PingOne Advanced Identity Cloud

Provision an application

The topics in this section are for tenants created on or after January 12, 2023. Refer to Application management migration FAQ.

On the Applications page, use the Provisioning tab to set up provisioning and configure the following:

  • Details about the application.

  • Properties in the target application.

  • Data in the target application.

  • Mappings from Advanced Identity Cloud admin UI to the target application.

  • Rules that specify the actions to take when certain reconciliation events occur.

  • Reconciliation to ensure data is synchronized between Advanced Identity Cloud admin UI and the target application.

  • Schedules to run reconciliation of accounts.

You must register an application before you can use the Provisioning tab. Afterward, you can use the Provisioning tab to create and manage connections to a target system like Salesforce.

The object type determines the side tabs that display on the Provisioning tab. Use the object type drop-down list to select an object type, such as Group. Afterward, you can configure properties in the different sub-tabs under the Provisioning tab.

ui workforce provisioning
Provisioning tab Description Related sections

Details

View and manage an application, including name, ID, and native type.

N/A

Properties

View and manage properties for the selected object type.

Data

View data about the selected object type.

Mapping

View and manage mappings from Advanced Identity Cloud admin UI properties to external system properties (outbound mappings) and from external system properties to Advanced Identity Cloud admin UI properties (inbound mappings).

Reconciliation

Preview inbound mappings between external systems and Advanced Identity Cloud admin UI, and reconcile the data between the two systems.

View and manage rules for the users and groups that use your application.

View and manage schedules for Full and Incremental reconciliation.

Provision settings for an application

While the application templates contain the same basic settings, some applications have specific settings that you must configure in the Provisioning tab. The following section lists these provisioner settings.

For information about accessing built-in connectors through the IDM admin UI (native console), refer to Connectors.

Active Directory

Details
  1. In Advanced Identity Cloud admin UI, on the Provisioning tab, click Set up Provisioning:

    • If setting up provisioning for the first time:

      1. If you have not configured a remote server, click New Connector Server and follow the steps to create a server.

      2. If you configured one remote server, it is automatically selected.

      3. If you configured multiple remote servers, choose a server.

    • When editing existing settings in the Connection area, click Settings.

  2. Configure the following fields:

    Field Description

    Host Name or IP

    The hostname or IP address for the Active Directory domain controller.

    Port

    The port for connecting to the Active Directory domain controller.

    Use SSL

    Enable to use SSL to connect to the Active Directory domain controller. The default value is true.

    Login Account DN

    The distinguished name for the login account.

    Password

    The password for the login account.

    Base DNs for Active Directory users and groups

    The Base context for Active Directory users and groups.

  3. Click Show advanced settings.

  4. To filter users and groups:

    • To only connect a subset of users by applying a query filter based on user attributes, enable Filter users.

      • To apply a filter to users manually:

        1. Choose to assign to if All or Any conditions are met.

        2. Set the conditions for assigning filters.

        3. In the User Object Classes field, enter the names of object classes a user must have for inclusion.

      • To use a query to apply a filter to users:

        1. Click Advanced Editor.

        2. Edit the query code.

    • To only connect a subset of groups by applying a query filter based on user attributes, enable Filter groups.

      • To apply a filter to groups manually:

        1. Choose to assign to if All or Any conditions are met.

        2. Set the conditions for assigning filters.

      • To filter users and groups:

        1. Click Advanced Editor.

        2. Edit the query code.

  5. To use block-based LDAP controls, enable Use Block-based controls.

  6. To use paged results control, enable Use Paged Results control. If Use Block-based controls is enabled, specifies the LDAP Paged Results control is preferred over the VLV control when retrieving entries. The default value is true.

  7. To set the change log attribute in the change log entry, set the Change Number Attribute field. The default value is changeNumber.

  8. To set the object classes that OpenIDM uses as filters when synchronizing, add classes to the Object Classes to synchronize field. The default value is user.

  9. To set the sort attribute to use VLV indexes on the resource, set the Virtual List View (VLV) Sort Attribute field. The default value is sAMAccountName.

  10. To set the name of the attribute that holds the password, set the Password Attribute field. The default value is unicodePwd.

  11. To have the LDAP provisioner read the schema from the server, enable Read Schema. The default value is false.

  12. To have OpenIDM modify group membership when entries are renamed or deleted, enable Maintain LDAP Group Membership. The default value is true.

  13. To specify the group attribute to update with the DN of newly added users, set Group Member Attribute field. The default value is uniqueMember.

  14. To specify the name of the attribute that maps to the OpenICF UID attribute, set UID Attribute field. The default value is entryUUID.

  15. To only synchronize the modified properties on a target resource, select Exclude Unmodified.

  16. Click Connect.

  17. Verify the information in the Details tab.

Adobe Admin Console

Details

The Advanced Identity Cloud Adobe Admin Console application lets you manage users, groups, and user group memberships between Adobe Admin Console and Advanced Identity Cloud. This application requires an Adobe Admin Console administrator account and a properly configured Adobe Admin Console.

Adobe Admin Console requirements
The steps for configuring Adobe Admin Console should be used as an outline, as the specific options, menus, and features may have changed.

Before you can configure the Advanced Identity Cloud application, you must create and configure a project in Adobe Admin Console. You need an Adobe Admin Console developer account to complete this procedure:

  1. Create or log in to an Adobe Admin Console developer account.

  2. From the Adobe Developer Console, click the Projects tab, and then click Create new project.

    Show Me
    Create a project in the Adobe Developer Console
  3. On the Project Name page, click Add API.

    Show Me
    Adobe Developer Console, add API
  4. In the Add an API window, select User Management API, and click Next.

    Show Me
    Adobe Admin Console, Add User Management API
  5. In the Add Credential area, select OAuth Server-to-Server, enter a Credential name, and then click Save configured API.

    Show Me
    Add credential area of the Add an API flow
  6. On the Project Name > User Management API page, in the Connected credentials area, click the credential you just added (OAuth Server-to-Server).

    Show Me
    Adobe Developer Console, connected credentials
  7. From the Credential detail tab, make note of the following:

    • CLIENT ID

    • CLIENT SECRET

    • SCOPES

    • ORGANIZATION ID

    Show Me
    Adobe Developer Console, credentials tab

    Use these values when you configure provisioning for an Advanced Identity Cloud Adobe Admin Console application.

  1. Complete Adobe Admin Console requirements.

  2. In Advanced Identity Cloud admin UI, on the Provisioning tab:

    • If setting up provisioning for the first time, on the Provisioning tab, click Set up Provisioning.

    • If editing existing settings, in the Connection area, click Settings.

  3. Configure the following fields:

    Field Description

    Service URI

    The service endpoint URI.

    Organization ID

    Your organization’s unique ID. For example, 12345@AdobeOrg.

    Refer to Adobe Admin Console requirements for help locating this value.

    Token Endpoint

    The endpoint to query for a new access token.

    Client ID

    The client ID for OAuth 2.0 flow.

    Refer to Adobe Admin Console requirements for help locating this value.

    Client Secret (optional)

    The client secret for OAuth 2.0 flow.

    Refer to Adobe Admin Console requirements for help locating this value.

  4. Optionally, click Show advanced settings to set any of the following options:

    Field Description

    Scope (optional)

    The OAuth 2.0 scope(s) to use.

    Refer to Adobe Admin Console requirements for help locating this value.

    Group Read Rate Limit

    Defines throttling for group read operations either per second ("30/sec") or per minute ("100/min").

    User Read Rate Limit

    Defines throttling for user read operations either per second ("30/sec") or per minute ("100/min").

    Write Rate Limit

    Defines throttling for write operations (create/update/delete) either per second ("30/sec") or per minute ("100/min").

    Maximum Connections

    The maximum size of the HTTP connection pool. The default is 10 connections.

    Connection Timeout

    The timeout for the underlying HTTP connection in seconds. The default is 30 seconds.

  5. Click Connect.

  6. Verify the information in the Details tab.

AS400

AS400 is a mainframe on-premises computer and database that can store identity data. The AS400 application enables you to manage and synchronize users between AS400 and Advanced Identity Cloud. The application can only be a target application.

The following instructions assume you have access to an AS400 instance as an administrator.

Details
  1. Set up a remote connector server (RCS).

  2. Set up the AS400 connector with your RCS.

  3. In Advanced Identity Cloud admin UI, on the Provisioning tab:

    • If setting up provisioning for the first time, on the Provisioning tab, click Set up Provisioning.

    • When editing existing settings in the Connection area, click Settings.

  4. Configure the following fields:

    Field Description

    Host Name

    Host name or IP address of AS400.

    User Name

    The username to log in to AS400.

    Password

    The password to log in to AS400.

    Use SSL?

    Enable to use SSL to connect to the AS400 application. The default value is false.

  5. Optionally, click Show advanced settings to set the following option:

    Option Description

    Maximum Connections (optional)

    The maximum number of connections.

    Maximum Lifetime (optional)

    The maximum time for an available connection to exist. The default value is 86400000 milliseconds.

    Maximum Inactivity (optional)

    The the maximum amount of inactive time before an available connection closes. The default value is 3600000 milliseconds.

    Maximum Use Time (optional)

    The maximum time a connection can be in use before it closes. The default value is -1 which indicates that there is no time limit.

    Maximum Use Count (optional)

    The maximum number of times a connection can be used before it is replaced in the pool. The default value is -1 which indicates that there is no limit.

    Is run Maintenance

    Indicates whether the maintenance thread is used to cleanup expired connections. The default is true.

    Is thread used

    Indicates whether threads are used in communication with the host servers and for running maintenance. The default is true.

    Cleanup Interval (optional)

    Specifies how often the maintenance daemon runs. The default value is 300000 milliseconds.

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  6. Click Connect.

  7. Verify the information in the Details tab.

Atlassian Jira

The Advanced Identity Cloud Atlassian Jira application lets you manage and synchronize data between Advanced Identity Cloud and Atlassian Jira.

Details
  1. In Advanced Identity Cloud admin UI, on the Provisioning tab:

    • If setting up provisioning for the first time, click Set up Provisioning.

    • When editing existing settings in the Connection area, click Settings.

  2. Configure the following fields:

    Field Description

    SCIM Endpoint

    The HTTP URL defining the root for the SCIM endpoint (https://myserver.com/service/scim).

    SCIM Protocol Version

    Choose version 1 or version 2. The default is 1.

    Authentication Method

    The method for authenticating on the remote server: BASIC, OAUTH, or TOKEN. The default is TOKEN.

  3. Depending on the Authentication Method, configure the applicable fields:

    • BASIC

    • OAUTH

    • TOKEN

    Field Description

    User

    The username for SCIM.

    Password

    The password for SCIM.

    Field Description

    Token Endpoint

    The endpoint where a new access token is requested for OAuth 2.0.

    Client Id

    The secure client identifier for OAuth 2.0.

    Client Secret

    The secure client secret for OAuth 2.0.

    Scope

    The OAuth 2.0 scope to use.

    Grant Type

    The OAuth 2.0 grant type to use (client_credentials or refresh_token).

    Refresh Token

    Used by the refresh_token Grant Type.

    Field Description

    Auth Token

    The auth token for SCIM.

  4. Configure the HTTP connection pool:

    Field Description

    Maximum Connections

    The maximum size of the http connection pool. The default is 10 connections.

  5. Optionally, click Show advanced settings to set any of the following options:

    Field Description

    Disable Http Compression

    Content compression is enabled by default. Select this property to true to disable it.

    Connection Timeout

    Define a timeout (in seconds) for the underlying http connection. The default is 30 seconds.

    Debug/Test settings

    Only use these settings for test environments. Don’t enable for production environments.

    Selecting this option displays the following options:

    • Accept Self Signed Certificates: Enable to accept self-signed certificates.

    • Disable Host Name Verifier: Enable to disable hostname verifiers.

    Read Schema

    Read/discover the schema from the Atlassian SCIM endpoint. If true (enabled), the application reads the schema from the server. If false (disabled), the application provides a default schema based on the object classes in the configuration. The default value is true (enabled).

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  6. Click Connect.

  7. Verify the information in the Details tab.

Azure AD

Details

This requires a Microsoft account and a Microsoft Azure application set up.

  1. Set up an Azure application.

  2. Click Certificates and Secrets > New Client Secret.

  3. Enter a description and choose an expiration date.

  4. Click Save.

  5. Copy your client secret.

  6. Click API Permissions.

  7. Select Add a permissions > MS Graph > Application Permissions.

  8. Use the search function to find and select the following 13 permissions:

    ui applications msgraphiap
  9. Click Add permissions.

  10. Click Grant admin consent for default directory.

  11. Copy the following values:

    • application (client) id

    • directory (tenant) id

    • client credentials/secret

  12. In Advanced Identity Cloud admin UI, on the Provisioning tab:

    • If setting up provisioning for the first time, on the Provisioning tab, click Set up Provisioning.

    • When editing existing settings in the Connection area, click Settings.

  13. Configure the following fields:

    Field Description

    Tenant

    The Azure AD tenant name or id.

    Client ID

    The client ID the connector uses during the OAuth 2.0 flow.

    Client Secret

    The client secret the connector uses during the OAuth 2.0 flow.

    Read Rate Limit

    Define throttling for read operations either per second ("30/sec") or per minute ("100/min").

    Write Rate Limit

    Define throttling for write operations (create/update/delete) either per second ("30/sec") or per minute ("100/min").

    Perform Hard Delete

    If true, the delete operation permanently deletes the Azure object.

    License Cache Expiry Time

    Defines the expiry time (in minutes) for cached license information; for example, service plan data. The default value is 60 minutes.

  14. Optionally, click Show advanced settings to set the following option:

    Option Description

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  15. Click Connect.

  16. Verify the information in the Details tab.

BeyondTrust

The Advanced Identity Cloud BeyondTrust application lets you manage and synchronize data from Advanced Identity Cloud to BeyondTrust. This application can only be a target application.

Details
  1. In Advanced Identity Cloud admin UI, on the Provisioning tab:

    • If setting up provisioning for the first time, click Set up Provisioning.

    • When editing existing settings in the Connection area, click Settings.

  2. Configure the following fields:

    Field Description

    SCIM Endpoint

    The HTTP URL defining the root for the SCIM endpoint (https://myserver.com/service/scim/v2).

    Token Endpoint

    The endpoint where a new access token is requested for OAuth 2.0.

    Client Id

    The secure client identifier for OAuth 2.0.

    Client Secret

    The secure client secret for OAuth 2.0.

    Scope

    The OAuth 2.0 scope to use.

    Grant Type

    The OAuth 2.0 grant type to use (client_credentials or refresh_token).

    Refresh Token

    Used by the refresh_token Grant Type.

    Maximum Connections

    The maximum size of the http connection pool. The default is 10 connections.

  3. Optionally, click Show advanced settings to set any of the following options:

    Field Description

    Disable Http Compression

    Content compression is enabled by default. Select this property to true to disable it.

    Connection Timeout

    Define a timeout (in seconds) for the underlying http connection. The default is 30 seconds.

    Debug/Test settings

    Only use these settings for test environments. Don’t enable for production environments.

    Selecting this option displays the following options:

    • Accept Self Signed Certificates: Enable to accept self-signed certificates.

    • Disable Host Name Verifier: Enable to disable hostname verifiers.

    Read Schema

    Read/discover the schema from the BeyondTrust SCIM endpoint. If true (enabled), the application reads the schema from the server. If false (disabled), the application provides a default schema based on the object classes in the configuration. The default value is true (enabled).

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  4. Click Connect.

  5. Verify the information in the Details tab.

CSV File

Details
  1. In Advanced Identity Cloud admin UI, on the Provisioning tab, click Set up Provisioning:

    • If setting up provisioning for the first time:

      1. If you have not configured a remote server, click New Connector Server and follow the steps to create a server.

      2. If you configured one remote server, it is automatically selected.

      3. If you configured multiple remote servers, choose a server.

    • When editing existing settings in the Connection area, click Settings.

  2. Follow the steps on the Set up CSV modal.

  3. Click Next.

  4. Configure the following fields:

    Field Description

    CSV File

    The full file path to the CSV file that is the application data source. The path uses uses the file location format /opt/data/file.csv.

    UID Column

    The UID column name in the CSV file; the primary search key. The default value is uid.

    Password Column

    The password column name in the CSV file; the primary search key. The default is password.

  5. Optionally, click Show advanced settings to set any of the following options:

    Field Description

    Quote Character

    The default value is ".

    Field Delimiter

    The default value is '.

    Newline String

    The default value is /n.

    Space Replacement String

    The default value is _.

    Sync Retention Count

    The default value is 3.

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  6. Click Connect.

  7. Verify the information in the Details tab.

Database Table

Details
  1. In Advanced Identity Cloud admin UI, on the Provisioning tab, click Set up Provisioning:

    • If setting up provisioning for the first time:

      1. If you have not configured a remote server, click New Connector Server and follow the steps to create a server.

      2. If you configured one remote server, it is automatically selected.

      3. If you configured multiple remote servers, choose a server.

    • When editing existing settings in the Connection area, click Settings.

  2. Configure the following fields:

    Field Description

    JDBC Connection Url

    The URl for the JDBC database address that contains the table that you are provisioning. The format of the url depends on the type of database. For example, jdbc:mysql://localhost:3306/contractordb?serverTimezone=UTC or jdbc:oracle:thin:@//localhost:3306/contractordb. The address includes the name of the database you are connecting to.

