If you are adding the first AD, you will be presented with some general settings fields. For more details about each option, see the Change general settings item of this documentation.

User filter
Use the Active Directory variables to filter the users that will be synchronized. If the value has been incorrectly changed, click the  Restore default button to return to the original values.

Groups filter
Use the Active Directory variables to filter the groups that will be synchronized. If the value has been incorrectly changed, click the Restore default button to return to the original values.

NOTE:
The fields corresponding to the User filter and Groups filter must be filled in the LDAP format. When a filter is set for users and/or groups, SmartSync will recognize this parameter and import the users and groups into Identity based on the filter specified in these fields.

The filter fields are pre-filled with a default value, so no conditions need to be specified for import, allowing all users and groups to be imported.

Default value:

• Users filter: (&(objectClass=user)(objectCategory=person))
• Groups filter: (objectCategory=group)

For more details on creating filters, read the LDAP user import filters documentation.

A confirmation message is displayed, and the created directory appears in the directory list. The status Not configured is displayed in the SmartSync column, indicating that the configuration of the application that synchronizes with the Active Directory server needs to be completed. To install the application, download the SmartSync installer as follows.

Windows versions compatible with SmartSync can be found in the TOTVS Identity Portability Matrix. To learn more about the installation, visit the SmartSync technical documentation.

The generated token is displayed in the Token column of the respective directory. To copy it, click the generated token. 

This token must be provided when adding Active Directory to SmartSync. For more information, refer to the Add Active Directory item in the SmartSync documentation.

NOTE:
The one-time token is designed to provide SmartSync users with increased security for their credentials. Configuration in Active Directory using the token will only be done once to synchronize the Identity company and Active Directory. If a new token is generated, the old one will be invalidated, enhancing the security of the user's credentials.

When generating the token, an encryption key will also be transmitted, which will be used by SmartSync to read the information when the user logs into Identity.

NOTE:
The screens above may differ from what is shown, due to Microsoft Azure updates.

1. Sign in to the Microsoft Azure portal with an administrator account.

2. Open the Menu (three lines in the top left corner) and click the Azure Active Directory service. See image

3. On the left side options, click Enterprise Applications.  See image

4. Click em + New Application. See image

5. Choose the Application not found in the Gallery option. See image

6. Choose a name and create the app.

7. Select Configure single sign-on (mandatory). See image

8. Select SAML.

9. In the Basic SAML Configuration section, click the pencil icon to edit. See image

10. In the Identifier (Entity ID) field, type TotvsLabs. See image

11. In the Response URL (Assertion Consumer Service URL) field, enter the copied value that was obtained in Identity. See image

Here’s a tip!
This is the address: https://[COMPANY].fluigidentity.com/cloudpass/SAML/acs replacing the text “[COMPANY]” with the subdomain of your company from Identity.

12. In the SAML Authentication Certificate section, download the Federation Metadata XML file and save it. See image

13. On the left side menu, access Users and Groups and assign this app to the desired users/groups. See image

With this, Identity is ready to receive SSO login requests from the previously created Microsoft Azure SAML application.

Log in with any of the users you added to the SAML application and access the user applications page. In the application list, the previously created application that is configured for SSO login into Identity will be displayed.  See image

Click the previously created application and you will be logged in to Identity. On the initial login, this Microsoft Azure user will be created in Identity.

ATTENTION!
This user will be created in TOTVS Identity based on the information of the user already existing in Microsoft Azure. Starting now, you can log in to the Identity company using this Microsoft Azure user (by signing in to Microsoft Azure and clicking on the TOTVS Identity app that has been set up). This login from Microsoft Azure to Identity does not involve authentication with the local Active Directory using SmartSync. The login only involves Microsoft Azure and Identity.

LOCAL AD

Name
Directory name.

Enable automatic user acceptance?

Yes: By enabling this option, all users imported from this Active Directory by SmartSync will be automatically accepted and provisioned into this Identity context.

No: By keeping the option disabled, all users imported from this Active Directory by SmartSync will be added to the Pending list until they are manually approved for context by the company's management.

User filter
Use the Active Directory variables to filter the users that will be synchronized. If the value has been incorrectly changed, click the Restore default button to return to the original values.

Groups filter
Use the Active Directory variables to filter the groups that will be synchronized. If the value has been incorrectly changed, click the Restore default button to return to the original values.

NOTE:
The fields corresponding to the User filter and Groups filter must be filled in the LDAP format. When a filter is set for users and/or groups, SmartSync will recognize this parameter and import the users and groups into Identity based on the filter specified in these fields.

The filter fields are pre-filled with a default value, so no conditions need to be specified for import, allowing all users and groups to be imported.

Default value:

• Users filter: (&(objectClass=user)(objectCategory=person))
• Groups filter: (objectCategory=group)

For more details on creating filters, read the LDAP user import filters documentation.

AZURE AD

Name
Directory name.

Azure AD Identifier
SAML Authentication Certificate ID sent.

