Automated user and group provisioning
As your EMS team grows, you'll need to create user accounts, groups and group memberships in a scalable way.
EMS offers two solutions:
Just-in-time provisioning via SAML (SAML JIT).
LDAP sync tool.
Just-in-time provisioning via SAML (SAML JIT)
This is our recommended option because it:
requires no on-premise infrastructure because it's part of the Celonis EMS.
provisions membership and groups automatically the first time a user logs in.
updates group memberships continuously with every login.
gives users the productivity gains of single sign-on for automated user and group provisioning.
removes users via the User locking policy. (Updated features coming April)
There are some requirements for the identity provider:
Group support.
Application access management.
Groups need to be sent with the SAML claim.
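The last requirement can be checked before rollout by inspecting a captured, decoded assertion from the identity provider. The following is an added example, not Celonis code: the attribute name "groups", the sample assertion and the function names are assumptions made for illustration, and the script checks content only, not the signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumption: the IdP sends group names in an attribute called "groups".
# Replace with the attribute name configured in your identity provider.
GROUP_ATTRIBUTE = "groups"

# Constructed sample assertion (unsigned, illustration only).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>ems-analysts</saml:AttributeValue>
      <saml:AttributeValue>ems-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def extract_groups(assertion_xml, attribute_name=GROUP_ATTRIBUTE):
    """Return (name_id, groups) from a decoded SAML 2.0 assertion or response."""
    # Only feed this trusted, captured test data; it does no signature
    # validation and uses the standard-library parser.
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS)
    groups = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attribute_name:
            groups += [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
    return name_id.strip(), [g for g in groups if g]

def check_jit_ready(assertion_xml):
    """List what is missing for group provisioning; empty list means OK."""
    name_id, groups = extract_groups(assertion_xml)
    problems = []
    if not name_id:
        problems.append("no NameID in Subject")
    if not groups:
        problems.append(f"no values for attribute {GROUP_ATTRIBUTE!r}")
    return problems

if __name__ == "__main__":
    print(extract_groups(SAMPLE_ASSERTION))
    print(check_jit_ready(SAMPLE_ASSERTION) or "groups present")
```

Because group memberships are updated with every login, an assertion that arrives without the group attribute is worth catching in testing rather than in production.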
LDAP sync tool (deprecated)
This has been deprecated.
It's a separate Java application that needs on-premise infrastructure.
It synchronizes users and groups from any LDAP-capable source to the team. It can:
create team and group memberships for new users.
update existing users' group memberships.
remove users.
It selects users and groups via LDAP queries:
You'll need to maintain it when people join or leave the team.
This is often scarce knowledge.
It requires an OpenLDAP-compatible data source.