Directory sync overview

What is Directory Sync? Should your organization use Directory Sync? How difficult is it to set up?

What is Directory Sync? 

Most companies have some sort of internal system that tracks all of their employees & the department or division where they work. Commonly these are referred to as Human Resource Information Systems (HRIS) or Identity Provider (IdP) systems. 

Directory Sync is a feature that allows an organization to easily sync all of their HRIS data with other applications or software. There are a couple of distinct technologies that fall under the umbrella of the Directory Sync product, but at the core is a technology standard called System for Cross-domain Identity Management, or SCIM. You’ll often see it written with the version of the standard, e.g. SCIM 1.1 or SCIM 2.0.

Why would a business want to use Directory Sync? 

When setting up a new app or system for use within a company, inevitably there comes a point where all of the users need to be invited. This is really simple if there are only 10 people; less so when it’s 100, and progressively gets more difficult. Did everyone accept the invite and set up their account? Are all the names/emails/team/roles/etc. correct? 

What about when someone leaves an organization? Some poor administrator will need to go through a list of all a company's apps and make sure the departed employee’s access is revoked. 

In applications where accurate team assignments are critical to the functionality of the app (like Tactic!) things get even more complicated. What happens when an organization goes through a reorg? What about when an employee transfers to a different division or moves to live next to a different office location? 

Instead of relying upon manual intervention by an admin or upon individual employees to make timely updates, Directory Sync provides a mechanism where all of the changes discussed above are handled automatically and within seconds of the data being updated.

💡 Directory Sync is built with one single purpose in mind: to make an admin’s life easier.

How to set up Directory Sync in Tactic?

Prerequisites

 To set up Directory Sync, an organization will need three things: 

  1. They will need to have at least one enterprise URL that they can prove ownership of & list within Tactic. Typically this is the URL at the end of an email address.
  2. They will need admin access to their identity provider’s admin portal 
  3. They will need admin access to their Tactic account

Steps

1. Log in to your Tactic account (account must have admin role)

2. Navigate to Settings -> Organization Settings

3. Click on the “Authentication” tab

Screenshot of the Tactic Organization Settings page

 

4. Enter all of the enterprise URLs that users created by the sync will have in their email address in the "Authorized Domains" section. Separate each URL with a comma, e.g.: gettactic.com, trytactic.com

🚧 Since Directory Sync & SSO are typically set up together, the enterprise URLs are, in almost all cases, the URLs that you want to be forwarded to your authentication provider. See our Single Sign-On article for more details.

5. Once the email URL or URLs (most organizations only have one) have been saved, click on the "Directory Sync" tab

6. Scroll down the list of available identity providers. If you see your provider on the list, click on the “Get Started” button.

💡 If you do not see your provider, don’t worry. You may still be able to set up Directory Sync via the generic “SCIM 1.1” or “SCIM 2.0” options. You will need to check if your provider allows for generic SCIM connections. If so, you can use those options.

7. Clicking “Get Started” will open a new tab to the self-service portal.

 

Screenshot of the Tactic Directory Sync self-service portal

 

8. The self-service portal will walk you through each step in the process, providing you with screenshots. Any information that needs to be entered can be input directly in the portal wizard.

Screenshot of Step 1 in the SCIM 2.0 setup process

Post Setup

Once Directory Sync has been set up, there should now be users & teams populated within the Tactic app. Sometimes the initial import process can take a few hours to finish, depending both on the volume of records and the constraints of the HRIS system. In most cases, it will only take a few minutes. 

After confirming all users & accounts have accurately been synced to Tactic, it’s time to finish any desk or office assignments, start creating recurring meetings with teams invited as attendees, or any other setup tasks that require accurate user & team information.

FAQ

What Directory Sync identity providers does Tactic work with? 

We’re always adding new providers but currently the list includes: 

  • Google Workspace
  • Azure Active Directory SCIM
  • Okta SCIM 1.1
  • Okta SCIM 2.0
  • OneLogin SCIM
  • Workday
  • Bamboo HR
  • Breathe HR
  • People HR
  • Rippling
  • Gusto
  • CyberArk SCIM
  • Hibob
  • PingFederate SCIM
  • JumpCloud SCIM
  • SCIM 2.0
  • SCIM 1.1

What if my identity provider is not on the list? 

First and foremost, send an email to support@gettactic.com so we can get it added to our product roadmap! Also, that's why the "SCIM 1.1" and "SCIM 2.0" options are on the list. If your provider has a SCIM-compliant endpoint, you can use those options (use 2.0, if available) for the setup and it should still work. If you're seeing any funny business, again please reach out and someone on our team will try to help.

Can I use Directory Sync without Single Sign-On (SSO)? 

It is possible to use Directory Sync without SSO but we highly recommend using them together. We purposefully try to make both SSO and Directory Sync affordable since it makes everyone’s experience with Tactic better. If you use Directory Sync without SSO, essentially it will allow for up-to-date information but onboarding will still be a bit of a hurdle. You will need to contact your Tactic customer success manager or work with the Tactic support team to coordinate a welcome email that will allow each employee to claim their pre-created account. The alternative to a welcome email is asking all employees to trigger an email reset via the “Forgot my password” link on the login page. Additionally, if the employee's email address is updated within the HRIS system, you will need to create a support ticket to have the email used for the user’s email login changed as well.

How does data get passed from the HRIS system to Tactic? 

Once you’ve set up the SCIM connection between Tactic and your Identity Provider System (IdP) or HRIS, updates are sent to a Tactic API endpoint by your IdP every time there is a registered change. These updates are processed by Tactic and reflected within your account as quickly as we receive them.
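A sketch of how a SCIM 2.0 receiver could process the updates an IdP pushes, covering the leaver case described earlier on this page and an authorized-domain check on new accounts. This is an added example, not Tactic's code; the function names, the in-memory directory, the use of `userName` as the email address and the sample messages are assumptions.

```python
import json

# Assumption: the same values as the page's "Authorized Domains" example.
AUTHORIZED_DOMAINS = {"gettactic.com", "trytactic.com"}
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def domain_allowed(user_name):
    """True only if the address ends in exactly one of the authorized domains."""
    local, sep, domain = user_name.rpartition("@")
    return bool(local and sep) and domain.lower() in AUTHORIZED_DOMAINS

def create_user(directory, body):
    """Apply a SCIM 2.0 POST /Users body; returns an HTTP-style status."""
    if USER_SCHEMA not in body.get("schemas", []):
        return 400
    name = body.get("userName", "")
    if not domain_allowed(name):
        return 403  # never create accounts outside the verified domains
    directory[name.lower()] = {"active": bool(body.get("active", True))}
    return 201

def as_bool(value):
    # Some provisioning clients send the string "False" instead of JSON false.
    return value.strip().lower() == "true" if isinstance(value, str) else bool(value)

def patch_user(directory, name, body):
    """Apply a SCIM 2.0 PATCH body that changes `active` (deprovisioning)."""
    user = directory.get(name.lower())
    if user is None:
        return 404
    if PATCH_SCHEMA not in body.get("schemas", []):
        return 400
    for op in body.get("Operations", []):
        if str(op.get("op", "")).lower() != "replace":
            continue  # this sketch only models activation changes
        value = op.get("value")
        if str(op.get("path", "")).lower() == "active":      # path form
            user["active"] = as_bool(value)
        elif isinstance(value, dict) and "active" in value:  # path-less form
            user["active"] = as_bool(value["active"])
    return 200

# Constructed sample messages, in the order an IdP would send them.
NEW_HIRE = json.loads('{"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],'
                      ' "userName": "ada@gettactic.com", "active": true}')
LOOKALIKE = dict(NEW_HIRE, userName="ada@gettactic.com.example.net")
LEAVER = json.loads('{"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],'
                    ' "Operations": [{"op": "Replace", "value": {"active": "False"}}]}')
```

The lookalike address is rejected because the domain is compared exactly rather than by prefix, and the leaver message deactivates the account even though it uses a capitalised `op` and a string boolean.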

What are the permissions required by Tactic to access an IdP system? 

This will vary depending on the system you’re trying to sync with, but generally SCIM endpoints are fairly well documented by each respective IdP. If you have questions about what is required for your specific system, the best place to start is typically your IdP system’s documentation.