    JDBC Driver

    The class name of the driver you are using to connect to a database. The name varies depending on the type of database you are using, such as oracle.jdbc.OracleDriver or com.mysql.jdbc.Driver.

    Username

    The username sent to the JDBC driver to establish a connection.

    Password

    The password sent to the JDBC driver to establish a connection.

    Table

    The name of the table in the JDBC database that contains the user accounts. The default is TABLE_NAME.

    Key Column

    The column value that is the unique identifier for rows in the table. The default is KEY_COLUMN.

  3. Optionally, click Show advanced settings to set any of the following options:

    Field Description

    Validate resources and passwords

    Enable to validate resources and passwords. After enabling this option, in the Password Column field, enter the name of the column in the table that holds the password values.

    Activate Sync ICF Interface

    Enable to poll for synchronization events, which are native changes to target objects. After enabling this option, in the Change Log Column field, enter the change log column that stores the latest change time.

    Allow empty string

    Enable to allow empty strings instead of null values, except for OracleSQL.

    Quote Database Column Names

    Enable to place specific quote characters around column names in the SQL that is generated to access the database. After enabling this option, in the Quote Characters field, enter the characters to use for quotes.

    Rethrow All SQL Exceptions

    Enable to show SQL Exceptions with code = 0. The default value is true.

    Native Timestamps

    Enable to retrieve timestamp data.

    All Native

    Enable to retrieve in a database-native format.

    Validate Connection

    Enable to specify a SQL query used to validate connections. After enabling this option, in the Validation SQL Query (optional) field, enter the SQL query for validating connections.

    Validation Interval (ms)

    Enter the validation interval in milliseconds. The default value is 3000.

    Validation Connection Query Timeout (ms)

    Enter the validation connection query timeout in milliseconds. The default value is -1.

    Initial Pool size

    Enter the initial pool size. The default value is 10.

    Maximum Idle

    Enter the maximum idle time. The default value is 100.

    Minimum Idle

    Enter the minimum idle time. The default value is 10.

    Maximum Wait (ms)

    Enter the maximum wait time in milliseconds. The default value is 30000.

    Maximum Active

    Enter the maximum active time. The default value is 100.

    Maximum Age (ms)

    Enter the maximum age in milliseconds. The default value is 0.

    Minimum Evictable Idle Time (ms)

    Enter the minimum evictable idle time in milliseconds. The default value is 60000.

    Time Between Eviction Runs(ms)

    Enter the time between eviction checks in milliseconds. The default value is 5000.

    Test Connection When Idle

    Enable to test the connection when idle.

    Test Connection On Borrow

    Enable to test the connection on borrow.

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  4. Click Connect.

  5. Verify the information in the Details tab.

Directory Services (DS)

Details
  1. In Advanced Identity Cloud admin UI, on the Provisioning tab, click Set up Provisioning:

    • If setting up provisioning for the first time:

      1. If you have not configured a remote server, click New Connector Server and follow the steps to create a server.

      2. If you configured one remote server, it is automatically selected.

      3. If you configured multiple remote servers, choose a server.

    • When editing existing settings in the Connection area, click Settings.

  2. Configure the following fields:

    Field Description

    Host Name or IP

    The hostname or IP address for the Directory Services domain controller.

    Port

    The port for connecting to the Directory Services domain controller.

    Use SSL

    Enable to use SSL to connect to the Directory Services domain controller.

    Login Account DN

    The distinguished name for the login account.

    Password

    The password for the login account.

    Base DNs for Directory Services users and groups

    The Base context for Directory Services users and groups.

  3. Click Show advanced settings.

  4. To filter users and groups:

    • To only connect a subset of users by applying a query filter based on user attributes, enable Filter users.

      • To apply a filter to users manually:

        1. Choose to assign to if All or Any conditions are met.

        2. Set the conditions for assigning filters.

        3. In the User Object Classes field, enter the names of object classes a user must have for inclusion.

      • To use a query to apply a filter to users:

        1. Click Advanced Editor.

        2. Edit the query code.

    • To only connect a subset of groups by applying a query filter based on user attributes, enable Filter groups.

      • To apply a filter to groups manually:

        1. Choose to assign to if All or Any conditions are met.

        2. Set the conditions for assigning filters.

      • To filter users and groups:

        1. Click Advanced Editor.

        2. Edit the query code.

  5. To use block-based LDAP controls, enable Use Block-based controls.

  6. To use paged results control, enable Use Paged Results control. If Use Block-based controls is enabled, specifies the LDAP Paged Results control is preferred over the VLV control when retrieving entries. The default value is true.

  7. To set the change log attribute in the change log entry, set the Change Number Attribute field. The default value is changeNumber.

  8. To set the object classes that OpenIDM uses as filters when synchronizing, add classes to the Object Classes to synchronize field. The default value is inetOrgPerson.

  9. To set the sort attribute to use VLV indexes on the resource, set the Virtual List View (VLV) Sort Attribute field. The default value is uid.

  10. To set the name of the attribute that holds the password, set the Password Attribute field. The default value is userPassword.

  11. To have the LDAP provisioner read the schema from the server, enable Read Schema. The default value is false.

  12. To have OpenIDM modify group membership when entries are renamed or deleted, enable Maintain LDAP Group Membership. The default value is false.

  13. To specify the group attribute to update with the DN of newly added users, set Group Member Attribute field. The default value is uniqueMember.

  14. To specify the name of the attribute that maps to the OpenICF UID attribute, set UID Attribute field. The default value is entryUUID.

  15. To only synchronize the modified properties on a target resource, select Exclude Unmodified.

  16. Click Connect.

  17. Verify the information in the Details tab.

DocuSign

Details

The Advanced Identity Cloud DocuSign application lets you manage DocuSign service accounts and synchronize DocuSign accounts and Advanced Identity Cloud identities.

You must have a DocuSign administrator account and be able to add an integrator key (DocuSign Documentation).

To modify the settings for an existing provisioning connection, in Advanced Identity Cloud admin UI, click the Provisioning tab, and then click Settings.
  1. In DocuSign, set up a DocuSign app and integration key:

    1. Log in to DocuSign and go to Integrations > Apps and Keys.

    2. On the Apps and Keys page, in the My Account Information area, copy and save the following values:

      DocuSign field Advanced Identity Cloud application field

      API Account ID

      Account

      Account Base URI

      Service Endpoint URI

      Show Me
      DocuSign My Account Information
    3. Click Add App and Integration Key.

      Show Me
      DocuSign Add App and Integration Key button
    4. In the Add Integration Key modal, enter an App Name, and click Create App.

      Show Me
      DocuSign Add Integration Key modal
    5. On the Apps and Keys > App Name page, copy the Integration Key and save the value. Use this value as the Client Id in Advanced Identity Cloud.

      Show Me
      DocuSign Add Integration Key modal
    6. In the Authentication area, click + Add Secret Key, and copy and save the value. Use this value as the Client Secret in Advanced Identity Cloud.

      Show Me
      DocuSign Add Secret Key
    Keep DocuSign open, as you’ll need to add information during provisioning configuration.
  2. In Advanced Identity Cloud admin UI, click the Provisioning tab, and then click Set up Provisioning.

  3. In the Configure DocuSign Connected App modal, copy the Redirect URI, and click Next.

    Show Me
    Configure DocuSign modal
  4. In DocuSign, in the Additional settings area, click Add URI, paste the redirect URI, and click Save.

    Show Me
    DocuSign Add URI
  5. Go to Integrations > API Usage Center, and from the API Limit area, make note of the following:

    • Hourly Limit

    • Burst Limit

      Show Me
      DocuSign API Limit

    Use these values in the Advanced Identity Cloud advanced settings.

  6. In Advanced Identity Cloud admin UI, configure the following fields:

    Field Description

    Service Endpoint URI

    The DocuSign Account Base URI.

    Account

    The DocuSign API Account ID.

    Client ID

    The client ID for OAuth 2.0 flow. The DocuSign Integration Key.

    Client Secret

    The client secret for OAuth 2.0 flow. The DocuSign Secret Key.

    Maximum Connections

    The maximum size of the HTTP connection pool. The default is 10 connections.

    Connection Timeout

    The timeout for the underlying HTTP connection in seconds. The default is 30 seconds.

  7. Optionally, click Show advanced settings to set any of the following options:

    Field or option Description

    Use Basic Auth for Token Negotiation

    Select this option to send the client ID and client secret to DocuSign as authorization headers. If the option is not selected, the ID and secret are sent as form data.

    Hour Rate Limit

    The hourly rate limit for the DocuSign API. The DocuSign Hourly Limit.

    Burst Rate Limit

    The burst rate limit for the DocuSign API. The DocuSign Burst Limit.

    Disable Http Compression

    Content compression is enabled by default. Select this option to disable it.

    Debug/Test settings

    Only use these settings for test environments. Don’t enable for production environments.

    Selecting this option displays the following options:

    • Accept Self Signed Certificates: Enable to accept self-signed certificates.

