Configure Workplace by Facebook user provisioning

As an administrator, once you've set up SSO, your next step is to set up automated user provisioning. With it, you authorize, create, modify, or delete a user's identity once in G Suite, and the changes to that identity are reflected in Workplace by Facebook.

Set up user provisioning for the Workplace by Facebook application
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps and then SAML Apps.

    To see Apps on the Home page, you might have to click More controls at the bottom. 

  3. Click the Workplace by Facebook application.
  4. Select User provisioning.
  5. Under User provisioning, click Set up user provisioning.

    In the Authorize window, you're asked for an Access Token. This is a one-time step. If you've authorized Google in the past, your Workplace by Facebook application won't ask for approval again. However, if you've revoked access and haven't reauthorized since, you'll be asked for authorization.

  6. Open a new browser tab and sign in to your Workplace by Facebook administrator account.
  7. In Workplace, navigate to the Admin Panel page (accessible from a menu in the top right corner), then to the Integrations tab.
  8. Select Custom integration.
  9. Enter a relevant name (for example “G Suite as IdP”) and description.
  10. If you want users to be invited upon creation, check the box below Manage Accounts.
  11. Click the Create Access Token button, then copy the displayed access token.
  12. Return to the Admin console browser tab and paste the Access Token in the Authorize dialog box.
  13. Click Next.
  14. Enter https://www.facebook.com/scim/v1/ in the Provide endpoint URL field.
  15. Click Next.
  16. In the Map attributes dialog box:
    1. Next to the selected Cloud Directory attribute, click the Down arrow to map to the corresponding Workplace by Facebook attribute. Attributes marked with (*) must be mapped.
    2. Click Next.
  17. (Optional) In the Set provisioning scope dialog box, add a group to restrict provisioning to members of groups you define:
    1. Click the underscore and begin typing your group name. 
      A list of available groups appears.
    2. Select a group to add it; another underscore opens so you can add another group. Add more groups, if necessary.
    3. To remove any group you've added, click Edit next to it.
  18. Once you’re done, click Finish.
  19. Review the information in the Provisioning summary dialog box, then click OK.
  20. At the top right of the gray box, click Edit Service.

  21. Click Activate provisioning.
    Note: If you added groups using the Set provisioning scope dialog box you must choose a scope or the Activate Provisioning button remains grayed out. You must set the app to On for everyone or On for some organizations and refresh the page before activating provisioning. If the app is set to Off, this choice is grayed out.
  22. In the confirmation dialog box, click Activate.  
Re-authorizing user provisioning for the Workplace by Facebook application

If you reset your access token or delete the application, you should reauthorize user provisioning for the Workplace by Facebook application.

  1. Sign in to the Workplace by Facebook application as an administrator.

  2. In Workplace by Facebook, navigate to the Admin Panel page (accessible from a menu in the top right corner), then to the Integrations tab.

  3. Select Custom integration.
  4. Enter a relevant name (for example “G Suite as IdP”) and description.
  5. Assign the app "Manage Accounts" permissions.
  6. Click the Create Access Token button and copy the displayed access token.
  7. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  8. Go to Apps and then SAML apps.

  9. Click the Workplace by Facebook application.

  10. Select Re authorize app.

  11. Paste the copied access token into the text box on the G Suite admin console window that asks for the token.

  12. Click Save.  

Display user provisioning

Once provisioning is enabled, Google begins collecting usage information. Next to User Provisioning, you see the usage information section. There aren't any numbers next to the event names until you enable provisioning.

The following event names provide the usage information for the last 30 days:

  • Users created
  • Users suspended
  • Users deleted
  • User failures

For more information, see Monitor user provisioning.

Edit provisioning scope

You may want to restrict the scope of provisioning to members of groups you define.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps and then SAML Apps.

    To see Apps on the Home page, you might have to click More controls at the bottom. 

  3. Click the Workplace by Facebook application.
  4. Select User provisioning.
  5. Under User provisioning, click Edit provisioning scope.
  6. In the Set provisioning scope dialog box, add a group to restrict provisioning to members of groups you define:
    1. Click the underscore and begin typing your group name. 
      A list of available groups appears.
    2. Select a group to add it; another underscore opens so you can add another group. Add more groups, if necessary.
    3. To remove any group you've added, click Edit next to it.
  7. Once you’re done, click Finish.
  8. The next time you click Edit provisioning scope under User provisioning, the groups you added appear in the Set provisioning scope window. If you've turned on the Workplace by Facebook application for a set of organizational units, the provisioning scope will be restricted to those users in the added groups who are also members of those organizations.
Deactivate user provisioning

To disable user provisioning for the Workplace by Facebook application without losing all the configuration information:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps and then SAML Apps.

    To see Apps on the Home page, you might have to click More controls at the bottom. 

  3. Click the Workplace by Facebook application.
  4. Select User provisioning.
  5. Under User provisioning, click Deactivate provisioning.
  6. In the Deactivate provisioning dialog box, click Deactivate.
Define deprovisioning timeframes

To define how long de-provisioning actions should be delayed before taking effect:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps and then SAML Apps.

    To see Apps on the Home page, you might have to click More controls at the bottom. 

  3. Click the Workplace by Facebook application.
  4. Select User provisioning.
  5. Under User provisioning, click Edit deprovisioning config.
  6. In the Deprovisioning configuration dialog box, select one or more of the following options to define how long deprovisioning actions should be delayed before taking effect:
    1. When an app is turned off for the user, suspend their account, soft delete their account, or both, after the number of days you choose.

      A suspended account is temporarily unavailable until it's restored.

      A soft deleted account can be restored without data loss up to 7 days after deletion.
    2. When a user is suspended on Google, suspend their account, soft delete their account, or both, after the number of days you choose.
    3. When a user is deleted from Google, suspend their account, soft delete their account, or both, after the number of days you choose.

      The amount of time before deprovisioning takes effect can be set to within 24 hours, after 1 day, after 7 days, or after 30 days.

      The default for each is to suspend the account within 24 hours. Always set the amount of time before deleting a user's account to more than the amount of time before suspending a user's account.
  7. Click Save.
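
Added example (not part of the original documentation): a Python check for a planned deprovisioning configuration before you enter it in the dialog box, enforcing the rule above that the delete delay must be more than the suspend delay. The dictionary layout, the trigger and action key names, the use of the listed option order as "more than", and the minimum delay assigned to each option are assumptions of this example.

```python
from datetime import datetime, timedelta

# Delay options named on this page, in increasing order. The minimum delay
# attached to each is this example's reading of the option text (assumption).
DELAYS = {
    "within 24 hours": timedelta(0),
    "after 1 day": timedelta(days=1),
    "after 7 days": timedelta(days=7),
    "after 30 days": timedelta(days=30),
}
ORDER = list(DELAYS)
# Hypothetical keys for the three triggers and two actions in the dialog box.
TRIGGERS = ("app_turned_off", "suspended_on_google", "deleted_from_google")
ACTIONS = ("suspend", "soft_delete")
RESTORE_WINDOW = timedelta(days=7)  # soft-delete restore window from the page

# Constructed sample plan; the last entry breaks the ordering rule.
SAMPLE_PLAN = {
    "app_turned_off": {"suspend": "within 24 hours"},
    "suspended_on_google": {"suspend": "after 1 day", "soft_delete": "after 7 days"},
    "deleted_from_google": {"suspend": "after 7 days", "soft_delete": "after 7 days"},
}

def check_plan(plan):
    """Return a list of problems in a {trigger: {action: delay}} plan."""
    problems = []
    for trigger, actions in plan.items():
        if trigger not in TRIGGERS:
            problems.append(f"{trigger}: unknown trigger")
            continue
        invalid = [f"{trigger}: invalid setting {a}={d!r}"
                   for a, d in actions.items()
                   if a not in ACTIONS or d not in DELAYS]
        if invalid:
            problems.extend(invalid)
            continue
        suspend, delete = actions.get("suspend"), actions.get("soft_delete")
        # The page's rule: the delete delay must be more than the suspend delay.
        if suspend and delete and ORDER.index(delete) <= ORDER.index(suspend):
            problems.append(f"{trigger}: soft delete ({delete}) is not later "
                            f"than suspend ({suspend})")
    return problems

def earliest_restore_expiry(event_time, delete_delay):
    """Earliest time the restore window can close after a trigger event."""
    return event_time + DELAYS[delete_delay] + RESTORE_WINDOW

if __name__ == "__main__":
    print(check_plan(SAMPLE_PLAN), earliest_restore_expiry(datetime(2024, 1, 1), "after 7 days"))
```

An empty list from check_plan means every trigger in the plan uses a listed delay and deletes later than it suspends.
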
Remove user provisioning

To disable user provisioning for the Workplace by Facebook application and remove all the configuration information:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps and then SAML Apps.

    To see Apps on the Home page, you might have to click More controls at the bottom. 

  3. Click the Workplace by Facebook application.
  4. Select User provisioning.
  5. Under User provisioning, click Delete provisioning.
  6. In the Delete provisioning config dialog box, click Delete to de-activate user provisioning and remove all the configuration information. 

    Existing users on Workplace by Facebook are not deprovisioned.