Using Active Directory to synchronize users with onVisit Online
SCIM 2.0
Note: Since 2023 onVisit has implemented SCIM 2.0 and it is highly recommended to use provisioning via SCIM 2.0 rather than AD Sync.
Read more about SCIM 2.0 with onVisit.
Terms used in this document
Employee
Any person working in your organization who needs to interact with onVisit in any way.
Visit recipient
Employees who will receive visitors and need to be available for lookup by guests as well as being alerted by guests’ arrival.
User
Employees who will need access to the onVisit Online web application.
onVisit Online web application
This is the online web interface accessed by your users through their browsers in order to access onVisit’s online features.
SelfRegistration application
This is the application running on a terminal on your premises that guests use to register their arrival.
UserSynchronization application
The focus of this document; this is the application that handles the synchronization of employee data from your Active Directory into onVisit Online.
Introduction
onVisit Online requires that the employees who are to be made available as visit recipients for guests are added to its database.
onVisit Online supports synchronization with your local Active Directory to generate an available visit recipient in onVisit for each of your employees to avoid having to manually keep your employee information up to date in onVisit Online.
For this to work, the UserSynchronization application needs to be installed locally on a machine/server that can reach your Active Directory, and it must be set up to run in the context of a user that can read the parts of the Active Directory tree you wish to synchronize with onVisit Online. The UserSynchronization application communicates with Active Directory via the LDAP protocol on port 389 (or port 636 when LDAPS is used; see System requirements).
How it works
The UserSynchronization application is set up as a scheduled task, typically set to run once every night. When the task triggers, it connects to the specified Active Directory and retrieves user objects from the specified OUs. It then connects to onVisit Online and adds or updates the appropriate information in the onVisit database. This connection is made via https, so the information sent is encrypted.
Whenever a guest searches for a visit recipient from the SelfRegistration application, the information is retrieved from the online database, also via an encrypted https connection.
Note that the application will never write any information back to Active Directory, so any changes made to a visit recipient’s information via the onVisit Online web interface will be overwritten the next time the application runs.
System requirements
The machine running the UserSynchronization application must run Windows 7 or newer, or Windows Server 2008 R2 or newer, and must fulfill the following criteria:
- Have Microsoft .NET Framework 4.6.1 (or newer) installed.
- Be able to reach the Active Directory to be synchronized via LDAP (port 389) or LDAPS (port 636).
- Be able to connect to the onVisit Online server on the internet via SSL (port 443).
UserSynchronization ServiceUser
The scheduled task will need to run in the context of a user account that has read access to the Active Directory it is to synchronize with. A dedicated service user should therefore be created (unless a suitable service user account already exists and can be used for this purpose), and it is recommended that it is created with a password that never expires.
If, for some reason, you need to use a user account that follows password policy rules, you will have to update the scheduled task whenever the password for that account changes; otherwise the synchronization will stop without warning.
Synchronization setup scenarios
The UserSynchronization can be set up to synchronize your entire Active Directory tree, just a single branch or a set of branches. If your organization is divided into different companies and this is reflected in onVisit Online, the UserSynchronization can be configured to synchronize different branches with the different companies registered in onVisit Online.
The default object filter used by UserSynchronization is objectCategory=person and objectClass=user; it can be changed to be more (or less) restrictive if needed.
Disabling visit recipients
Whenever an employee leaves the organization, the corresponding visit recipient in onVisit Online should also be disabled, preventing guests from registering a visit to an employee that is no longer available.
Whenever an account is disabled in Active Directory the UserSynchronization will automatically disable the corresponding visit recipient in onVisit Online.
In scenarios where accounts are not disabled in Active Directory, but moved to a separate branch indicating that the employee has left the organization, UserSynchronization can be configured to make sure that all visit recipients in onVisit Online corresponding to users in that particular branch will be disabled.
The UserSynchronization will not be able to disable corresponding visit recipients if an account is deleted from Active Directory, but the visit recipient can be manually deactivated through the onVisit Online web interface after the fact. If possible, it is a recommended practice to disable the Active Directory account for a few days (depending on how often the UserSynchronization is scheduled to run) before deleting the account.
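The following script is an added example, not onVisit's own code, that models the nightly run described in this and the preceding sections: the default object filter applied per configured OU, the whenChanged check against the last run, the disable decision taken from userAccountControl or from membership of a "leavers" branch, and the one case the application cannot act on, an account deleted from Active Directory. The directory entries, OU names and the list of accounts seen on the previous run are constructed in-line so it runs offline; the order in which the real application applies these checks is an assumption.

```python
"""Model of the nightly synchronization decisions described above.

Added example, not onVisit's own code. The directory entries, OU names and
the previous-run account list are constructed in-line so the script runs
offline; the order in which the real application applies these checks is an
assumption.
"""
from datetime import datetime, timezone

# Default object filter named in the text.
DEFAULT_FILTER = "(&(objectCategory=person)(objectClass=user))"

# userAccountControl bit that marks a disabled account (documented AD value).
ACCOUNTDISABLE = 0x0002

# Properties the table in this document lists as read by the application.
# The e-mail attribute name is not given in the text; "mail" is an assumption.
ATTRIBUTES = ["whenChanged", "givenName", "sn", "mobile", "mail", "sAMAccountName",
              "telephoneNumber", "userAccountControl", "thumbnailPhoto", "department"]


def build_searches(base_dns, extra_filter=None):
    """One (search base, LDAP filter, attribute list) triple per configured OU.

    extra_filter, if given, is AND-ed onto the default filter to make it more
    restrictive, e.g. "(department=Sales)".
    """
    ldap_filter = DEFAULT_FILTER if extra_filter is None else f"(&{DEFAULT_FILTER}{extra_filter})"
    return [(dn, ldap_filter, ATTRIBUTES) for dn in base_dns]


def parse_when_changed(value):
    """AD generalized-time string such as 20240115083000.0Z -> aware datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.0Z").replace(tzinfo=timezone.utc)


def in_branch(dn, branch_dn):
    """True when dn sits under branch_dn (DN components compare case-insensitively)."""
    return dn.lower().endswith("," + branch_dn.lower())


def decide(entry, last_sync, leavers_ou=None):
    """Return 'skip', 'upsert-active' or 'upsert-disabled' for one directory entry."""
    # whenChanged gate: untouched since the last run -> nothing to send (assumed ordering).
    if parse_when_changed(entry["whenChanged"]) <= last_sync:
        return "skip"
    disabled_in_ad = int(entry["userAccountControl"]) & ACCOUNTDISABLE
    moved_to_leavers = leavers_ou is not None and in_branch(entry["dn"], leavers_ou)
    if disabled_in_ad or moved_to_leavers:
        return "upsert-disabled"
    return "upsert-active"


def run_sync(entries, last_sync, leavers_ou, previous_accounts):
    """Decide an action per entry and list accounts seen last run but absent now.

    The application cannot disable a visit recipient whose AD account was
    deleted, so the 'deleted' list is what an operator must handle manually.
    """
    actions = {e["sAMAccountName"].lower(): decide(e, last_sync, leavers_ou) for e in entries}
    deleted = sorted(a for a in previous_accounts if a.lower() not in actions)
    return actions, deleted


# --- constructed sample data (not real directory content) ---
LAST_SYNC = datetime(2024, 1, 15, 2, 0, tzinfo=timezone.utc)
LEAVERS_OU = "OU=Leavers,DC=example,DC=local"
SAMPLE_ENTRIES = [
    {"dn": "CN=Alice,OU=Staff,DC=example,DC=local", "sAMAccountName": "alice",
     "whenChanged": "20240115083000.0Z", "userAccountControl": 512},
    {"dn": "CN=Bob,OU=Staff,DC=example,DC=local", "sAMAccountName": "bob",
     "whenChanged": "20240115090000.0Z", "userAccountControl": 514},   # 512 | ACCOUNTDISABLE
    {"dn": "CN=Carol,OU=Leavers,DC=example,DC=local", "sAMAccountName": "carol",
     "whenChanged": "20240115100000.0Z", "userAccountControl": 512},
    {"dn": "CN=Dave,OU=Staff,DC=example,DC=local", "sAMAccountName": "dave",
     "whenChanged": "20240110120000.0Z", "userAccountControl": 512},
]
PREVIOUS_ACCOUNTS = ["alice", "bob", "carol", "dave", "erin"]

if __name__ == "__main__":
    for base, flt, attrs in build_searches(["OU=Staff,DC=example,DC=local", LEAVERS_OU]):
        print(f"search {base} filter={flt}")
    actions, deleted = run_sync(SAMPLE_ENTRIES, LAST_SYNC, LEAVERS_OU, PREVIOUS_ACCOUNTS)
    for account, action in actions.items():
        print(f"{account}: {action}")
    print("deleted in AD, deactivate manually in onVisit Online:", deleted)
```

Running it shows why the text recommends disabling an account for a few days before deleting it: "bob" (disabled) and "carol" (moved to the leavers branch) are both turned into disabled visit recipients automatically, while "erin", who has simply vanished from the directory, only shows up in the list that someone has to act on by hand.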
Synchronized fields
Here follows a list of Active Directory properties read by the UserSynchronization application along with a description of how they are used by onVisit Online and the SelfRegistration application.
| Active Directory property | Usage in onVisit |
| --- | --- |
| whenChanged | Used to check if the employee has been updated since the last synchronization. |
| givenName | First name of the employee. Displayed in the visit recipient lookup in the SelfRegistration application. This field cannot be empty. |
| sn | Last name of the employee. Displayed in the visit recipient lookup in the SelfRegistration application. This field cannot be empty. |
| mobile | The employee’s mobile number. Used for alerting the visit recipient when guests arrive. Can be displayed in the visit recipient lookup in the SelfRegistration application, if desired. |
|  | The employee’s email address. Used for alerting the visit recipient when guests arrive. This field is required for employees that will need access to the onVisit Online web application. |
| samaccountname | This field, along with the domain specified in the configuration file for the UserSynchronization application, is used to uniquely identify the visit recipient in onVisit Online to be updated. |
| telephoneNumber | Alternative phone number that can be displayed when displaying visit recipient information in the onVisit Online web application. |
| useraccountcontrol | Used to determine whether the visit recipient in onVisit Online is active and able to receive guests. |
| thumbnailPhoto | Photo of the employee. Can be displayed in the visit recipient lookup in the SelfRegistration application, if desired. |
| department/Custom Field | Added to the visit recipients’ department field in onVisit Online. Can be displayed in the visit recipient lookup in the SelfRegistration application, if desired. This field can be customized in the configuration file for the UserSynchronization application. |
Adding external employee photos
Employee photos can be added to onVisit even if they are not set as part of the thumbnailPhoto property in Active Directory. To accomplish this, simply place the photos in a folder on the machine running the scheduled task and give them a filename matching the employee’s domain and username with this format:
[UserDomain from config-file]-[samaccountname from Active Directory].[Image file-extension]
The path to the folder containing the pictures must then be added to the config-file for the UserSynchronization application.
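As an added example, not onVisit's own code, the script below maps the synchronized properties from the table onto a visit recipient record, enforces the required-field rules the table states (givenName and sn non-empty, e-mail required only for employees who need web-application access), and resolves an external photo by the filename pattern given above. The record layout, the accepted image extensions, the precedence of thumbnailPhoto over the photo folder, the hypothetical needsWebAccess flag and the folder listing are assumptions or constructed data; the e-mail attribute name is not given in the table, so "mail" is an assumption too.

```python
"""Mapping of the synchronized Active Directory properties onto a visit
recipient record, including the external photo lookup described above.

Added example, not onVisit's own code. The record layout, the accepted image
extensions, the needsWebAccess flag and the folder listing are assumptions or
constructed data; property names follow the table above (the e-mail attribute
name is not given there, so "mail" is an assumption).
"""
import os

# Extensions tried when looking for an external photo (assumption; the text
# only says "[Image file-extension]").
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png")


def photo_filename(user_domain, sam_account_name, extension):
    """[UserDomain from config-file]-[samaccountname].[Image file-extension]"""
    return f"{user_domain}-{sam_account_name}{extension}"


def find_external_photo(listing, user_domain, sam_account_name):
    """Return the matching filename from a folder listing, or None.

    The comparison is case-insensitive because NTFS names are, and because
    the samaccountname casing in AD rarely matches what an admin typed by hand.
    """
    wanted = {photo_filename(user_domain, sam_account_name, ext).lower() for ext in IMAGE_EXTENSIONS}
    return next((name for name in listing if name.lower() in wanted), None)


def find_external_photo_on_disk(folder, user_domain, sam_account_name):
    """Same lookup against a real folder (the path given in the config file)."""
    return find_external_photo(os.listdir(folder), user_domain, sam_account_name)


def to_visit_recipient(entry, user_domain, photo_listing=()):
    """Build the record sent to onVisit Online and list validation problems.

    Returns (record, errors). A record with errors must not be sent: the table
    marks givenName and sn as non-empty, and the e-mail address as required
    only for employees who also need web-application access (modelled here by
    the hypothetical needsWebAccess flag).
    """
    errors = []
    if not entry.get("givenName"):
        errors.append("givenName must not be empty")
    if not entry.get("sn"):
        errors.append("sn must not be empty")
    if entry.get("needsWebAccess") and not entry.get("mail"):
        errors.append("mail is required for users of the web application")

    sam = entry.get("sAMAccountName", "")
    # thumbnailPhoto from AD is preferred; the folder is the fallback (assumed precedence).
    photo = entry.get("thumbnailPhoto") or find_external_photo(photo_listing, user_domain, sam)

    record = {
        # Domain from the config file + samaccountname identifies the recipient to update.
        "identity": f"{user_domain}\\{sam}",
        "firstName": entry.get("givenName", ""),
        "lastName": entry.get("sn", ""),
        "mobile": entry.get("mobile"),
        "email": entry.get("mail"),
        "alternativePhone": entry.get("telephoneNumber"),
        "department": entry.get("department"),
        "photo": photo,
    }
    return record, errors


# --- constructed sample data (not real directory content or files) ---
USER_DOMAIN = "CORP"
PHOTO_LISTING = ["CORP-alice.jpg", "corp-BOB.png", "README.txt"]
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "givenName": "Alice", "sn": "Andersen",
     "mobile": "+47 900 00 001", "department": "Sales",
     "needsWebAccess": True, "mail": "alice@example.invalid"},
    {"sAMAccountName": "bob", "givenName": "Bob", "sn": "",
     "thumbnailPhoto": b"\xff\xd8\xff"},   # truncated JPEG header stands in for a real photo
]

if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        record, errors = to_visit_recipient(entry, USER_DOMAIN, PHOTO_LISTING)
        print(record["identity"], "photo:", record["photo"], "errors:", errors or "none")
```

Point find_external_photo_on_disk at the folder named in the config file to reproduce the lookup against real files; the rest of the logic is identical.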
Additionally, photos can be uploaded manually using the onVisit Online web application.
Related info: Install UserSync