Chat now with support
Chat with Support

Active Roles 8.0 LTS - Synchronization Service Administration Guide

Synchronization Service Overview Deploying Synchronization Service Getting started Connections to external data systems
External data systems supported with built-in connectors
Working with Active Directory Working with an AD LDS (ADAM) instance Working with Skype for Business Server Working with Oracle Working with Exchange Server Working with Active Roles Working with One Identity Manager Working with a delimited text file Working with Microsoft SQL Server Working with Micro Focus NetIQ Directory Working with Salesforce Working with ServiceNow Working with Oracle Unified Directory Working with an LDAP directory service Working with IBM DB2 Working with IBM AS/400 Working with an OpenLDAP directory service Working with IBM RACF connector Working with MySQL database Working with an OLE DB-compliant relational database Working with SharePoint Configuring data synchronization with the Office 365 Connector
Creating a Microsoft 365 connection Viewing or modifying a Microsoft 365 connection Microsoft 365 data supported for data synchronization
ClientPolicy object attributes supported for Microsoft 365 data synchronization ConferencingPolicy object attributes supported for Microsoft 365 data synchronization Contact object attributes supported for Microsoft 365 data synchronization DistributionGroup object attributes supported for Microsoft 365 data synchronization Domain object attributes supported for Microsoft 365 data synchronization DynamicDistributionGroup object attributes supported for Microsoft 365 data synchronization ExternalAccessPolicy object attributes supported for Microsoft 365 data synchronization HostedVoicemailPolicy object attributes supported for Microsoft 365 data synchronization LicensePlanService object attributes supported for Microsoft 365 data synchronization Mailbox object attributes supported for Microsoft 365 data synchronization MailUser object attributes supported for Microsoft 365 data synchronization PresencePolicy object attributes supported for Microsoft 365 data synchronization SecurityGroup object attributes supported for Microsoft 365 data synchronization SPOSite object attributes supported for Microsoft 365 data synchronization SPOSiteGroup object attributes supported for Microsoft 365 data synchronization SPOWebTemplate object attributes supported for Microsoft 365 data synchronization SPOTenant object attributes supported for Microsoft 365 data synchronization User object attributes supported for Microsoft 365 data synchronization VoicePolicy object attributes supported for Microsoft 365 data synchronization Microsoft 365 Group attributes supported for Microsoft 365 data synchronization Changing the display names of synchronized Microsoft 365 licenses and services
Objects and attributes specific to Microsoft 365 services How the Office 365 Connector works with data
Configuring data synchronization with the Microsoft Azure AD Connector Configuring data synchronization with the SCIM Connector Configuring data synchronization with the Generic SCIM Connector
Using connectors installed remotely Creating a connection Renaming a connection Deleting a connection Modifying synchronization scope for a connection Using connection handlers Specifying password synchronization settings for a connection
Synchronizing identity data Mapping objects Automated password synchronization Synchronization history Scenarios of use
About scenarios Scenario 1: Create users from a .csv file to an Active Directory domain Scenario 2: Use a .csv file to update user accounts in an Active Directory domain Scenario 3: Synchronizing data between One Identity Manager Custom Target Systems and an Active Directory domain Scenario 4: Deprovisioning between One Identity Manager Custom Target Systems and an Active Directory domain Scenario 5: Provisioning of Groups between One Identity Manager Custom Target Systems and an Active Directory domain Scenario 6: Enabling Delta Sync mode between One Identity Manager Custom Target Systems and an Active Directory domain Example of using the Generic SCIM Connector for data synchronization
Appendix A: Developing PowerShell scripts for attribute synchronization rules Appendix B: Using a PowerShell script to transform passwords

Microsoft Azure AD user attributes supported for data synchronization

The Microsoft Azure AD Connector of the Active Roles Synchronization Service supports the following Azure Active Directory (Azure AD) user attributes for data synchronization.

NOTE: When configuring a data synchronization mapping rule with the Microsoft Azure AD Connector, consider that the following user attributes are currently not supported and cannot be queried via the Microsoft Graph API:

  • aboutMe

  • birthday

  • contacts

  • hireDate

  • interests

  • mySite

  • officeLocation

  • pastProjects

  • preferredName

  • responsibilites

  • schools

  • skills

This means that although these user attributes are visible, they cannot be set in a mapping rule.

