지금 지원 담당자와 채팅
지원 담당자와 채팅

Active Roles 7.6.3 - Synchronization Service Administration Guide

Synchronization Service Overview Deploying Synchronization Service Getting started Connections to external data systems
External data systems supported with built-in connectors
Working with Active Directory Working with an AD LDS (ADAM) instance Working with Skype for Business Server Working with Oracle Working with Exchange Server Working with Active Roles Working with One Identity Manager Working with a delimited text file Working with Microsoft SQL Server Working with Micro Focus NetIQ Directory Working with Salesforce Working with ServiceNow Working with Oracle Unified Directory Working with an LDAP directory service Working with IBM DB2 Working with IBM AS/400 Working with an OpenLDAP directory service Working with IBM RACF connector Working with MySQL database Working with an OLE DB-compliant relational database Working with SharePoint Working with Microsoft 365 Working with Microsoft Azure Active Directory Configuring data synchronization with the SCIM Connector Configuring data synchronization with the Generic SCIM Connector
Using connectors installed remotely Creating a connection Renaming a connection Deleting a connection Modifying synchronization scope for a connection Using connection handlers Specifying password synchronization settings for a connection
Synchronizing identity data Mapping objects Automated password synchronization Synchronization history Scenarios of use
About scenarios Scenario 1: Create users from a .csv file to an Active Directory domain Scenario 2: Use a .csv file to update user accounts in an Active Directory domain Scenario 3: Synchronizing data between One Identity Manager Custom Target Systems and an Active Directory domain Scenario 4: Deprovisioning between One Identity Manager Custom Target Systems and an Active Directory domain Scenario 5: Provisioning of Groups between One Identity Manager Custom Target Systems and an Active Directory domain Scenario 6: Enabling Delta Sync mode between One Identity Manager Custom Target Systems and an Active Directory domain Example of using the Generic SCIM Connector for data synchronization
Appendix A: Developing PowerShell scripts for attribute synchronization rules Appendix B: Using a PowerShell script to transform passwords

Settings updated after Azure backsync configuration operation

This section gives descriptions about the Azure App registration, connections, mappings, and workflow steps that are created automatically as a result of the Azure backsync configuration operation.

App registration

The Azure App is created automatically with the default name as ActiveRoles AutocreatedAzureBackSyncApp_V2.

NOTE: After the Azure App is registered in Azure, you must not delete or modify the application. The backsync operation will not work as expected in case you modify or delete the registered Azure App.

Sync Workflows

On the Synchronization Service Administration Console, click Sync Workflows to view the sync workflow named AutoCreated_AzureADBackSyncWorkflow_<tenant name> that is created as a result of the Azure BackSync configuration. The workflow displays the following synchronization update steps from Azure AD to Active Roles for users, groups, and contacts.

  • Step 1: AutoCreated_UpdateFromAzureToARSForBackSyncWorkFlowUser_<tenant> for users.
  • Step 2: AutoCreated_UpdateFromAzureToARSForBackSyncWorkFlowGroup_<tenant> for groups.
  • Step 3: AutoCreated_UpdateFromO365ToARSForBackSyncWorkFlowContact_<tenant> for contacts.

NOTE:

  • Multiple tenants are supported in back-sync. The workflows can be identified using the name of the tenant.
  • The Forward Sync Rules to synchronize the following are automatically configured and displayed in the synchronization update steps for user and group:
    • Azure ObjectID property of a user or group is mapped to the Active Roles user or group edsvaAzureObjectID property.
    • The edsvaAzureOffice365Enabled attribute in Active Roles user or group is set to True.
    • The edsvaAzureAssociatedTenantId attribute in Active Roles user or group is set to Azure Tenant ID.
  • The Forward Sync Rule to synchronize the following are automatically configured and displayed in the synchronization update steps for contacts:

    • Azure ExternalDirectoryObjectID property of a contact is mapped to the Active Roles contact edsaAzureContactObjectId property.

    • The edsvaAzureOffice365Enabled attribute in Active Roles user or group is set to True.

