Identity Provider user provisioning considerations

Some limitations apply to user provisioning from an Identity Provider (IdP) into WFO.

Maximum supported email address length

The provisioning process inserts the email address for the user from the IdP into the WFO username attribute, which is limited to 120 characters maximum.

If the email address is more than 120 characters, synchronization for the user fails.

Characters not supported in First Name and Last Name attributes

The WFO First Name and Last Name attributes do not support the following characters:

[ ] < > " & ! ? ,

Restricted editing in WFO

The following fields are managed by the IdP and restricted to read-only in the WFO user interface:

  • Under User Management, Employees, Profiles:

    • Last Name

    • First Name

    • Employee ID

    • Email Address

    • Work Phone

    • Cell Phone

    • Address Line 1

    • City

    • State

    • Zip Code

    • Country

Do not add users from the WFO user interface

When employees and users have been provisioned from the IdP, do not add users from the WFO user interface.

Authentication flow change

When users have been provisioned and the system is integrated into the cloud platform, the authentication flow changes to two hops in the SAML authentication process.

Blank entries in the IDP server are not pushed to the WFO server

There are 14 fields that are managed on the IDP server and have read-only values in the WFO Usernames and Profiles page. If any of these fields are changed to blank (empty) entries in the IDP server, no change is pushed to the WFO server. In such a case, the value for the field in the WFO Usernames or Profiles page does not change. The field in WFO continues to have the same value that it had before the field was changed to blank on the IDP server.

Workaround

Instead of entering a blank value for a field in the IDP server, enter a convention such as "NA" or "Not applicable." Then "NA" or "Not applicable" appears in the field on the WFO Usernames or Profiles page.

Adding a new user who has the same email address (Username) as a user deleted from Azure Active Directory

When provisioning users from Azure Active Directory (AAD) to WFO, a user’s email address is specified as the Username for the user. If a user is deleted from AAD, the user is not deleted from WFO. The deleted user has an inactive status in WFO. If you later try to add a new user with the same email address as the deleted user in the customer IDP, the new user is not added to WFO. Instead, the system updates the deleted user with the new user’s information in WFO. Also, all of the employee attributes for the deleted user are editable in WFO.

Workaround

To add a new user who has the same email address as a user who has been deleted from the AAD:

  1. From WFO, manually delete the user who was deleted from the AAD.

    1. Go to User Management. Under Employees, select Profiles.

    2. In the Name column (left panel), select the user who was deleted from the AAD.

    3. Click the Delete button.

  2. Create the new user in the IDP, with the same email address (Username) as the user that was deleted from AAD. The new user will be synced from the IDP to WFO.
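
The limits described above (120-character email, unsupported name characters, blank values that are not pushed, and reuse of a deleted user's email address) can be checked on the IdP side before a sync. The following is an added example, not part of the product or its documentation. The record keys, the list of inactive WFO usernames, and the case-insensitive username comparison are assumptions.

```python
MAX_USERNAME_LEN = 120              # WFO username limit stated on this page
BAD_NAME_CHARS = set('[]<>"&!?,')   # unsupported in First Name / Last Name
# Field keys below are hypothetical; map them to your IdP export's columns.
NAME_FIELDS = ("first_name", "last_name")
BLANKABLE_FIELDS = ("work_phone", "cell_phone", "address_line_1", "city",
                    "state", "zip_code", "country")

def check_user(user, inactive_wfo_usernames=()):
    """Return (field, problem) tuples for one IdP user record (a dict)."""
    problems = []
    email = (user.get("email") or "").strip()
    if not email:
        problems.append(("email", "missing; the email becomes the WFO username"))
    elif len(email) > MAX_USERNAME_LEN:
        problems.append(("email", f"{len(email)} characters; over "
                                  f"{MAX_USERNAME_LEN} the sync fails"))
    # Assumption: usernames are compared case-insensitively.
    inactive = {u.strip().lower() for u in inactive_wfo_usernames}
    if email and email.lower() in inactive:
        problems.append(("email", "matches a user deleted from AAD but still in "
                                  "WFO; delete that WFO user first"))
    for field in NAME_FIELDS:
        bad = sorted(set(user.get(field) or "") & BAD_NAME_CHARS)
        if bad:
            problems.append((field, "unsupported characters: " + " ".join(bad)))
    for field in BLANKABLE_FIELDS:
        # Present-but-blank is the case that is never pushed to WFO.
        if field in user and not (user[field] or "").strip():
            problems.append((field, 'blank is not pushed; send "NA" instead'))
    return problems

def check_batch(users, inactive_wfo_usernames=()):
    """Map record index -> problems, listing only records that have any."""
    checked = ((i, check_user(u, inactive_wfo_usernames)) for i, u in enumerate(users))
    return {i: p for i, p in checked if p}

# Constructed sample records, not real data.
SAMPLE_USERS = [
    {"email": "ana@example.com", "first_name": "Ana", "last_name": "Li", "city": "Oslo"},
    {"email": "x" * 110 + "@example.com", "first_name": "Bo", "last_name": "Ray"},
    {"email": "cy@example.com", "first_name": "Cy", "last_name": "O'Neil, Jr", "city": ""},
    {"email": "Dee@example.com", "first_name": "Dee", "last_name": "Poe"},
]
SAMPLE_INACTIVE = ["dee@example.com"]   # constructed list of inactive WFO usernames

if __name__ == "__main__":
    for idx, probs in check_batch(SAMPLE_USERS, SAMPLE_INACTIVE).items():
        for field, problem in probs:
            print(f"record {idx}: {field}: {problem}")
```

Because provisioning activity does not appear in the Audit Viewer, keeping the output of a check like this alongside each sync gives a record of which users were expected to fail or be overwritten.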

Auditing of provisioning activity not available

You cannot view provisioning activities in the Audit Viewer.