Table 114: Azure AD user attributes supported for data synchronization

Attribute

Description

Supported operations

accountEnabled

Gets or sets whether the user account is enabled.

NOTE: This attribute is required when creating a user.

Read, Write

assignedLicenses

Gets the licenses assigned to the user.

Read

assignedPlans

Gets the plans assigned to the user.

Read

city

Gets or sets the user city.

Read, Write

country

Gets or sets the user country.

Read, Write

department

Gets or sets the user department.

Read, Write

dirSyncEnabled

Gets or sets whether the user was synchronized from the on-premises Active Directory Domain Services (AD DS).

Read, Write

directReports

Gets the direct reports of the user.

Read

displayName

Gets or sets the user name in the address book.

NOTE: This attribute is required when creating a user.

Read, Write

facsimileTelephoneNumber

Gets or sets the user fax number.

Read, Write

givenName

Gets or sets the given name of the user.

Read, Write

jobTitle

Gets or sets the user job title.

Read, Write

lastDirSyncTime

Gets the time when the user was last synchronized with the on-premises AD DS.

Read

mail

Gets or sets the primary e-mail address of the user.

Read, Write

mailNickName

Gets or sets the mail alias of the user.

NOTE: This attribute is required when creating a user.

Read, Write

manager

Gets or sets the manager of the user.

Read, Write

memberOf

Gets the group membership of the user.

Read

mobile

Gets or sets the mobile phone number o the user.

Read, Write

objectId

Gets the unique identifier of the user.

Read

objectType

Gets the object type of the user.

Read

otherMails

Gets or sets other e-mail addresses for the user.

Read, Write

passwordPolicies

Gets or sets password policies applicable to the user.

Read, Write

passwordProfile

Gets or sets the password profile of the user.

NOTE: This attribute is required when creating a user.

Read, Write

physicalDeliveryOfficeName

Gets or sets the office location of the user.

Read, Write

postalCode

Gets or sets the postal code of the user.

Read, Write

preferredLanguage

Gets or sets the preferred language of the user.

Read, Write

provisionedPlans

Gets the provisioned plans of the user.

Read

provisioningErrors

Gets the errors encountered when provisioning the user.

Read

proxyAddresses

Gets the known address entries of the user.

Read

state

Gets or sets the state or province of the user.

Read, Write

streetAddress

Gets or sets the street address of the user.

Read, Write

surname

Gets or sets the family name of the user.

Read, Write

telephoneNumber

Gets or sets the telephone number of the user.

Read, Write

thumbnailPhoto

Gets or sets the thumbnail photo of the user.

Read, Write

usageLocation

Gets or sets the usage location, that is the geographical location where the user is located and operating from.

Read, Write

userPrincipalName

Gets or sets the user principal name of the user.

NOTE: This attribute is required when creating a user.

Read, Write

Microsoft Azure AD group attributes supported for data synchronization

The Microsoft Azure AD Connector of the Active Roles Synchronization Service supports the following Azure Active Directory (Azure AD) group attributes for data synchronization.

NOTE: When configuring a data synchronization mapping rule with the Microsoft Azure AD Connector, consider that the following group attributes are currently not supported and cannot be queried via the Microsoft Graph API:

  • acceptedSenders

  • allowExternalSenders

  • autoSubscribeNewMembers

  • hasMembersWithLicenseErrors

  • hideFromAddressLists

  • hideFromOutlookClients

  • isSubscribedByMail

  • membersWithLicenseErrors

  • rejectedSenders

  • unseenCount

This means that although these group attributes are visible, they cannot be set in a mapping rule.

Table 115: Azure AD group attributes supported for data synchronization

Attribute

Description

Supported operations

description

Gets or sets the group description.

Read, Write

dirSyncEnabled

Gets whether the group was synchronized from the on-premises Active Directory Domain Services (AD DS).

Read

displayName

Gets or sets the display name of the group.

NOTE: This attribute is required when creating a group.

Read, Write

lastDirSyncTime

Gets the time when the group was last synchronized with the on-premises AD DS.

Read

mail

Gets or sets the e-mail address of the group.

Read, Write

mailEnabled

Gets or sets whether the group is mail-enabled.

NOTE: This attribute is required when creating a group.

Read, Write

mailNickName

Gets or sets the mail alias of the group.

NOTE: This attribute is required when creating a group.

Read, Write

members

Gets or sets the members of the group.

Read, Write

objectId

Gets the unique identifier of the group.

Read

objectType

Gets the object type of the group.

Read

provisioningErrors

Gets the errors encountered when provisioning the group.

Read

proxyAddresses

Gets the known address entries of the group.

Read

securityEnabled

Gets or sets whether the group is a security group.

NOTE: This attribute is required when creating a group.

Read, Write

Configuring data synchronization with the SCIM Connector

With the SCIM Connector, you can configure inbound data synchronization connections for the following SCIM-based One Identity Starling Connect connectors:

  • PingOne

  • Workday HR

NOTE: Consider the following when planning to configure a connection with the SCIM Connector:

  • The SCIM Connector is tested to support the Starling Connect PingOne and Workday HR connectors. To configure a connection for import-based workflows to the SCIM 2.0-based SuccessFactors HR 8.0 or ServiceNow 2.0 Starling connectors, use the Generic SCIM Connector instead. For more information, see Configuring data synchronization with the Generic SCIM Connector.

  • The SCIM Connector supports only the standard schema of the SCIM protocol. It does not support extended schemas, and therefore cannot handle user-made custom attributes.

For the list of Active Roles Synchronization Service connector features that the SCIM Connector supports or does not support, see the following table.

Table 116: SCIM Connector – Supported features

Feature

Supported

Bidirectional synchronization

Specifies whether you can both read and write data in the connected data system.

No

Delta processing mode

Specifies whether the connection can process only the data that has changed in the connected data system since the last synchronization operation. This reduces the overall synchronization duration.

No

Password synchronization

Specifies whether you can synchronize user passwords from an Active Directory (AD) domain to the connected data system.

No

Secure Sockets Layer (SSL) data encryption

Specifies whether the connector can use SSL to encrypt data transmitted between Active Roles Synchronization Service and the connected data system.

Yes

For more information on the SCIM protocol, see the official SCIM site, or the following IETF RFC documents:

  • IETF RFC-7642: System for Cross-domain Identity Management: Definitions, Overview, Concepts, and Requirements

  • IETF RFC-7643: System for Cross-domain Identity Management: Core Schema

  • IETF RFC-7644: System for Cross-domain Identity Management: Protocol

Creating a SCIM connection

To create a new connection

  1. In the Synchronization Service Administration Console, open the Connections tab.

  2. Click Add Connection, and then use the following options:

    • Connection name. Type a descriptive name for the connection.

    • Use the specified connector. Select SCIM Connector.

  3. Click Next.

  4. On the Add Connection page, select the following options:

    •  SCIM settings
      • SCIM version. Select the required version of the SCIM. The available options are V2 and V1.1.
      • SCIM URL. Provide the SCIM URL.
      • Schema URL. Provide the schema URL.
      • Authentication type. Select the authentication type. The available options are OAuth, Basic, and API Key.
    • Authentication parameters

      Based on the chosen Authentication type, the parameters required for authenticating also differs.

      Basic

      • User name. Provide the username
      • Password. Provide the password used for authentication.

        IMPORTANT: Some of the connectors might use API key as the User name and the API token as the Password. For example, Ping Identity uses the API key and API token,

      OAuth

      Depending on the Grant Type selected, the following options are displayed. Th available options are password, client_credentials, Bearer_Token

      • password
        • Token URL. Provide the URL of the token.
        • User name. Provide the username.
        • Password. Provide the password .
        • Client id. Provide the client id used to login.
        • Client secret. Provide the client secret.
      • client_credentials
        • Token URL. Provide the URL of the token.
        • Client id. Provide the client id used to login.
        • Client secret. Provide the client secret.
      • Bearer_Token
        • Bearer token. Provide the bearer token.

          IMPORTANT: A connection established using the bearer token has a time-limit, specified by the token provider. After the expiration of the time-limit, the connection is discontinued. A new token must be created to establish a new connection session.

      API_Key

      • Key. Provide the API key.
      • Token. Provide the API token.

  1. Click Finish to create a connection to a SCIM connector.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating