PingDirectory

Synchronize changes from a PingOne environment

This section describes the configuration that is necessary to synchronize changes from a PingOne environment. To view an example configuration, see the file located at <server-root>/config/sample-dsconfig-batch-files/reference-ping-one-sync-source-configuration.dsconfig.

Create a PingOne sync source

Before you create a PingOne sync source, make certain you have the following information ready:

  • Environment ID (environment-id)

  • OAuth client ID (oauth-client-id)

  • OAuth client secret (oauth-client-secret)

For information about obtaining these values, see Create a worker application.

The following example creates a PingOne sync source.

dsconfig create-sync-source \
  --source-name PingOne \
  --type ping-one-customer \
  --set api-url:https://api.pingone.com/v1 \
  --set auth-url:https://auth.pingone.com/[PING_ONE_ENV_ID]/as/token \
  --set environment-id:[PING_ONE_ENV_ID] \
  --set oauth-client-id:[PING_ONE_OAUTH_CLIENT_ID] \
  --set oauth-client-secret:[PING_ONE_OAUTH_CLIENT_SECRET]

Configuring attribute mapping

The process of synchronizing data uses the concepts and structures associated with LDAP entries. Ping Identity recommends that you conceptualize the PingOne User Resource model as an LDAP entry when configuring an attribute mapping. Additionally, you might need to use JSON pathing when selecting a value for complex JSON attributes within the user.

dsconfig create-attribute-mapping \
  --map-name PingOne_to_PingDirectory_User_Map \
  --mapping-name givenname \
  --type constructed \
  --set "value-pattern:{name.given}"

Correlating entries

To ensure that users correlate to the appropriate entry in PingDirectory, map the id attribute from the user resource to entryUUID in PingDirectory.

Considerations and limitations

This section describes limitations and other constraints to consider when synchronizing changes from a PingOne environment.

Bidirectional synchronization

If you plan on configuring bidirectional synchronization between PingOne and PingDirectory, make sure that you satisfy the following conditions:

  • Use separate worker apps for the source and destination.

  • To prevent the unnecessary duplication of changes, add the client ID of the destination worker app to the actor-id-to-ignore configuration attribute of the source.

  • To ensure that no attribute mappings are mismatched, modify the reference dsconfig batch files.

Password synchronization

PingDataSync does not support the synchronizing of passwords from PingOne.

Population management

If your PingOne environment features a large number of populations, or if you want to limit synchronized users to a specific set of populations, provide one or more population-to-synchronize configuration attributes to the source. The name or ID of the population can be used.

Synchronization delay

PingDataSync propagates changes throughout PingOne nearly in real time. However, a delay might occur between the time a change occurs in PingOne and the time it becomes available for PingDataSync to synchronize. To help ensure that no changes are missed, a default delay of 5 seconds has been configured within the sync source. For environments of sufficient size or with high rates of change, use the configuration attribute realtime-sync-polling-offset on the sync source to increase the delay.