# User Provisioning

## Overview

The self-provisioning connector is a directory connector that automatically creates and synchronizes a user from the claims in that user's session token, which carries the claims from the OpenID Connect provider's ID token. This feature is compatible only with OpenID Connect authentication.

## Prerequisites <a href="#prerequisites-user-provisioning" id="prerequisites-user-provisioning"></a>

* Make sure to have a working WorkflowGen instance.
* Make sure to know the instance's IP address or its fully qualified name.
* Make sure to know the address of the instance.
* Make sure to have configured Okta or one of the other OIDC-compliant authentication methods ([Microsoft Entra ID](https://docs.advantys.com/docs/azure/azure-active-directory-authentication), formerly Azure Active Directory; [AD FS](https://docs.workflowgen.com/tech/10.0/adfs-integration/authentication); [Auth0](https://docs.workflowgen.com/tech/10.0/auth0-integration/authentication); or [Microsoft Identity Platform v2.0](https://docs.advantys.com/docs/azure/azure-active-directory-authentication)).

## WorkflowGen configuration <a href="#workflowgen-configuration-user-provisioning" id="workflowgen-configuration-user-provisioning"></a>

This section will guide you through the WorkflowGen configurations necessary to set up the self-provisioning feature with a directory.

### Step 1: Create a self-provisioning directory

This directory will contain all of the users that are not provisioned elsewhere. To create a self-provisioning directory, do the following:

1. On the **Directories** page in the WorkflowGen Administration Module, click **New directory**.
2. Fill in the form:
   * **Name**: `SELF_PROVISONING` (or something else)
   * **Description:** A good description of the directory
   * **Directory connector:** `Self-provisioning`

     ![](https://content.gitbook.com/content/2sHxsrPmYoHfTyABKAbS/blobs/2F9JTp83A83jXYYjuTZb/create-self-prov-dir-crop.png)
3. Click **Save**.

### Step 2: Configure the user fields-to-claims mapping

Now that you've created a new directory with the self-provisioning connector, you need to define which claims are mapped to which WorkflowGen user field. To do this:

1. On the new directory's page, click **Edit mapping**.

   ![](https://content.gitbook.com/content/2sHxsrPmYoHfTyABKAbS/blobs/I8hp3XrXTG4VQnhlGVvY/self-prov-dir-edit-mapping.png)
2. To the right of the name of the WorkflowGen user field, enter the name of the claim in the session token that you want to map.

   Here's an example of a session token generated by the `auth` node application from the Okta ID token connected with Google Apps:

   ```json
   {
       "sub": "some.user@advantys.com",
       "iss": "https://<workflowgen_url>/auth",
       "aud": "https://<workflowgen_url>",
       "exp": 1535627127,
       "https://api.workflowgen.com/username": "some.user@advantys.com",
       "given_name": "Some",
       "family_name": "User",
       "nickname": "some-user",
       "name": "Some User",
       "picture": "https://lh4.googleusercontent.com/path/to/photo.jpg",
       "gender": "male",
       "locale": "en",
       "updated_at": "1970-01-01T00:00:00Z",
       "email": "some.user@advantys.com",
       "email_verified": true,
       "nonce": "ffdd6d95-31e6-4466-84c4-43f8c0fbaae7",
       "iat": 1535591128
   }
   ```

   These claims could be mapped in WorkflowGen like this:

   ![](https://content.gitbook.com/content/2sHxsrPmYoHfTyABKAbS/blobs/yjNQWOQRWqG9pyQZesA8/self-prov-example-mapping-crop.png)

   ✏️ **Note:** The **Username** and **Name** fields are required.
3. Click **Save**.
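
Before saving a mapping, it can help to check it against a real session token. The following is an added example, not WorkflowGen code: it decodes a token payload for inspection and reports which mapped fields resolve to a claim. The function names, the `Email` field label and the sample token are assumptions constructed from the claims shown above.

```javascript
// Added example: pre-flight check of a field-to-claim mapping against a session token.
const REQUIRED_FIELDS = ["Username", "Name"]; // required per the note in Step 2

// Decode the payload segment of a compact JWT for inspection only.
// No signature verification happens here; never use this to authenticate anyone.
function decodePayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Resolve each mapped field from the claims. Claim names are matched exactly,
// so a namespaced claim must be entered as its full URL-style key.
function checkMapping(mapping, claims) {
  const resolved = {};
  const unresolved = [];
  for (const [field, claimName] of Object.entries(mapping)) {
    const value = Object.prototype.hasOwnProperty.call(claims, claimName)
      ? claims[claimName] : undefined;
    if (typeof value === "string" && value.trim() !== "") resolved[field] = value;
    else unresolved.push(field);
  }
  const missingRequired = REQUIRED_FIELDS.filter((f) => !(f in resolved));
  return { resolved, unresolved, missingRequired, ok: missingRequired.length === 0 };
}

// Constructed sample token using claims from the example above (dummy header and signature).
function sampleToken() {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return [enc({ typ: "JWT" }), enc({
    sub: "some.user@advantys.com",
    "https://api.workflowgen.com/username": "some.user@advantys.com",
    given_name: "Some", family_name: "User", name: "Some User",
    email: "some.user@advantys.com", email_verified: true,
  }), "constructed-signature"].join(".");
}

// Hypothetical mappings: the first uses the exact claim keys, the second uses
// short names that do not exist in the token.
const goodMapping = { Username: "https://api.workflowgen.com/username", Name: "name", Email: "email" };
const badMapping = { Username: "username", Name: "name", Email: "mail" };

console.log(checkMapping(goodMapping, decodePayload(sampleToken())));
console.log(checkMapping(badMapping, decodePayload(sampleToken())));
```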
