PingDirectory

Synchronizing PingOne account status with PingDirectory

About this task

When configuring a one-way sync from PingOne to PingDirectory, you can enable PingDirectory to synchronize with the User.Locked or User.Unlocked status of a PingOne account. This synchronization reduces confusion for the administrator and enhances the security posture of the account. For example, if a PingOne account is locked due to multiple failed MFA attempts, it could be risky to leave the corresponding account fully functional.

A PingOne User.Locked event disables the destination entry in PingDirectory. A User.Unlocked event enables the destination entry.

To enable this synchronization, you must map two account status attributes from PingOne directly to the corresponding PingDirectory attributes. Because the PingDirectory attributes can’t be written to directly, PingDataSync uses intermediate attributes to facilitate an extended operation.

The following table shows the relevant source, intermediate, and destination attributes for this mapping:

PingOne attribute    Intermediate attribute                  PingDirectory attribute
account.status       ds-pwp-account-disabled-from-pingone    ds-pwp-account-disabled
account.lockedAt     pwdAccountLockedTimeFromPingOne         pwdAccountLockedTime

Intermediate attributes only exist in memory on the PingDataSync server so that they can be consumed for attribute mappings. They don’t exist in PingOne or on the PingDirectory server.

Steps

  • Map ds-pwp-account-disabled-from-pingone to ds-pwp-account-disabled using the following command:

    dsconfig create-attribute-mapping \
      --map-name PingOne_to_PingDirectory_User_Map \
      --mapping-name ds-pwp-account-disabled \
      --type direct \
      --set from-attribute:ds-pwp-account-disabled-from-pingone
  • Map pwdAccountLockedTimeFromPingOne to pwdAccountLockedTime using the following command:

    dsconfig create-attribute-mapping \
      --map-name PingOne_to_PingDirectory_User_Map \
      --mapping-name pwdAccountLockedTime \
      --type direct \
      --set from-attribute:pwdAccountLockedTimeFromPingOne
  • To have the pwdAccountLockedTime attribute appear on the destination entry, set the lockout-failure-count attribute to a non-zero value.

    Example:

    dsconfig set-password-policy-prop \
      --policy-name "Default Password Policy" \
      --set lockout-failure-count:1
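After the two mappings are in place, a quick way to confirm that the sync produced the intended state is to audit the destination entries for the two attributes above. The helper below is an added example, not part of Ping's documentation or tooling: it reads LDIF text (here a constructed sample; in practice the output of an ldapsearch against PingDirectory requesting ds-pwp-account-disabled and pwdAccountLockedTime, with assumed example DNs) and flags entries that carry a pwdAccountLockedTime but are not disabled, which is exactly the "locked in PingOne but still usable in PingDirectory" situation the task is meant to prevent.

```shell
#!/bin/sh
# Audit PingDirectory user entries for PingOne lock/disable consistency.
# Added example; not Ping's code. Assumes entries were exported as LDIF, e.g.:
#   ldapsearch -b "ou=People,dc=example,dc=com" "(objectClass=person)" \
#       ds-pwp-account-disabled pwdAccountLockedTime > users.ldif

# Constructed sample export (three entries, assumed example DNs).
SAMPLE_LDIF='dn: uid=jdoe,ou=People,dc=example,dc=com
uid: jdoe
ds-pwp-account-disabled: true
pwdAccountLockedTime: 20240301120000Z

dn: uid=asmith,ou=People,dc=example,dc=com
uid: asmith
pwdAccountLockedTime: 20240301120500Z

dn: uid=bwu,ou=People,dc=example,dc=com
uid: bwu
ds-pwp-account-disabled: false'

# Print "<dn><TAB><state>" per entry, where state is one of:
#   locked       - disabled AND pwdAccountLockedTime set (both mappings applied)
#   disabled     - disabled only (e.g. account.status synced, no lockedAt)
#   inconsistent - pwdAccountLockedTime set but entry NOT disabled
#   active       - neither attribute indicates a lock
audit_ldif() {
  printf '%s\n\n' "$1" | awk '
    function flush() {
      if (dn == "") return
      state = "active"
      if (disabled && locked) state = "locked"
      else if (disabled)      state = "disabled"
      else if (locked)        state = "inconsistent"
      print dn "\t" state
      dn = ""; disabled = 0; locked = 0
    }
    /^dn: / { dn = substr($0, 5) }
    { l = tolower($0) }                      # LDAP attribute names are case-insensitive
    l ~ /^ds-pwp-account-disabled: *true/ { disabled = 1 }
    l ~ /^pwdaccountlockedtime: *[0-9]/   { locked = 1 }
    /^$/  { flush() }
    END   { flush() }'
}

# Only the DNs that need attention: locked in PingOne, still enabled in PingDirectory.
inconsistent_dns() {
  audit_ldif "$1" | awk -F '\t' '$2 == "inconsistent" { print $1 }'
}

audit_ldif "$SAMPLE_LDIF"
```

Run it against a real export by replacing SAMPLE_LDIF with the file contents; a non-empty result from inconsistent_dns means the ds-pwp-account-disabled mapping did not take effect for those entries.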

Troubleshooting

By default, the modifies-as-creates sync class property is set to false.

Active Directory attributes might not be synchronized as expected when all of the following are true:

  • You are using the realtime-sync tool.

  • The modifies-as-creates sync class property is set to true.

  • A modification is detected on the source endpoint to a missing entry on the destination endpoint.

  • The modification is to attributes other than the two PingOne attributes previously mentioned.

To avoid this, run the resync tool instead of the realtime-sync tool; resync copies all attributes correctly. Learn more about the resync command.