Synchronize changes from a PingOne environment
This section describes the configuration that is necessary to synchronize changes from a PingOne environment. To view an example configuration, see the file located at <server-root>/config/sample-dsconfig-batch-files/reference-ping-one-sync-source-configuration.dsconfig.
Create a PingOne sync source
Before you create a PingOne sync source, make certain you have the following information ready:
- Environment ID (environment-id)
- OAuth client ID (oauth-client-id)
- OAuth client secret (oauth-client-secret)
For information about obtaining these values, see Create a worker application.
The following example creates a PingOne sync source.
dsconfig create-sync-source \
  --source-name PingOne \
  --type ping-one-customer \
  --set api-url:https://api.pingone.com/v1 \
  --set auth-url:https://auth.pingone.com/[PING_ONE_ENV_ID]/as/token \
  --set environment-id:[PING_ONE_ENV_ID] \
  --set oauth-client-id:[PING_ONE_OAUTH_CLIENT_ID] \
  --set oauth-client-secret:[PING_ONE_OAUTH_CLIENT_SECRET]
Configuring attribute mapping
The process of synchronizing data uses the concepts and structures associated with LDAP entries. Ping Identity recommends that you conceptualize the PingOne User Resource model as an LDAP entry when configuring an attribute mapping. Additionally, you might need to use JSON pathing when selecting a value for complex JSON attributes within the user.
dsconfig create-attribute-mapping \
  --map-name PingOne_to_PingDirectory_User_Map \
  --mapping-name givenname \
  --type constructed \
  --set "value-pattern:{name.given}"
Considerations and limitations
This section describes limitations and other constraints to consider when synchronizing changes from a PingOne environment.
Bidirectional synchronization
If you plan on configuring bidirectional synchronization between PingOne and PingDirectory, make sure that you satisfy the following conditions:
- Use separate worker apps for the source and destination.
- To prevent the unnecessary duplication of changes, add the client ID of the destination worker app to the actor-id-to-ignore configuration attribute of the source.
- To ensure that no attribute mappings are mismatched, modify the reference dsconfig batch files.
Population management
If your PingOne environment features a large number of populations, or if you want to limit synchronized users to a specific set of populations, provide one or more population-to-synchronize configuration attributes to the source. The name or ID of the population can be used.
Synchronization delay
PingDataSync propagates changes throughout PingOne nearly in real time. However, a delay might occur between the time a change occurs in PingOne and the time it becomes available for PingDataSync to synchronize. To help ensure that no changes are missed, a default delay of 5 seconds has been configured within the sync source. For environments of sufficient size or with high rates of change, use the configuration attribute realtime-sync-polling-offset on the sync source to increase the delay.
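The three source settings described in this section (actor-id-to-ignore, population-to-synchronize, and realtime-sync-polling-offset) can be pictured as filters over the stream of PingOne changes. The following Python model is an added illustration and is not PingDataSync code; the Change record, its field names, the sample data, and the exact filtering semantics are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Change:  # hypothetical change record; field names are assumptions
    user_id: str
    actor_client_id: str   # client ID of the app that made the change
    population_id: str
    population_name: str
    occurred_at: float     # seconds since epoch

def eligible_changes(changes, now, actor_ids_to_ignore=(),
                     populations_to_synchronize=(), polling_offset_s=5.0):
    """Return the changes a single poll at time `now` would synchronize."""
    ignore = set(actor_ids_to_ignore)
    pops = set(populations_to_synchronize)
    cutoff = now - polling_offset_s
    selected = []
    for c in sorted(changes, key=lambda ch: ch.occurred_at):
        if c.actor_client_id in ignore:
            continue  # written by the destination worker app: syncing it would echo
        if pops and not ({c.population_id, c.population_name} & pops):
            continue  # outside the configured populations (name or ID may match)
        if c.occurred_at > cutoff:
            continue  # inside the delay window: left for a later poll
        selected.append(c)
    return selected

# Constructed sample data: client IDs, population names and times are invented.
NOW = 1000.0
SAMPLE = [
    Change("u1", "admin-console", "pop-1", "Customers", 990.0),
    Change("u2", "dest-worker-app", "pop-1", "Customers", 991.0),  # echo from the other direction
    Change("u3", "admin-console", "pop-2", "Employees", 992.0),
    Change("u4", "admin-console", "pop-1", "Customers", 998.0),    # newer than NOW - 5 s
]

if __name__ == "__main__":
    picked = eligible_changes(SAMPLE, NOW, ["dest-worker-app"], ["Customers"])
    print([c.user_id for c in picked])
```

Without the destination worker app's client ID in the ignore list, the change to u2 is selected and written back to the system that originated it, which is the duplication the bidirectional conditions are meant to prevent.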