Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Active Roles On Demand Hosted - Synchronization Service Administration Guide

Table of Contents

Synchronization Service Overview

About Synchronization Service Features and benefits

Bidirectional synchronization Delta processing mode Synchronization of group membership Windows PowerShell scripting Attribute synchronization rules Rule-based generation of distinguished names Scheduling capabilities Extensibility Azure Backsync Configuration

Technical overview

Synchronization Service Capture Agent Connectors and connected data systems Synchronization workflows and steps

Deploying Synchronization Service

Deployment steps

Step 1: Install Synhronization Service Step 2: Configure Synchronization Service Step 3: Configure Azure Backsync

Configuring automatic Azure BackSync Configuring manual Azure BackSync Settings updated after Azure backsync configuration operation Finding the GUID (Tenant ID) of an Azure AD for Azure BackSync

Upgrade from Quick Connect

Limitations Upgrade steps

Communication ports

Getting started

Synhronization Service Administration Console

Sync Workflows tab Sync History tab Connections tab Mapping tab Password Sync tab Configuring diagnostic logging

Steps to synchronize identity data Management Shell

Cmdlet naming conventions Getting help

Connections to external data systems

External data systems supported out of the box

Working with Active Directory

Creating an Active Directory connection Modifying an existing Active Directory connection Communication ports required to synchronize data between two AD domains Synchronizing user passwords between two AD domains Synchronizing SID history of users or groups

Working with an AD LDS (ADAM) instance

Creating an AD LDS (ADAM) instance connection Modifying an existing AD LDS (ADAM) instance connection

Working with Skype for Business Server

Creating a new Skype for Business Server connection Modifying an existing Skype for Business Server connection Skype for Business Server data supported out of the box

User object attributes ArchivingPolicy object attributes ClientPolicy object attributes ClientVersionPolicy object attributes ConferencingPolicy object attributes DialPlanPolicy object attributes ExternalAccessPolicy object attributes LocationPolicy object attributes MobilityPolicy object attributes PersistentChatPolicy object attributes PinPolicy object attributes VoicePolicy object attributes LyncSettings object attributes

Attributes required to create a Skype for Business Server user Getting or setting the Telephony option value in Skype for Business Server

Working with Oracle

Working with Oracle Database

Creating an Oracle Database connection Modifying an existing Oracle Database connection Specify connection settings Advanced Specify attributes to identify objects Sample SQL queries

Sample SQL query 1 Sample SQLl query 2

Working with Oracle Database user accounts

Creating an Oracle Database user accounts connection Modifying an existing Oracle Database user account connection Specify connection settings Advanced Sample SQL queries

Sample SQL query 1 Sample SQL query 2

Working with Exchange Server

Creating a new connection to Exchange Server Modifying an existing connection to Exchange Server Exchange Server data supported out of the box

ActiveSyncMailboxPolicy object attributes AddressBookPolicy object attributes AddressList object attributes DistributionGroup object attributes DynamicDistributionGroup object attributes ExchangeServer object attributes GlobalAddressList object attributes Mailbox object attributes MailContact object attributes MailboxDatabase object attributes MailUser object attributes OfflineAddressBook object attributes OrganizationConfig object attributes OwaMailboxPolicy object attributes PublicFolder object attributes PublicFolderDatabase object attributes RoleAssignmentPolicy object attributes StorageGroup object attributes UmDialPlan object attributes UmMailboxPolicy object attributes

Scenario: Migrate mailboxes from one Exchange Server to another

Step 1: Configure a connection to Exchange Server Step 2: Create a new sync workflow Step 3: Configure a step to update MoveMailboxTo attribute value Step 4: Run your sync workflow

Working with Active Roles

Creating an Active Roles connection Modifying an Active Roles connection

Working with One Identity Manager

Creating a One Identity Manager connection Modifying a One Identity Manager connection One Identity Manager Connector configuration file

Working with a delimited text file

Creating a delimited text file connection Modifying an existing delimited text file connection

Specify connection settings Specify delimited text file format Schema Specify attributes to identify objects

Working with Microsoft SQL Server

Creating a Microsoft SQL Server connection Modifying an existing Microsoft SQL Server connection

Specify connection settings Specify how to select and modify data Advanced Specify attributes to identify objects

Sample queries to modify SQL Server data

How to insert an object into a table How to create a SQL Server account

Working with Micro Focus NetIQ Directory

Creating a Micro Focus NetIQ Directory connection Modifying an existing Micro Focus NetIQ Directory connection Specify connection settings Specify naming attributes

Working with Salesforce

Creating a Salesforce connection Modifying an existing Salesforce connection Salesforce data supported out of the box

