Tutorial: Configure 4me for automatic user provisioning

The objective of this tutorial is to demonstrate the steps to be performed in 4me and Azure Active Directory (Azure AD) to configure Azure AD to automatically provision and de-provision users and/or groups to 4me.

Note

This tutorial describes a connector built on top of the Azure AD User Provisioning Service. For important details on what this service does, how it works, and frequently asked questions, see Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory.

This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see Supplemental Terms of Use for Microsoft Azure Previews.

Prerequisites

The scenario outlined in this tutorial assumes that you already have the following prerequisites:

  • An Azure AD tenant
  • A 4me tenant
  • A user account in 4me with Admin permissions.

Before configuring 4me for automatic user provisioning with Azure AD, you need to add 4me from the Azure AD application gallery to your list of managed SaaS applications.

To add 4me from the Azure AD application gallery, perform the following steps:

  1. In the Azure portal, in the left navigation panel, select Azure Active Directory.

  2. Go to Enterprise applications, and then select All applications.

  3. To add a new application, select the New application button at the top of the pane.

  4. In the search box, enter 4me, select 4me in the results panel, and then click the Add button to add the application.

Assigning users to 4me

Azure Active Directory uses a concept called assignments to determine which users should receive access to selected apps. In the context of automatic user provisioning, only the users and/or groups that have been assigned to an application in Azure AD are synchronized.

Before configuring and enabling automatic user provisioning, you should decide which users and/or groups in Azure AD need access to 4me. Once decided, you can assign these users and/or groups to 4me by following the instructions here:

Important tips for assigning users to 4me

  • It is recommended that a single Azure AD user is assigned to 4me to test the automatic user provisioning configuration. Additional users and/or groups may be assigned later.

  • When assigning a user to 4me, you must select any valid application-specific role (if available) in the assignment dialog. Users with the Default Access role are excluded from provisioning.

Configuring automatic user provisioning to 4me

This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in 4me based on user and/or group assignments in Azure AD.

Tip

You may also choose to enable SAML-based single sign-on for 4me, following the instructions provided in the 4me single sign-on tutorial. Single sign-on can be configured independently of automatic user provisioning, though these two features complement each other.

To configure automatic user provisioning for 4me in Azure AD:

  1. Sign in to the Azure portal. Select Enterprise Applications, then select All applications.

  2. In the applications list, select 4me.

  3. Select the Provisioning tab.

  4. Set the Provisioning Mode to Automatic.

  5. To retrieve the Tenant URL and Secret Token of your 4me account, follow the walkthrough as described in Step 6.

  6. Sign in to your 4me Admin Console. Navigate to Settings.

    Type apps in the search bar.

    Open the SCIM dropdown to retrieve the Secret Token and the SCIM endpoint.

  7. Upon populating the fields shown in Step 5, click Test Connection to ensure Azure AD can connect to 4me. If the connection fails, ensure your 4me account has Admin permissions and try again.

  8. In the Notification Email field, enter the email address of a person or group who should receive the provisioning error notifications, and select the Send an email notification when a failure occurs check box.

  9. Click Save.

  10. Under the Mappings section, select Synchronize Azure Active Directory Users to 4me.

  11. Review the user attributes that are synchronized from Azure AD to 4me in the Attribute Mapping section. The attributes selected as Matching properties are used to match the user accounts in 4me for update operations. Please ensure that 4me supports filtering on the matching attribute you have chosen. Select the Save button to commit any changes.

  12. Under the Mappings section, select Synchronize Azure Active Directory Groups to 4me.

  13. Review the group attributes that are synchronized from Azure AD to 4me in the Attribute Mapping section. The attributes selected as Matching properties are used to match the groups in 4me for update operations. Select the Save button to commit any changes.

  14. To configure scoping filters, refer to the instructions provided in the Scoping filter tutorial.

  15. To enable the Azure AD provisioning service for 4me, change the Provisioning Status to On in the Settings section.

  16. Define the users and/or groups that you would like to provision to 4me by choosing the desired values in Scope in the Settings section.

  17. When you are ready to provision, click Save.

This operation starts the initial synchronization of all users and/or groups defined in Scope in the Settings section. The initial sync takes longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running. You can use the Synchronization Details section to monitor progress and follow links to the provisioning activity report, which describes all actions performed by the Azure AD provisioning service on 4me.

For more information on how to read the Azure AD provisioning logs, see Reporting on automatic user account provisioning.

Connector Limitations

  • 4me has different SCIM endpoint URLs for test and production environments. The former ends with .qa while the latter ends with .com.
  • 4me generated Secret Tokens have an expiration date of a month from generation.
  • 4me doesn't support DELETE operations.
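
The first two limitations can be checked before Test Connection is pressed. The following is an added example, not code from 4me or Microsoft: it classifies a Tenant URL as test or production from its host suffix and flags a Secret Token that is expired or close to expiry. The host names, the 7-day warning window, the https requirement and the reading of "a month" as one calendar month are assumptions.

```python
import calendar
from datetime import date
from urllib.parse import urlsplit

ROTATE_WARNING_DAYS = 7  # assumption: warn one week before the token expires


def classify_endpoint(tenant_url):
    """Return 'test' or 'production' from the SCIM endpoint's host suffix."""
    parts = urlsplit(tenant_url)
    # Assumption: the bearer token must only ever travel over https.
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("Tenant URL must be an absolute https:// URL")
    host = parts.hostname.lower().rstrip(".")
    if host.endswith(".qa"):
        return "test"
    if host.endswith(".com"):
        return "production"
    raise ValueError(f"unexpected host suffix: {host}")


def token_expiry(generated):
    """One calendar month after generation, clamped to the month's last day."""
    year = generated.year + generated.month // 12
    month = generated.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(generated.day, last_day))


def preflight(tenant_url, token_generated, expected_env, today):
    """List the problems to fix before saving the provisioning settings."""
    problems = []
    env = classify_endpoint(tenant_url)
    if env != expected_env:
        problems.append(f"endpoint is {env}, expected {expected_env}")
    days_left = (token_expiry(token_generated) - today).days
    if days_left < 0:
        problems.append("secret token expired; generate a new one in 4me")
    elif days_left <= ROTATE_WARNING_DAYS:
        problems.append(f"secret token expires in {days_left} day(s)")
    return problems


if __name__ == "__main__":
    # Constructed values for illustration, not real 4me endpoints.
    print(preflight("https://scim.example.qa/v1", date(2024, 1, 31),
                    "production", date(2024, 2, 27)))
```

Recording the token's generation date when it is copied from the 4me SCIM dropdown is what makes the expiry check possible.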
