Learn more about the Centrify employee provisioning and single sign-on integration and how it can automatically sync employees into your Envoy directory.
To learn more about single sign-on, read Centrify’s SAML guide.
How does this integration work?
If your team uses Centrify for employee provisioning, you can use this integration to automatically keep your Envoy employee directory up to date. The SCIM push-based system treats the Centrify directory as your source of truth. When changes are made in Centrify, they push immediately to Envoy, so you don’t have to worry about the Envoy employee directory being out of sync.
Note: You can manually create new employees or add employees from other locations while maintaining your directory sync. This feature is helpful for contractors, temps or other people who may host visitors/receive deliveries but are not core team members. Learn more about manually adding employees.
A few notes on SCIM
The SCIM standard enables advanced provisioning in order to automate user lifecycle management for an application, including account creation, profile updates, authorization settings, and account deactivation.
Enabling the Envoy + Centrify integration
Note: You’ll need to have Centrify admin privileges to complete this integration. Either become an admin or ask your admin for help before completing these steps:
Step one: Prepare to enable the Envoy + Centrify employee provisioning integration (with SCIM)
Decide whether you’d like to sync all users to all locations or sync specific users per location. This will impact how you set up the integration.
Step two: Enable the Envoy + Centrify integration
- Go to your Integrations page.
- Under employee directory, find Centrify and click “Install.”
Step three: Choose an employee sync filter
After install, you have two options on how to sync employees to your directory. Choose the one that’s right for you:
Sync all employees: This is good for companies with one location, or if you prefer to have the same master Envoy employee directory at all locations within your company.
Sync specific employees per location: Choose this option if you’d like to sync certain employees to certain locations (i.e., creating different Envoy employee directories per location).
- You can filter employees by location in Envoy based on available filters like “City”. If your Centrify account does not currently have City as a field, you will need to add it as a Custom Field. Then you’ll need to manually map all users to the City field.
- To sync users per location, you’ll have to select “Sync specific users per location” in your Envoy dashboard.
Step four: Configure Centrify for SSO
- In your Centrify account, add a new custom app.
- Navigate to Service Provider Configuration in your custom app under SAML Response.
- Fill in the Single Sign-on instructions like the following and click Save:
- Navigate to Account Mapping and configure like the following:
- Back in the Envoy SAML configuration section, please insert your SSO fingerprint (calculated from your X.509 certificate) and identity provider SAML URL, then save.
Step five: Configure Centrify for SCIM directory syncing
Note: SSO configuration is required for SCIM.
- In the Envoy dashboard under enabled integrations, click configure on Centrify and copy the OAuth Bearer Token.
- In your Centrify account, navigate to Provisioning, and paste the Bearer Token.
- Configure your provisioning tab like the following:
- SCIM URL: https://app.envoy.com/scim/v2
- Once complete, click on “Verify”.
- Navigate back to the Envoy Employee directory > All employees and refresh. Your employees should be syncing.
Regarding adding employees
- When updating or adding employees, Envoy will match based on the primary email address listed for the Centrify user. If the primary email address is not found in Envoy, a new employee record will be created in the Envoy employee directory, even for an existing employee.
Regarding employee contact information
- The primary email address and phone number listed in Centrify will be the email address and phone number listed in the Envoy employee directory. If a user does not have a primary email address in their Centrify profile, they will not be synced to the Envoy employee directory.
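The matching rules in the two sections above can be checked before you enable the sync. The following pre-flight check is an added example, not Envoy's or Centrify's code: it takes SCIM 2.0 User resources and the email addresses already in your Envoy directory, and predicts which users would be updated, created as new records, or skipped. It assumes the primary address and phone number are carried in the SCIM `primary` sub-attribute and that addresses are compared case-insensitively; the function names and sample data are constructed for illustration.

```python
# Added example: predicts the outcome of the sync rules described above for
# SCIM 2.0 User resources (RFC 7643). Not Envoy's or Centrify's code.

def primary_value(user, attr):
    """Return the entry marked primary in a SCIM multi-valued attribute, or None."""
    for item in user.get(attr) or []:
        if item.get("primary") is True and str(item.get("value") or "").strip():
            return item["value"].strip()
    return None

def plan_sync(scim_users, envoy_emails):
    """Classify each user as 'update', 'create' or 'skip' under the page's rules."""
    # Assumption: addresses are compared case-insensitively; the page does not say.
    known = {e.strip().lower() for e in envoy_emails}
    plan = []
    for user in scim_users:
        email = primary_value(user, "emails")
        if email is None:
            action = "skip"      # no primary email: not synced to Envoy
        elif email.lower() in known:
            action = "update"    # matched on primary email
        else:
            action = "create"    # unmatched: a new employee record is created
            known.add(email.lower())
        plan.append({"userName": user.get("userName"), "action": action,
                     "email": email, "phone": primary_value(user, "phoneNumbers")})
    return plan

# Constructed sample data (not real accounts).
SAMPLE_USERS = [
    {"userName": "avery", "emails": [{"value": "Avery@example.com", "primary": True}],
     "phoneNumbers": [{"value": "+1-555-0100", "primary": True}]},
    # Primary address changed in the IdP; Envoy still holds the old one.
    {"userName": "blake", "emails": [{"value": "blake.new@example.com", "primary": True},
                                     {"value": "blake@example.com", "type": "work"}]},
    # Has an address, but none is flagged primary.
    {"userName": "casey", "emails": [{"value": "casey@example.com", "type": "work"}]},
]
SAMPLE_ENVOY_EMAILS = ["avery@example.com", "blake@example.com"]

if __name__ == "__main__":
    for row in plan_sync(SAMPLE_USERS, SAMPLE_ENVOY_EMAILS):
        print(f"{row['action']:<6} {row['userName']:<6} {row['email']} {row['phone']}")
```

Users reported as "create" whose old address is still in Envoy are the ones likely to end up with two employee records, and users reported as "skip" need a primary email set in Centrify before they will appear in the directory.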