PingDirectory

Considerations and limitations

There are limitations and other constraints to consider when synchronizing changes to a PingOne environment.

Renaming entries isn’t allowed

As a sync destination, PingOne doesn’t allow moddn operations to rename an entry. When creating a sync class, set the allow-destination-renames option to false to prevent PingDataSync from attempting to rename entries and then logging related errors. For example:

dsconfig create-sync-class \
  --pipe-name PingDirectory_to_PingOne \
  --class-name "PingDirectory_to_PingOne User Sync Class" \
  --set allow-destination-renames:false \
  --set attribute-map:PingDirectory_to_PingOne_User_Map \
  --set auto-mapped-source-attribute:-none- \
  --set destination-correlation-attributes:externalId \
  --set destination-correlation-attributes:username \
  --set destination-correlation-attributes:email \
  --set destination-create-only-attribute:resourceType \
  --set creates-as-modifies:true \
  --set include-filter:(objectClass=person)

You can find the previous example in the PingDataSync distribution. Learn more in the following file: config/sample-dsconfig-batch-files/reference-pingone-sync-destination-configuration.dsconfig.

Populations

All PingOne user resources must exist within a population.

The PingOne synchronization destination provides the following methods for managing a user’s population:

  • If a single population is in use, set the configuration attribute default-population-id on the sync destination.

  • If multiple populations are in use, use a constructed attribute mapping.

The following syntax provides an example with a constructed attribute mapping:

dsconfig create-attribute-mapping \
   --map-name PingDirectory_to_PingOne_User_Map  \
   --mapping-name population  \
   --type constructed  \
   --set 'value-pattern:{{"id":"[DEFAULT_POPULATION_ID]"}}'

To set the population, construct a valid JSON object.

Multivalued attributes

If your incoming data is in JSON format, configure your PingOne multivalued attribute as JSON and use a JSON attribute mapping.

If your incoming data is not in JSON format, you can configure your PingOne multivalued attribute as JSON and use a constructed attribute mapping. Otherwise, you must configure your PingOne multivalued attribute as DECLARED and use a direct attribute mapping.

Direct attribute mapping does not work with JSON multivalued PingOne attributes even with an attribute with the same name and value in PingDirectory.