Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Active Roles 8.1.3 - Synchronization Service Administration Guide

Table of Contents

Synchronization Service overview

Synchronization Service features and benefits

Bidirectional synchronization Delta processing mode Synchronization of group membership Windows PowerShell scripting Attribute synchronization rules Rule-based generation of distinguished names Scheduling capabilities Extensibility Azure BackSync configuration

Technical overview

Synchronization Service Capture Agent Connectors and connected data systems Sync workflows

Deploying Synchronization Service

Installing Synchronization Service Configuring Synchronization Service Configuring Azure BackSync

Configuring manual Azure BackSync Configuring automatic Azure BackSync Settings updated after Azure BackSync configuration operation Finding the GUID (Tenant ID) of an Azure AD for Azure BackSync

Upgrade from Quick Connect and Synchronization Service

Transferring sync workflows from Quick Connect

Communication ports

Deploying Synchronization Service for use with AWS Managed Microsoft AD

Supported AWS Managed Microsoft AD deployment configuration Synchronization Service features and limitations when used with AWS Managed Microsoft AD Main steps of configuring Active Roles for AWS Managed Microsoft AD

Deployment requirements for AWS Managed Microsoft AD support Creating the AWS Managed Microsoft AD instance Creating the EC2 instance for Active Roles Joining the EC2 instance to AWS Managed Microsoft AD Creating the RDS instance for the Active Roles SQL Server Verifying connectivity between the EC2 and RDS instances Installing and configuring Synchronization Service for AWS Managed Microsoft AD

Getting started

Synchronization Service Console

Gear icon Sync Workflows tab Sync History tab Connections tab Mapping tab Password Sync tab Configuring diagnostic logging

How to synchronize identity data Synchronization Service Management Shell

Cmdlet naming conventions Getting help

Connections to external data systems

External data systems supported with built-in connectors

Working with Active Directory

Creating an Active Directory connection Modifying an Active Directory connection Communication ports required to synchronize data between two Active Directory domains Synchronizing user passwords between two Active Directory domains Synchronizing SID history of users or groups

Working with an AD LDS (ADAM) instance

Creating an AD LDS (ADAM) instance connection Modifying an existing AD LDS (ADAM) instance connection

Working with Skype for Business Server

Creating a new Skype for Business Server connection Modifying an existing Skype for Business Server connection Supported Skype for Business Server data Attributes required to create a Skype for Business Server user Getting or setting the Telephony option value in Skype for Business Server

Working with Oracle Database

Creating an Oracle Database connection Modifying an existing Oracle Database connection

Specifying connection settings for Oracle Database Configuring advanced settings for an Oracle Database or Oracle Database user account connection Specifying attributes to identify objects for Oracle Database

Sample SQL queries for working with an Oracle Database

Working with Oracle Database user accounts

Creating an Oracle Database user accounts connection Modifying an existing Oracle Database user account connection

Specifying connection settings for an Oracle Database user account connection Configuring advanced settings for an Oracle Database or Oracle Database user account connection

Sample SQL queries for working with Oracle Database user accounts

Working with Exchange Server

Creating a new connection to Exchange Server Modifying an existing connection to Exchange Server Exchange Server data supported out of the box

ActiveSyncMailboxPolicy object attributes AddressBookPolicy object attributes AddressList object attributes DistributionGroup object attributes DynamicDistributionGroup object attributes ExchangeServer object attributes GlobalAddressList object attributes Mailbox object attributes MailContact object attributes MailboxDatabase object attributes MailUser object attributes OfflineAddressBook object attributes OrganizationConfig object attributes OwaMailboxPolicy object attributes PublicFolder object attributes PublicFolderDatabase object attributes RoleAssignmentPolicy object attributes StorageGroup object attributes UmDialPlan object attributes UmMailboxPolicy object attributes

Scenario: Migrate mailboxes from one Exchange Server to another

Working with Active Roles

Creating an Active Roles connection Modifying an Active Roles connection

Working with One Identity Manager

Creating a One Identity Manager connection Modifying a One Identity Manager connection One Identity Manager Connector configuration file

Working with a delimited text file

Creating a delimited text file connection Modifying an existing delimited text file connection

Specify connection settings for a delimited text file connection Specify delimited text file format Schema Specify attributes to identify objects for a delimited text file connection

Working with Microsoft SQL Server

Creating a Microsoft SQL Server connection Modifying an existing Microsoft SQL Server connection

Specifying connection settings for a Microsoft SQL Server connection Specifying how to select and modify data for a Microsoft SQL Server connection Advanced Specifying attributes to identify objects for a Microsoft SQL Server connection

Sample queries to modify SQL Server data

Working with Micro Focus NetIQ Directory

Creating a Micro Focus NetIQ Directory connection Modifying an existing Micro Focus NetIQ Directory connection

Specifying connection settings for a Micro Focus NetIQ Directory connection Specifying naming attributes for a Micro Focus NetIQ Directory connection

Working with Salesforce

Creating a Salesforce connection Modifying an existing Salesforce connection Salesforce data supported for synchronization

Additional user object attributes for a Salesforce connection Additional group object attributes for a Salesforce connection

Scenario: Provisioning users from an Active Directory domain to Salesforce

Working with ServiceNow

Creating a ServiceNow connection Modifying an existing ServiceNow connection ServiceNow data supported for synchronization

Working with Oracle Unified Directory

Creating an Oracle Unified Directory connection Modifying an existing Oracle Unified Directory Server connection

Specifying connection settings for an Oracle Unified Directory connection Specifying naming attributes for an Oracle Unified Directory connection

Working with an LDAP directory service

Creating an LDAP directory service connection Modifying an existing Generic LDAP directory service connection

Specify connection settings for a Generic LDAP directory service connection Specify directory partitions for a Generic LDAP directory service connection Specify naming attributes for a Generic LDAP directory service connection Specify attributes to identify objects for a Generic LDAP directory service connection

Specify password sync parameters for LDAP directory service

Working with an OpenLDAP directory service

Creating an OpenLDAP directory service connection Modifying an existing OpenLDAP directory service connection

Specifying connection settings for an OpenLDAP directory service connection Specifying naming attributes for an OpenLDAP directory service connection

Working with IBM DB2

Creating an IBM DB2 connection Modifying an existing IBM DB2 connection

Specify connection settings for an IBM DB2 connection Specify how to select and modify data for an IBM DB2 connection Advanced Specify attributes to identify objects for an IBM DB2 connection

Working with IBM AS/400

Creating an IBM AS/400 connection Modifying an existing IBM AS/400 connection Additional considerations for an IBM AS/400 connection

Working with IBM RACF

Creating an IBM RACF connection Modifying an IBM RACF connection Example of mapping for dataset information Creating SQL database and table Povisioning datasets Updating datasets Deprovisioning datasets Working with TSO command

Working with MySQL database

Creating a MySQL database connection Modifying an existing MySQL database connection

Specifying connection settings for a MySQL database connection Specifying how to select and modify data for a MySQL database connection Advanced Specifying attributes to identify objects for a MySQL database connection

Working with an OLE DB-compliant relational database

Creating an OLE DB-compliant relational database connection Modifying an existing OLE DB-compliant data source connection

Specifying connection settings for an OLE DB-compliant relational database connection Specifying how to select data for an OLE DB-compliant relational database connection Advanced Specifying attributes to identify object for an OLE DB-compliant relational database connection

Working with SharePoint

Creating a SharePoint connection SharePoint data supported for data synchronization

AlternateURL object attributes ClaimProvider object attributes Farm object attributes Group object attributes Language object attributes Policy object attributes PolicyRole object attributes Prefix object attributes RoleAssignment object attributes RoleDefinition object attributes Site object attributes User object attributes Web object attributes WebApplication object attributes WebTemplate object attributes

