User profile field integration with the third-party identity providers ThoughtFarmer supports (Azure AD, on-premise AD, Okta, Google Workspace) lets you set the data owner on a per-field basis. You can either let the identity provider be the source of truth for that data, or let ThoughtFarmer own that data. Setting ThoughtFarmer as the data owner is useful for self-management of fields (e.g. phone, address) and for pushing those changes out to the configured identity provider.
Please note that each identity provider has its own set of permissions and scopes required to allow read and write access. Refer to the specific provider's ThoughtFarmer Employee Directory Connector (EDC) documentation for details. Only enable the minimal set of permissions required for your chosen configuration.
Identity provider-owned fields
When the third-party identity provider is the data owner, the mapped fields are considered read-only. We recommend configuring these fields in the Admin panel: Users & security section > Template - profile details page so that only admins can edit them. Otherwise, any changes users make to those fields on their profile will be overwritten by the next sync. To do this, select the Only admin can edit checkbox when editing the profile field.
When a field is owned by ThoughtFarmer and a user changes it on their profile, the update is pushed to the configured provider for that user only, at the time of the save. There is no bulk sync push task that overwrites all ThoughtFarmer-owned fields on the third-party side. Updates are triggered only by an individual profile page save.
To enable this on the ThoughtFarmer side, the EDC must have write mode enabled, and fields must be mapped with ThoughtFarmer as the data owner.
User attribute field mapping test
You can perform a test to see what user data is returned to ThoughtFarmer during a user sync, and how ThoughtFarmer interprets that data in relation to field mappings. This allows you to have a clear understanding of how data from the external user store syncs with the user fields in ThoughtFarmer. This feature is supported for Azure AD, Google and Okta only.
- Go to the Admin panel: Users & security section > Employee directory connector page.
- Click on the external user store whose field mapping sync you want to understand.
- Click on the User testing tab.
- Enter the username of the user whose data you want to load from the external user store.
- Click Load user.
Once the data loads, you will see the ThoughtFarmer fields listed with each corresponding piece of data from the external user store. This can help you understand how the information in the external user store is synced and understood by ThoughtFarmer.