In this article, you'll learn about the User Management section of your KSAT account settings. In the User Management section, you can update your user provisioning settings and your general user settings.
User Provisioning
In the User Provisioning section, you can edit your user provisioning settings. You have the ability to use Active Directory Integration (ADI) or SCIM to provision your users.
See below for more information about the settings in this section:
- Enable User Provisioning: Select this check box if you'd like to use Active Directory (AD) or SCIM to manage your users. After you select this check box and save your Account Settings, you'll have access to a new Provisioning subtab. To access this subtab in your console, navigate to Users > Provisioning.
- Test Mode: This check box is selected by default. We recommend that you keep this check box selected until you’re satisfied with the results of your sync. If you use test mode, you have the ability to view details about your sync and what actions would have occurred if test mode was disabled. To see these details, navigate to Users > Provisioning.
- ADI or SCIM: Select either ADI or SCIM to view the integration settings for that method.
-
Active Directory Integration Settings: Click ADI or expand this menu to see options for syncing with ADI.
- Show Group Domain: If your users are split between multiple domain sources, you can select this check box to add the root domain to each of the AD-synced group names in the KSAT console. Adding the root domain allows you to better organize your users.
-
ADI Sync Token: This is the unique account token that you'll need during the ADI installation process. If you’d like, you can click the Regenerate ADI token button to generate a new token.
Important:Please be aware that if you regenerate your ADI Sync token, you will not be able to sync your Active Directory until you update your Active Directory Sync Tool with the new sync token. We recommend that you only regenerate your ADI token to stop existing syncs from a tool that you don't know the location of. For more information about ADI, see our Active Directory Integration (ADI) Configuration Guide.
- View ADI Installation Guide: Click this button to see our Active Directory Integration (ADI) Configuration Guide. Be sure to read this guide before you install the tool.
- Download Active Directory Sync Tool: Click this button to download and install the ADI sync tool.
-
SCIM Settings: Click SCIM or expand this menu to see options for syncing with SCIM.
- Generate SCIM Token: Click this button to generate a new SCIM token. This token can only be viewed once, so you'll need to make sure to save the information before closing the window. If you regenerate a SCIM token, you'll need to be sure to update your identity provider with the most recent token.
- Tenant URL: Enter your tenant URL to connect KSAT with your identity provider.
- View Our SCIM Guide: Click this link to see our SCIM Configuration Guide.
User Provisioning Notifications
In the User Provisioning Notifications section, you can enable notifications to alert users if your organization doesn’t receive a user provisioning sync within a selected time frame. Notifications include an email alert and a banner at the top of the KSAT console.
See below for more information about the settings in this section:
- Enable User Provisioning Notifications: Select this check box to enable user provisioning notifications.
- Time Frame: Select the amount of time that should pass before alerting users that a user provisioning sync has not been received. For example, if you would like to be notified if a sync hasn’t been received in 48 hours, select 48 hours.
- Notification Recipients: Enter the email addresses of users you would like to receive notifications.
User Settings
In the User Settings section, you can edit user and admin permissions.
See below for more information about the settings in this section:
- Allow Users to Create Accounts: Select this check box to allow your users to create their own accounts. We recommend that you only enable this setting in special cases.
- Use Password-less Login: Select this check box to allow users to log in to the Learner Experience (LX) without entering a password. If you enable this setting, make sure to use training notifications that have the "password-less" tag. You can also create your own training notifications using our Password-less Link placeholders. For more information, see our How to Enable and Use Password-Less Logins article.
- Disable Password-less Login for Admins: Select this check box to disable password-less logins for admins.
- Expire Password-less Link After: If you have enabled password-less logins, this setting defines how long the password-less link will remain active for your users. This duration must be between one and 999 days.
- Require users to reset initial password set by admins: Select this check box to allow admins to set users' initial passwords and require users to change their passwords after their first login.
- Only Allow Console Sessions from One IP at a Time: Select this check box to allow admins to log in to separate instances of the console at the same time, as long as they log in from the same IP address. For more information, see our Session Settings Guide.
- Restrict Console Sessions to Specific IP Ranges: Select this check box to restrict admin and security role user sessions to the IP addresses entered below. You can either enter the IP addresses individually and separate them with commas, or you can enter a range of IP addresses. For example, you could enter an IP address range of 147.160.167.0/26. If you'd like to enter multiple IP ranges, you can separate each range with commas.
- Admin Session Timeout: Select the time period that you'd like admin account sessions to remain active. If the session is still inactive after this time period, admins will be logged out of their accounts. For more information, see our Session Settings Guide.
- User Session Timeout: Select the time period that you’d like LX sessions to remain active. If the session is still inactive after this time period, your users will be logged out of their accounts. For more information, see our Session Settings Guide.
- Minimum Password Length: Select the minimum length required for user passwords. You can choose between eight and 32 characters.
- Require MFA: Select whether Multi-factor authentication (MFA) is required for all users, just for admins, or not necessary for either group. MFA must be set up the next time they log in. For further instructions regarding restoring a user’s access when this setting is enabled, see the Unlocking a User’s Account section of our Enable Two-Factor or Multi-Factor Authentication on Your Account article.
- Remember Trusted Device: If enabled, users and admins only need to log in with MFA once per trusted device for the specified time period below.
- Remember Device for: Enter the number of days you want the system to remember MFA for your trusted device.