Chat now with support
Chat mit Support

Active Roles 8.1.1 - Synchronization Service Administration Guide

Synchronization Service overview Deploying Synchronization Service Getting started Connections to external data systems
External data systems supported with built-in connectors
Working with Active Directory Working with an AD LDS (ADAM) instance Working with Skype for Business Server Working with Oracle Database Working with Oracle Database user accounts Working with Exchange Server Working with Active Roles Working with One Identity Manager Working with a delimited text file Working with Microsoft SQL Server Working with Micro Focus NetIQ Directory Working with Salesforce Working with ServiceNow Working with Oracle Unified Directory Working with an LDAP directory service Working with an OpenLDAP directory service Working with IBM DB2 Working with IBM AS/400 Working with IBM RACF Working with MySQL database Working with an OLE DB-compliant relational database Working with SharePoint Working with Microsoft 365 Working with Microsoft Azure Active Directory Configuring data synchronization with the SCIM Connector Configuring data synchronization with the Generic SCIM Connector Objects and operations supported by the SCIM Connector Example of using the Generic SCIM Connector for data synchronization
Using connectors installed remotely Creating a connection Renaming a connection Deleting a connection Modifying synchronization scope for a connection Using connection handlers Specifying password synchronization settings for a connection
Synchronizing identity data Mapping objects Automated password synchronization Synchronization history Scenarios of use Developing PowerShell scripts for attribute synchronization rules Using PowerShell script to transform passwords

Microsoft Azure AD group attributes supported for data synchronization

The Microsoft Azure AD Connector of the Active Roles Synchronization Service supports the following Azure Active Directory (Azure AD) group attributes for data synchronization.

NOTE: When configuring a data synchronization mapping rule with the Microsoft Azure AD Connector, consider that the following group attributes are currently not supported and cannot be queried via the Microsoft Graph API:

  • acceptedSenders

  • allowExternalSenders

  • autoSubscribeNewMembers

  • hasMembersWithLicenseErrors

  • hideFromAddressLists

  • hideFromOutlookClients

  • isSubscribedByMail

  • membersWithLicenseErrors

  • rejectedSenders

  • unseenCount

This means that although these group attributes are visible, they cannot be set in a mapping rule.

Table 101: Azure AD group attributes supported for data synchronization

Attribute

Description

Supported operations

description

Gets or sets the group description.

Read, Write

dirSyncEnabled

Gets whether the group was synchronized from the on-premises Active Directory Domain Services (AD DS).

Read

displayName

Gets or sets the display name of the group.

NOTE: This attribute is required when creating a group.

Read, Write

lastDirSyncTime

Gets the time when the group was last synchronized with the on-premises AD DS.

Read

mail

Gets or sets the e-mail address of the group.

Read, Write

mailEnabled

Gets or sets whether the group is mail-enabled.

NOTE: This attribute is required when creating a group.

Read, Write

mailNickName

Gets or sets the mail alias of the group.

NOTE: This attribute is required when creating a group.

Read, Write

members

Gets or sets the members of the group.

Read, Write

objectId

Gets the unique identifier of the group.

Read

objectType

Gets the object type of the group.

Read

provisioningErrors

Gets the errors encountered when provisioning the group.

Read

proxyAddresses

Gets the known address entries of the group.

Read

securityEnabled

Gets or sets whether the group is a security group.

NOTE: This attribute is required when creating a group.

Read, Write

Configuring data synchronization with the SCIM Connector

With the SCIM Connector, you can configure inbound data synchronization connections for the following SCIM-based One Identity Starling Connect connectors:

  • PingOne

  • Workday HR

NOTE: Consider the following when planning to configure a connection with the SCIM Connector:

  • The SCIM Connector is tested to support the Starling Connect PingOne and Workday HR connectors. To configure a connection for import-based workflows to the SCIM 2.0-based SuccessFactors HR 8.0 or ServiceNow 2.0 Starling connectors, use the Generic SCIM Connector instead. For more information, see Configuring data synchronization with the Generic SCIM Connector.

  • The SCIM Connector supports only the standard schema of the SCIM protocol. It does not support extended schemas, and therefore cannot handle user-made custom attributes.

For the list of Active Roles Synchronization Service connector features that the SCIM Connector supports or does not support, see the following table.

