PingDirectory

Synchronize changes to a PingOne environment

This section describes the configuration that is necessary to synchronize changes to a PingOne environment. PingDataSync supports synchronization of single and multivalued attributes to PingOne. To view an example configuration, see the file located at <server-root>/config/sample-dsconfig-batch-files/reference-ping-one-sync-destination-configuration.dsconfig.

When configuring a sync pipe in PingDataSync to synchronize users to a PingOne destination, you must include a constructed attribute mapping named resourceType with a value-pattern of user.

Creating a PingOne sync destination

Before you create a PingOne sync destination, make sure you have the following information ready:

  • Environment ID (environment-id)

  • OAuth client ID (oauth-client-id)

  • OAuth client secret (oauth-client-secret)

For information about obtaining these values, see Create a worker application.

The following sample creates a PingOne sync destination.

dsconfig create-sync-destination  \
  --destination-name PingOne  \
  --type ping-one-customer  \
  --set api-url:https://api.pingone.com/v1 \
  --set auth-url:https://auth.pingone.com/[PING_ONE_ENV_ID]/as/token \
  --set environment-id:[PING_ONE_ENV_ID]  \
  --set oauth-client-id:[PING_ONE_OAUTH_CLIENT_ID]  \
  --set oauth-client-secret:[PING_ONE_OAUTH_CLIENT_SECRET]

Configuring JSON attribute mapping

Add the JSON attribute mapping type with sub-objects (the JSON attribute mapping field) that allow you to map individual fields.

About this task

If a source attribute doesn’t have a value, the corresponding field is omitted.

Use JSON attribute mappings rather than constructed attribute mappings.

Steps

  1. To create an attribute map, run dsconfig with the create-attribute-map option.

    Example:

    The following example creates an attribute map titled PingDirectory_to_PingOne_User_Map.

    dsconfig create-attribute-map \
        --map-name PingDirectory_to_PingOne_User_Map
  2. To create the attribute mapping, run dsconfig with the create-attribute-mapping option.

    Example:

    The following example creates the attribute mapping to PingDirectory_to_PingOne_User_Map.

    dsconfig create-attribute-mapping \
        --map-name PingDirectory_to_PingOne_User_Map \
        --mapping-name name \
        --type json
  3. To map JSON attributes, run dsconfig with the create-json-attribute-mapping-field option.

    Example:

    The following example creates the JSON attribute mapping field formatted from the cn attribute.

    dsconfig create-json-attribute-mapping-field \
        --map-name PingDirectory_to_PingOne_User_Map \
        --mapping-name name \
        --field-name formatted \
        --set from-attribute:cn \
        --set json-type:string

    The following example creates the JSON attribute mapping field given from the givenName attribute.

    dsconfig create-json-attribute-mapping-field \
        --map-name PingDirectory_to_PingOne_User_Map \
        --mapping-name name \
        --field-name given \
        --set from-attribute:givenName \
        --set json-type:string

    The following example creates the JSON attribute mapping field family from the sn attribute.

    dsconfig create-json-attribute-mapping-field \
        --map-name PingDirectory_to_PingOne_User_Map \
        --mapping-name name \
        --field-name family \
        --set from-attribute:sn \
        --set json-type:string

Configuring constructed attribute mappings

It is recommended that you use JSON attribute mappings rather than constructed attribute mappings (see Configuring JSON attribute mapping).

The PingOne User model contains simple JSON attributes like "title": "Director" as well as complex JSON objects like {"name": {"given": "Jane", "family": "Doe"}}. To ensure accurate processing when you construct attribute mappings that interact with complex objects, construct valid JSON strings and use the command jsonEscape, as the following example shows.

dsconfig create-attribute-mapping \
   --map-name PingDirectory_to_PingOne_User_Map  \
   --mapping-name name  \
   --type constructed  \
   --set 'value-pattern:{{"given":"{givenname:jsonEscape}","family":"{sn:jsonEscape}"}}'
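
Why the jsonEscape step matters, as an added example that is not PingDataSync code: the Python sketch below models value-pattern expansion under simplifying assumptions ({{ and }} as literal braces, {attr} and {attr:jsonEscape} substitution) and shows that an attribute value containing a double quote produces invalid JSON unless it is escaped. The function names and the sample entries are constructed for illustration.

```python
import json
import re

# Assumed, simplified model of a constructed value-pattern (not the product's
# implementation): "{{" and "}}" are literal braces, "{attr}" inserts the raw
# attribute value, "{attr:jsonEscape}" inserts it escaped for a JSON string.
_TOKEN = re.compile(r"\{\{|\}\}|\{([A-Za-z0-9-]+)(?::(jsonEscape))?\}")

UNESCAPED = '{{"given":"{givenname}","family":"{sn}"}}'
ESCAPED = '{{"given":"{givenname:jsonEscape}","family":"{sn:jsonEscape}"}}'

# Constructed sample entries; directory values are user data, so quotes and
# backslashes can appear in them.
PLAIN_ENTRY = {"givenname": "Jane", "sn": "Doe"}
QUOTED_ENTRY = {"givenname": 'Jane "JJ"', "sn": "Doe"}


def json_escape(value):
    """Escape a value so it can sit between the quotes of a JSON string."""
    return json.dumps(value)[1:-1]  # drop the quotes json.dumps adds


def expand(pattern, entry):
    """Expand a value-pattern against an entry (attribute names lowercased)."""
    def substitute(match):
        token = match.group(0)
        if token == "{{":
            return "{"
        if token == "}}":
            return "}"
        value = entry[match.group(1).lower()]
        return json_escape(value) if match.group(2) else value
    return _TOKEN.sub(substitute, pattern)


def parse_or_none(pattern, entry):
    """Return the parsed object, or None when the expansion is not valid JSON."""
    try:
        return json.loads(expand(pattern, entry))
    except json.JSONDecodeError:
        return None


if __name__ == "__main__":
    for entry in (PLAIN_ENTRY, QUOTED_ENTRY):
        print(expand(UNESCAPED, entry), "->", parse_or_none(UNESCAPED, entry))
        print(expand(ESCAPED, entry), "->", parse_or_none(ESCAPED, entry))
```
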

Some attributes in the User resource are operational and cannot be modified by synchronizing data. For more information, see the PingOne Platform API Reference.

Correlating entries

The PingOne User Resource model provides an attribute named externalId. To ensure that users correlate to the appropriate entry in PingDirectory, map entryUUID to this value and configure externalId as a destination-correlation-attribute on the Sync class.

Considerations and limitations

There are limitations and other constraints to consider when synchronizing changes to a PingOne environment.

Populations

All PingOne user resources must exist within a population.

The PingOne synchronization destination provides the following methods for managing a user’s population:

  • If a single population is in use, set the configuration attribute default-population-id on the sync destination.

  • If multiple populations are in use, use a constructed attribute mapping.

The following syntax provides an example with a constructed attribute mapping:

dsconfig create-attribute-mapping \
   --map-name PingDirectory_to_PingOne_User_Map  \
   --mapping-name population  \
   --type constructed  \
   --set 'value-pattern:{{"id":"[DEFAULT_POPULATION_ID]"}}'

To set the population, construct a valid JSON object.

Multivalued attributes

If your incoming data is in JSON format, configure your PingOne multivalued attribute as JSON and use a JSON attribute mapping.

If your incoming data is not in JSON format, you can configure your PingOne multivalued attribute as JSON and use a constructed attribute mapping. Otherwise, you must configure your PingOne multivalued attribute as DECLARED and use a direct attribute mapping.

Direct attribute mapping does not work with JSON multivalued PingOne attributes even with an attribute with the same name and value in PingDirectory.