Chat now with support
Chat mit Support

Active Roles 8.1.1 - Synchronization Service Administration Guide

Synchronization Service overview Deploying Synchronization Service Getting started Connections to external data systems
External data systems supported with built-in connectors
Working with Active Directory Working with an AD LDS (ADAM) instance Working with Skype for Business Server Working with Oracle Database Working with Oracle Database user accounts Working with Exchange Server Working with Active Roles Working with One Identity Manager Working with a delimited text file Working with Microsoft SQL Server Working with Micro Focus NetIQ Directory Working with Salesforce Working with ServiceNow Working with Oracle Unified Directory Working with an LDAP directory service Working with an OpenLDAP directory service Working with IBM DB2 Working with IBM AS/400 Working with IBM RACF Working with MySQL database Working with an OLE DB-compliant relational database Working with SharePoint Working with Microsoft 365 Working with Microsoft Azure Active Directory Configuring data synchronization with the SCIM Connector Configuring data synchronization with the Generic SCIM Connector Objects and operations supported by the SCIM Connector Example of using the Generic SCIM Connector for data synchronization
Using connectors installed remotely Creating a connection Renaming a connection Deleting a connection Modifying synchronization scope for a connection Using connection handlers Specifying password synchronization settings for a connection
Synchronizing identity data Mapping objects Automated password synchronization Synchronization history Scenarios of use Developing PowerShell scripts for attribute synchronization rules Using PowerShell script to transform passwords

Synchronizing complex multi-value objects from a SCIM source system

Data sync workflows that import data with a connection based on the Generic SCIM Connector can import all three types of SCIM 2.0-based data entries:

  • Simple attributes, that is, data entries with a single simple value. For example, a user ID specified in a single string is a simple attribute.

  • Complex single-value attributes, that is, data entries specified with several sub-attributes. For example, the following name attribute is a complex single-value attribute, specifying the name of an employee with three simple sub-attributes:

    "name": {
	"givenName": "Sam",
	"familyName": "Smith",
	"formatted": "Sam Smith"
	 },

    The value of complex single-value attributes is the sum of the sub-attribute values.

  • Complex multi-value attributes, that is, data entries with multiple complex values, each of them specified with several simple sub-attributes. For example, the following addresses attribute is a complex multi-value attribute, specifying several addresses, each of them being a complex value containing several simple sub-attributes:

    "addresses": [
	{
		"type": "work",
		"streetAddress": "22 Example Street",
		"region": "Springfield",
		"postalCode": "51487",
		"country": "United States",
		"primary": true
	},
	{
		"type": "home",
		"streetAddress": "12 Rue Exemple",
		"region": "Montreal",
		"postalCode": "46179",
		"country": "Canada"
	}
],

However, even though sync workflows using connections set with the Generic SCIM Connector can import all three of these value types, Active Roles Synchronization Service does not recognize complex single-value attributes and complex multi-value attributes, as they contain more values than what Active Roles Synchronization Service can identify for a single data entry by default.

To import complex single-value and multi-value attributes successfully, you can use the following methods:

  • For complex single-value attributes, you can map each individual sub-attribute of the complex single-value attribute to separate attributes in the target system. For example, in case of the name complex single-value attribute, you can map the givenName, familyName and formatted sub-attributes to separate name.givenName, name.familyName, and name.formatted attributes in the target system, respectively.

  • For complex multi-value attributes, you can use two methods:

    • When importing complex multi-value attributes, Active Roles Synchronization Service can take a single value (and its sub-attributes), map the sub-attributes to a set of target values (similarly to complex single-value attributes), then discard the rest of the complex values of the attribute.

      By default, Active Roles Synchronization Service takes the primary value of the complex multi-value attribute (marked with a specific primary sub-attribute). If no primary value is specified within the complex multi-value attribute, Active Roles Synchronization Service imports the first value (and its sub-attributes) only.

      NOTE: This method imports only the primary value (or the first value, if no primary value is specified). Active Roles Synchronization Service will discard all other values (and their sub-attributes).

    • If you map a complex multi-value attribute (such as the addresses attribute shown in the above example) when configuring a mapping rule for a workflow, you can configure an Active Roles Synchronization Service workflow to process and extract every value (and their sub-attributes) of the complex multi-value attribute with script-based attribute mapping.

      The following procedure will provide an example on how to apply such a PowerShell script to properly process the addresses complex multi-value attribute shown in this chapter.

To configure a custom PowerShell script for a workflow to import complex multi-value attributes

  1. In the Active Roles Synchronization Service, click Sync Workflow, then click the sync workflow that imports data from a SCIM-based source system (for example, the SuccessFactors HR to SQL Server workflow used in Creating a sync workflow for synchronizing data from a SCIM-based Starling Connect connector).

  2. Click the first step of the workflow (in the example SuccessFactors HR to SQL Server workflow, this is named Step 1 (Creation from SCIM Connection to SuccessFactors HR to SQL Connection).

  3. Under Creation Rules, to open the initial population rules, click Forward Sync Rule.

  4. In the Forward Sync Rule window, at the Source item setting, open the Attribute drop-down, and click PowerShell Script.

  5. In the PowerShell Script Editor, paste the following script example, and click OK:

    $addressesJsonArray = $srcObj["addresses"] | ConvertFrom-Json

if ($addressesJsonArray) {
  for ($i = 0; $i -lt $addressesJsonArray.Length; $i++) {
    if ($addressesJsonArray[$i].type -eq "work") {
      return $addressesJsonArray[$i].streetAddress + ", " + $addressesJsonArray[$i].region + ", " + $addressesJsonArray[$i].locality
	}
  }
}

    The example script contains the following key parts:

    • $srcObj refers to the source object that the script will act on.

    • $srcObj["addresses"] extracts the raw value of the addresses attribute. In this example, this attribute is a complex multi-value SCIM attribute, so the attribute value will be a JSON array.

    • $addressesJsonArray is a .NET array object containing the values of the complex multi-value attribute.

    The rest of the script performs the following steps:

    1. It checks that the array is valid.

    2. It traverses the elements of the array, and looks for the first element with a type sub-attribute with a work value.

    3. Once it finds an element with a work value type, it constructs a formatted string from the streetAddress, region and locality sub-attributes.

    4. It returns the results.

  6. Use the output to parse and extract the data into other target values in the target system.

Using connectors installed remotely

In some cases, you need to configure a connection to an external data system which is separated by a firewall from the computer running Synchronization Service. To implement this scenario, you can install an instance of Synchronization Service and built-in connectors on a remote computer and switch this Synchronization Service instance to remote mode. This will allow the Synchronization Service instance running in the local mode to communicate with the remotely installed instance and connectors via a single port.

Consider a scenario where you want to synchronize data between two Active Directory domains that are separated by a firewall. In this case, you can install one Synchronization Service instance in the local mode in the first domain, then deploy another Synchronization Service instance in the remote mode in the other domain. Then, ensure the firewall allows traffic on the port used for communications between the Synchronization Service instances.

Installing Synchronization Service and built-in connectors remotely

To use connectors remotely, you need to install Synchronization Service and built-in connectors on a required remote computer and switch the installed instance of Synchronization Service to remote mode. For more information on installing Synchronization Service, see Installing Synchronization Service.

To set Synchronization Service in remote mode

  1. Start the Synchronization Service Console.

  2. Follow the steps in the wizard that starts automatically to configure Synchronization Service.

  3. On the Service Account and Mode page, do the following and click Finish:

    • Enter the account under which you want Synchronization Service to run.

    • Select the remote mode for this instance of Synchronization Service.

Creating a connection using a remotely installed connector

To create a connection using a remotely installed connector

  1. Start the Synchronization Service Console.

  2. On the Connections tab, click Add connection.

  3. In the Connection name text box, type a descriptive name for the connection.

  4. From the Use the specified connector list, select the connector you want to use.

  5. Click to expand the Remote connector access element, and then use the following options:

    • Use remote connector: Select this check box to use the connector installed on a remote computer.

    • Connector host: Type the Fully Qualified Domain Name (FQDN) of the computer on which the Synchronization Service in the remote mode and the corresponding connector are installed.

    • Port: Type the port number on which you want the Synchronization Service to access the remote connector. By default, this is port 8080.

    • Connect using: Specify an account under which to access the remote connector. The account must be a local administrator on the computer where the remote connector is installed. Select one of the following:

      • Synchronization Service account: Allows you to access the remote connector using the account under which Synchronization Service is running locally.

      • Windows account: Allows you to type the user name and password of the account with which you want to access the remote connector.

    • Verify Settings: Click this button to verify that Synchronization Service can access the remote connector using the settings you have specified.

  6. Follow the instructions of the wizard to complete the connection creation.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen