
The Journey to SSO, Part V: Onboarding and Offboarding Contractors automatically with SAML Single Sign On

By resolution on Apr 7, 2021 9:45:00 AM

Praecipio Consulting has partnered with our friends at resolution, an Atlassian Gold Marketplace Partner based in Germany that specializes in software development and network security, to bring you a series of blog posts about how to successfully implement single sign-on (SSO) with Atlassian tools. With more than 7 million users from 58 countries, resolution is the market leader for Atlassian Enterprise User Management Apps.

In the last article of this series on the journey to Atlassian SSO, we followed the steps of ACME, a company with large instances of Jira and Confluence on prem, planning a migration from AD FS to Azure AD.

In particular, we had a detailed look at: 

  • How users from the Atlassian directories can be seamlessly migrated into Azure AD by building a no-code integration with User Sync
  • How users can be mapped between Azure AD and the Atlassian applications even if usernames don’t match 
  • How to connect users from different organizations (ACME and CU.com, a consultancy firm) each with its own Identity Providers, both for authentication and provisioning purposes. 

In order to complete the setup, however, ACME needs to add some restrictions to CU.com users to answer the following questions:  

  • Who at CU.com must have accounts in ACME’s Jira and Confluence? 
  • How long should access be retained? 
  • How should access be revoked? 

Let’s look at how to automate the process for onboarding and offboarding consultants so that these are the answers: 

  • Who should have accounts? Only contractors assigned to active projects. 
  • How long should access be retained? Only for as long as the project is active. 
  • How should access be revoked? Automatically, as soon as the project concludes. 

How to provision only contractors assigned to active projects 

Let’s quickly recap what ACME needs to set up: 

Challenges 

  • Access to ACME’s Atlassian tools should only be granted to consultants who have been assigned to specific projects 
  • Consultants have a quick turnaround. It’s important to give them access quickly and deactivate them as soon as their assignments conclude. 
  • It’s also vital to ensure that consultants only occupy licenses of the Atlassian products while they’re on an active assignment.

Implementation steps 

The approach has four steps:

  1. The group that gives consultants access will be operated from Contractor’s Okta and filtered in ACME’s User Sync connector. 
  2. Specific project permissions and roles in the Atlassian applications will be managed locally.  This has important implications, as the Okta and local group settings must coexist and not overwrite each other. 
  3. The synchronization between Okta and ACME will be scheduled to run every night (but users will also be updated when they login, eliminating waiting times entirely). 
  4. As a result of the synchronization, consultants who are no longer on active assignments will have both their access and their licenses revoked.

Here’s the walkthrough: 

1. In the Okta User Sync connector configured in the section above, ACME adds a filter so that only consultants in a specific group are passed and enabled in Jira.
  • Go to User Sync > Azure AD Connector > Edit > Advanced Settings
  • In Groups mandatory to sync a user, create a new entry
  • Add the group active-acme-jira-project
2. Now we need to tell User Sync which local groups may be added locally in Jira to these contractors. These are the groups that define what projects contractors have access to, and which roles they fall under.  

It's extremely important to add this information! Failing to do so results in removing access to Jira projects:

  •  every time the contractor logs in 
  •  with each user sync. 

However, we can protect groups in both contexts from the User Sync connector:

  • To protect the groups in the connector, we go back to the Advanced Settings and add all the groups used to give permission to Contractor Unlimited consultants in the Keep these Groups field. Note that you can either list every group or, if the group names follow a pattern, use regular expressions.
3. Now, we will schedule the synchronization at regular intervals to happen every morning at 3am using this cron expression: 0 0 2 ? * *
4. Finally, we will tell the connector to deactivate contractors who have finished their assignments so that they don't consume any licenses.
  • In the cleanup behavior dropdown, select disable users.

What does this last step mean? Consultants will be automatically deactivated in Jira and Confluence following this process: 

  • When an assignment concludes, the consultant is removed from the active-acme-jira-project group 
  • At 3am, the user sync connector runs 
  • The user is removed from the active-acme-jira-project group in Jira, together with any other changes. 
  • As a consequence, the user is deactivated in Jira. 

Bonus trick: With the right SAML setting, if the consultant logs into Jira after they have already been removed from the active group, the login will succeed but will also result in the deactivation. 
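
The effect of the three settings above (mandatory group, Keep these Groups, cleanup behavior set to disable users) can be checked with a small simulation. This is an added example that models the behaviour as the article describes it; it is not resolution's code, and the usernames, the local project group names and the keep pattern are made up for illustration. Only the group name active-acme-jira-project comes from the article.

```python
import re
from dataclasses import dataclass, field

MANDATORY_GROUP = "active-acme-jira-project"  # group name used in the article
KEEP = [r"acme-project-.*"]                   # hypothetical "Keep these Groups" regex


@dataclass
class Account:
    active: bool
    groups: set = field(default_factory=set)


def kept(groups, keep_patterns):
    """Local groups protected by 'Keep these Groups' (exact names or regexes)."""
    return {g for g in groups if any(re.fullmatch(p, g) for p in keep_patterns)}


def sync(jira, idp, keep_patterns):
    """Model one sync pass; returns (new Jira state, list of change messages).

    Assumed semantics, taken from the article's description:
      - only users in MANDATORY_GROUP at the IdP are enabled,
      - IdP groups replace local ones unless a keep pattern protects them,
      - users who fail the filter are disabled, not deleted.
    """
    state, changes = {}, []
    for name, acct in jira.items():
        idp_groups = set(idp.get(name, ()))
        eligible = MANDATORY_GROUP in idp_groups
        new_groups = idp_groups | kept(acct.groups, keep_patterns)
        lost = acct.groups - new_groups
        if lost:
            changes.append(f"{name}: removed from {sorted(lost)}")
        if acct.active and not eligible:
            changes.append(f"{name}: deactivated, license freed")
        state[name] = Account(active=eligible, groups=new_groups)
    # Onboarding: contractors newly placed in the mandatory group get an account.
    for name, groups in idp.items():
        if name not in jira and MANDATORY_GROUP in groups:
            state[name] = Account(active=True, groups=set(groups))
            changes.append(f"{name}: created")
    return state, changes


def licenses_used(state):
    """Active accounts are the ones that occupy a license."""
    return sum(1 for acct in state.values() if acct.active)


# Constructed sample data: Jira before the nightly run, and the IdP view.
JIRA = {
    "dana": Account(True, {MANDATORY_GROUP, "acme-project-alpha-developers"}),
    "eli": Account(True, {MANDATORY_GROUP, "acme-project-beta-developers"}),
}
IDP = {
    "dana": {MANDATORY_GROUP},  # still on an active assignment
    "eli": set(),               # assignment ended, removed from the group
    "fay": {MANDATORY_GROUP},   # newly assigned contractor
    "gus": {"cu-staff"},        # contractor employee without an ACME assignment
}

if __name__ == "__main__":
    for label, patterns in (("no keep groups", []), ("with keep groups", KEEP)):
        state, changes = sync(JIRA, IDP, patterns)
        print(f"--- {label}: {licenses_used(state)} licenses in use")
        for line in changes:
            print("   ", line)
```

Running it shows both outcomes side by side: without a keep pattern the contractor who is still on assignment loses the locally managed project group, while the deactivation of the offboarded contractor happens in either case.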

We reached our destination! 

Congratulations! You have finished the journey to Atlassian Single Sign-On! Hopefully by this time you are on your way to an implementation that will last for many years to come. 

The sample implementation in the last two articles has offered a selection of very popular options among Atlassian on-prem customers. As you have seen, User Synchronization is very often a cornerstone of the implementation, since it lets you use the Identity Provider as a single source of truth to automate user on- and offboarding. At the same time, it’s compatible with multi-IdP setups and access provision to partner organizations.

However, the example is just that – an example. And it might be very different to what you need to solve. 

How can we help you? 

If you have any doubts or need help with advanced technical issues, there are several next steps. 

  • Our friends at Praecipio Consulting will be happy to help you get up and running. We go way back with a long history of shared implementations.  
  • If you need help configuring the resolution SAML SSO application or the User Sync standalone that can be combined with the Data Center SAML, we provide free screenshare sessions every day. 

Excited to see you there, very soon! 

Topics: atlassian blog optimization practices security collaboration human-resource

How Service Management Capabilities Improve Your Organization’s Employee Onboarding

By Joseph Lane on Mar 26, 2021 9:13:38 AM

Have you ever started work at a new organization as an eager new employee, only to find that you don’t have everything needed to “hit the ground running”? It might be that your laptop isn’t ready. Or you have a laptop but you’re missing a critical piece of software (or access to a critical online service). Of course, it’s not only the IT department that can fail to provide a new employee with what they need to be productive from day one. Human resources (HR) might have missed a new employee from the mandatory onboarding training course. Or the facilities team might have failed to arrange building access or to provide them with a suitably equipped place to work.

Alternatively, the issue might not be that these things are repeatedly missing on new employee arrival. Instead, it might be the necessary lead time has an unwanted business impact – that employees can’t start in their new role for two months while the manually-intensive employee onboarding process slowly grinds out what’s needed for them. Or it might be that recruiting managers need to waste their precious time “keeping on top of” all the various departments responsible for ensuring that their new employee can work productively from day one.

To help, this blog explains how Service Management can be used to improve employee onboarding operations and outcomes.

Why employee onboarding is a common issue

None of the above scenarios are ideal – for the new employee, the recruiting manager, and business operations – yet they still happen too frequently when the onboarding process and its many “splinter” sub-processes are manually intensive. It might be that the sheer complexity of all the moving parts, with multiple business functions needing to do “their bit,” causes the issue in terms of the logistics. Or it might be that the immediate lack of urgency for the individual tasks means that they’re a low priority in each business function’s work pipeline, such that some tasks unfortunately “slip through the cracks” when people are bombarded with a continuous flow of higher priorities. Or it might be that the high level of manual effort is the cause of organizational and provisioning mistakes being made.

As to how common onboarding issues are, a commonly-quoted employee onboarding statistic on the Internet – which is sadly from 2017 but still worth pointing to with an age caveat – is that:

Only “12% of employees strongly agree their organization does a great job of onboarding new employees.”

Source: Gallup, State of the American Workplace Report (2017)

Thankfully, Service Management – the use of IT service management (ITSM) principles, best practice capabilities, and technology to improve business function operations, services, experiences, and outcomes – offers a digital-workflow-based onboarding solution that’s commonly one of the first adopted use cases of Service Management within an organization.

Plus, the global pandemic has made employee onboarding more difficult

While onboarding has traditionally been problematic for organizations, the operational impact of the global pandemic has made the potential issues worse. First, because new employees might be remote workers, meaning that any failure to fully enable them on day one is now harder for them to work around. For example, using a spare office “capability” isn’t viable when you aren’t in an office. Second, some of the various business function employees charged with setting up new employees might be home working, which makes it harder for the manually intensive process flows to work across what are now both functional and locational divides.

How Service Management helps with employee onboarding

The ITSM principles, best practice capabilities, and technology employed within Service Management offer a platform for business-wide digital workflows and optimized operations and outcomes. The technology, in particular, helps in terms of making employee onboarding all three of “better, faster, cheaper” through:

  • Workflow automation and service orchestration
  • Service level monitoring, alerting, and notifications
  • New technology-enabled capabilities, such as AI-enabled intelligent automation
  • Self-service portals and other digital channels
  • Knowledge management enablement
  • Dashboards and reporting capabilities

More importantly, Service Management not only helps internal business function operations but also the intra-business-function operations that are a big part of employee onboarding – with the need processed by both HR and the invocation of services from other business functions.

Examples of Service Management at work in employee onboarding

The digital workflows required to get an employee road-ready and productive from their first day of work can be taken back to the initial need for a new employee to fill an existing or new role. The initial workflows can therefore cover all of the following:

  • The line manager notification of the need to recruit (to HR)
  • The approval of the recruitment
  • Job description creation and/or validation
  • The advertising of the role
  • The screening of candidates
  • The interviewing of candidates
  • The selection and notification of the successful candidate

You might argue that this is recruitment rather than onboarding but, in a truly digital environment, this can be an end-to-end workflow such that the successful candidate’s acceptance of the offer, perhaps after personal negotiations, triggers the next set of onboarding steps. These can include:

  • The HR team sourcing and populating the required information in the new employee's HR record
  • The legal team making the appropriate background checks, processing contract paperwork, and ensuring that other legal necessities are met
  • The HR team arranging employee benefits, which could include a company vehicle lease agreement via either the corporate procurement or fleet teams
  • The HR team arranging and maybe delivering the required onboarding training – that covers employee policies, IT usage, finance-related “how-tos,” etc. – plus any other immediate learning needs (physical and/or virtual)
  • The IT team ensuring that the required devices, software, and access permissions for the role are all provisioned in time for the employee’s start date
  • The facilities team sourcing and provisioning the required working environment for office-based working, home working, or both
  • The security or facilities team providing appropriate physical access permissions and means
  • The facilities team providing corporate car parking facilities if warranted

This list isn’t exhaustive, but it’s indicative of how starting the employee onboarding workflow(s) – perhaps via a self-service portal – can trigger the prioritized execution of a wide range of required processes and tasks across multiple business functions using automation and logic. The enabling technology not only monitors and manages task progression but also integrates with other systems (for record updating, ordering, and provisioning), seeks task-related approvals when needed, provides reminder notifications, and flags up delays and other onboarding issues for appropriate human intervention.

Why wouldn’t your organization want to automate the end-to-end employee onboarding process with digital workflows to save time and costs and to deliver a better employee experience? If you would like to find out more on how Service Management can improve your employee onboarding capabilities, reach out to the Praecipio Consulting team.

Topics: blog service-management cost-effective human-resource itsm digital-transformation

Jira Service Management for HR

By Courtney Pool on Jan 13, 2021 12:58:15 PM

In November of 2020, Atlassian rebranded Jira Service Desk to Jira Service Management. With this rebranding, Atlassian sought to make one thing clear: JSM isn’t just for IT. In fact, any team who receives requests from others, whether from external or internal customers, can utilize JSM.

Similarly, IT Service Management (ITSM) doesn’t have to be just for IT either. IT organizations around the world benefit daily from applying ITSM principles and processes to their own organizations. Enterprise Service Management (ESM) sees this success and seeks to take it a step further, contending that ITSM practices can be applied even outside of IT teams, which allows for similar successes in other departments. JSM agrees, and it even has quick-starts in Atlassian Cloud for some business teams, including HR.

By now, you may have already read about the ITSM capabilities that can be leveraged by your HR department. You may even already have a few use cases in mind. At Praecipio Consulting, one of the most frequent JSM use cases that we encounter for HR is onboarding and offboarding. 

To start, you’ll want to be sure that you have one request form for onboarding and another for offboarding. One of the things that makes JSM great for non-tech teams is the ability to change display names for fields and add help text to forms, making it even easier for people who aren’t familiar with Jira to submit requests.

As onboarding and offboarding are typically handled by multiple teams and individuals, you can also utilize an app to auto-generate subtasks for each Request or Issue Type on issue creation. This is also possible in Jira Core and Jira Software, of course, but having this driven by a request created through the portal means that a user can set it in motion with more ease than they would be able to otherwise.

Queues are another JSM feature that will be helpful for your HR team once a request is submitted. You could set queues up for just onboarding and offboarding, or you could even go deeper, having queues that differentiate between full-time employees, part-time employees, and contractors, as an example. Queues can be set to run on anything you’re collecting in your form.

Once a request comes in, you’ll benefit from the Service Level Agreements, or SLAs, that JSM can apply. SLAs can be set based on any number of criteria, so your HR team can easily track if they’re meeting expected targets, as well as have another way to prioritize their work. For example, a high-priority offboarding will need more attention than onboarding that’s more than a week out, so the SLAs can be set accordingly, with more time afforded to less pressing tasks.

Onboarding and offboarding are common needs in every HR department, but these same features can be applied to most HR tasks you can think of, like PTO requests, asking for assistance with benefits, or even recognizing a colleague.

The rebranding of JSM is a message to all teams, in all companies, that service tools are not just for IT. They can be a huge benefit to many teams, and HR is a great place to start. 

At Praecipio Consulting, we offer a wide range of services for HR teams (or any team, for that matter) looking to use best-in-class ITSM tools. Reach out today and let us know how we can help you make the most out of JSM.

Topics: human-resource itsm jira-service-management

Provide the Digital Transformation Your HR Department Needs

By Joseph Lane on Dec 28, 2020 1:56:00 PM

The COVID-19 crisis has changed the world forever, from how we interact with others in our personal lives to the more complicated requirements of business operations. These changes have evidenced the need to accelerate the corporate digital transformation strategies that have previously been slow in execution.

Now, as your human resources (HR) department assists your organization in rebounding from the adverse impact of the crisis on operations and revenues, there’s much that needs to be done to ensure that your traditional practices can quickly evolve to the higher needs of the “new normal.”

Surviving the long tail of the COVID-19 crisis

At the height of the crisis, with people working from home or perhaps not working at all, there was an immediate need for new IT services and support practices to ensure that working employees could still work effectively and remain safe. For many organizations, “mountains were moved” in quickly creating the technology-based ways of working needed to keep things going. And employees hopefully appreciated the potentially new IT capabilities that enabled their remote working – both in terms of their personal productivity and the need to collaborate with others when working within business processes.

Now, with some employees returning to offices and others continuing to work remotely – at least in the short term – there’s a need to formalize and improve upon the “emergency” capabilities that helped your organization through the crisis. There’s also likely a need to respond to the mandated budget cuts that come as a result of the initial and ongoing effect of the crisis on company sales and revenues. Plus, the move to homeworking, in particular, has further increased the importance of employee experience and the need for organizations to maximize employee productivity.

In light of all these needs, and potential pressures, your HR department likely needs new ways of working that remove – or at least minimize – the reliance on manual practices, that while always potentially inefficient, are now difficult to operate in a distributed working environment.

Leveraging technology and service management principles to digitally transform

While digital transformation might seem like something that’s focused on technology and data, it’s ultimately about new ways of working and driving successful people change. So, while this blog covers the improvement possibilities available through the greater use of technology and IT service management (ITSM) best practices, there’s still the need to apply organizational change management tools and techniques to what might feel like a daunting change to many.

In terms of quickly transforming your manually-reliant operations, your organization’s IT department might already have the necessary ingredients for improvement at its fingertips. These come through an approach it calls “Enterprise Service Management” – “the use of proven ITSM capabilities to improve other business function operations, services, and outcomes” – which provides a backbone for the required back-office digital transformation in HR and other business functions. In fact, at a business-level, “back-office digital transformation” is a better term for this approach to leveraging technology and service management principles outside of IT.

Even before the crisis highlighted the many failure points of the traditional reliance on manual operations, IT organizations had already bought into the business benefits of enterprise service management – with the 2019 ITSM.tools Future of ITSM Survey finding that two-thirds of organizations either had or were planning to develop an ESM strategy.

How digital transformation will help your HR department

Whether it’s through the adoption of an enterprise service management approach or via another route to organizational improvement, the use of service management principles and the associated enabling technology will make your HR department all three of “better, faster, and cheaper.”

Examples of the ITSM capabilities that can be leveraged by your HR department include:

  • Automated workflows for issue handling and request fulfillment – saving time and costs, and providing a better employee experience.
  • Knowledge management – augmenting the knowledge of HR staff and providing the foundation for employee self-help, making for better, faster, and cheaper HR services.
  • Self-service and self-help – empowering employees to help themselves via a now-expected, consumer-like capability. It also reduces the demand-based pressures on your HR support capability.
  • Problem management for repeat issue minimization – preventing common issues altogether rather than simply trying to remedy them more swiftly.
  • Greater insight into performance and improvement – it is easier to gain the visibility required for better decision making when work is no longer trapped inside personal email accounts and spreadsheets.
  • The use of newer technologies such as artificial intelligence (AI) to improve across all three of better, faster, and cheaper.

Common HR digital transformation use-case scenarios

All of these proven ITSM capabilities, and others, can be successfully employed by HR departments to improve their service and support capabilities, the employee experience, and business outcomes.

Common examples of HR practices that are already benefitting from service management and digital transformation – perhaps via an enterprise service management approach – include:

  • Employee query and case handling
  • Recruitment
  • Employee on-boarding and off-boarding
  • Learning and development
  • Payroll and employee benefit administration
  • Demand planning.

Using service management best practices and ITSM tools, there’s no limit to how your HR practices can be improved to deliver the better, faster, and cheaper ways of working that are needed in the “new normal.”

At Praecipio Consulting, we can help your organization take advantage of the opportunities of digital transformation and enterprise service management to HR: Reach out, we'd love to help.

Topics: service-management human-resource itsm digital-transformation covid-19

It's About People...

By Amanda Babb on Apr 3, 2018 11:00:00 AM

Clients and potential clients ask us what sets us apart from other Atlassian Solution Partners. While I hate answering this question as I have good relationships with people from other Solutions Partners, I love the answer we have at Praecipio Consulting. 

We're people people. The relationship is the most important thing to our success. While we're working on the cutting edge of technology every day with every client, at the end of every day and every engagement, we're still focused on the people. The goal of every engagement is to make life just a little easier on the people through good process, well practiced. 

We're officially wrapping a nine-week engagement this week with a long-term client. This particular client has come back to us several times throughout my career here at Praecipio Consulting. The relationship and trust we've built with these folks have gone a long way to establishing both business and personal relationships around not only mutual interests but genuine caring about each other as people. 

This week, though, I was humbled by the other people I appreciate, but often overlook. When you stay at the same hotel for ~ two months, you get to know the staff as well. In particular, two employees stood out to me, not only for their excellent customer service, but their own openness and willingness to have conversations, debates, asking how the project team is doing, accommodating last minute changes, and making sure we were taken care of in whichever small ways they could. It's about the people and these two people showed us that what we drive with our clients is the right thing to do. 

Today was particularly poignant as this was my last night at this hotel. As a small gesture of my appreciation, I bought a simple bouquet and split it to give each of them a thank you for taking care of the project team. Not only taking care of the project team, but during a particularly arduous week, taking goofy pictures, discussing Netflix series, sharing their excitement of going to a Cavs game for the first time, or the excitement of the premiere of Black Panther. To put it plainly, they treated us like people...not consultants. 

At the end of the day, it's about people. It's about our day-to-day interactions with people that make what we do so amazing. Good days or bad days, people are people: interacting as a person and not as a title can bring great things to clients and friends. I, for one, am super proud to know these two amazing gentlemen and sincerely thank them for all they do!

Topics: praecipio-consulting blog teams human-resource

Praecipio Consulting is an Atlassian Platinum Partner

This means that we have the most experience working with Atlassian tools and have insight into new products, features, and beta testing. Through our profound knowledge of Atlassian environments and their intricacies, we can guide your organization as you navigate these important changes.
