About Active Directory configuration for QM and Analytics
The Active Directory Configuration page lets you create or edit a connection between Workforce Optimization and an Active Directory (AD) server in your environment. You can use this connection for user authentication, sync, or both.
The following requirements apply when you configure the connection with the AD server, whether for authentication, sync, or both:
- At least one configured AD must exist.
- Each AD domain must have at least one configured user path.
- The Workforce Optimization server must be in the same domain as the user.
Authentication
AD authentication enables you to use AD users and passwords for authentication in Workforce Optimization. It is available only for on-premises deployments of Workforce Optimization.
Sync
AD sync enables Workforce Optimization to sync Workforce Optimization users with AD users. When AD sync is configured, Workforce Optimization matches existing Workforce Optimization users with existing AD users. Then, whenever an AD user’s first name, last name, employee ID, or email address is changed, Workforce Optimization also changes the corresponding values of the matched Workforce Optimization user.
- AD sync does not add or deactivate Workforce Optimization users.
- If Workforce Optimization cannot match an AD user with any existing Workforce Optimization user, it does not add a new Workforce Optimization user.
- If an AD user who is synced with a Workforce Optimization user is deleted in AD, Workforce Optimization does not deactivate the Workforce Optimization user.
You can review which AD users are matched with Workforce Optimization users and which ones are not on the Active Directory Sync page (see Review Active Directory sync results for QM and Analytics).
Matching users
The following list provides an overview of how Workforce Optimization matches users.
- The administrator configures the AD connection, including the organizational units that contain the users to be synced.
- The administrator selects one of four matching properties: Default, Employee ID, First Name / Last Name, or User Name. If the administrator selects Default, Workforce Optimization uses the Default matching property only. If the administrator selects First Name / Last Name, Employee ID, or Email, Workforce Optimization first uses the Default matching property, then uses the selected matching property.
- Each matching property designates a field on the Users page and an equivalent property in AD. Workforce Optimization compares Workforce Optimization users and AD users based on the values that the field and the property contain. When exactly one user in Workforce Optimization and one user in AD have the same value, Workforce Optimization matches the users.
The following table describes which field and which equivalent property must have the same value for Workforce Optimization to match users.
Matching Property | Users Page | AD Property | Notes |
---|---|---|---|
Default | Windows Login | User logon name (pre-Windows 2000) | If selected, Workforce Optimization matches users with the Default matching property only. AD has two user logon name properties: the “User logon name” property (<user>@<domain>) and the “User logon name (pre-Windows 2000)” property (<domain>\<user>). Workforce Optimization matches users on the “User logon name (pre-Windows 2000)” property only. If you edit the “User logon name (pre-Windows 2000)” property in AD after users are matched, Workforce Optimization unmatches the AD user from the Workforce Optimization user, regardless of the matching property that Workforce Optimization used to match them originally. |
First Name / Last Name | First Name, Last Name | First name, Last name | If selected, Workforce Optimization first matches users with the Default matching property, then with the First Name / Last Name matching property. First Name / Last Name is not case-sensitive. If multiple Workforce Optimization users have the same First Name and Last Name as a single AD user, Workforce Optimization does not match the AD user with any Workforce Optimization user. |
Employee ID | Employee ID | employeeID | If selected, Workforce Optimization first matches users with the Default matching property, then with the Employee ID matching property. If multiple Workforce Optimization users have the same Employee ID as a single AD user, Workforce Optimization does not match the AD user with any Workforce Optimization user. |
User Name | User Name | E-mail | If selected, Workforce Optimization first matches users with the Default matching property, then with the User Name matching property. |
- For each Workforce Optimization user whom Workforce Optimization matches with an AD user, Workforce Optimization does the following:
  - Adds a Recording user profile, if the user does not already have one.
  - Populates any of the following fields in the Recording user profile whose equivalent properties are configured in AD: First Name, Last Name, Email Address, External User ID, and Employee ID.
  - Disables editing the Windows Login field on the Users page.
- If the Recording user profile has the correct precedence, Workforce Optimization transfers the values from the Recording user profile to the Workforce Optimization user.
NOTE If an Override user profile does not already exist, Workforce Optimization does not create one. This means that the values in the Recording user profile can overwrite the identity traits of a user who was manually created in Workforce Optimization, including first name, last name, user name, and employee ID. For more information about user profiles, see Manage user profiles for QM and Analytics and Configure global settings, “User Profile Precedence.”
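The matching rules above can be rehearsed offline before sync is enabled, so that you know which manually created users would be linked and which values are shared by several users and therefore stay unmatched. The following sketch is an added example, not the product's code: it runs the Default pass and then one selected property over constructed user records. The record layout and function names are assumptions, it covers only the Default, Employee ID, and First Name / Last Name properties, and it assumes Default and Employee ID values are compared exactly.

```python
from collections import defaultdict

# Constructed sample records; the dict keys are assumptions of this sketch.
WFO_USERS = [
    {"id": 1, "login": "CORP\\asmith", "first": "Ann", "last": "Smith", "employee_id": "1001"},
    {"id": 2, "login": "", "first": "Bob", "last": "Jones", "employee_id": "1002"},
    {"id": 3, "login": "", "first": "Carol", "last": "Diaz", "employee_id": "1003"},
    {"id": 4, "login": "", "first": "carol", "last": "diaz", "employee_id": "1004"},
]
AD_USERS = [  # "login" holds the pre-Windows 2000 logon name
    {"login": "CORP\\asmith", "first": "Ann", "last": "Smith", "employee_id": "1001"},
    {"login": "CORP\\bjones", "first": "BOB", "last": "JONES", "employee_id": "1002"},
    {"login": "CORP\\cdiaz", "first": "Carol", "last": "Diaz", "employee_id": "1003"},
]

def match_key(user, prop):
    """Comparison key for one matching property; None when the field is empty."""
    if prop == "name":  # First Name / Last Name is not case-sensitive
        first, last = user.get("first"), user.get("last")
        return (first.casefold(), last.casefold()) if first and last else None
    field = {"default": "login", "employee_id": "employee_id"}[prop]
    return user.get(field) or None  # exact comparison is an assumption

def match_pass(wfo, ad, prop):
    """Pair users only where a value occurs exactly once on each side."""
    by_value = defaultdict(lambda: ([], []))
    for side, users in enumerate((wfo, ad)):
        for user in users:
            key = match_key(user, prop)
            if key is not None:
                by_value[key][side].append(user)
    pairs = [(w[0], a[0]) for w, a in by_value.values() if len(w) == len(a) == 1]
    unclear = [(prop, k, len(w), len(a)) for k, (w, a) in by_value.items()
               if w and a and (len(w) > 1 or len(a) > 1)]
    return pairs, unclear

def plan_sync(wfo_users, ad_users, selected="default"):
    """Default pass first, then the selected property on users still unmatched."""
    wfo, ad, matches, unclear = list(wfo_users), list(ad_users), [], []
    for prop in dict.fromkeys(["default", selected]):
        pairs, skipped = match_pass(wfo, ad, prop)
        matches += [(w["id"], a["login"], prop) for w, a in pairs]
        unclear += skipped
        wfo = [u for u in wfo if all(u is not w for w, _ in pairs)]
        ad = [u for u in ad if all(u is not a for _, a in pairs)]
    return matches, unclear
```

Each entry in the second return value names the property, the shared value, and how many Workforce Optimization and AD users carry it; those are the users to disambiguate before sync runs.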
Syncing matched users
When someone changes a matched user in AD, Workforce Optimization detects it and makes several changes. The following table summarizes these changes.
Change in AD | Resulting Change in Workforce Optimization |
---|---|
“First name” property is changed | First name in the Recording user profile is changed. If the Recording user profile has the correct precedence, the user’s first name is also changed on the Users page. |
“Last name” property is changed | Last name in the Recording user profile is changed. If the Recording user profile has the correct precedence, the user’s last name is also changed on the Users page. |
“employeeID” property is changed | Employee ID in the Recording user profile is changed. If the Recording user profile has the correct precedence, the user’s employee ID is also changed on the Users page. |
“E-mail” property is changed | Email address in the Recording user profile is changed. If the Recording user profile has the correct precedence, the user’s user name is also changed on the Users page. |
“User logon name (pre-Windows 2000)” property is changed | The user is unmatched. |
Unmatching synced users
If you no longer want a Workforce Optimization user to be linked with an AD user, you can unlink them. When a Workforce Optimization user is unlinked from an AD user, Workforce Optimization stops updating the user and the user’s Recording user profile when properties are changed in AD, and it enables the user’s Windows login for editing.
Unmatching a Workforce Optimization user does not delete the Recording user profile or delete any of the values stored in it, nor does it prevent the Workforce Optimization user from being matched with the AD user again the next time that sync runs. To permanently prevent Workforce Optimization from matching users, you must also change the Workforce Optimization user before sync runs again so that the Workforce Optimization user no longer has the same identity (as determined by the matching property that is currently selected) as the AD user.
Field descriptions
The fields on the Active Directory Configuration page are described below.
Field | Description |
---|---|
Domain Name | The domain of AD. This domain must be unique among any other AD domains. This domain must also match the domain of a user’s Windows login as configured in the Windows Login field on the Users page. |
Host Name | The host name or IP address of the AD server. |
Port | The port used to access the AD server. The default is port 389, or 636 if you are using SSL. The Workforce Optimization server must allow socket communication on this port to be able to access the AD server for user authentication. |
User Name | The Windows login of a user with read access to the AD database. This user name is used to verify configuration information and validate user paths. |
Password | The password for the user with read access to the AD database. |
Authentication Enabled | Select this check box to enable AD authentication. Leave this check box cleared if you are using AD sync only. |
Use SSL | Select this check box to use Secure Socket Layer (SSL) for the connection to the AD server. Selecting this option changes the default port number in the Port field. |
Certificate | (Appears when you select Use SSL) The certificate that provides the AD identity and public key for SSL communication. Contact your AD administrator for the location of the certificate for AD. In many cases, this certificate is issued by the Certificate Authority on the AD machine. |
Field | Description |
---|---|
Root DN | The domain component of the distinguished name of the organizational unit that stores the AD users who you want to sync with Workforce Optimization users. EXAMPLE You want to sync AD users who are stored in an organizational unit that has the following distinguished name: You enter |
Organizational Units | The distinguished name of the organizational unit that stores the AD users, minus the domain component. To specify multiple organizational units in the same domain, separate their distinguished names (minus the domain component) with a semicolon. EXAMPLE You want to sync AD users who are stored in an organizational unit (Agents) that has the following distinguished name: You enter the following text in the Organizational Units field: Then, you decide you want to also sync AD users who are stored in another organizational unit, Supervisors. This organizational unit is in the same domain, and it has the following distinguished name: You edit the text in the Organizational Units so that it reads as follows: The table on the Active Directory Sync page contains all AD users who are located in the organizational units that you designate, both those who are matched with Workforce Optimization users and those who are not. See Review Active Directory sync results for QM and Analytics. |
Synchronization Interval (Minutes) | The frequency in minutes that Workforce Optimization syncs with AD. Workforce Optimization also updates the table on the Active Directory Sync page according to this interval. The minimum is 10 minutes. |
User Profile Matching Property | The matching property or properties that Workforce Optimization uses to determine whether a Workforce Optimization user and an AD user have the same identity. If you select Default, Workforce Optimization matches users with the Default matching property only. If you select First Name / Last Name, Employee ID, or Email, Workforce Optimization first matches users with the Default matching property, then matches users with the selected matching property. Changing the matching property does not unmatch users who are already matched. |
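The split between the Root DN and Organizational Units fields described above can be derived mechanically from full distinguished names. The following helper is an added example, not part of the product: the distinguished names in the usage note are constructed, the function names are hypothetical, and rejecting a semicolon inside an OU name is an assumption, because the page does not say how such a name would be entered.

```python
import re

def split_dn(dn):
    """Split a distinguished name into RDNs, honouring backslash-escaped commas."""
    return [part.strip() for part in re.findall(r"(?:\\.|[^,\\])+", dn)]

def config_fields(ou_dns):
    """Return (root_dn, organizational_units_field) for OUs in one domain."""
    roots, ou_paths = [], []
    for dn in ou_dns:
        rdns = split_dn(dn)
        # Index of the first DC= component; everything before it is the OU path.
        first_dc = next((i for i, r in enumerate(rdns)
                         if r.upper().startswith("DC=")), len(rdns))
        ou_part, dc_part = rdns[:first_dc], rdns[first_dc:]
        if not ou_part or not dc_part:
            raise ValueError(f"expected OU components followed by DC components: {dn}")
        if ";" in ",".join(ou_part):
            # Assumption: the field has no escape for its own separator.
            raise ValueError(f"semicolon in OU name collides with the separator: {dn}")
        roots.append(",".join(dc_part))
        ou_paths.append(",".join(ou_part))
    # The page requires multiple organizational units to be in the same domain.
    if len({root.lower() for root in roots}) != 1:
        raise ValueError("all organizational units must share one domain component")
    return roots[0], ";".join(ou_paths)
```

For the constructed names `OU=Agents,OU=Contact Center,DC=example,DC=com` and `OU=Supervisors,OU=Contact Center,DC=example,DC=com`, the helper returns `DC=example,DC=com` for Root DN and `OU=Agents,OU=Contact Center;OU=Supervisors,OU=Contact Center` for Organizational Units.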