itemit now supports integration with MS Azure Active Directory. If your organisation uses on-premises Active Directory you can set it up to synchronise data with Azure Active Directory and connect it to itemit.
You can select User Groups in Active Directory and assign them roles and access with itemit. Those users will then be able to login using their Active Directory credentials and access all the normal itemit features.
itemit Active Directory settings
Open https://web.itemit.com and login to your itemit workspace as an administrator.
Click the Settings button in top right corner and select "Active Directory Integration" on the left menu.
Click the "Connect" button.
4. You will see a popup named "Connect to Azure Active Directory" appear.
Microsoft Azure settings
In a second browser tab or window open the Microsoft Azure website: https://portal.azure.com
Log into your administrator organisation account and select "View" in "Manage Azure Active Directory" section. If you don't see this option, search for "Azure Active Directory" and select that instead.
3. You will new see your organisation Active Directory overview page. On the left side, select "App registrations" and then click "New registration" on top.
4. Enter an application name, for example "itemit" then below in "Supported account types" select "Accounts in this organizational directory only" and click "Register".
5. After registration completed, you will see the application overview page. Select "API permissions" on the left side.
6. In the "API permissions" page, select "Add a permission". You will need to select and then grant a number of permissions, so itemit can get Active Directory users and groups data from your organisation directory.
7. In the add permissions pane select "Microsoft Graph" then "Delegated permissions" and then search and select the following delegated permissions:
User.Read
email
offline_access
profile
These permissions are required for successful login of an Active Directory user into itemit, using their Active Directory login and password.
β
8. After selecting the 4 delegated permissions above, select "Application permissions" on top and then search and select following application permissions:
Directory.Read.All
Group.Read.All
User.Read.All
And finally select "Add permissions" in the bottom.
9. If everything has been successful, you will see the following list of permissions.
10. Click "Grant admin consent for ... " and approve. Make sure you have Status "Granted for ..." for each of permissions.
11. Now you will need to add a secret key, so itemit can securely communicate with Active Directory. Select "Certificates & secrets" on the left side and then "New client secret".
12. Enter description for a new secret, for example, "itemit secret" and select the maximum expiry date of 24 months. Click "Add".
13. Important! After your new secret is created copy and securely save its "Value" as you won't be able to see it again.
14. Now you will need to setup app Authentication so Active Directory users will be able to login using their accounts on the itemit website and mobile apps.
Select "Authentication" on the left side and then select "Add a platform" in platform configurations.
14.1. (optional) If you don't need your users to login on web.itemit.com you can skip this step in "Configure platforms" select "Single-page application".
Then in "Redirect URIs" enter "https://web.itemit.com" and click "Configure".
If everything is correct you should see the same section "Single-page application" as below.
14.2 (optional) If you don't need your users to login on the itemit Android app you can skip this step.
Click "Add a platform" and select "Android" in "Mobile and desktop applications" section.
Please enter following details, then click "Configure":
Package name: com.redbite.itemit
Signature hash: WDAkVt0lK9Nob+82mOBkFKs1ieU=
14.3 (optional) If you don't need your users to login on the itemit iOS app you can skip this step
Click "Add a platform" and select "iOS / macOS" in "Mobile and desktop applications" section.
Please enter Bundle ID: com.redbite.redthings then select "Configure" and "Done".
Once done go back to "Overview" section on the left side.
Now you are ready integrate Active Directory with your itemit workspace!
15. Open web.itemit.com and copy and paste your application's "Application (client) ID" to "Client ID" field in itemit website (step 3)
"Directory (tenant) ID" to "Tenant ID" and your client secret value (from step 13) to "Client Secret". Finally enter your Active Directory domain name (you can find it in your Active Directory overview page as "Primary domain") and click "Connect".
If all of the settings were correct you will see a success window popup appear:
Now you can select an Active Directory group with users you want to give access to itemit.
Important! Currently we only support synchronisation by groups. Your Active Directory will need groups with assigned users in order to sync those users to itemit.
In the next step select itemit role and access for members of that AD group. Same as sharing to itemit users, you can share whole workspace or just a subset: collection/location.
You should see "Synchronisation Completed" popup if everything went successfully.
Newly added group will also appear in the section below with group name, role and access description.
If you want to add additional groups, you can select "Add New Group" and repeat the process.
Important!
To be successfully imported into itemit, the Active Directory user must have First name, Last name and email set in their user profile in Active Directory. Users that are missing any of these properties will be ignored.
Active Directory users can only be in one group in the workspace at the same time. If you are synchronising another group which has the same user, the group will be synchronised except for that user, and you will get an error message informing you which user wasn't synchronised.
Important!
Currently there is an automatic synchronisation of users in groups which runs every midnight (UTC time).
If you make any changes in your Active Directory groups (remove or add members) and want to see changes in itemit, you will need to go to itemit web portal Settings -> Active Directory Integration and resync affected groups so itemit can get all the changes.
Imported AD users have limited rights compared to normal users.
They can't:
edit their own data
create personal workspace
leave shared workspace
share a workspace or been shared with other workspace (other than been shared via AD configuration)
manage AD configuration
Personalised Active Directory shortcut URL for login
In order to simplify process of Active Directory users login into itemit, we support itemit configured domain name as a URL query parameter: https://web.itemit.com/?domain=domainName or https://web.itemit.com/login?domain=domainName
So, for example, if your Active Directory domain name is redbite.com, then shortcut URL for login will be https://web.itemit.com/?domain=redbite.com or https://web.itemit.com/login?domain=redbite.com
You can share such URLs to your Active Directory users and they won't need to type in domain name during login to itemit.
Common Q&A:
Q: How can I remove a single AD user from itemit?
A: In order to remove a single AD user you will need to go to your MS Active Directory integration and remove the specified user from the relevant group which you added to itemit. After that, you will need to synchronise the same group in itemit and this user will be removed from itemit.
Q: How can I remove a whole AD group?
A: In itemit open "Active Directory Integration" in "Settings", find the group that you want to remove and click remove icon. Type "REMOVE" in the popup window and click remove. This will remove the group and all of it's users from itemit.
Q: How can I update/change permissions of the users in AD Group?
A: Directly updating AD group permissions within itemit is not possible. Instead, you will need to remove the group first and then re-add this group back, selecting new permission levels at this point.
Q: My AD synchronisation was working fine, but recently stopped working. What can be the reason?
A: If you haven't made any changes in your Microsoft Active Directory integration, then it could be that your secret has expired. Please follow steps 11-13 of this integration guide to create a new secret and copy the new secret value (not secret ID). After that, open your "Active Directory Integration" in itemit website in "Settings", select "Edit Configuration" and enter new client secret there. After you have saved configuration with a new client secret, try to synchronise it to see if the problem is solved. If this has not solved the problem, please reach out to the itemit team at [email protected].
Q: What happens when an AD User is deleted from itemit?
A: When an AD user is deleted from itemit, they will no longer be able to log into itemit or access the system. They will no longer appear in the users list. Their name will still be assigned to any items they were assigned to, so they will need to be removed from these where applicable. Their name will also still appear in relevant History sections if they have performed any actions with items. Their names will still appear as associated with any comments they previously left on items. If you would like their name removed for GDPR purposes, please contact us at [email protected].