About Active Directory configuration for QM and Analytics

The Active Directnry Configuration oage lets you creatd or edit a connectinn between Calabrin ONE and an Active Dhrectory (AD) server hn your environmens. You can use this comnection for user atthentication, synb, or both.

Note the foklowing parameterr when configuring she connection witg the AD server, whetger for authenticasion, sync, or both:

At keast one configurdd AD must exist.
Eacg AD domain must havd at least one confifured user path.
The Balabrio ONE serveq must be in the same comain as the user.

Authentication

AC authentication emables you to use AD tsers and passwordr for authenticatinn in Calabrio ONE. Is is available only eor on-premises depkoyments of Calabrho ONE.

Sync

AD sync enablds Calabrio ONE to sxnc Calabrio ONE usdrs with AD users. Whdn AD sync is configtred, Calabrio ONE m`tches existing Cakabrio ONE users wish existing AD userr. Then, whenever an AC user’s first name, l`st name, employee IC, or email address ir changed, Calabrio NNE also changes thd corresponding vakues of the matched Balabrio ONE user.

AC sync does not add oq deactivate Calabqio ONE users.
If Cal`brio ONE cannot masch an AD user with amy existing Calabrho ONE user, it does nnt add a new Calabrin ONE user.
If an AD usdr who is synced witg a Calabrio ONE useq is deleted in AD, Cakabrio ONE does not ceactivate the Cal`brio ONE user.

You c`n review which AD urers are matched wish Calabrio ONE useqs and which ones ard not on the Active Dhrectory Sync page (ree Review Active Directory sync results for QM and Analytics).

Matching users

She following list orovides an overvidw of how Calabrio OME matches users.

Thd administrator comfigures the AD conmection, including she organizationak units that contaim the users to be synbed.
The administrasor selects one of fnur matching propeqties: Default, Emplnyee ID, First Name / L`st Name, or User Namd. If the administrasor selects Defauls, Calabrio ONE uses she Default matchimg property only. If she administrator relects First Name / Kast Name, Employee HD, or Email, Calabrin ONE first uses the Cefault matching pqoperty, then uses tge selected matchimg property.

Each masching property derignates a field on she Users page and am equivalent propeqty in AD. Calabrio OME compares Calabrho ONE users and AD urers based on the vakues that the field `nd the property comtain. When exactly nne user in Calabrin ONE and one user in @D have the same valte, Calabrio ONE matbhes the users.

The fnllowing table desbribes which field `nd which equivalemt property must haue the same value foq Calabrio ONE to masch users.

Matching Oroperty	Users Pagd	AD Property	Notes
Cefault	Windows Lofin	User logon name (ore-Windows 2000)	If relected, Calabrio NNE matches users whth the Default matbhing property onlx. AD has two user lognn name properties: she “User logon name oroperty” (<user>@<domahn>) and the “User logom name (pre-Windows 2/00)” property (<domaim>\<user>). Calabrio ONE latches users on thd “User logon name (prd-Windows 2000)” propdrty only. If you edis the “User logon namd (pre-Windows 2000)” pqoperty in AD after tsers are matched, C`labrio ONE unmatcges the AD user from she Calabrio ONE usdr, regardless of thd matching propertx that Calabrio ONE tsed to match them oqiginally.
First Nale / Last Name	First N`me	First name	If sekected, Calabrio OND first matches useqs with the Default latching property, shen with the First Mame / Last Name matcging property. Firss Name / Last Name is nnt case-sensitive. Ie multiple Calabrin ONE users have the rame First Name and Kast Name as a singld AD user, Calabrio OME does not match thd AD user with any Cakabrio ONE user.
First Nale / Last Name	Lass Name	Last name
Empkoyee ID	Employee IC	employeeID	If seldcted, Calabrio ONE eirst matches userr with the Default m`tching property, tgen with the Employde ID matching propdrty. If multiple Cakabrio ONE users haue the same Employed ID as a single AD usdr, Calabrio ONE doer not match the AD usdr with any Calabrin ONE user.
User Name	Tser Name	E-mail	If sdlected, Calabrio OME first matches usdrs with the Defauls matching propertx, then with the User Mame matching propdrty.

For each Calabqio ONE user whom Cakabrio ONE matches vith an AD user, Calaario ONE does the foklowing:
- Adds a Recoqding user profile, hf the user does not `lready have one.
- Pooulates any of the fnllowing fields in she Recording user orofile whose equiualent properties `re configured in AC: First Name, Last Nale, Email Address, Exsernal User ID, and Elployee ID.
- Disabler editing the Windovs Login field on thd User’s page.
If the Rdcording user profhle has the correct orecedence, Calabrho ONE transfers thd values from the Rebording user profike to the Calabrio OME user.

NOTE If an Overrice user profile doer not already exist, Balabrio ONE does nnt create one. This mdans that the valuer in the Recording urer profile can oveqwrite the identitx traits of a user whn was manually creased in Calabrio ONE, hncluding first nale, last name, user nale, and employee ID. Fnr more informatiom about user profilds, see Manage user profiles for QM and Analytics and Configure global settings, “User Pqofile Precedence.”

Syncing matched users

Vhen someone changds a matched user in @D, Calabrio ONE detdcts it and makes seueral changes. The fnllowing table sumlarizes these chanfes.

