Chat now with support
Chat with Support

Active Roles 7.6 - Synchronization Service Administration Guide

Synchronization Service Overview Deploying Synchronization Service Getting started Connections to external data systems
External data systems supported with built-in connectors
Working with Active Directory Working with an AD LDS (ADAM) instance Working with Skype for Business Server Working with Oracle Working with Exchange Server Working with Active Roles Working with One Identity Manager Working with a delimited text file Working with Microsoft SQL Server Working with Micro Focus NetIQ Directory Working with Salesforce Working with ServiceNow Working with Oracle Unified Directory Working with an LDAP directory service Working with IBM DB2 Working with IBM AS/400 Working with an OpenLDAP directory service Working with IBM RACF connector Working with MySQL database Working with an OLE DB-compliant relational database Working with SharePoint Working with Microsoft Office 365 Working with Microsoft Azure Active Directory Configuring data synchronization with the SCIM Connector Configuring data synchronization with the Generic SCIM Connector
Using connectors installed remotely Creating a connection Renaming a connection Deleting a connection Modifying synchronization scope for a connection Using connection handlers Specifying password synchronization settings for a connection
Synchronizing identity data Mapping objects Automated password synchronization Synchronization history Scenarios of use
About scenarios Scenario 1: Create users from a .csv file to an Active Directory domain Scenario 2: Use a .csv file to update user accounts in an Active Directory domain Scenario 3: Synchronizing data between One Identity Manager Custom Target Systems and an Active Directory domain Scenario 4: Deprovisioning between One Identity Manager Custom Target Systems and an Active Directory domain Scenario 5: Provisioning of Groups between One Identity Manager Custom Target Systems and an Active Directory domain Scenario 6: Enabling Delta Sync mode between One Identity Manager Custom Target Systems and an Active Directory domain Example of using the Generic SCIM Connector for data synchronization
Appendix A: Developing PowerShell scripts for attribute synchronization rules Appendix B: Using a PowerShell script to transform passwords

Microsoft Azure Active Directory data supported out of the box

The next table lists the Microsoft Azure Active Directory object types supported by the Microsoft Azure AD Connector out of the box. The table also provides information about the operations you can perform on these objects by using the Microsoft Azure AD Connector.

 

Table 113: Supported objects and operations

Object

Read

Create

Delete

Update

User

Yes

Yes

Yes

Yes

Group

Yes

Yes

Yes

Yes

The next sections describe the attributes provided by the Microsoft Azure AD Connector. By using these attributes, you can read and/or write data related to a particular object in Microsoft Azure Active Directory.

In the next sections:

User object attributes

 

Table 114: User attributes

Attribute

Description

Supported operations

accountEnabled

Gets or sets whether the user account is enabled. Required for creating a user.

Read, Write

assignedLicenses

Gets the licenses assigned to the user.

Read

assignedPlans

Gets the plans assigned to the user.

Read

city

Gets or sets the user’s city.

Read, Write

country

Gets or sets the user’s country.

Read, Write

department

Gets or sets the user’s department.

Read, Write

dirSyncEnabled

Gets or sets whether the user was synchronized from the on-premises Active Directory Domain Services.

Read, Write

directReports

Gets the direct reports of the user.

Read

displayName

Gets or sets the user’s name in the address book. Required for creating a user.

Read, Write

facsimileTelephoneNumber

Gets or sets the user’s fax number.

Read, Write

givenName

Gets or sets the user’s given name.

Read, Write

jobTitle

Gets or sets the user’s job title.

Read, Write

lastDirSyncTime

Gets the time when the user was last synchronized with the on-premises Active Directory Domain Services.

Read

mail

Gets or sets the user’s primary e-mail address.

Read, Write

mailNickName

Gets or sets the user’s mail alias. Required for creating a user.

Read, Write

manager

Gets or sets the user’s manager.

Read, Write

memberOf

Gets group membership for the user.

Read

mobile

Gets or sets the user’s mobile phone number.

Read, Write

objectId

Gets the user’s unique identifier.

Read

objectType

Gets the object type.

Read

otherMails

Gets or sets other e-mail addresses of the user.

Read, Write

passwordPolicies

Gets or sets password policies applicable to the user.

Read, Write

passwordProfile

Gets or sets the user’s password profile. Required for creating a user.

Read, Write

physicalDeliveryOfficeName

Gets or sets the user’s office location.

Read, Write

postalCode

Gets or sets the user’s postal code.

Read, Write

preferredLanguage

Gets or sets the user’s preferred language.

Read, Write

provisionedPlans

Gets the user’s provisioned plans.

Read

provisioningErrors

Gets the errors encountered when provisioning the user.

Read

proxyAddresses

Not available

Read

state

Gets or sets the user’s state or province.

Read, Write

streetAddress

Gets or sets the user’s street address.

Read, Write

surname

Gets or sets the user’s surname.

Read, Write

telephoneNumber

Gets or sets the user’s telephone number.

Read, Write

thumbnailPhoto

Gets or sets the user’s thumbnail photo.

Read, Write

usageLocation

Not available

Read, Write

userPrincipalName

Gets or sets the user’s principal name (UPN). Required when creating a user.

Read, Write

Group object attributes

 

Table 115: Group attributes

Attribute

Description

Supported operations

description

Gets or sets the group’s description.

Read, Write

dirSyncEnabled

Gets whether the group was synchronized from the on-premises Active Directory Domain Services.

Read

displayName

Gets or sets the group’s display name. Required when creating a group.

Read, Write

lastDirSyncTime

Gets the time when the group was last synchronized with the on-premises Active Directory Domain Services.

Read

mail

Gets or sets the group’s e-mail address.

Read, Write

mailEnabled

Gets or sets whether the group is mail-enabled. Required when creating a group.

Read, Write

mailNickName

Gets or sets the group’s mail alias. Required when creating a group.

Read, Write

members

Gets or sets the group’s members.

Read, Write

objectId

Gets the group’s unique identifier.

Read

objectType

Gets the object type.

Read

provisioningErrors

Gets the errors encountered when provisioning the user.

Read

proxyAddresses

Not available

Read

securityEnabled

Gets or sets whether the group is a security group. Required when creating a group.

Read, Write

Configuring data synchronization with the SCIM Connector

With the SCIM Connector, you can configure inbound data synchronization connections for the following SCIM-based One Identity Starling Connect connectors:

  • PingOne

  • Workday HR

NOTE: Consider the following when planning to configure a connection with the SCIM Connector:

  • The SCIM Connector is tested to support the Starling Connect PingOne and Workday HR connectors. To configure a connection for import-based workflows to the SCIM 2.0-based SuccessFactors HR 8.0 or ServiceNow 2.0 Starling connectors, use the Generic SCIM Connector instead. For more information, see Configuring data synchronization with the Generic SCIM Connector.

  • The SCIM Connector supports only the standard schema of the SCIM protocol. It does not support extended schemas, and therefore cannot handle user-made custom attributes.

For the list of Active Roles Synchronization Service connector features that the SCIM Connector supports or does not support, see the following table.

Table 116: SCIM Connector – Supported features

Feature

Supported

Bidirectional synchronization

Specifies whether you can both read and write data in the connected data system.

No

Delta processing mode

Specifies whether the connection can process only the data that has changed in the connected data system since the last synchronization operation. This reduces the overall synchronization duration.

No

Password synchronization

Specifies whether you can synchronize user passwords from an Active Directory (AD) domain to the connected data system.

No

Secure Sockets Layer (SSL) data encryption

Specifies whether the connector can use SSL to encrypt data transmitted between Active Roles Synchronization Service and the connected data system.

Yes

For more information on the SCIM protocol, see the official SCIM site, or the following IETF RFC documents:

  • IETF RFC-7642: System for Cross-domain Identity Management: Definitions, Overview, Concepts, and Requirements

  • IETF RFC-7643: System for Cross-domain Identity Management: Core Schema

  • IETF RFC-7644: System for Cross-domain Identity Management: Protocol

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating