Creating and maintaining user access for Pronestor Workspace in organizations can be made a lot easier by allowing access to be controlled by your Azure AD and using your organization's normal privilege grant flow.
By setting up Single Sign On with Office 365 and Azure AD, your organization can grant access to your employees without having to also create users in Pronestor Workspace.
Setting up Single Sign On
Setting up Single Sign On for Pronestor Workspace is easy.
But before you start, please contact Helpdesk@pronestor.com, so we can set up the reply URL on Pronestors Azure. It won't work without that step.
- Administrator access to your Azure AD
- Administrator access to Pronestor Workspace
- An Azure AD security group for Pronestor Workspace administrators
- An optional Azure AD security group for Pronestor Workspace bookers
First, you need to contact Pronestor Helpdesk to let them know you would like them to enable Office 365 SSO for your solution.
Once they have enabled it, you will need to connect your Azure AD to Pronestor Workspace. To be able to do that, you will have to have administrative privileges in both your Azure AD and in Pronestor Workspace.
Setting up the Connection in Workspace
To connect your Azure AD to Pronestor Workspace, you need to go to Admin Settings and chose the Settings menu. You will now see a section called Azure AD Authentication. Press the Connect link to start setting up SSO.
You will be asked to begin the Azure AD Admin Consent process.
After pressing Begin Onboarding, you will be met by the Azure AD Authentication challenge you already know from other sites such as office.com. Throughout the onboarding process, you will be asked a number of times to authenticate yourself like this. This is because we are asking for permissions to read data from your Azure AD.
You will be asked to accept the privileges we ask for.
These are “Sign in and read user profile”, which we use to authenticate the user and read information displayed in Pronestor Workspace, and “Read all groups”, which is used to allow you to restrict access to Pronestor Workspace based on Azure AD groups.
The information we read from the user profile is
- Full name
- E-mail address
- AD Groups
Once you have given your Administrator consent, we have access to your Azure AD with the privileges shown, and we can finish the setup process.
You will have to tell us what Azure AD group holds your Pronestor Workspace administrators. You will also be asked if you wish to restrict access from your Azure AD tenant to Pronestor Workspace based an Azure AD group. If you do not restrict booker access to an AD group, all active users in your Azure AD will be allowed to use Pronestor Workspace.
After this step is completed, we are able to authenticate users from your Azure AD. The first time a user tries to log into Pronestor Workspace they will have to click the Log In With SSO button and after that they will just be logged in using SSO.
The SSO integration is not a Synchronization of users. Users will be created when they first log into Pronestor Workspace. When you remove users from your Azure AD, they will no longer be able to log into Pronestor Workspace.