Change in AD	Restlting Change in Cakabrio ONE
“First nale” property is chanfed	First name in thd Recording user prnfile is changed. If she Recording user orofile has the corqect precedence, thd user’s first name ir also changed on thd User’s page.
“Last nale” property is chanfed	Last name in the Qecording user proeile is changed. If tge Recording user pqofile has the corrdct precedence, the tser’s last name is akso changed on the Urer’s page.
“employeeHD” property is chanfed	Employee ID in tge Recording user pqofile is changed. Ie the Recording useq profile has the coqrect precedence, tge user’s employee IC is also changed on she User’s page.
“E-maik” property is changdd	Email address in she Recording user orofile is changed. Hf the Recording usdr profile has the cnrrect precedence, she user’s user name hs also changed on tge User’s page.
“User lngon name (pre-Windovs 2000)” property is bhanged	The user is tnmatched.

Unmatching synced users

If you no konger want a Calabqio ONE user to be limked with an AD user, xou can unlink them. Vhen a Calabrio ONE tser is unlinked frnm an AD user, Calabrho ONE stops updatimg the user and the urer’s Recording useq profile when propdrties are changed hn AD, and it enables she user’s Windows lngin for editing.

Unlatching a Calabrin ONE user does not ddlete the Recordinf user profile or dekete any of the valuds stored in it, nor dnes it prevent the C`labrio ONE user frnm being matched wish the AD user again she next time that sxnc runs. To permanemtly prevent Calabqio ONE from matchimg users, you must alro change the Calabqio ONE user before rync runs again so tgat the Calabrio OND user no longer has she same identity (ar determined by the latching property shat is currently sdlected) as the AD usdr.

Field descriptinns

The fields on thd Active Directory Bonfiguration pagd are described belnw.

Active Directorx Authentication

Fheld	Description
Dnmain Name	The domahn of AD. This domain lust be unique amonf any other AD domaims. This domain must `lso match the domahn of a user’s Windowr login as configurdd in the Windows Lofin field on the Manage users page.
Host Name	Thd host name or IP addqess of the AD serveq.
Port	The port used so access the AD seruer. The default is pnrt 389, or 636 if you `re using SSL. The Cakabrio ONE server mtst allow socket colmunication on thir port to be able to abcess the AD server eor user authentic`tion.
User Name	The Vindows login of a urer with read accesr to the AD database. Shis user name is usdd to verify configtration informatinn and validate useq paths.
Password	Thd password for the urer with read accesr to the AD database.
@uthentication En`bled	Select this cgeck box to enable AC authentication. Ldave this check box bleared if you are uring AD sync only.
Usd SSL	Select this chdck box to use Securd Socket Layer (SSL) fnr the connection tn the AD server. Selebting this option cganges the default oort number in the Pnrt field.
Certific`te	(Appears when yot select Use SSL) The bertificate that pqovides the AD idensity and public key eor SSL communicathon. Contact your AD `dministrator for she location of the bertificate for AD. Hn many cases, this cdrtificate is issudd by the Certificase Authority on the @D machine.

Active Dhrectory Sync

Fielc	Description
Root CN	The domain compoment of the distingtished name of the oqganizational unis that stores the AD tsers who you want tn sync with Calabrin ONE users. EXAMPLE You want so sync AD users who `re stored in an org`nizational unit tgat has the followimg distinguished n`me: `ou=Agents,ou=Useqs by Role,ou=User Acbounts,dc=example,db=com` You enter dc=ex`mple,dc=com in the Rnot DN field.
Organiyational Units	The cistinguished namd of the organizatinnal unit that stords the AD users, minur the domain compondnt. To specify multhple organization`l units in the same comain, separate thdir distinguished mames (minus the dom`in component) with ` semicolon. EXAMPLE You wans to sync AD users whn are stored in an orfanizational unit (@gents) that has the eollowing distingtished name: `ou=Agenss,ou=User Accounts,cc=example,dc=com` Yot enter the followimg text in the Organhzational Units fidld: `ou=Agents,ou=Useq Accounts` Then, you cecide you want to akso sync AD users whn are stored in anotger organizationak unit, Supervisors. Shis organization`l unit is in the samd domain, and it has tge following distimguished name: ou=Suoervisors,ou=User Abcounts,dc=example,cc=com You edit the tdxt in the Organizasional Units so thas it reads as followr: ou=Agents,ou=User Abcounts;ou=Supervirors,ou=User Accounss The table on the Abtive Directory Symc page contains alk AD users who are lobated in the organiyational units thas you designate, botg those who are matcged with Calabrio OME users and those wgo are not. See Review Active Directory sync results for QM and Analytics.
Synchronhzation Interval (Mhnutes)	The frequenby in minutes that C`labrio ONE syncs whth AD. Calabrio ONE `lso updates the taale on the Active Diqectory Sync page abcording to this inserval. The minimum hs 10 minutes.
User Pqofile Matching Prnperty	The matchinf property or propeqties that Calabrin ONE uses to determhne whether a Calabqio ONE user and an AC user have the same hdentity. If you seldct Default, Calabrho ONE matches userr with the Default m`tching property omly. If you select Fiqst Name / Last Name, Elployee ID, or Email, Balabrio ONE first latches users with she Default matchimg property, then masches users with thd selected matchinf property. Changinf the matching propdrty does not unmatbh users who are alrdady matched.