Table 102: SCIM Connector – Supported features

Feature

Supported

Bidirectional synchronization

Specifies whether you can both read and write data in the connected data system.

No

Delta processing mode

Specifies whether the connection can process only the data that has changed in the connected data system since the last synchronization operation. This reduces the overall synchronization duration.

No

Password synchronization

Specifies whether you can synchronize user passwords from an Active Directory (AD) domain to the connected data system.

No

Secure Sockets Layer (SSL) data encryption

Specifies whether the connector can use SSL to encrypt data transmitted between Active Roles Synchronization Service and the connected data system.

Yes

For more information on the SCIM protocol, see the official SCIM site, or the following IETF RFC documents:

  • IETF RFC-7642: System for Cross-domain Identity Management: Definitions, Overview, Concepts, and Requirements

  • IETF RFC-7643: System for Cross-domain Identity Management: Core Schema

  • IETF RFC-7644: System for Cross-domain Identity Management: Protocol

Supported SCIM Connector objects and operations

The following tables list the objects and operations supported by the SCIM Connector during data synchronization via the available SCIM protocol versions.

Table 103: Supported objects and operations for SCIM v2.0

Object

Read

Create

Delete

Update

Core user

Yes

Yes

Yes

Yes

Group

Yes

Yes

Yes

Yes

Enterprise

Yes

Yes

Yes

Yes

Table 104: Supported objects and operations for SCIM v1.1

Object

Read

Create

Delete

Update

User

Yes

Yes

Yes

Yes

Group

Yes

Yes

Yes

Yes

Creating a SCIM connection with the SCIM Connector

You can configure an Active Roles Synchronization Service connection to the PingOne and Workday HR connectors of Starling Connect with the SCIM Connector.

To configure a connection to a Starling Connect connector with the SCIM Connector

  1. In the Synchronization Service Console, open the Connections tab.
  2. Click Add connection, then use the following options:
    • Connection name: Type a descriptive name for the connection.

    • Use the specified connector: Select SCIM Connector.

  3. Click Next.

  4. On the Specify connection settings page, under SCIM settings, configure the following connection options:

    • SCIM version: Select the SCIM protocol version to use for the connection. The SCIM Connector supports protocol versions V2 and V1.1.

    • SCIM URL: Specify the the base URL of the Starling Connect connector to which you want to connect.

    • Authentication type: Select the authentication type. The SCIM Connector supports Basic, OAuth and API Key-based authentication. The contents of the Authentication parameters section are populated dynamically based on the authentication type you select in this setting.

  5. Under Authentication parameters, configure the applicable options:

    • If you use Basic authentication, provide a valid User name and Password.

      NOTE: The PingOne connector of Starling uses the API key as the User name and the API token as the Password.

    • If you use OAuth authentication, configure the settings applicable to the selected Grant type.

      Table 105: SCIM Connector OAuth authentication settings

      Grant type

      Setting

      Description

      password

      Token URL

      		Specify the URL of the token.

      User name

      		Specify the user name.

      Password

      		Specify the password.

      Client ID

      		Specify the client ID used for login.

      Client secret

      		Specify the client secret.

      client_credentials

      Token URL

      		Specify the URL of the token.

      Client ID

      		Specify the client ID used for login.

      Client secret

      		Specify the client secret.

      Bearer_Token

      Bearer token

      Specify the bearer token for the connection.

      NOTE: Connections using a bearer token have a time-limit, specified by the token provider. Once this time limit is reached, the connection ends. To establish a new connection session, you must create a new bearer token.

    • If you use API Key authentication, specify the API Key and Token for the connection.

  6. (Optional) To connect to the Workday HR connector of Starling with the configured SCIM Connector, select Load workday schema. Selecting this option will result in the configured SCIM Connector using the Workday schema instead of the standard SCIM schema.

    NOTE: Select Load workday schema only if you want to connect to the Workday HR connector of Starling. Attempting to connect to the PingOne connector with this setting enabled will result in the SCIM Connector failing to synchronize data.

  7. (Optional) To configure additional authentication parameters (such as a region ID or organization ID) for the SCIM Connector, click Add additional parameters. Then, use the Additional authentication parameters settings to specify additional Plain text parameters or Masked parameters. To save the parameters, click OK.

  8. To verify that the specified settings are correct, click Test Connection.

  9. To create the connection, click Finish.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen