OnboardConnect

1. What is OnboardConnect?

OnboardConnect is a cloud-based student account provisioning platform designed for higher education IT departments. It automates the creation, update, and deactivation of student accounts in Active Directory (AD) and Azure AD based on enrollment data — eliminating manual work and reducing provisioning lag from days to minutes.

How it works

1. Data arrives — via SFTP file feed (CSV/XML) or Slate CRM enrollment events.
2. Rules evaluate — your configured Workflow rules match each student record and determine the correct action (create, update, disable, delete).
3. Provisioner executes — OnboardConnect's on-premise Agent applies the action in your AD environment.
4. Results are logged — every action is recorded in the Audit Log with actor, timestamp, and outcome.

Key capabilities

2. Your 90-Day Trial

Every new institution starts with a full 90-day trial. During the trial:

• All features are fully unlocked — no functionality is restricted.
• There are no student creation limits. You can provision as many accounts as you need to test the full workflow.
• No credit card or purchase order is required to start.
• A yellow banner appears in the portal showing how many days remain.

3. Initial Setup

After your account is provisioned by Zentrosoft, you will receive a login invitation email. Complete setup in this order:

3.1 Sign in for the first time

1. Click the link in your invitation email.
2. Set your password and complete your profile.
3. Sign in at your institution's OnboardConnect portal URL (e.g., app.onboardconnectapp.com).

3.2 Configure your AD connection

Go to Connections and add your Active Directory or Azure AD connection. You will need to install the OnboardConnect Agent on a server inside your network first — see On-Premise Agents.

3.3 Set up your data source

Connect at least one data source:

• SFTP — for SIS file exports. See SFTP File Feeds.
• Slate — for CRM-driven provisioning. See Slate CRM.

3.4 Create your first Workflow

Go to Workflows and create a rule that maps incoming student data to a provisioning action. See Workflows for details.

3.5 Run a test

Trigger a manual run with a test record to verify the end-to-end flow before enabling automatic polling.

4. Users & Roles

OnboardConnect uses role-based access control (RBAC). Each user is assigned a role that determines which portal sections and actions they can access.

Manage users from Settings → Users & Roles. See Users & Roles settings.

5. Dashboard

The Dashboard gives you a real-time snapshot of your provisioning environment.

KPI cards

Recent activity

The activity feed shows the last 10 provisioning events with student name, action taken, and result. Click any row to open the full Audit Log entry.

Job queue chart

A bar chart showing daily job volume (created, updated, disabled) for the past 14 days. Useful for identifying unusual spikes or drops in provisioning activity.

6. Students

The Students section is your searchable roster of all student records OnboardConnect has ingested and processed.

6.1 Student list

Use the search bar and filters to find students by:

• Name or email
• Student ID
• Enrollment status (active, inactive, graduated, withdrawn)
• Account status (provisioned, disabled, pending, error)
• Program or department

6.2 Student detail

Click any student row to open their detail view, which includes:

• Profile — name, email, student ID, program, enrollment status
• AD Account — current username, account enabled/disabled state, last synced
• Provisioning history — every action taken on this student with timestamps
• Active jobs — any in-progress or queued jobs

6.3 Manual actions

From the student detail page, authorized users can trigger manual actions:

7. Workflows

Workflows are the heart of OnboardConnect. Each workflow defines a set of conditions to match against incoming student data and an action to take when those conditions are met.

7.1 How workflows work

When a new student record arrives (via SFTP or Slate), the system evaluates each active workflow in order until one matches. The matching workflow's action is queued as a provisioning job.

7.2 Creating a workflow

1. Go to Workflows and click New Workflow.
2. Give the workflow a descriptive name (e.g., "New undergrad — create AD account").
3. Set the trigger: enrollment event type (new admit, re-enroll, withdrawal, graduation).
4. Add conditions to filter which students match (e.g., Program = "Undergraduate", Campus = "Main").
5. Choose the action: Create, Update, Disable, or Delete.
6. Configure account settings for Create actions: OU path, username format, group assignments, email domain.
7. Toggle Active and save.

7.3 Conditions

Each condition is a field/operator/value triple. Supported fields include:

Combine multiple conditions with AND (all must match) or OR (any must match).

7.4 Actions

7.5 Username format

For Create actions, define the username template using field tokens:

{first_initial}{last_name}           → jsmith
{first_name}.{last_name}            → john.smith
{first_name}.{last_name}{grad_year} → john.smith25
{student_id}                        → 1234567

OnboardConnect automatically appends a numeric suffix (jsmith2, jsmith3) if the generated username already exists in AD.

7.6 Reordering workflows

Drag and drop workflow rows to change evaluation order. Changes are saved immediately.

7.7 Testing a workflow

Use the Test button on any workflow to run it against a sample student record without executing any real actions. The test result shows which step would be taken and why.

8. Connections

Connections define the external systems OnboardConnect communicates with. Each connection type has its own configuration panel.

8.1 Active Directory connection

Configure in Connections → Active Directory. Requires the OnboardConnect Agent to be installed on-premise. See Active Directory / LDAP.

8.2 SFTP connection

Configure in Connections → SFTP. Provide the host, port, credentials, and file path pattern. See SFTP File Feeds.

8.3 Slate connection

Configure in Connections → Slate. Requires a Slate API key and webhook endpoint setup. See Slate CRM.

8.4 Connection health

Each connection card shows a status indicator:

• Connected — last test passed within the last hour
• Degraded — connected but recent errors detected
• Disconnected — connection test failing
• Unconfigured — not yet set up

Click Test Connection on any card to run an immediate health check.

9. Audit Log

The Audit Log is an immutable record of every provisioning action and administrative change in your OnboardConnect account.

9.1 What is logged

• Every student provisioning action (create, update, disable, delete) with outcome
• Manual actions triggered by portal users
• Workflow changes (created, modified, deleted, reordered)
• Connection configuration changes
• User invitations, role changes, and removals
• Settings changes
• SFTP file processing events
• Agent connection and disconnection events

9.2 Reading log entries

Each entry shows:

9.3 Filtering and searching

Filter the audit log by date range, actor, event type, student name/ID, and result (success/failure). Export filtered results to CSV for compliance reporting.

10. Reports

The Reports section provides pre-built reports and lets you save custom filtered views.

10.1 Built-in reports

10.2 Saved reports

Apply filters to any report and click Save Report to save your filter configuration. Saved reports appear in the Saved tab and can be re-run at any time or scheduled for periodic email delivery.

10.3 Exporting

Every report can be exported as CSV. Click Export CSV at the top of any report view.

11. Usage

The Usage section shows your annual student account creation consumption against your plan limit.

Reading the usage dashboard

If you are approaching your limit, contact solutions@zentrosoft.com to discuss increasing your limit or upgrading your plan.

12. Settings — User Provision

Configure global provisioning behavior that applies to all workflows.

12.1 Default OU path

The default Active Directory Organizational Unit where new accounts are created. Individual workflows can override this value.

OU=Students,OU=Users,DC=university,DC=edu

12.2 Email domain

The email domain appended to generated usernames (e.g., @university.edu). Used to construct the primary email address and UPN for new accounts.

12.3 Default password policy

Choose how initial passwords are set for new accounts:

• Random — a secure random password is generated and emailed to the student's personal email.
• Student ID — the student's ID number is used as the initial password (requires a forced reset at first login).
• Fixed — a fixed initial password you define (not recommended for production).

12.4 Disable delay

When a student withdrawal is received, you can configure a grace period (in days) before the account is actually disabled. This prevents accidental lockouts from brief administrative enrollment gaps.

12.5 Notifications

Configure email notifications for provisioning events:

• New account created — send welcome email to student
• Account disabled — notify student and/or IT staff
• Provisioning errors — alert specific IT staff addresses

13. Settings — Users & Roles

13.1 Inviting users

1. Go to Settings → Users & Roles.
2. Click Invite User.
3. Enter the user's work email and select their role.
4. Click Send Invite. The user receives an email with a setup link valid for 48 hours.

13.2 Managing existing users

From the user list, you can:

• Change a user's role
• Suspend a user (blocks login, preserves account)
• Reactivate a suspended user
• Remove a user entirely
• Resend an invitation that hasn't been accepted

13.3 Custom roles

In addition to the built-in roles, Owners can create custom roles with fine-grained permission sets. Click New Role, name it, and toggle individual permissions on or off.

14. Settings — SSO

OnboardConnect supports SAML 2.0 single sign-on for staff portal logins. SSO is configured per institution.

14.1 Configure SAML SSO

1. Go to Settings → SSO.
2. Download the OnboardConnect Service Provider metadata XML.
3. Upload it to your identity provider (Okta, Azure AD, ADFS, or other SAML 2.0 IdP).
4. Copy the IdP metadata URL or paste the IdP metadata XML into OnboardConnect.
5. Map the required attributes: email, first_name, last_name.
6. Click Test SSO to verify the configuration before enabling.
7. Toggle Enable SSO.

15. Settings — Developer

15.1 API keys

Generate API keys to authenticate requests to the OnboardConnect REST API from your own scripts or systems.

1. Go to Settings → Developer.
2. Click New API Key, name it descriptively (e.g., "Banner integration").
3. Copy the key immediately — it will not be shown again.

15.2 Webhooks

Configure an HTTPS endpoint to receive real-time event notifications. OnboardConnect sends a POST request with a JSON payload for every provisioning event.

Available webhook events:

• student.provisioned — new account created
• student.updated — account attributes updated
• student.disabled — account disabled
• student.deleted — account removed
• job.failed — provisioning job failed
• agent.disconnected — on-premise Agent went offline

Payloads are signed with an HMAC-SHA256 signature using your webhook secret. Verify the X-OC-Signature header on every received request.

15.3 Webhook signature verification

// Node.js example
const crypto = require('crypto');
const signature = req.headers['x-oc-signature'];
const body = req.rawBody; // raw JSON string
const expected = crypto
  .createHmac('sha256', process.env.OC_WEBHOOK_SECRET)
  .update(body)
  .digest('hex');
if (signature !== expected) return res.status(401).end();

16. Integration — Active Directory / LDAP

OnboardConnect connects to your on-premise AD through the OnboardConnect Agent — a lightweight service that runs inside your network and receives encrypted provisioning instructions from the cloud.

16.1 Install the Agent

1. Go to Settings → Agents and click Download Agent.
2. Copy your Agent token — you will need it during installation.
3. Run the installer on a Windows Server 2016+ machine with network access to your domain controllers. The machine does not need to be internet-facing.
4. Paste the Agent token when prompted. The Agent registers with OnboardConnect and appears as Online in the portal.

16.2 Agent requirements

16.3 High availability

Install the Agent on two servers for redundancy. OnboardConnect automatically load-balances and fails over between healthy agents. Both agents must use the same tenant token.

16.4 AD service account permissions

The Agent runs as a Windows service under a dedicated AD service account. Grant the account Create, Delete, Modify permissions on the target OUs, and Reset Password rights if you use OnboardConnect password resets.

17. Integration — SFTP File Feeds

OnboardConnect can pull enrollment data files from your SIS via SFTP on a schedule.

17.1 Configure SFTP

1. Go to Connections → SFTP.
2. Enter the SFTP hostname, port (default 22), username, and either a password or SSH private key.
3. Set the file path pattern (e.g., /exports/enrollment_*.csv). Wildcards are supported.
4. Set the polling interval: every 15 minutes, hourly, or daily.
5. Configure the file format: CSV or XML, and map the required columns to OnboardConnect fields.
6. Click Test Connection to verify access and preview the latest file.
7. Toggle Polling Active to enable automatic ingestion.

17.2 Required CSV columns

17.3 File run history

View every file that has been processed from Connections → SFTP → File Runs. Each run shows the file name, processing time, records ingested, and any errors.

18. Integration — Slate CRM

OnboardConnect integrates with Technolutions Slate to provision accounts when admission decisions are made.

18.1 How the integration works

When a student's application status changes in Slate (e.g., "Admit" decision released), Slate sends a webhook event to OnboardConnect. OnboardConnect evaluates your Workflow rules and provisions the account accordingly.

18.2 Configure the Slate connection

1. Go to Connections → Slate.
2. Copy the OnboardConnect webhook URL.
3. In Slate, navigate to Database → Configure → Webhooks and add a new webhook pointing to that URL.
4. Select the triggers: typically Decision Released and optionally Enrollment Confirmed.
5. Copy the Slate webhook secret back into OnboardConnect for signature verification.
6. Configure the field mappings to align Slate fields with OnboardConnect student fields.
7. Click Test Webhook to send a sample event and verify end-to-end.

18.3 Field mappings

Map Slate payload fields to OnboardConnect student fields from Connections → Slate → Field Mappings. You can create custom mappings for any Slate field OnboardConnect should use in workflow conditions.

19. On-Premise Agents

The OnboardConnect Agent is a lightweight Windows service that bridges the cloud platform with your on-premise Active Directory environment.

19.1 Viewing agent status

Go to Settings → Agents (accessible via the portal under Connections) to see all registered agents and their current status. A healthy agent shows a green "Online" badge and a recent heartbeat timestamp.

19.2 Agent logs

On the agent host machine, logs are written to C:\ProgramData\OnboardConnect\Agent\logs\. Log rotation happens daily with a 30-day retention.

19.3 Updating the agent

The Agent checks for updates automatically. When a new version is available, it downloads and restarts itself with no manual intervention required. You can disable auto-update from the agent configuration file if your change-control process requires manual approval.

19.4 Revoking an agent

To decommission an agent, click Revoke from the agent list. The agent will immediately stop accepting provisioning jobs. Uninstall the agent service from the host machine afterward.

20. Plans & Limits

All plans include unlimited workflow rules, connections, audit log access, reports, API calls, and portal users. The only variable is the annual new-account creation limit.

To upgrade your plan or increase your limit mid-year, contact solutions@zentrosoft.com.

21. API & Webhooks

OnboardConnect exposes a REST API at https://api.onboardconnectapp.com/api/tenant/. All requests must include an API key in the Authorization header.

Authorization: Bearer YOUR_API_KEY
Content-Type: application/json

21.1 Common endpoints

Full API reference documentation is available at docs.onboardconnectapp.com/api.

22. FAQ

How long does provisioning take after an SFTP file is picked up?

Typically under 2 minutes from file ingestion to account creation in AD. Actual time depends on the number of records in the file and Agent response time.

What happens if the Agent goes offline?

Provisioning jobs queue up in the cloud. When the Agent comes back online, it processes all queued jobs in order. No jobs are lost. You will receive an email alert if the Agent is offline for more than 15 minutes.

Can I run multiple SFTP file sources?

Yes. You can configure multiple SFTP connections pointing to different servers or file paths. Each connection has its own polling schedule and file format settings.

Does OnboardConnect store student passwords?

No. Passwords are generated momentarily during the provisioning job and set directly in AD via the Agent. OnboardConnect never persists password values.

Can I use OnboardConnect with Azure AD only (no on-prem AD)?

Yes. Azure AD provisioning uses the Microsoft Graph API directly from the OnboardConnect cloud — no Agent installation required. Select "Azure AD" as the connection type in Connections.

How do I test a workflow without affecting real accounts?

Use the Test button on any workflow to simulate evaluation against a sample student record. No actual provisioning jobs are created during a test.

What does "Founder" mean on my account?

Founder status is granted to early institutional partners who signed with Zentrosoft during the product's launch phase. Founders receive a negotiated discount on their annual contract price. Founder status has no effect on features or limits.

23. Support

OnboardConnect includes a built-in support ticket system so your IT team can request help, report issues, and track progress — all without leaving the portal.

23.1 Opening a support ticket

1. In the portal sidebar, click Support.
2. Click + New Ticket in the top-right corner.
3. Enter a concise Subject describing the issue.
4. Select a Priority:
   • Low — non-urgent question or enhancement request
   • Normal — general issue, no immediate impact on provisioning
   • High — provisioning is degraded or partially broken
   • Urgent — provisioning is completely stopped; production outage
5. Write your message in the Message field. Include relevant details: affected students, error messages, job IDs from the Audit Log, and steps to reproduce.
6. Click Submit Ticket. The Zentrosoft support team is notified immediately by email.

23.2 Tracking your tickets

The Support page lists all tickets your institution has submitted, sorted by most recent first. Each ticket shows:

23.3 Ticket statuses

23.4 Replying to a ticket

Click any ticket row to open the conversation thread. You can read all previous messages and post a reply in the text field at the bottom. Click Send Reply to submit. The support team is notified by email of your reply.

Replies are disabled once a ticket is Closed. To report the same issue again, open a new ticket.

23.5 Notifications

Email notifications are sent automatically:

• When you submit a ticket, the Zentrosoft support team receives an email notification.
• When the support team replies, you receive an email at the address associated with your portal account.
• When the ticket status changes (e.g., marked Resolved), you receive an email notification.

23.6 Direct email support

You can also reach the Zentrosoft solutions team directly at solutions@zentrosoft.com. For production-impacting incidents, mark your subject line with [URGENT]. Using the in-portal ticket system is preferred as it keeps all communication and context in one place.