User object additional attributes Group object additional attributes

Scenario: Provisioning users from an Active Directory domain to Salesforce

Step 1: Configure a connection to source Active Directory domain Step 2: Configure a connection to Salesforce Step 3: Create a new synchronization workflow Step 4: Configure a workflow step Step 5: Run your workflow

Working with ServiceNow

Creating a ServiceNow connection

Step 1: Configure ServiceNow Step 2: Create a new connection to ServiceNow

Modifying an existing ServiceNow connection ServiceNow data supported out of the box

Working with Oracle Unified Directory

Creating an Oracle Unified Directory connection Modifying an existing Oracle Unified Directory Server connection

Specify connection settings

Specify naming attributes

Working with an LDAP directory service

Creating an LDAP directory service connection Modifying an existing Generic LDAP directory service connection

Specify connection settings Specify directory partitions Specify naming attributes Specify attributes to identify objects

Specify password sync parameters for LDAP directory service

Working with IBM DB2

Creating an IBM DB2 connection Modifying an existing IBM DB2 connection

Specify connection settings Specify how to select and modify data Advanced Specify attributes to identify objects

Working with IBM AS/400

Creating an IBM AS/400 connection Modifying an existing IBM AS/400 connection Specify connection settings Additional considerations

Working with an OpenLDAP directory service

Creating an OpenLDAP directory service connection Modifying an existing OpenLDAP directory service connection

Specify connection settings Specify naming attributes

Working with IBM RACF connector

Creating a IBM RACF connection Modifying a IBM RACF connection Example of Mapping for Dataset Information Create SQL Database and Table Provisioning Datasets Updating datasets Deprovisioning datasets Running TSO command

Working with TSO command

Working with MySQL database

Creating a MySQL database connection Modifying an existing MySQL database connection

Specify connection settings Specify how to select and modify data Advanced Specify attributes to identify objects

Working with an OLE DB-compliant relational database

Creating an OLE DB-compliant relational database connection Modifying an existing OLE DB-compliant data source connection

Specify connection settings Specify how to select data Advanced Specify attributes to identify objects

Working with SharePoint

Creating a SharePoint connection SharePoint data supported out of the box

AlternateURL object attributes ClaimProvider object attributes Farm object attributes Group object attributes Language object attributes Policy object attributes PolicyRole object attributes Prefix object attributes RoleAssignment object attributes RoleDefinition object attributes Site object attributes User object attributes Web object attributes WebApplication object attributes WebTemplate object attributes

Considerations for creating objects in SharePoint

Working with Microsoft Office 365

Creating a Microsoft Office 365 connection Modifying a Microsoft Office 365 connection Microsoft Office 365 data supported out of the box

ClientPolicy object attributes ConferencingPolicy object attributes Contact object attributes DistributionGroup object attributes Domain object attributes DynamicDistributionGroup object attributes ExternalAccessPolicy object attributes HostedVoicemailPolicy object attributes LicensePlanService object attributes Mailbox object attributes MailUser object attributes PresencePolicy object attributes SecurityGroup object attributes SPOSite object attributes SPOSiteGroup object attributes SPOWebTemplate object attributes SPOTenant object attributes User object attributes Attributes Related to License Plans and Services Other attributes VoicePolicy object attributes Office 365 group attributes

Objects and attributes specific to Microsoft Office 365 services How Microsoft Office 365 Connector works with data Modern Authentication

Installing EXO PowerShell module Upgrade from 7.3.x or 7.4.x to the latest version Working with Modern Authentication

Working with Microsoft Azure Active Directory

Creating a Microsoft Azure Active Directory connection

Step 1: Configure an application in Microsoft Azure Active Directory Step 2: Create a connection to Microsoft Azure Active Directory

Modifying a Microsoft Azure Active Directory connection Microsoft Azure Active Directory data supported out of the box

User object attributes Group object attributes

Working with SCIM

Creating a SCIM connection Modifying a SCIM connection Additional authentication parameters Supported objects and operations

Using connectors installed remotely

Steps to install Synchronization Service and built-in connectors remotely Creating a connection using a remotely installed connector

Creating a connection Renaming a connection Deleting a connection Modifying synchronization scope for a connection Using connection handlers Specifying password synchronization settings for a connection

Synchronizing identity data

Getting started with identity data synchronization Managing sync workflows

Creating a sync workflow Running a sync workflow

Running a sync workflow manually Running a sync workflow on a recurring schedule Disabling a sync workflow run schedule

Renaming a sync workflow Deleting a sync workflow

Managing sync workflow steps

Adding a creating step Creating an updating step Creating a deprovisioning step Modifying a step

General Options tab Source tab Target tab Creation Rules tab Deprovisioning Rules tab Updating Rules Tab Step Handlers tab

Deleting a step Changing the order of steps in a sync workflow Generating object names by using rules Modifying attribute values by using rules

Configuring a forward sync rule

Source item Target item

Configuring a reverse sync rule

Source item Target item

Configuring a merge sync rule

Using value generation rules

Configuring a rule entry

Using sync workflow step handlers Example: Synchronizing group memberships Example: Synchronizing multivalued attributes Using sync workflow alerts

Creating or editing a sync workflow alert Deleting a sync workflow alert Managing outgoing mail profiles

Outgoing mail profile settings

Mapping objects

About mapping objects Steps to map objects

Step 1: Create mapping pairs Step 2: Create mapping rules Step 3 (optional): Change scope for mapping rules Step 4: Run map operation

Steps to unmap objects

Automated password synchronization

About automated password synchronization Steps to automate password synchronization Managing Capture Agent

Installing Capture Agent manually Using Group Policy to install Capture Agent Uninstalling Capture Agent

Managing password sync rules

Creating a password sync rule Deleting a password sync rule Modifying settings of a password sync rule

Fine-tuning automated password synchronization

Configuring Capture Agent

Step 1: Create and link a Group Policy object Step 2: Add administrative template to Group Policy object Step 3: Use Group Policy object to modify Capture Agent settings

Configuring Active Roles Synchronization Service Specifying a custom certificate for encrypting password sync traffic

Step 1: Obtain and install a certificate Step 2: Export custom certificate to a file Step 3: Import certificate into certificates store Step 4: Copy certificate’s thumbprint Step 5: Provide certificate’s thumbprint to Capture Agent Step 6: Provide certificate’s thumbprint to Synchronization Service

Using PowerShell scripts with password synchronization

Example of a PowerShell script run after password synchronization

Synchronization history

About synchronization history Viewing sync workflow history Viewing mapping history Searching synchronization history Cleaning up synchronization history

Scenarios of use

About scenarios Scenario 1: Create users from a .csv file to an Active Directory domain

Step 1: Create a sync workflow Step 2: Add a creating step Step 3: Run the configured creating step Step 4: Commit changes to Active Directory

Scenario 2: Use a .csv file to update user accounts in an Active Directory domain

Step 1: Create an updating step Step 2: Run the created updating step Step 3: Commit changes to Active Directory

Scenario 3: Synchronizing data between One Identity Manager Custom Target Systems and an Active Directory domain

Step 1: Create connection to One Identity Manager Step 2: Configure One Identity Manager modules, Custom Target System and Container Information Step 3: Create Workflow for Provisioning Step 4: Create Provisioning Step 5: Specify the synchronization rules Step 6: Execute Workflow Step 7: Commit changes to One Identity Manager Step 8: Verify on One Identity Manager

Scenario 4: Deprovisioning between One Identity Manager Custom Target Systems and an Active Directory domain Scenario 5: Provisioning of Groups between One Identity Manager Custom Target Systems and an Active Directory domain Scenario 6: Enabling Delta Sync mode between One Identity Manager Custom Target Systems and an Active Directory domain

Appendix A: Developing PowerShell scripts for attribute synchronization rules

Accessing source and target objects using built-in hash tables

Appendix B: Using a PowerShell script to transform passwords

Accessing source object password

Using PowerShell scripts with password synchronization

Optionally, you can configure the Synchronization Service to run your custom PowerShell script before, after, or instead of the password synchronization operation. To do so, create a connection handler. For instructions, see Using connection handlers.

Example of a PowerShell script run after password synchronization

#---- Specify the SMTP Server name in your organization ----
$SmtpServer = "smtpServerName"
$smtp = new-object system.net.mail.smtpClient($SmtpServer)
$mail = new-object System.Net.Mail.MailMessage
# ---- Set the sender mail ----
$mail.From = "yourmail@mydomain.com"
# ---- Set the destination mail ----
$mail.To.Add("Administrator@mydomain.com")
# --- Specify the message subject ----
$mail.Subject = "Password was changed"
# ---- Set the message text ----
$body = "The passwords were synchronized for the following object pair: "
$body = $body + $srcObj.Name + "->" + $dstObj.Name
$mail.Body = $body
# ---- Send mail ----
$smtp.Send($mail)

Description: After the password synchronization is complete, this script sends a notification email message informing the administrator that the specified object password has been modified in the target connected system. The message provides the names of the source Active Directory object and its counterpart in the target connected system.

Synchronization history

About synchronization history

Synchronization Service Administration Console provides the Synchronization History feature that allows you to view the details of completed sync workflow runs, password sync rule runs, and map and unmap operations.

The synchronization history also helps you troubleshoot synchronization issues by providing information on the errors that were encountered during sync workflow runs, password sync rule runs, or map and unmap operations.

You can also selectively clean up entries from the synchronization history.

To access the synchronization history, use the Sync History tab in the Synchronization Service Administration Console.

In this chapter:

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center