Press "Enter" to skip to content
< Back

IAM Employee Provisioning

Employee Provisioning for IAM – Okta/Azure

In contrast to IDP-only “signin with” first-time linking process, under IAM, employees must be independently provisioned (i.e. linked to the externally managed user in the IAM directory) by a manager before they can access WhenToWork. In this case, employee user types are never prompted to enter a w2w login id and password.

New page at EMPLOYEES → Okta/Azure Employee Provisioning provides the tools needed to provision new or existing employees.

Grid with three views – New/Existing/Deleted

New – Added to IAM directory, but not yet linked to a w2w employee.

On the right of the list of ext users, there are two columns, Emp Action and Mgr Action. Click on either cell or both set a pending action to provision an existing w2w employee as either employee or manager or both, or to create and provision a new employee or manager.

All actions are executed by clicking on the Save button.

After provisioning changes are saved, affected users will henceforth appear in the “Existing” list.

Existing – Link exists between IAM directory and active w2w employee.

Shows employee status in the “Is Emp” and “Is Mgr” columns.

Provisioning links can be removed by selecting rows and clicking on “Unlink SSO”.

Modifications of provisioning for users in the Existing list can only be accomplished by first unlinking. Unlinking returns the user to the New list, wherein provisioning can be selectively added.

Final column “Last Login” displays an icon which indicates whether the user’s last login succeded or failed. Click on that cell for detail.

Deleted – w2w link exists for active w2w employee, but deleted/missing from external IAM directory.

Provisioning links can be removed by selecting rows and clicking on “Unlink SSO”.


Provisioning users is very slow.

If your user directory is very large, you may experience slow response when provisioning users. This condition can be improved by fashioning a Users Query Url with a filter that limits the result set to only the people that belong to your organization. Note the following example:
Consult Microsoft Graph API online docsfor information regarding query URL syntax: