Synchronize changes to a PingOne environment
This section describes the configuration that is necessary to synchronize changes to a PingOne environment. PingDataSync supports synchronization of single and multivalued attributes to PingOne. To view an example configuration, see the file located at <server-root>/config/sample-dsconfig-batch-files/reference-ping-one-sync-destination-configuration.dsconfig.
When configuring a sync pipe in PingDataSync to synchronize users to a PingOne destination, you must include a constructed attribute mapping named |
Creating a PingOne sync destination
Before you create a PingOne sync destination, make sure you have the following information ready:
- Environment ID (environment-id)
- OAuth client ID (oauth-client-id)
- OAuth client secret (oauth-client-secret)
For information about obtaining these values, see Create a worker application.
The following sample creates a PingOne sync destination.
dsconfig create-sync-destination \
  --destination-name PingOne \
  --type ping-one-customer \
  --set api-url:https://api.pingone.com/v1 \
  --set auth-url:https://auth.pingone.com/[PING_ONE_ENV_ID]/as/token \
  --set environment-id:[PING_ONE_ENV_ID] \
  --set oauth-client-id:[PING_ONE_OAUTH_CLIENT_ID] \
  --set oauth-client-secret:[PING_ONE_OAUTH_CLIENT_SECRET]
Configuring JSON attribute mapping
Add the JSON attribute mapping type with sub-objects (the JSON attribute mapping field) that allow you to map individual fields.
About this task
If a source attribute doesn’t have a value, the corresponding field is omitted.
Use JSON attribute mappings rather than constructed attribute mappings.
Steps
- To create an attribute map, run dsconfig with the create-attribute-map option.

  Example:
  The following example creates an attribute map titled PingDirectory_to_PingOne_User_Map.

  dsconfig create-attribute-map \
    --map-name PingDirectory_to_PingOne_User_Map

- To create the attribute mapping, run dsconfig with the create-attribute-mapping option.

  Example:
  The following example creates the attribute mapping to PingDirectory_to_PingOne_User_Map.

  dsconfig create-attribute-mapping \
    --map-name PingDirectory_to_PingOne_User_Map \
    --mapping-name name \
    --type json

- To map JSON attributes, run dsconfig with the create-json-attribute-mapping-field option.

  Example:
  The following example creates the JSON attribute mapping field formatted from the cn attribute.

  dsconfig create-json-attribute-mapping-field \
    --map-name PingDirectory_to_PingOne_User_Map \
    --mapping-name name \
    --field-name formatted \
    --set from-attribute:cn \
    --set json-type:string

  The following example creates the JSON attribute mapping field given from the givenName attribute.

  dsconfig create-json-attribute-mapping-field \
    --map-name PingDirectory_to_PingOne_User_Map \
    --mapping-name name \
    --field-name given \
    --set from-attribute:givenName \
    --set json-type:string

  The following example creates the JSON attribute mapping field family from the sn attribute.

  dsconfig create-json-attribute-mapping-field \
    --map-name PingDirectory_to_PingOne_User_Map \
    --mapping-name name \
    --field-name family \
    --set from-attribute:sn \
    --set json-type:string
Configuring constructed attribute mappings
It is recommended that you use JSON attribute mappings rather than constructed attribute mappings (see Configuring JSON attribute mapping).
The PingOne User model contains simple JSON attributes like "title": "Director" as well as complex JSON objects like {"name": {"given": "Jane", "family": "Doe"}}. To ensure accurate processing when you construct attribute mappings that interact with complex objects, construct valid JSON strings and use the command jsonEscape, as the following example shows.

dsconfig create-attribute-mapping \
  --map-name PingDirectory_to_PingOne_User_Map \
  --mapping-name name \
  --type constructed \
  --set 'value-pattern:{{"given":"{givenname:jsonEscape}","family":"{sn:jsonEscape}"}}'
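The following added example (not part of the product documentation and not PingDataSync code) shows why the constructed mapping above applies jsonEscape to every substituted attribute. It assumes a simplified model of the value-pattern syntax, and the render and parses helpers and the sample entries are hypothetical names and constructed data.

```python
import json
import re

# Simplified model of the value-pattern syntax used above (an assumption, not
# PingDataSync code): "{{" / "}}" are literal braces, "{attr}" inserts the raw
# value, and "{attr:jsonEscape}" inserts the value JSON-escaped.
TOKEN = re.compile(r"\{\{|\}\}|\{(\w+)(:jsonEscape)?\}")

def render(pattern, entry):
    """Expand a value-pattern against a dict keyed by lowercase attribute name."""
    def expand(match):
        if match.group(0) in ("{{", "}}"):
            return match.group(0)[0]
        value = entry[match.group(1).lower()]
        if match.group(2):
            # json.dumps escapes quotes, backslashes and control characters;
            # drop its outer quotes because the pattern already supplies them.
            return json.dumps(value)[1:-1]
        return value
    return TOKEN.sub(expand, pattern)

def parses(text):
    """Return True if text is a well-formed JSON document."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False

ESCAPED = '{{"given":"{givenname:jsonEscape}","family":"{sn:jsonEscape}"}}'
RAW = '{{"given":"{givenname}","family":"{sn}"}}'  # same pattern, no jsonEscape

# Constructed sample entries (not taken from any real directory).
QUOTED = {"givenname": 'Jane "JJ"', "sn": "Doe"}
SHAPED = {"givenname": "Jane", "sn": 'Doe","formatted":"taken from sn'}

if __name__ == "__main__":
    for label, entry in (("quoted", QUOTED), ("shaped", SHAPED)):
        raw, escaped = render(RAW, entry), render(ESCAPED, entry)
        print(label, "raw    ", parses(raw), raw)
        print(label, "escaped", parses(escaped), escaped)
```

Without jsonEscape, the first entry produces a string that is not valid JSON, and the second produces valid JSON whose structure is decided by the sn value rather than by the mapping. With jsonEscape, both values stay inside their intended fields.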
Some attributes in the User resource are operational and cannot be modified by synchronizing data. For more information, see the PingOne Platform API Reference.
Correlating entries
The PingOne User Resource model provides an attribute named externalId. To ensure that users correlate to the appropriate entry in PingDirectory, map entryUUID to this value and configure externalId as a destination-correlation-attribute on the Sync class.
Considerations and limitations
There are limitations and other constraints to consider when synchronizing changes to a PingOne environment.
Populations
All PingOne user resources must exist within a population.
The PingOne synchronization destination provides the following methods for managing a user’s population:
- If a single population is in use, set the configuration attribute default-population-id on the sync destination.
- If multiple populations are in use, use a constructed attribute mapping.
The following syntax provides an example with a constructed attribute mapping:
dsconfig create-attribute-mapping \
  --map-name PingDirectory_to_PingOne_User_Map \
  --mapping-name population \
  --type constructed \
  --set 'value-pattern:{{"id":"[DEFAULT_POPULATION_ID]"}}'
To set the population, construct a valid JSON object.
Multivalued attributes
If your incoming data is in JSON format, configure your PingOne multivalued attribute as JSON and use a JSON attribute mapping.
If your incoming data is not in JSON format, you can configure your PingOne multivalued attribute as JSON and use a constructed attribute mapping. Otherwise, you must configure your PingOne multivalued attribute as DECLARED and use a direct attribute mapping.
Direct attribute mapping does not work with JSON multivalued PingOne attributes, even when PingDirectory has an attribute with the same name and value.