--- title: Synchronize changes from a PingOne environment description: This section describes the configuration that is necessary to synchronize changes from a PingOne environment. To view an example configuration, see the file located at /config/sample-dsconfig-batch-files/reference-ping-one-sync-source-configuration.dsconfig. component: pingdirectory version: 11.0 page_id: pingdirectory:pingdatasync_server_administration_guide:pd_sync_changes_from_p1 canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdatasync_server_administration_guide/pd_sync_changes_from_p1.html revdate: September 13, 2023 page_aliases: ["pd_sync_create_p1_sync_source.adoc", "pd_sync_config_attribute_mappings.adoc", "pd_sync_p1_account_status_pd.adoc", "pd_sync_considerations_limitations.adoc"] section_ids: create-a-pingone-sync-source: Create a PingOne sync source configuring-attribute-mapping: Configuring attribute mapping correlating-entries: Correlating entries sync_p1_pd: Synchronizing PingOne account status with PingDirectory about-this-task: About this task steps: Steps example: Example: troubleshooting: Troubleshooting considerations-and-limitations: Considerations and limitations bidirectional-synchronization: Bidirectional synchronization password-synchronization: Password synchronization population-management: Population management synchronization-delay: Synchronization delay --- # Synchronize changes from a PingOne environment This section describes the configuration that is necessary to synchronize changes from a PingOne environment. To view an example configuration, see the file located at `/config/sample-dsconfig-batch-files/reference-ping-one-sync-source-configuration.dsconfig`. ## Create a PingOne sync source Before you create a PingOne sync source, make certain you have the following information ready: * Environment ID (*environment-id*) * OAuth client ID (*oauth-client-id*) * OAuth client secret (*oauth-client-secret*) Learn more about obtaining these values in [Creating a PingOne worker application](pd_sync_prerequisites.html#pds_create_p1_worker). The following example creates a PingOne sync source. ``` dsconfig create-sync-source \ --source-name PingOne \ --type ping-one-customer \ --set api-url:https://api.pingone.com/v1 \ --set auth-url:https://auth.pingone.com/[PING_ONE_ENV_ID]/as/token \ --set environment-id:[PING_ONE_ENV_ID] \ --set oauth-client-id:[PING_ONE_OAUTH_CLIENT_ID] \ --set oauth-client-secret:[PING_ONE_OAUTH_CLIENT_SECRET] ``` ## Configuring attribute mapping The process of synchronizing data uses the concepts and structures associated with LDAP entries. Ping Identity recommends that you conceptualize the PingOne User Resource model as an LDAP entry when configuring an attribute mapping *(tooltip: \
\

Matching corresponding attributes between an IdP and an SP to identify federated users or add supplemental user information.\

\
)*. Additionally, you might need to use JSON pathing when selecting a value for complex JSON attributes within the user. ``` dsconfig create-attribute-mapping \ --map-name PingOne_to_PingDirectory_User_Map \ --mapping-name givenname \ --type constructed \ --set "value-pattern:{name.given}" ``` ### Correlating entries To ensure that users correlate to the appropriate entry in PingDirectory, map the `id` attribute from the user resource to `entryUUID` in PingDirectory. ## Synchronizing PingOne account status with PingDirectory ### About this task When configuring a one-way sync from PingOne to PingDirectory, you can enable PingDirectory to synchronize with the `User.Locked` or `User.Unlocked` status of a PingOne account. This synchronization reduces confusion for the administrator and enhances the security posture of the account. For example, if a PingOne account is locked due to multiple failed MFA attempts, it could be risky to leave the corresponding account fully functional. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------- | | | A PingOne `User.Locked` event disables the destination entry in PingDirectory. A `User.Unlocked` event enables the destination entry. | To enable this synchronization, you must map two account status attributes from PingOne directly to the corresponding PingDirectory attributes. Because the PingDirectory attributes can't be written to directly, PingDataSync uses intermediate attributes to facilitate an extended operation. The following table shows the relevant source, intermediate, and destination attributes for this mapping: | PingOne attribute | Intermediate attribute | PingDirectory attribute | | ------------------ | -------------------------------------- | ------------------------- | | `account.status` | `ds-pwp-account-disabled-from-pingone` | `ds-pwp-account-disabled` | | `account.lockedAt` | `pwdAccountLockedTimeFromPingOne` | `pwdAccountLockedTime` | | | | | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Intermediate attributes only exist in memory on the PingDataSync server so that they can be consumed for attribute mappings. They don't exist in PingOne or on the PingDirectory server. | ### Steps * Map `ds-pwp-account-disabled-from-pingone` to `ds-pwp-account-disabled` using the following command: ``` dsconfig create-attribute-mapping \ --map-name PingOne_to_PingDirectory_User_Map \ --mapping-name ds-pwp-account-disabled \ --type direct \ --set from-attribute:ds-pwp-account-disabled-from-pingone ``` * Map `pwdAccountLockedTimeFromPingOne` to `pwdAccountLockedTime` using the following command: ``` dsconfig create-attribute-mapping \ --map-name PingOne_to_PingDirectory_User_Map \ --mapping-name pwdAccountLockedTime \ --type direct \ --set from-attribute:pwdAccountLockedTimeFromPingOne ``` * To have the `pwdAccountLockedTime` attribute appear on the destination entry, set the `lockout-failure-count` attribute to a non-zero value. #### Example: ``` dsconfig set-password-policy-prop \ --policy-name "Default Password Policy" \ --set lockout-failure-count:1 ``` ### Troubleshooting By default, the `modifies-as-creates` sync class property is set to `false`. Active Directory attributes might not be synchronized as expected when all of the following are true: * You are using the `realtime-sync` tool. * The `modifies-as-creates` sync class property is set to `true`. * A modification is detected on the source endpoint to a missing entry on the destination endpoint. * The modification is to attributes other than the two PingOne attributes previously mentioned. To avoid this, you can run the `resync` tool instead of the `realtime-sync` tool. Using `resync` will correctly copy all attributes. Learn more about the [resync command](pd_sync_resync_tool.html). ## Considerations and limitations This section describes limitations and other constraints to consider when synchronizing changes from a PingOne environment. ### Bidirectional synchronization If you plan on configuring bidirectional synchronization between PingOne and PingDirectory, make sure that you satisfy the following conditions: * Use separate worker apps for the source and destination. * To prevent the unnecessary duplication of changes, add the client ID of the destination worker app to the `actor-id-to-ignore` configuration attribute of the source. * To ensure that no attribute mappings are mismatched, modify the reference `dsconfig` batch files. ### Password synchronization PingDataSync does not support the synchronizing of passwords from PingOne. ### Population management If your PingOne environment features a large number of populations, or if you want to limit synchronized users to a specific set of populations, provide one or more `population-to-synchronize` configuration attributes to the source. The name or ID of the population can be used. ### Synchronization delay PingDataSync propagates changes throughout PingOne nearly in real time. However, a delay might occur between the time a change occurs in PingOne and the time it becomes available for PingDataSync to synchronize. To help ensure that no changes are missed, a default delay of 5 seconds has been configured within the sync source. For environments of sufficient size or with high rates of change, use the configuration attribute `realtime-sync-polling-offset` on the sync source to increase the delay.