    • The edsvaAzureAssociatedTenantId attribute in Active Roles user or group is set to Azure Tenant ID.
Connections

On the Synchronization Service Administration Console, click Connections to view the connections from Active Roles, Azure AD, and Office 365 to external data systems. The following connections are configured and displayed by default:

  • AutoCreated_ARSConnectorForBackSyncWorkFlow_<tenant>
  • AutoCreated_AzureADConnectorForBackSyncWorkFlow_<tenant>
  • AutoCreated_O365ConnectorForBackSyncWorkFlow_<tenant>

NOTE: Multiple tenants are supported in back-sync. The connection name can be identified using the name of the tenant.

Mapping

On the Synchronization Service Administration Console, click Mapping to view the Mapping rules which identify the users, groups, or contacts in Azure AD and on-premises AD uniquely and map the specified properties from Azure AD to Active Roles appropriately.

On the Mapping tab, click a connection name to view or modify the mapping settings for the corresponding connection. The user, group, and contact mapping pair information is displayed by default as a result of the Azure BackSync configuration. For example, the property userprincipalname can be used to map users between on-premises AD and Azure AD in a federated environment.

NOTE:

  • For more information to manage mapping pairs for the connections see the Mapping Tab section.

  • The mapping rules are created by default. Based on the environment, make sure that the default mapping rules identify the user or group uniquely. Else, make sure to correct the Mapping rule as required. In-correct mapping rules may create duplicate objects and the back-sync operation may not work as expected.

  • Initial configuration and execution of back-sync operation for Azure AD users ID and group ID is a one-time activity. If required, you can re-configure the Azure backsync settings which will override the previously configured backsync settings.

 

 

Finding the GUID (Tenant ID) of an Azure AD for Azure BackSync

If the Azure tenant of your organization contains multiple Azure AD services, One Identity highly recommends to specify its GUID (also known as Tenant ID) when configuring Azure BackSync automatically.

For details on configuring Azure BackSync automatically, see Configuring automatic Azure BackSync.

The GUID of each Azure AD service is listed on the Microsoft Azure Portal.

To find the GUID (Tenant ID) of an Azure AD

  1. Log in to the Microsoft Azure Portal.

  2. Click Show portal menu.

  3. Click Azure Active Directory.

  4. In the Overview tab, under the Basic information heading, the value of the Tenant ID is the GUID (Tenant ID) of the Azure AD.

    TIP: If you have access to multiple Azure AD services, you can switch between them with Manage tenants.

Upgrade from Quick Connect

Upgrade from Quick Connect and Synchronization Service

If you have synchronization workflows configured and run by Quick Connect (predecessor of Synchronization Service), or earlier versions of Synchronization Service, then you can transfer those synchronization workflows to Active Roles and have them run by Synchronization Service.

You can transfer synchronization workflows from the following Quick Connect or Synchronization Service versions:

  • Quick Connect Sync Engine 5.2.0, 5.3.0, 5.4.0, 5.4.1, 5.5.0, 6.1.0
  • Quick Connect Express for Active Directory 5.3.0, 5.4.0, 5.4.1, 5.5.0, 5.6.0, or 6.1.0
  • Quick Connect for Cloud Services 3.3.0, 3.4.0, 3.5.0, 3.6.0, 3.6.1, 3.6.2, or 3.7.0
  • Quick Connect for Base Systems 2.2.0, 2.3.0, or 2.4.0
  • Synchronization Service 7.0, 7.1, 7.2, 7.3, or 7.4.x

Limitations

Synchronization Service is unable to run synchronization workflows that employ connections to the following systems:

  • ActiveRoles Sever 6.5
  • ODBC-compliant data source
  • OpenDS directory service
  • PeopleSoft HCM
  • Red Hat Directory Server
  • SAP Systems
  • Workday

If you need to synchronize data held in these systems, then you should continue using Quick Connect. This limitation is because not all connectors provided by Quick Connect are included with Synchronization Service.

IMPORTANT: Google Postini Services, IBM Lotus Domino, IBM Lotus Notes, Google Apps are removed as the mentioned systems reached End of Life.

관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택