Considerations for creating objects in SharePoint

Working with Microsoft 365

Creating a Microsoft 365 connection

Creating a Microsoft 365 connector with manual configuration Creating a Microsoft 365 connector with automatic configuration

Modifying a Microsoft 365 connection

Modifying the manual configuration settings of a Microsoft 365 connector Modifying the automatic configuration settings of a Microsoft 365 connector

Microsoft 365 data supported out of the box

ClientPolicy object attributes ConferencingPolicy object attributes Contact object attributes DistributionGroup object attributes Domain object attributes DynamicDistributionGroup object attributes ExternalAccessPolicy object attributes HostedVoicemailPolicy object attributes LicensePlanService object attributes Mailbox object attributes MailUser object attributes PresencePolicy object attributes SecurityGroup objects attributes SPOSite object attributes SPOSiteGroup object attributes SPOWebTemplate object attributes SPOTenant object attributes User object attributes VoicePolicy object attributes Microsoft 365 group attributes

Objects and attributes specific to Microsoft 365 services How the Microsoft 365 Connector works with data

Working with Microsoft Azure Active Directory

Creating a Microsoft Azure Active Directory connection

Creating a Microsoft Azure Active Directory connector with manual configuration Creating a Microsoft Azure Active Directory connector with automatic configuration Configuring an Azure application for a Microsoft Azure Active Directory connection using a script

Modifying a Microsoft Azure Active Directory connection

Modifying the manual configuration settings of a Microsoft Azure Active Directory connector Modifying the automatic configuration settings of a Microsoft Azure Active Directory connector

Microsoft Azure Active Directory data supported for synchronization

Microsoft Azure AD user attributes supported for data synchronization Microsoft Azure AD group attributes supported for data synchronization

Configuring data synchronization with the SCIM Connector

Objects and operations supported by the SCIM Connector Creating a SCIM connection with the SCIM Connector Viewing or modifying the settings of a SCIM Connector

Configuring data synchronization with the Generic SCIM Connector

Configuring the Generic SCIM Connector for Starling Connect connections Viewing or modifying the settings of a Generic SCIM Connector connection

Using connectors installed remotely

Installing Synchronization Service and built-in connectors remotely Creating a connection using a remotely installed connector

Creating a connection Renaming a connection Deleting a connection Modifying synchronization scope for a connection Using connection handlers Specifying password synchronization settings for a connection

Synchronizing identity data

Creating a sync workflow Running a sync workflow

Running a sync workflow manually Running a sync workflow on a recurring schedule Disabling a sync workflow run schedule

Renaming a sync workflow Deleting a sync workflow Adding a creating step Creating an update step Creating a deprovisioning step Modifying an existing sync workflow step

General Options Source Target Creation Rules Deprovisioning Rules Updating Rules Step Handlers

Deleting a sync workflow step Changing the order of steps in a sync workflow Generating object names by using rules Modifying attribute values by using rules

Configuring a forward sync rule

Forward sync rule source item Forward sync rule target item

Configuring a reverse sync rule

Reverse sync rule source item Reverse sync rule target item

Configuring a merge sync rule

Using value generation rules

Configuring a rule entry

Using sync workflow step handlers Example: Synchronizing group memberships Example: Synchronizing multivalued attributes Using sync workflow alerts

Creating or editing a sync workflow alert Deleting a sync workflow alert Managing outgoing mail profiles

Outgoing mail profile settings

Mapping objects

How to map objects

Creating mapping pairs Creating mapping rules Change scope for mapping rules Running map operation

How to unmap objects

Automated password synchronization

How to automate password synchronization Managing Capture Agent

Installing Capture Agent manually Using Group Policy to install Capture Agent Uninstalling Capture Agent

Managing password sync rules

Creating a password sync rule Deleting a password sync rule Modifying settings for a password sync rule

Fine-tuning automated password synchronization

Configuring Capture Agent

Creating and linking a Group Policy object Adding an administrative template to Group Policy object Using Group Policy object to modify Capture Agent settings

Modifying Synchronization Service parameters Specifying a custom certificate for encrypting password sync traffic

Obtaining and installing a certificate Exporting the custom certificate to a file Importing certificate into certificates store Copying the certificate's thumbprint Providing the certificate’s thumbprint to Capture Agent Providing the certificate’s thumbprint to Synchronization Service

Using PowerShell scripts with password synchronization

Synchronization history

Viewing sync workflow history View mapping history Searching synchronization history Cleaning up synchronization history

Scenarios of use

Scenario: Create users from a .csv file to an Active Directory domain

Creating a sync workflow Adding a creating step Running the configured creating step Committing changes to Active Directory

Scenario: Using a .csv file to update user accounts in an Active Directory domain

Creating an updating step Running the configured updating step Committing changes to Active Directory

Scenario: Synchronizing data between One Identity Manager Custom Target Systems and an Active Directory domain

Creating a connection to One Identity Manager Configuring One Identity Manager modules, Custom Target System and Container Information Creating a workflow for provisioning Creating a provisioning step Specifying synchronization rules Running the workflow Committing changes to One Identity Manager Verify on One Identity Manager

Scenario: Deprovisioning between One Identity Manager Custom Target Systems and an Active Directory domain Scenario: Provisioning of groups between One Identity Manager Custom Target Systems and an Active Directory domain Scenario: Enabling Delta Sync mode between One Identity Manager Custom Target Systems and an Active Directory domain Example of using the Generic SCIM Connector for data synchronization

Creating object mapping between a SCIM connection and an SQL connection Creating a sync workflow for synchronizing data from a SCIM-based Starling Connect connector Synchronizing complex multi-value objects from a SCIM source system

Developing PowerShell scripts for attribute synchronization rules

Accessing source and target objects using built-in hash tables

Using PowerShell script to transform passwords

Accessing source object password

Synchronization of group membership

Synchronization Service overview > Synchronization Service features and benefits > Synchronization of group membership

Synchronization Service allows you to ensure that group membership information is in sync in all connected data systems. For example, when creating a group object from an Active Directory domain to an AD LDS (ADAM) instance, you can configure rules to synchronize the Member attribute from the Active Directory domain to the AD LDS (ADAM) instance.

Windows PowerShell scripting

Synchronization Service overview > Synchronization Service features and benefits > Windows PowerShell scripting

The Management Shell component of Synchronization Service is an automation and scripting shell that provides a command-line management interface for synchronizing data between connected systems via the Synchronization Service.

The Management Shell is implemented as a Windows PowerShell snap-in that extends the standard Windows PowerShell functionality. The cmdlets provided by the Management Shell conform to the Windows PowerShell standards and are fully compatible with the default command-line tools that come with Windows PowerShell.

The Management Shell allows administrators to perform attribute or password synchronization operations by using Windows PowerShell scripts. For example, you can compose and run a Windows PowerShell script that assigns values to the target object attributes using the values of the source object attributes. For more information, see Using PowerShell script to transform passwords.

Attribute synchronization rules

Synchronization Service overview > Synchronization Service features and benefits > Attribute synchronization rules

With Synchronization Service, you can create and configure synchronization rules to generate values of target object attributes. These rules support the following types of synchronization:

Direct synchronization: Assigns the value of a source object attribute to the target object attribute you specify.
Script-based synchronization: Allows you to use a Windows PowerShell script to generate the target object attribute value.
Rule-based synchronization: Allows you to create and use rules to generate the target object attribute value you want.

Rule-based generation of distinguished names

Synchronization Service overview > Synchronization Service features and benefits > Rule-based generation of distinguished names

Synchronization Service lets you create flexible rules for generating the distinguished names (DNs) of objects being created. These rules allow you to ensure that created objects are named in full compliance with the naming conventions existing in your organization.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© 2024 One Identity LLC. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center