The available settings are:

Allow Active Directory credentials
Set whether users will be allowed to access the company in TOTVS Identity using Active Directory credentials (network e-mail and password).

Save Active Directory credentials in TOTVS Identity
By checking this option, Plugin-type applications can be configured to access using Active Directory credentials.

The available settings are:

Synchronize changes in Active Directory user status
By checking this option, users disabled in Active Directory will also be automatically disabled from the company in Identity. Status synchronization is performed via SmartSync.

Synchronize changes in the user status of TOTVS Identity
By checking this option, changes to user status in Identity must be synchronized to Active Directory. As such, users who are disabled in Identity will also be automatically disabled in Active Directory.

ATTENTION!
If there are ADs with no configuration in the context, the options Synchronize changes in the status of the Active Directory user and Synchronize changes in the status of the TOTVS Identity user remain disabled and cannot be checked.

The available settings are:

Allow password change
When this option is active, password changes for Active Directory may be made on the user's My profile page.

Save Active Directory password cache
When this option is active, a hash (which cannot be decrypted) of user passwords will be saved in TOTVS Identity, which provides faster authentication.

With deactivation, user synchronization is halted, and imported users are unable to use their Active Directory credentials to log in to Identity. 

Inactive directories are identified by the status Inactive. You can reactivate inactive directories at any time.

With the deletion, user synchronization is permanently halted, and imported users are unable to use their Active Directory credentials for authentication in TOTVS Identity. 

ATTENTION!
After deleting Active Directory, make sure you enable login with a personal password (via the Security tab). With this, users created from AD will still be able to access normally. Since users will no longer be bound to AD, they will need to authenticate with e-mail and password from Identity. However, since users do not yet have an Identity password, all users will need to reset their passwords through the login screen by selecting the "Forgot your Password" option. An email containing a link to reset the user's password will be sent.

Na parte superior é apresentada uma seção de informações sobre a sincronização entre o TOTVS Identity e o SmartSync:

Última sincronização com SmartSync
Apresenta a data e hora da última comunicação realizada entre SmartSync e Identity. O Identity identifica que o SmartSync está disponível com base no recebimento da comunicação no sentido SmartSync → Active Directory.

Versão do SmartSync
Informa a versão do SmartSync que está executando a sincronização entre Identity e o Active Directory.

Servidor do Active Directory
Endereço do servidor Active Directory, conforme configuração do SmartSync.

DN Raiz
Configuração do SmartSync que indica o diretório raiz utilizado para sincronização dos dados entre Identity e Active Directory.

Em seguida são apresentadas as abas Usuários e Grupos, que possibilitam a visualização de usuários e grupos importados no diretório escolhido. 

Existem três formas de aceitar usuário no Identity: um por um, usuários selecionados ou todos os usuários da lista.

Com isso, enquanto o aceite de usuários não é concluído, os usuários são apresentados na lista Processando.

Após concluir a ação, caso esteja tudo certo, o usuário passa a ser apresentado na lista de usuários aceitos com o indicativo . A partir do momento em que é aceito, o usuário importado é definido como Ativo e o acesso à empresa no TOTVS Identity está liberado. Os usuários passam a ser listados na página de Gerenciamento de Usuários. No perfil do usuário, os campos nome, sobrenome, e-mail, cargo e departamento são automaticamente preenchidos com os dados importados do Active Directory.

No momento do aceite do usuário, o Identity verifica se o e-mail importado já está cadastrado. Se já existir o e-mail no Identity, esse usuário será enviado para a lista de usuários rejeitados com o indicativo de , onde pode ser feita a alteração de e-mail do usuário. Para mais detalhes, consulte o item Corrigir usuário dessa documentação.

Existem duas formas de rejeitar usuário no Identity: um por um ou usuários selecionados.

Após concluir a ação, o usuário passa a ser apresentado na lista de usuários rejeitados com o indicativo .

Existem duas formas de excluir usuário importado: um por um ou usuários selecionados.

Após concluir a ação, o usuário excluído não é mais apresentado na lista de usuários rejeitados e nem será importado novamente.

Após a correção, o usuário passa a ser apresentado na lista de usuários pendentes com o e-mail alterado, e pode ser aceito para que o usuário seja criado no Identity.

Existem duas formas de aceitar grupo no Identity: um por um ou grupos selecionados.

Com isso, enquanto o aceite de grupos não é concluído, os grupos são apresentados na lista Processando.

Após concluir a ação, caso esteja tudo certo, o grupo passa a ser apresentado na lista de grupos aceitos com o indicativo . Os grupos importados do Active Directory e aceitos são listados junto aos demais grupos próprios do Identity na página de Gerenciamento de Grupos.

Existem duas formas de rejeitar grupos no Identity: um por um ou grupos selecionados.

Após concluir a ação, o grupo passa a ser apresentado na lista de grupos rejeitados com o indicativo .

O nome de um grupo do importado do Active Directory pode ser alterado no Identity para que, quando este grupo for aceito, ele seja criado com este novo nome de exibição.