The following users are involved in synchronizing One Identity Manager with a cloud application.
User | Authorizations
---|---
One Identity Manager Service user account | The user account for the One Identity Manager Service requires access rights to carry out operations at file level (issuing user rights, adding directories and files to be edited). The user account must belong to the group "Domain Users". The user account must have the extended access right "Log on as a service". The user account requires access rights to the internal web service. The user account needs full access to the One Identity Manager Service installation directory in order to update One Identity Manager automatically. In the default installation, One Identity Manager is installed under:
Security tokens or users for accessing the cloud application | Security tokens or user name and password for use as authentication in the cloud application.
User for accessing the One Identity Manager database | The default system user "Synchronization
To set up synchronization with a cloud application, a server must be available that has the following software installed on it:
The following versions are supported:
- Microsoft .NET Framework Version 4.5.2 or later

NOTE: Microsoft .NET Framework version 4.6 is not supported.

NOTE: Take the target system manufacturer's recommendations into account.
All One Identity Manager Service actions are executed against the target system environment on the synchronization server. Entries which are necessary for synchronization and administration with the One Identity Manager database are processed by the synchronization server. The synchronization server must be declared as a Job server in One Identity Manager.
Use the Server Installer to install the One Identity Manager Service. This program executes the following steps.

NOTE: The program executes remote installation of the One Identity Manager Service. Local installation of the service is not possible with this program. Remote installation is only supported within a domain or a trusted domain.
To install and configure the One Identity Manager Service remotely on a server
- OR -
Click Add to add a new job server.
Property | Description
---|---
Server | Name of the Job server.
Queue | Name of the queue that handles the process steps. Each One Identity Manager Service within the network must have a unique queue identifier. The process steps are requested by the Job queue using exactly this queue name. The queue identifier is entered in the One Identity Manager Service configuration file.
Full server name | Full name of the server in DNS syntax. Example: <name of server>.<fully qualified domain name>

NOTE: Use the Advanced option to edit other Job server properties. You can use the Designer to change properties at a later date.
The server's functions depend on which machine roles you have selected. You can limit the server's functionality further here.

NOTE: The initial service configuration is already predefined. If further changes need to be made to the configuration, you can do this later with the Designer. For more detailed information about configuring the service, see the One Identity Manager Configuration Guide.

NOTE: This page is only displayed when the database is encrypted.
Data | Description
---|---
Computer | Server on which to install and start the service from. To select a server:
Service account | One Identity Manager Service user account data. To enter a user account for the One Identity Manager Service:
Installation account | Data for the administrative user account to install the service. To enter an administrative user account for installation:
Installation of the service occurs automatically and may take some time.

NOTE: The service is entered with the name "One Identity Manager Service" in the server's service administration.
Use the Synchronization Editor to set up synchronization between the One Identity Manager database and the cloud application. The following describes the steps for initial configuration of a synchronization project.
After the initial configuration, you can customize and configure workflows within the synchronization project. Use the workflow wizard in the Synchronization Editor for this. The Synchronization Editor also provides different configuration options for a synchronization project.
Have the following information available for setting up a synchronization project.

NOTE: Be aware of case-sensitive parts of the URL during configuration.
Data | Explanation
---|---
Server's DNS name / URL | DNS name of the server that provides the SCIM interface, or URL for connecting to the server.
Port | Port for accessing the cloud application.
Service URI | URI for reaching the SCIM service.
Authentication endpoint or URL | URL available for authenticating. If another server or another root URL is used for authentication, the full URL must be entered here.
Authentication type | Permitted type of authentication for logging into the cloud application.
User account and password | User name and password for logging into the cloud application with the authentication types "Basic authentication", "OAuth authentication" and "Negotiated authentication".
Client secret | Security token for logging into the cloud application with the authentication type "OAuth authentication".
SCIM endpoints | Endpoint URIs or URLs for accessing the cloud application's schema, resource and service provider data.
Synchronization server | All One Identity Manager Service actions are executed against the target system environment on the synchronization server. Entries which are necessary for synchronization and administration with the One Identity Manager database are processed by the synchronization server. The One Identity Manager Service with the SCIM connector must be installed on the synchronization server. The synchronization server must be declared as a Job server in One Identity Manager. Use the following properties when you set up the Job server. For more information, see Setting Up a Synchronization Server.
One Identity Manager database connection | Connection data for the SQL Server or Oracle database.
Remote connection server | To configure synchronization with a target system, One Identity Manager must load the data from the target system. One Identity Manager communicates directly with the target system to do this. The remote connection server and the workstation must be in the same Active Directory domain. Remote connection server configuration: The remote connection server must be declared as a Job server in One Identity Manager. The Job server name is required. For more detailed information about setting up a remote connection, see the One Identity Manager Target System Synchronization Reference Guide.

NOTE: The following sequence describes how you configure a synchronization project if the Synchronization Editor is both:
Additional settings can be made if the project wizard is run in expert mode or is started directly from the Synchronization Editor. Follow the project wizard instructions through these steps.
To set up initial synchronization project for a cloud application

NOTE: If synchronization is executed by an application server, connect to the database through the application server.
This starts the Synchronization Editor's project wizard.
In this case, set the option Connect using remote connection server and select, under Job server, the server you want to use for the connection.
Property | Description
---|---
Server's DNS name / URL | DNS name of the server that provides the SCIM interface, or the URL for connecting to the server.
Port | Port for accessing the cloud application.
Service URI | URI for reaching the SCIM service. Only the part of the URL that all endpoints to be called have in common is required. The SCIM connector assembles the full URL from the server URL, the port and this URI. For example, if the full URL is "https://identities.example.net:8080/scim/v2", enter "scim/v2" as the URI.

Property | Description
---|---
Basic authentication | Authentication using user name and password.
OAuth authentication | Authentication using the OAuth 2.0 protocol.
Negotiated authentication | Authentication using Windows authentication methods such as NTLM or Kerberos.
Authentication endpoint/URL | URI under which authentication is possible. Only the part of the URL that is appended to the common part to reach the authentication endpoint is required. If another server or another root URL is used for authentication, the full URL must be entered here. Example: If the full URI is "https://identities.example.net:8080/scim/v2/auth/token", enter "auth/token". If the base URL or the server differs from the resource URL, enter the full URL, for example "https://authserver.example.net/token".
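The URL rules in the two tables above (common base assembled from server, port and service URI; authentication endpoint either relative to that base or a full URL on another host) are easy to get wrong, especially around case and the port. The following is an added example, not One Identity Manager or SCIM connector code, that applies those rules the way the wizard text describes and derives the discovery URLs the connection test would need. The names `scim_base_url`, `auth_endpoint_url` and `discovery_urls` are this example's own; the paths Schemas, ResourceTypes and ServiceProviderConfig are the standard SCIM 2.0 discovery endpoints (RFC 7644), and it is an assumption that the connector queries exactly those. The TLS check is a practitioner's addition, not a rule stated on this page.

```python
"""Assemble SCIM connection URLs from the wizard inputs (added example, not connector code)."""
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit


def scim_base_url(server: str, port: Optional[int], service_uri: str,
                  require_tls: bool = True) -> str:
    """Join server, port and service URI into the common part of every SCIM call.

    `server` may be a bare DNS name or a URL; a bare name is assumed to be https.
    The host is normalised to lower case (DNS is case-insensitive) but the path is
    kept exactly as entered, because SCIM paths such as /Users are case-sensitive
    on many providers: that is the case-sensitivity note on this page.
    """
    if "://" not in server:
        server = "https://" + server
    parts = urlsplit(server)
    if require_tls and parts.scheme != "https":
        # Assumption: basic credentials and bearer tokens must never go over plain HTTP.
        raise ValueError(f"refusing scheme {parts.scheme!r}: credentials would travel in clear")
    if not parts.hostname:
        raise ValueError("server has no host component")
    port = parts.port if port is None else port          # explicit port wins over the URL's
    default = port is None or (parts.scheme == "https" and port == 443)
    netloc = parts.hostname if default else f"{parts.hostname}:{port}"
    path = parts.path.rstrip("/") + "/" + service_uri.strip("/")
    return urlunsplit((parts.scheme, netloc, path.rstrip("/"), "", ""))


def auth_endpoint_url(base_url: str, auth_endpoint: str) -> str:
    """Resolve the authentication endpoint as the wizard describes: a relative
    value is appended to the common part, a full URL is used as is."""
    if "://" in auth_endpoint:
        return auth_endpoint
    return base_url.rstrip("/") + "/" + auth_endpoint.strip("/")


# Assumed standard SCIM 2.0 discovery endpoints (RFC 7644): schema, resource type
# and service provider data, the three endpoint kinds the wizard asks for.
SCIM_DISCOVERY = ("Schemas", "ResourceTypes", "ServiceProviderConfig")


def discovery_urls(base_url: str) -> Dict[str, str]:
    """URLs a connection test would request, keyed by discovery endpoint name."""
    return {name: f"{base_url.rstrip('/')}/{name}" for name in SCIM_DISCOVERY}


if __name__ == "__main__":
    base = scim_base_url("identities.example.net", 8080, "scim/v2")
    print(base)                                   # https://identities.example.net:8080/scim/v2
    print(auth_endpoint_url(base, "auth/token"))  # .../scim/v2/auth/token
    print(auth_endpoint_url(base, "https://authserver.example.net/token"))
    for name, url in discovery_urls(base).items():
        print(f"{name:<22} {url}")
```

Run it with the page's own example values and compare the printed URLs with what you typed into the wizard; a mismatch in case or in the port is usually why the connection test fails while the same URL works in a browser.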
If the client secret is not known, enter the user name and password.
One Identity Manager tries to connect to the cloud application.

TIP: One Identity Manager saves the test result. When you reopen the page and the connection data has not changed, the result of the test is displayed. You do not have to run the connection test again if it was successful.
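The wizard's "OAuth authentication" type and the rule that the user name and password stand in when the client secret is not known describe a token exchange that the page does not spell out. The following added example, not One Identity Manager or connector code, shows what that exchange looks like on the wire. The page does not say which OAuth 2.0 grant the connector uses; this assumes the client credentials grant (RFC 6749 section 4.4) when a client secret is known and the resource owner password credentials grant (RFC 6749 section 4.3) otherwise. Nothing is sent over the network: `build_token_request` returns the request as a dict and `parse_token_response` is fed constructed sample responses. The function names, the client id `oneim` and the sample token values are this example's own.

```python
"""OAuth 2.0 token request for the SCIM connection (added example, not connector code)."""
import base64
import json
import time
from typing import Optional
from urllib.parse import urlencode


class TokenError(Exception):
    """Raised when the token endpoint refuses the client or returns an unusable token."""


def build_token_request(token_url: str, client_id: str, client_secret: Optional[str] = None,
                        username: Optional[str] = None, password: Optional[str] = None,
                        scope: Optional[str] = None) -> dict:
    """Return {"url", "headers", "body"} for a POST to the token endpoint.

    With a client secret: client_credentials grant, secret sent in an HTTP Basic
    header (RFC 6749 section 2.3.1), never in the URL, so it stays out of proxy
    and web-server access logs. Without one: password grant with the user account
    entered in the wizard (assumed grant; the page does not name it).
    """
    if not token_url.startswith("https://"):
        raise ValueError("token endpoint must be https: the secret or password is in the body")
    headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
    form = {}
    if client_secret is not None:
        form["grant_type"] = "client_credentials"
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {creds}"
    elif username is not None and password is not None:
        form["grant_type"] = "password"
        form["username"] = username
        form["password"] = password
        form["client_id"] = client_id
    else:
        raise ValueError("need either a client secret or a user name and password")
    if scope:
        form["scope"] = scope
    return {"url": token_url, "headers": headers, "body": urlencode(form)}


def parse_token_response(status: int, body: str, now: Optional[float] = None) -> dict:
    """Turn a token-endpoint response into the Authorization header for SCIM calls.

    Rejects error responses and non-bearer tokens, and records an absolute expiry
    so the caller can refresh before the cloud application starts answering 401.
    """
    now = time.time() if now is None else now
    data = json.loads(body)
    if status != 200:
        detail = f"{data.get('error', 'unknown')} {data.get('error_description', '')}".strip()
        raise TokenError(f"{status}: {detail}")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise TokenError(f"unsupported token_type {data.get('token_type')!r}")
    return {"authorization": f"Bearer {data['access_token']}",
            "expires_at": now + int(data.get("expires_in", 3600))}


# Constructed sample responses in the shape a token endpoint returns (not captured traffic).
SAMPLE_OK = (200, json.dumps({"access_token": "eyJhbGciOi.sample.token",
                              "token_type": "Bearer", "expires_in": 3600}))
SAMPLE_BAD = (401, json.dumps({"error": "invalid_client",
                               "error_description": "client secret mismatch"}))


if __name__ == "__main__":
    req = build_token_request("https://authserver.example.net/token", "oneim", client_secret="s3cret")
    print(req["headers"]["Authorization"], req["body"])
    req = build_token_request("https://authserver.example.net/token", "oneim",
                              username="svc-oneim", password="Pa$$w0rd")
    print(req["body"])
    print(parse_token_response(*SAMPLE_OK)["authorization"])
    try:
        parse_token_response(*SAMPLE_BAD)
    except TokenError as exc:
        print("token endpoint refused:", exc)
```

The password grant is the weaker of the two: it hands the service account's password to the client, so prefer registering a client secret at the cloud application whenever the provider allows it, and keep either credential in the encrypted database rather than in a variable set that is exported in clear.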
Property | Description
---|---
Schema | Endpoint for accessing the cloud application's schema information.
Resources | Endpoint for accessing cloud application resource data, for example, groups or user accounts.
Supported service options | Endpoint for accessing cloud application service provider data.

TIP: One Identity Manager saves the test result. When you reopen the page and the endpoint configuration has not changed, the result of the test is displayed.
Property | Description |
---|---|
SCIM Core V 2.0 | Product for synchronizing a default SCIM environment. |
One Identity Connect For Cloud | Product for synchronizing a One Identity Connect For Cloud system.
You can use display names to differentiate between the cloud application in One Identity Manager tools. Display names cannot be changed later.

NOTE: Reenter all the connection data if you are not working with an encrypted One Identity Manager database and no synchronization project has been saved yet in the database. This page is not shown if a synchronization project already exists.
Project template | Description
---|---
SCIM synchronization | Use this project template for initially setting up the synchronization project for synchronizing a System for Cross-domain Identity Management (SCIM) environment.
Synchronizing a One Identity Connect For Cloud environment | Use this project template for initially setting up the synchronization project for synchronizing a SCIM environment using the One Identity Connect For Cloud infrastructure.

NOTE: A default project template ensures that all required information is added in One Identity Manager. This includes mappings, workflows and the synchronization base object. If you do not use a default project template, you must declare the synchronization base object in One Identity Manager yourself. Use a default project template for initially setting up the synchronization project. For custom implementations, you can extend the synchronization project with the Synchronization Editor.
Option | Meaning
---|---
Read-only access to target system | Specifies whether a synchronization workflow should be set up to initially load the target system into the One Identity Manager database. The synchronization workflow has the following characteristics:
Changes are also made to the target system | Specifies whether a provisioning workflow should be set up in addition to the synchronization workflow to initially load the target system. The provisioning workflow has the following characteristics:
If the synchronization server is not yet declared as a Job server in the One Identity Manager database, you can add a new Job server.
The synchronization server is declared as Job server for the target system in the One Identity Manager database.

NOTE: Ensure that this server is set up as the synchronization server after saving the synchronization project.
This creates and allocates a default schedule for regular synchronization. Enable the schedule for regular synchronization.
The synchronization project is created, saved and enabled immediately.

NOTE: If the synchronization project is not going to be executed immediately, disable the option Activate and save the new synchronization project automatically. In this case, save the synchronization project manually before closing the Synchronization Editor.

NOTE: The target system connection data is saved in a variable set, which you can change in the Synchronization Editor under Configuration | Variables if necessary.
To configure the content of the synchronization log

NOTE: Certain content creates a lot of log data. The synchronization log should only contain the data necessary for error analysis and other evaluations.
To synchronize on a regular basis
To start initial synchronization manually
Synchronization results are summarized in the synchronization log. You can specify the extent of the synchronization log for each system connection individually. One Identity Manager provides several reports in which the synchronization results are organized under different criteria.
To display a synchronization log
Logs for all completed synchronization runs are displayed in the navigation view.
An analysis of the synchronization is shown as a report. You can save this report.
To display a provisioning log
Logs for all completed provisioning processes are displayed in the navigation view.
Select a log by double-clicking on it.
An analysis of the provisioning is shown as a report. You can save this report.
The log is marked in color in the navigation view. This mark shows you the execution status of the synchronization/provisioning.
Synchronization logs are stored for a fixed length of time. The retention period is set in the configuration parameter "DPR\Journal\LifeTime" and its sub parameters.
To modify the retention period for synchronization logs