    • Disable Host Name Verifier: Enable to disable hostname verifiers.

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  8. Click Connect.

  9. Verify the information in the Details tab.

Epic EMP

Details
  1. Set up a remote connector server (RCS).

  2. Install the Epic connector on your RCS.

  3. In Advanced Identity Cloud admin UI, on the Provisioning tab:

    • If setting up provisioning for the first time, click Set up Provisioning.

    • When editing existing settings in the Connection area, click Settings.

  4. Configure the following fields:

    Field Description

    Client ID

    The client ID for OAuth 2.0 flow.

    Private Key

    The Epic private key in PKCS#8 format.

    User Name

    The Epic user name for the connection.

    Password

    The Epic password for the connection.

    Template File Path

    The user template file location.

    Sub-Template File Path

    The user sub-template file location.

    In Basket File Path

    The in basket classifications file location.

    Groups File Path

    The groups file location.

    Max Records (optional)

    The maximum records returned for each search operation.

  5. Optionally, click Show advanced settings to set any of the following options:

    Field Description

    Max Connections

    The maximum number of connections.

    Connection Timeout

    The connection timeout (in seconds).

    Token Validity

    The token validity period.

    Proxy Host

    The Proxy server host.

    Proxy Port

    The Proxy server port.

    Proxy Username

    The Proxy server login username.

    Proxy Password

    The Proxy server login password.

    REST API Endpoint

    The REST endpoint URL.

    SOAP API Endpoint

    The SOAP endpoint URL.

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  6. Click Connect.

  7. Verify the information in the Details tab.

Google Workspace

Details
  1. In Advanced Identity Cloud admin UI, on the Provisioning tab:

    • If setting up provisioning for the first time, click Set up Provisioning.

    • When editing existing settings in the Connection area, click Settings.

  2. Find and copy the Authorized Redirect URI.

  3. Log in to Google Cloud Console.

  4. In the Credentials area of your project, enter the Authorized Redirect URI you copied in an earlier step.

  5. Save your work.

  6. Return to Advanced Identity Cloud admin UI.

  7. On the Provisioning tab, set the Client ID and Client Secret.

  8. Optionally, click Show advanced settings to set the following option:

    Option Description

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  9. Click Connect.

  10. When you are redirected to Google, log in using your admin credentials.

  11. On the next screen, click Allow. You are then redirected back to Advanced Identity Cloud admin UI.

  12. Verify the information in the Details tab.

LDAP

Details
  1. In Advanced Identity Cloud admin UI, on the Provisioning tab, click Set up Provisioning:

    • If setting up provisioning for the first time:

      1. If you have not configured a remote server, click New Connector Server and follow the steps to create a server.

      2. If you configured one remote server, it is automatically selected.

      3. If you configured multiple remote servers, choose a server.

    • When editing existing settings in the Connection area, click Settings.

  2. Configure the following fields:

    Field Description

    Host Name or IP

    The hostname or IP address for the LDAP domain controller.

    Port

    The port for connecting to the LDAP domain controller.

    Use SSL

    Enable to use SSL to connect to the LDAP domain controller.

    Login Account DN

    The distinguished name for the login account.

    Password

    The password for the login account.

    Base DNs for LDAP users and groups

    The Base context for LDAP users and groups.

  3. Click Show advanced settings.

  4. To filter users and groups:

    • To only connect a subset of users by applying a query filter based on user attributes, enable Filter users.

      • To apply a filter to users manually:

        1. Choose to assign to if All or Any conditions are met.

        2. Set the conditions for assigning filters.

        3. In the User Object Classes field, enter the names of object classes a user must have for inclusion.

      • To use a query to apply a filter to users:

        1. Click Advanced Editor.

        2. Edit the query code.

    • To only connect a subset of groups by applying a query filter based on user attributes, enable Filter groups.

      • To apply a filter to groups manually:

        1. Choose to assign to if All or Any conditions are met.

        2. Set the conditions for assigning filters.

      • To filter users and groups:

        1. Click Advanced Editor.

        2. Edit the query code.

  5. To use block-based LDAP controls, enable Use Block-based controls.

  6. To use paged results control, enable Use Paged Results control. If Use Block-based controls is enabled, specifies the LDAP Paged Results control is preferred over the VLV control when retrieving entries. The default value is false.

  7. To set the change log attribute in the change log entry, set the Change Number Attribute field. The default value is changeNumber.

  8. To set the object classes that OpenIDM uses as filters when synchronizing, add classes to the Object Classes to synchronize field. The default value is inetOrgPerson.

  9. To set the sort attribute to use VLV indexes on the resource, set the Virtual List View (VLV) Sort Attribute field. The default value is uid.

  10. To set the name of the attribute that holds the password, set the Password Attribute field. The default value is userPassword.

  11. To have the LDAP provisioner read the schema from the server, enable Read Schema. The default value is true.

  12. To have OpenIDM modify group membership when entries are renamed or deleted, enable Maintain LDAP Group Membership. The default value is false.

  13. To specify the group attribute to update with the DN of newly added users, set Group Member Attribute field. The default value is uniqueMember.

  14. To specify the name of the attribute that maps to the OpenICF UID attribute, set UID Attribute field. The default value is entryUUID.

  15. To only synchronize the modified properties on a target resource, select Exclude Unmodified.

  16. Click Connect.

  17. Verify the information in the Details tab.

Oracle E-Business Suite (EBS)

The Advanced Identity Cloud Oracle E-Business Suite (EBS) application lets you manage and synchronize accounts between EBS and Advanced Identity Cloud.

Details
  1. Set up a remote connector server (RCS).

  2. The EBS connector is bundled with RCS, but you must download the JDBC driver. For more information, refer to Install the EBS connector.

  3. In Advanced Identity Cloud admin UI, on the Provisioning tab:

    • If setting up provisioning for the first time, click Set up Provisioning.

    • When editing existing settings in the Connection area, click Settings.

  4. Configure the following fields:

    Field Description

    EBS Database URL

    The Oracle EBS database connection URL.

    EBS Database User

    The Oracle EBS user.

    EBS Database User Password

    The Oracle EBS user password.

    JDBC Driver (optional)

    The fully qualified Java class name of the JDBC driver to use.

  5. Optionally, click Show advanced settings to set the following option:

    Option Description

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  6. Click Connect.

  7. Verify the information in the Details tab.

PingOne

Details

The Advanced Identity Cloud PingOne application lets you manage and synchronize data between PingOne and Advanced Identity Cloud. Configuration requires a PingOne administrator account and a properly configured PingOne environment.

PingOne requirements

Before you can configure the Advanced Identity Cloud application, you must register an application in PingOne. You need a PingOne environment to complete this procedure:

  1. In your PingOne environment, create a new application:

    1. From the menu, expand the Applications node, and click Applications.

    2. On the Applications page, click the add button.

    3. In the Add Application window, enter the necessary details, select the Worker application type, and click Save.

    Show Me
    Create an application in PingOne
  2. In the Application Name window, enable the application.

    Show Me
    Enable the application in PingOne
  3. On the Roles tab, click Grant Roles.

  4. On the Available Responsibilities tab, expand the Identity Data Admin node, select the applicable environment, and click Save.

    Show Me
    Add PingOne application role
  5. Click the Configuration tab, and make note of the following:

    • URLs > Token Endpoint

    • General > Client ID

    • General > Client Secret

    • General > Environment ID

    Use these values when you configure provisioning for an Advanced Identity Cloud PingOne application.

  1. Complete PingOne requirements.

  2. In Advanced Identity Cloud admin UI, on the Provisioning tab:

    • If setting up provisioning for the first time, on the Provisioning tab, click Set up Provisioning.

    • If editing existing settings, in the Connection area, click Settings.

  3. Configure the following fields:

    Field Description

    Service Uri

    The service endpoint URI.

    Token Endpoint

    The OAuth 2.0 access token endpoint.

    Environment Id

    The environment identifier for your PingOne environment.

    Client Id

    The client ID for OAuth 2.0 flow.

    Client Secret

    The client secret for OAuth 2.0 flow.

    Grant Type

    The OAuth 2.0 grant type to use (client_credentials or refresh_token).

  4. To use Basic Auth to send the Client Id and Client Secret to PingOne as authorization headers, select Use Basic Auth For OAuth Token Neg. If the option is not selected, the Id and Secret will be sent as form data.

  5. Optionally, click Show advanced settings to set any of the following options:

    Field Description

    Maximum Connections

    The maximum size of the HTTP connection pool. The default is 10 connections.

    Connection Timeout

    The timeout for the underlying HTTP connection in seconds. The default is 30 seconds.

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  6. Click Connect.

  7. Verify the information in the Details tab.

PowerShell

You can use the PowerShell Connector Toolkit to create connectors that can provision any Microsoft system, including but not limited to Active Directory, Microsoft SQL, MS Exchange, SharePoint, Office365, and Azure. Any task performed with PowerShell can be executed through connectors based on this toolkit.

The PowerShell Connector Toolkit lets you develop connectors in PowerShell that address the requirements of your Microsoft Windows ecosystem. The framework is included with the .NET RCS server. Note that the framework itself is not a connector.

The Powershell Connector toolkit is built-in to the .NET RCS server.

Connectors created with the PowerShell Connector Toolkit run on the .NET platform and require the installation of a .NET connector server on the Windows system. To install the .NET connector server, refer to Sync identities.

The PowerShell connector combines a command-line shell and scripting language, built on the .NET Framework. For more information, refer to PowerShell Documentation.
Details
  1. In Advanced Identity Cloud admin UI, on the Provisioning tab:

  2. Configure the following fields:

    Field Description

    Active Directory Host

    The host name or IP address of the Active Directory server.

    Active Directory Port

    The port number on which the remote resource listens for connections.

    Login

    The user account in the remote resource that is used for the connection.

    Password

    The password of the user account that is used for the connection

    Authenticate Script

    The name of a script file that uses a custom PowerShell script to implement the /openicf/connector-dev-guide/operations/operation-authenticate.html[ICF authenticate operation]. The ICF authenticate operation lets an application authenticate an object on the target system, usually with a unique identifier (username) and a password.

    To reference a script, use the following format C:\path\to\script\script.ps1.

    Create Script

    The name of a script file that uses a custom PowerShell script to implement the /openicf/connector-dev-guide/operations/operation-create.html[ICF create operation]. The ICF create operation lets an application create objects on the target system.

    To reference a script, use the following format C:\path\to\script\script.ps1.

    Delete Script

    The name of a script file that uses a custom PowerShell script to implement the /openicf/connector-dev-guide/operations/operation-delete.html[ICF delete operation]. The ICF delete operation lets an application delete objects on the target system.

    To reference a script, use the following format C:\path\to\script\script.ps1.

    Schema Script

    The name of a script file that uses a custom PowerShell script to implement the /openicf/connector-dev-guide/operations/operation-schema.html[ICF schema operation]. The ICF schema operation lets an application describe the types of objects that it can handle on the target system and the operations and options that the connector supports foreach object type.

    To reference a script, use the following format C:\path\to\script\script.ps1.

    Search Script

    The name of a script file that uses a custom PowerShell script to implement the /openicf/connector-dev-guide/operations/operation-search.html[ICF search operation]. The ICF search operation lets an application search for objects on the target system.

    To reference a script, use the following format C:\path\to\script\script.ps1.

    Sync Script

    The name of a script file that uses a custom PowerShell script to implement the /openicf/connector-dev-guide/operations/operation-sync.html[ICF sync operation]. The ICF sync operation lets an application poll the target system for synchronization events created by changes to target objects.

    To reference a script, use the following format C:\path\to\script\script.ps1.

    Test Script

    The name of a script file that uses a custom PowerShell script to implement the /openicf/connector-dev-guide/operations/operation-test.html[ICF test operation]. The ICF test operation lets an application test the connector configuration against the target system.

    To reference a script, use the following format C:\path\to\script\script.ps1.

    Update Script

    The name of a script file that uses a custom PowerShell script to implement the /openicf/connector-dev-guide/operations/operation-update.html[ICF update operation]. The ICF update operation lets an application update (modify or replace) objects on the target system.

    To reference a script, use the following format C:\path\to\script\script.ps1.

    UID attribute name

    The attribute on the resource that contains the object UID.

    NAME attribute name

    The attribute on the resource that contains the object NAME.

    Substitute UID and NAME in query filter

    Enable if the UID and NAME should be replaced by the value defined in the NameAttributeName and UidAttributeName in the query filter.

  3. Optionally, click Show advanced settings to set any of the following options:

    Field Description

    Variables Prefix

    To avoid variable namespace conflicts, define a prefix for script variables. All variables are injected into the script under that prefix and can be used with the dotted notation.

    The default value is Connector.

    Query Filter Type

    To define the format used when injecting the query into the connector, set a query filter type by clicking one of the following:

    • Map - The query filter is a map.

    • Ldap - The query filter is in LDAP search format, for example, (cn=Joe).

    • Native - The query filter is a native OpenICF query filter.

    • AdPsModule - The query filter is compatible with the Active Directory PowerShell module, Get-ADUser Filter.

    Reload script on execution

    To reload the script from disk every time the connector executes the script, enable this setting.

    This can be useful for debugging. In production, disable this setting.

    Use Interpreter’s Pool

    To leverage the PowerShell RunSpace Pool, enable this setting.

    Min interpreter pool size

    The minimum size of the interpreter pool. The default value is 1.

    Max interpreter pool size

    The maximum size of the interpreter pool. The default value is 5.

    Pool cleanup interval

    To specify the interval (in minutes) to discard unused interpreter instances. To avoid cleaning up unused interpreter instances, set this property to 0. The default value is 60.

    PS Modules to Import

    An array of additional PowerShell modules that must be imported

    Custom Properties

    An array of Strings that define custom configuration properties. Each property uses the format name=value.

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  4. Click Connect.

  5. Verify the information in the Details tab.

Salesforce or Salesforce Community User

You can use a Salesforce application template or a Salesforce Community User application template to provision, reconcile, and synchronize Salesforce, Salesforce Portal, and Salesforce Community accounts.

Details
  1. In Advanced Identity Cloud admin UI, go to the Provisioning tab.

  2. On the Provisioning tab, click Set up Provisioning.

  3. In the Callback URI field, copy the callback URI.

  4. In another browser, log in to Salesforce.

  5. In platform tools, go to the app manager.

  6. Create a new connected app button.

  7. Configure the following settings:

    • Connected App Name

    • API Name

    • Contact email

    • Custom

  8. (Custom environment only) Enter the Login URL for the application.

  9. Enter the Consumer Key.

  10. Enter the Consumer Secret.

  11. Optionally, click Show advanced settings to set the following option:

    Option Description

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  12. Click Connect. You are redirected to Salesforce.

  13. Log in to Salesforce. You are redirected to Advanced Identity Cloud.

  14. Verify the information in the Details tab.

SAP SuccessFactors Account or SAP SuccessFactors HR

The SAP SuccessFactors connectors let you synchronize SAP SuccessFactors users with Advanced Identity Cloud admin UI users.

Details
  • If setting up provisioning for the first time, on the Provisioning tab, click Set up Provisioning.

  • When editing existing settings in the Connection area, click Settings.

    1. Configure the following fields:

      Field Description

      Host

      The hostname or IP address for your SuccessFactors application.

      Client ID

      The client ID for your SuccessFactors application.

      User ID

      The user ID for your SuccessFactors application.

      Private Key

      The private key which is used for signing JWT.

      Company Id

      The company ID as present in the target application.

    2. Optionally, click Show advanced settings to set any of the following options:

      Field Description

      Person Segments

      Enable to retrieve data based on person segments.

      Page Size

      The page size for the search operation.

      Maximum Connections

      The maximum allowed timeout for the connection (in seconds).

      Connection Timeout

      The connection timeout for the connection (in seconds).

      Use Proxy

      Enable to use a proxy server to connect to your SuccessFactors application.

      After you enable this option, set the following fields:

      • HTTP Proxy Host Name: The host name of the HTTP Proxy server.

      • HTTP Proxy Port: The port of the HTTP Proxy server.

      • HTTP Proxy Username: The username for logging into the HTTP Proxy server.

      • HTTP Proxy Password: The password for logging into the HTTP Proxy server.

      Exclude Unmodified

      Select this option to synchronize only the modified properties on a target resource.

    3. Click Connect.

    4. Verify the information in the Details tab.

SAP User Management

The SAP User Management connector lets you synchronize users from Advanced Identity Cloud to SAP user accounts. This application can only be a target application.

Details
  1. Set up a remote connector server (RCS).

  2. In Advanced Identity Cloud admin UI, on the Provisioning tab:

    • If setting up provisioning for the first time, click Set up Provisioning.

    • When editing existing settings in the Connection area, click Settings.

  3. Configure the following fields:

    Field/Option Description

    SAP Application Server FQDN

    The FQDN of your SAP Application Server. For example, sap.example.com.

    SAP Gateway Host

    The SAP gateway host name.

    SAP Gateway Server

    The SAP gateway server.

    SAP User

    The SAP Logon user.

    Password

    The SAP Logon password.

    SAP Client

    The SAP client.

    SAP System Number

    The SAP system number.

    SAP System Language

    The language of the remote SAP system.

    SAP Router

    The IP address, port, and optional password of the SAP router, if applicable. The syntax is /H/host/S/port/W/optionalPassword. For example:

    /H/203.0.113.0/S/3299/W/48npb_hg815.77rr62.hdj

    CUA

    Whether to enable SAP Central User Administration (CUA).

  4. Optionally, click Show advanced settings to set any of the following options:

    Field/Option Description

    Destination

    SAP JCo destination name.

    Direct Connection

    If selected, use a direct connection to an SAP ABAP Application server or SAP router. If cleared, use a connection to a group of SAP instances through a SAP message server.

    Target Directory

    The directory to write classes.

    Warning Level

    The compiler warning level.

    Disabled Global AST Transformations

    A list of global AST transformations which should not be loaded even if they are defined in META-INF/org.codehaus.groovy.transform.ASTTransformation files. By default, none are disabled.

    SourceEncoding

    The encoding for source files.

    X509 Certificate

    The X509 certificate to supply for authentication.

    Trace

    Whether to enable RFC trace.

    CPIC Trace

    Whether to enable CPIC trace. Possible values are 0-3.

    SAP Message Server Host

    The message server host.

    Group

    The group name of the application servers. Used when you log in to a logon group that uses load balancing.

    Message Server Service

    The message server service name.

    R3 Name

    The name of the SAP system used when you log in to a logon group that uses load balancing.

    SNC Mode

    Flag used to activate SNC (Secure Network Connection). Possible values are 0 (OFF) and 1 (ON).

    SNC QoP

    The connection security level to use. Possible values are:

    1

    Authentication only

    2

    Integrity protection

    3

    Privacy protection

    8

    Use the application server value snc/data_protection/use

    9

    Use the application server value snc/data_protection/max

    SNC Library

    The external library path for the Secure Network Connection service. The default is the system-defined library as defined in the environment variable SNC_LIB.

    SNC Partner Name

    The application server ABAP SNC name. For example, "p:CN=ABC, O=MyCompany, C=US". You can find the name in the profile parameter snc/identity/as on the AS ABAP.

    SNC Name

    The connector SNC name. For example, "p:CN=OpenIDM, O=MyCompany, C=US". This parameter is optional, but set it to make sure that the correct SNC name is used for the connection.

    SNC SSO

    Whether the connection should be configured for single sign-on (SSO). Possible values are 0 (OFF) and 1 (ON).

    Pool Capacity

    The maximum number of idle connections kept open by the destination. If there is no connection pooling, set this to 0. The default value is 1.

    For optimum performance, set this value to an integer between 5 and 10.

    Expiration time

    After this time (in milliseconds) has elapsed, the system closes the free connection. The default value is 60000.

    Max Get time

    If the pool has allocated the maximum allowed number of connections, the maximum time (in milliseconds) to wait for a connection.

    Peak Limit

    The maximum number of active connections that can be created for a destination simultaneously. The value 0 is unlimited.

    Expiration Period

    After this time (in milliseconds) has elapsed, the destination checks released connections for expiration.

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  5. Click Connect.

  6. Verify the information in the Details tab.

SCIM

Details
  1. In Advanced Identity Cloud admin UI, on the Provisioning tab, click Set up Provisioning:

    • If setting up provisioning for the first time:

      1. If you have not configured a remote server, click New Connector Server and follow the steps to create a server.

      2. If you configured one remote server, it is automatically selected.

      3. If you configured multiple remote servers, choose a server.

    • When editing existing settings in the Connection area, click Settings.

  2. Configure the following fields:

    Field Description

    SCIM Endpoint

    The HTTP URL defining the root for the SCIM endpoint (https://myserver.com/service/scim).

    SCIM Protocol Version

    Choose version 1 or version 2. The default is 1.

    Authentication Method

    The method for authenticating on the remote server: BASIC, OAUTH, or TOKEN. The default is OAUTH.

  3. If you chose OAUTH, fill in the following fields:

    Field Description

    Token Endpoint

    The endpoint where a new access token is requested for OAuth 2.0.

    Client Id

    The secure client identifier for OAuth 2.0.

    Client Secret

    The secure client secret for OAuth 2.0.

    Scope

    The OAuth 2.0 scope to use.

    Grant Type

    The OAuth 2.0 grant type to use.

  4. If you chose BASIC, configure the following fields:

    Field Description

    User

    The username for SCIM.

    Password

    The password for SCIM.

  5. If you chose TOKEN, configure the following fields:

    Field Description

    Auth Token

    The auth token for SCIM.

  6. Fill out the following fields:

    Field Description

    Use TLS Mutual Authentication

    Select to use TLS Mutual Authentication.

    Maximum Connections

    The maximum size of the http connection pool. The default is 10 connections.

  7. If you selected Use TLS Mutual Authentication, configure the following fields:

    Field Description

    Client Certificate Alias

    The client certificate alias.

    Client Certificate Password

    The client certificate password.

  8. Optionally, click Show advanced settings to set any of the following options:

    Field Description

    Disable Http Compression

    Content compression is enabled by default. Select this property to true to disable it.

    Use an HTTP Proxy

    Select to use an HTTP proxy.

    Connection Timeout

    Define a timeout (in seconds) for the underlying http connection. The default is 30 seconds.

    Debug/Test settings

    Only use these settings for test environments. Don’t enable for production environments.

    Selecting this option displays the following options:

    • Accept Self Signed Certificates: Enable to accept self-signed certificates.

    • Disable Host Name Verifier: Enable to disable hostname verifiers.

    Read Schema

    Read/discover the schema from the SCIM endpoint. The default value is true.

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  9. Click Connect.

  10. Verify the information in the Details tab.

Scripted Groovy

The generic Groovy Connector Toolkit runs a Groovy script for any operation, such as search, update, create, and others, on any external resource. The Groovy Connector Toolkit is not a complete connector in the traditional sense. Rather, it is a framework you use to write your own Groovy scripts to address the requirements of your implementation. For more information, refer to Groovy Connector Toolkit.

Details
  1. In Advanced Identity Cloud admin UI, on the Provisioning tab:

  2. Configure the following fields:

    Field Description

    Script Base Class

    Base class name for scripts (must derive from Script).

    Script Roots

    The root folder that stores the scripts. If the value is null or empty, the classpath value is used.

    Custom Sensitive Configuration

    Custom Sensitive Configuration script for Groovy ConfigSlurper.

    Schema Script

    The name of a connector file that uses a custom Groovy script to implement the /openicf/connector-dev-guide/operations/operation-schema.html[ICF schema operation]. The ICF schema operation lets a connector describe the types of objects that it can handle on the target system and the operations and options that the connector supports foreach object type.

    Test Script

    The name of a connector file that uses a custom Groovy script to implement the /openicf/connector-dev-guide/operations/operation-test.html[ICF test operation]. The ICF test operation lets a connector test the connector configuration against the target system.

    Create Script

    The name of a connector file that uses a custom Groovy script to implement the /openicf/connector-dev-guide/operations/operation-create.html[ICF create operation]. The ICF create operation lets a connector create objects on the target system.

    Update Script

    The name of a connector file that uses a custom Groovy script to implement the /openicf/connector-dev-guide/operations/operation-update.html[ICF update operation]. The ICF update operation lets a connector update (modify or replace) objects on the target system.

    Authenticate Script

    The name of a connector file that uses a custom Groovy script to implement the /openicf/connector-dev-guide/operations/operation-authenticate.html[ICF authenticate operation]. The ICF authenticate operation lets a connector authenticate an object on the target system, usually with a unique identifier (username) and a password.

    Delete Script

    The name of a connector file that uses a custom Groovy script to implement the /openicf/connector-dev-guide/operations/operation-delete.html[ICF delete operation]. The ICF delete operation lets a connector delete objects on the target system.

    Resolve Username Script

    The name of a connector file that uses a custom Groovy script to implement the /openicf/connector-dev-guide/operations/operation-resolve-username.html[ICF resolve username operation]. The ICF resolve username operation lets a connector resolve an object to its UID, based on its username.

    Search Script

    The name of a connector file that uses a custom Groovy script to implement the /openicf/connector-dev-guide/operations/operation-search.html[ICF search operation]. The ICF search operation lets a connector search for objects on the target system.

    Customizer Script

    The name of the file that lets you customize the Apache HTTP client connection pool, proxy, default headers, timeouts, and so on.

    Target Directory

    Directory into which to write classes.

  3. Optionally, click Show advanced settings to set any of the following options:

    Field Description

    Warning Level

    The warning level of the compiler. If not set, the default value is 1.

    Min. Recompilation Interval

    Sets the minimum amount of time after a script can be recompiled. If not set, the default value is 100.

    Custom Configuration

    Custom Configuration script for Groovy ConfigSlurper.

    Tolerance

    The error tolerance, which is the number of non-fatal errors (per unit) that should be tolerated before compilation is aborted. If not set, the default value is 10.

    Debug

    If true, debugging code should be activated.

    Classpath

    The classpath for use during compilation.

    Disabled Global AST Transformations

    Sets a list of global AST transformations which should not be loaded even if they are defined in META-INF/org.codehaus.groovy.transform.ASTTransformation files. By default, none are disabled.

    Verbose

    If true, the compiler should produce action information.

    Source Encoding

    The encoding for source files. If not set, the default value is UTF-8.

    Recompile Groovy Source

    If set to true, recompilation is enabled.

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  4. Click Connect.

  5. Verify the information in the Details tab.

Scripted REST

The Scripted REST connector is an implementation of the Scripted Groovy Connector Toolkit. It uses Groovy scripts to interact with any REST API. This connector type lets you develop a fully functional REST-based connector for in-house or cloud-based application. For more information, refer to Scripted REST connector.

Details
  1. In Advanced Identity Cloud admin UI, on the Provisioning tab, click Set up Provisioning:

    • If setting up provisioning for the first time:

      1. If you have not configured a remote server, click New Connector Server and follow the steps to create a server.

      2. If you configured one remote server, it is automatically selected.

      3. If you configured multiple remote servers, choose a server.

    • When editing existing settings in the Connection area, click Settings.

  2. Configure the following fields:

    Field Description

    Service Address

    The service URI (example: http://myservice.com/api).

    Proxy Address

    The optional Proxy server URI (example: http://myproxy:8080).

    Username

    The remote user to authenticate with.

    Password

    The password to authenticate with.

    Default Content Type

    The default HTTP request content type. One of TEXT, XML, HTML, URLENC, BINARY, or JSON. If not set, the default value is JSON.

    Default Request Headers

    Placeholder for default HTTP request headers.

    Default Authentication Method

    The default authentication method for the connection. Specify BASIC or OAUTH. If not set, the default value is BASIC.

    If Default Authentication Method is set to OAUTH, configure the following fields:

    • Token Endpoint: When using OAuth 2.0, this property defines the endpoint where a new access token should be queried for (https://myserver.com/oauth2/token).

    • Client ID: The secure client identifier for OAuth 2.0.

    • Client Secret: The secure client secret for OAuth 2.0.

    • Refresh Token: The refresh token used to renew the access token for the refresh_token grant type.

    • Scopes: The optional scopes to use for OAuth 2.0.

    Grant Type

    The grant type to use. Specify CLIENT_CREDENTIALS, REFRESH_TOKEN, or AUTHORIZATION_CODE. If not set, the default value is CLIENT_CREDENTIALS.

    Custom Sensitive Configuration

    Custom Sensitive Configuration script for Groovy ConfigSlurper.

    Custom Configuration

    Custom Configuration script for Groovy ConfigSlurper.

    Script Roots

    The root folder that stores the scripts. If the value is null or empty, the classpath value is used.

    Authenticate Script

    The name of a connector file that uses a custom REST request to implement the ICF authenticate operation. The ICF authenticate operation lets a connector authenticate an object on the target system, usually with a unique identifier (username) and a password.

    Create Script

    The name of a connector file that uses a custom REST request to implement the /openicf/connector-dev-guide/operations/operation-create.html[ICF create operation]. The ICF create operation lets a connector create objects on the target system.

    Update Script

    The name of a connector file that uses a custom REST request to implement the /openicf/connector-dev-guide/operations/operation-update.html[ICF update operation]. The ICF update operation lets a connector update (modify or replace) objects on the target system.

    Delete Script

    The name of a connector file that uses a custom REST request to implement the /openicf/connector-dev-guide/operations/operation-delete.html[ICF delete operation]. The ICF delete operation lets a connector delete objects on the target system.

    Search Script

    The name of a connector file that uses a custom REST request to implement the /openicf/connector-dev-guide/operations/operation-search.html[ICF search operation]. The ICF search operation lets a connector search for objects on the target system.

    Test Script

    The name of a connector file that uses a custom REST request to implement the /openicf/connector-dev-guide/operations/operation-test.html[ICF test operation]. The ICF test operation lets a connector test the connector configuration against the target system.

    Sync Script

    The name of a connector file that uses a custom REST request to implement the /openicf/connector-dev-guide/operations/operation-sync.html[ICF sync operation]. The ICF sync operation lets a connector poll the target system for synchronization events created by changes to target objects.

    Schema Script

    The name of a connector file that uses a custom REST request to implement the /openicf/connector-dev-guide/operations/operation-schema.html[ICF schema operation]. The ICF schema operation lets a connector describe the types of objects that it can handle on the target system and the operations and options that the connector supports for each object type.

    Resolve Username Script

    The name of a connector file that uses a custom REST request to implement the /openicf/connector-dev-guide/operations/operation-resolve-username.html[ICF resolve username operation]. The ICF resolve username operation lets a connector resolve an object to its UID, based on its username.

    Script On Resource

    The name of a connector file that uses a custom REST request to implement the /openicf/connector-dev-guide/operations/operation-script-on-resource.html[ICF script on resource operation]. The ICF script on resource operation lets a connector runs a script directly on the target resource.

    Customizer Script

    The name of the file that lets you customize the Apache HTTP client connection pool, proxy, default headers, timeouts, and so on.

  3. Optionally, click Show advanced settings to set any of the following options:

    Field Description

    Target Directory

    Directory into which to write classes.

    Warning Level

    The warning level of the compiler. If not set, the default value is 1.

    Recompilation Interval

    Sets the minimum of time after a script can be recompiled. If not set, the default value is 100.

    Script Base Class

    Base class name for scripts (must derive from Script).

    Tolerance

    The error tolerance, which is the number of non-fatal errors (per unit) that should be tolerated before compilation is aborted. If not set, the default value is 10.

    Debug

    If true, debugging code should be activated.

    Classpath

    The classpath for use during compilation.

    Disabled Global AST Transformations

    Sets a list of global AST transformations which should not be loaded even if they are defined in META-INF/org.codehaus.groovy.transform.ASTTransformation files. By default, none are disabled.

    Verbose

    If true, the compiler should produce action information.

    Source Encoding

    The encoding for source files. If not set, the default value is UTF-8.

    Recompile Groovy Source

    If set to true, recompilation is enabled.

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  4. Click Connect.

  5. Verify the information in the Details tab.

Scripted Table

The Scripted SQL connector is an implementation of the Scripted Groovy Connector Toolkit. This connector lets you use Groovy scripts to interact with any SQL database. To use this connector, you must write a Groovy script for each operation that you want the connector to perform (create, read, update, delete, authenticate, and so on). For more information, refer to Scripted SQL connector.

Details
  1. In Advanced Identity Cloud admin UI, on the Provisioning tab, click Set up Provisioning:

    • If setting up provisioning for the first time:

      1. If you have not configured a remote server, click New Connector Server and follow the steps to create a server.

      2. If you configured one remote server, it is automatically selected.

      3. If you configured multiple remote servers, choose a server.

    • When editing existing settings in the Connection area, click Settings.

  2. Configure the following fields:

    Field Description

    User

    The connection username sent to the JDBC driver to establish a connection.

    Password

    The connection password sent to the JDBC driver to establish a connection.

    JDBC URL

    The URL for the JDBC driver.

    JDBC Driver

    The class name of the driver you are using to connect.

    Create Script

    The name of a connector file that uses a custom SQL command to implement the /openicf/connector-dev-guide/operations/operation-create.html[ICF create operation]. The ICF create operation lets a connector create objects on the target system.

    Update Script

    The name of a connector file that uses a custom SQL command to implement the /openicf/connector-dev-guide/operations/operation-update.html[ICF update operation]. The ICF update operation lets a connector update (modify or replace) objects on the target system.

    Delete Script

    The name of a connector file that uses a custom SQL command to implement the /openicf/connector-dev-guide/operations/operation-delete.html[ICF delete operation]. The ICF delete operation lets a connector delete objects on the target system.

    Search Script

    The name of a connector file that uses a custom SQL command to implement the /openicf/connector-dev-guide/operations/operation-search.html[ICF search operation]. The ICF search operation lets a connector search for objects on the target system.

    Authenticate Script

    The name of a connector file that uses a custom SQL command to implement the /openicf/connector-dev-guide/operations/operation-authenticate.html[ICF authenticate operation]. The ICF authenticate operation lets a connector authenticate an object on the target system, usually with a unique identifier (username) and a password.

    Schema Script

    The name of a connector file that uses a custom SQL command to implement the /openicf/connector-dev-guide/operations/operation-schema.html[ICF schema operation]. The ICF schema operation lets a connector describe the types of objects that it can handle on the target system and the operations and options that the connector supports foreach object type.

    Sync Script

    The name of a connector file that uses a custom SQL command to implement the /openicf/connector-dev-guide/operations/operation-sync.html[ICF sync operation]. The ICF sync operation lets a connector poll the target system for synchronization events created by changes to target objects.

    Test Script

    The name of a connector file that uses a custom SQL command to implement the /openicf/connector-dev-guide/operations/operation-test.html[ICF test operation]. The ICF test operation lets a connector test the connector configuration against the target system.

    Script Root(s)

    The root folder that stores the scripts. If the value is null or empty, the classpath value is used.

  3. Optionally, click Show advanced settings to set any of the following options:

    Field Description

    Validation Query

    The SQL query used to validate connections from this pool before returning them to the caller. If specified, this query does not have to return any data, it just can’t throw a SQLException. The default value is null. Example values are:

    • SELECT 1 (mysql)

    • select 1 from dual (oracle)

    • SELECT 1 (MS Sql Server)

    Validation Interval

    To avoid excess validation, only run validation at most at this frequency - time in milliseconds. If a connection is due for validation, but has been validated previously within this interval, it will not be validated again. The default value is 30000 (30 seconds).

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  4. Click Connect.

  5. Verify the information in the Details tab.

ServiceNow

Before you configure ServiceNow, refer to the Before you start section in ServiceNow connector.

Details
  1. In ServiceNow, create an OAuth API endpoint for external clients.

  2. Note your instance url, username, and password.

  3. After auto-generating your secret, copy the client id and client secret.

  4. In the connector configuration, you must include a ServiceNow user who has admin and rest_api_explorer roles.

    If you don’t want to assign the admin role to the ServiceNow user, you must ensure that the user has access to the following tables:

    • sys_user_has_role

    • sys_user_grmember

    • sys_user_delegate

    • sys_user_role

    • sys_user_group

    • core_company

    • cmn_department

    • cmn_cost_center

    • cmn_location

  5. In Advanced Identity Cloud admin UI, on the Provisioning tab:

    • If setting up provisioning for the first time, on the Provisioning tab, click Set up Provisioning.

    • When editing existing settings in the Connection area, click Settings.

  6. Configure the following settings:

    Field Description

    ServiceNow instance

    URL of the ServiceNow instance. For example, dev00000.service-now.com

    Username

    An API user in ServiceNow that can consume the REST API.

    Password

    Password for the end user.

    Client ID

    Client ID of the OAuth 2.0 application in ServiceNow.

    Client Secret

    Client Secret for the preceding Client ID.

  7. Optionally, click Show advanced settings to set the following option:

    Option Description

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  8. Click Connect.

  9. Verify the information in the Details tab.

Webex

Details

The Advanced Identity Cloud Webex application lets you manage and synchronize data between Webex Control Hub and Advanced Identity Cloud. A Webex administrator account is required.

To modify the settings for an existing provisioning connection, in Advanced Identity Cloud admin UI, click the Provisioning tab, and then click Settings.
  1. In Webex, set up a Webex integration application:

    1. Create a Webex developer account.

    2. Create an integration application and add the required scopes to manage users, groups, licenses, and roles. Minimum required scopes:

      • spark-admin:people_write

      • spark-admin:people_read

      • spark-admin:licenses_read

      • spark-admin:roles_read

      • identity:groups_rw

      • identity:groups_read

    3. Save the client secret and client ID.

      Keep your Webex integration application window open, as you’ll need to add information during provisioning configuration.
  2. In Advanced Identity Cloud admin UI, click the Provisioning tab, and then click Set up Provisioning.

  3. In the Configure Webex App modal, copy the Redirect URI, and click Next.

    Show Me
    Configure Webex modal
  4. In Webex, in your Webex integration application Redirect URI(s) area, paste the redirect URI, and click Save.

    Show Me
    Webex integration app redirect URI
  5. In Advanced Identity Cloud admin UI, configure the following fields:

    Field Description

    Client ID

    The client ID for OAuth 2.0 flow.

    Client Secret

    The client secret for OAuth 2.0 flow.

    Service URI

    The service endpoint URI.

    Token Endpoint

    The OAuth 2.0 access token endpoint.

  6. Optionally, click Show advanced settings to set any of the following options:

    Field Description

    Maximum Connections

    The maximum size of the HTTP connection pool. The default is 10 connections.

    Connection Timeout

    The timeout for the underlying HTTP connection in seconds. The default is 30 seconds.

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  7. Click Connect.

  8. Verify the information in the Details tab.

Workday

Details
  1. In Advanced Identity Cloud admin UI, on the Provisioning tab:

    • If setting up provisioning for the first time, on the Provisioning tab, click Set up Provisioning.

    • When editing existing settings in the Connection area, click Settings.

  2. Make sure you have the requirements mentioned on the Connect to Workday page.

  3. Click Next.

  4. Configure the following fields:

    Field Description

    Workday Host Name

    The hostname of the Workday instance. For example, example.workday.net.

    Workday Tenant Name

    The Workday tenant that you are connecting to.

    Username

    The username for connecting to the Workday tenant.

    Password

    The password for connecting to the Workday tenant.

  5. Optionally, click Show advanced settings to set any of the following options:

    Field Description

    Enforce Connection Timeout

    Enable to set the timeout (in seconds) the application waits for a request to be sent to the Workday instance. After you enable this option, enter a value in the Connection Timeout (seconds) field.

    Enforce Receive Timeout

    Enable to set the timeout (in seconds) the application waits for a response from the Workday instance. After you enable this option, enter a value in the Receive Timeout (seconds) field.

    Use Proxy

    Enable to use an HTTP proxy server to connect to Workday. After you enable this option, set the following fields:

    • Proxy Host Name: The hostname for the proxy.

    • Proxy Port: The port for the proxy.

    Set Effective Date

    Enable to set an effective date or a duration during which access to Workday is granted. After you enable this option, set the Effective Date field. Valid values for the Effective Date field are X-Path function, XML Schema, or Duration. If set to Duration, the effective date is the current date + duration.

    Exclude Unmodified

    Select this option to synchronize only the modified properties on a target resource.

  6. Click Connect.

  7. Verify the information in the Details tab.

Manage application attributes

Properties are the application attributes that Advanced Identity Cloud creates automatically. You can use the Properties tab to view and modify the properties of an account object or group/organization identity that can access your application.

The tab displays the name, identity type, and other information such as multivalued or required, for a property.

Add or edit a property

  1. On the Properties tab, do one of the following:

    • To add a new property, click Add a Property.

    • To edit a property, double-click a property.

  2. In the Name drop-down field, select a property.

  3. In the Type drop-down field, select a property type.

  4. Set one or more of the following options:

    Field Description

    Multi-valued

    Make the property a multi-value property.

    Required

    Make the property a required property.

    User-specific

    Make the property specific to individual users and not roles. If you don’t check this option, the property appears in the role’s relationship page when you add a role to an application.

  5. Optionally, click Show advanced settings to set any of the following options:

    Field Description

    Creatable

    Make the property creatable.

    Readable

    Make the property readable. Required for the property to appear in the Users & Roles tab.

    Updatable

    Make the property updatable.

    Returned by default

    Set the property to be returned by default. Requires the Readable option to be checked.

    Enumerated Values

    A list of allowed values that constrain the values you can set for the property. Supported for string and array type properties.

    To define a list of values for this property:

    1. Beside the Values field, click the plus sign.

    2. In the text field, enter the unique identifier for the value.

    3. In the value field, enter the display text for the value.

    4. To add another value, click the plus sign, and repeat steps 2 and 3 above.

    5. To delete a value, click the negative sign beside a value.

  6. Click Save.

Set a property as user-specific

You can set a property to be for a specific user.

  1. On the Properties tab, click a property.

  2. Enable User-specific.

  3. Click Save.

Set the display order of a property

When you add a new user or role, you specify properties for the identity. You can set the display order of the properties.

  1. In the Provisioning page, under the application name and logo, click the drop-down arrow and select a user or role. For example, select User.

  2. On the Properties tab, to set the order of a property, drag and drop a property up or down to the desired location.

  3. To verify your changes, add a new user or role. For example, on the Users & Roles tab, select Users, and click + Assign Users.

  4. The modal should display the properties in the order that you set.

Delete a property

  1. On the Properties tab, to the right of the property, click the ellipsis (...).

  2. Click Delete.

You cannot undo the delete action.

View user access data

After you successfully connect to the target application, review the Data tab to verify the users and groups/organizations that have access to the application.

Customize columns

  1. In the upper right corner of the Data page, click the horizontal ladder icon.

  2. Select the column types to display.

  3. Click Apply.

End-user data sharing

Users who have accounts in target applications can share their data with other applications. After a preference to share data with other applications has been configured, data from the target applications is synchronized with Advanced Identity Cloud.

Configure end-user data sharing and synchronization

  1. In Advanced Identity Cloud admin UI, on the Provisioning tab, click the Privacy & Consent tab.

  2. To let end users prevent sharing of their personal data, under Consent-based Provisioning, click Activate.

  3. To only share the data of users that have set sharing preferences:

    1. In Advanced Identity Cloud admin UI, go to Hosted Pages and select Realm Default theme.

    2. Go to Account Pages and select Layout.

    3. Check the Consent option.

    4. Click Save. The end-user profile page now displays the Personal Data Sharing option.

    5. In Advanced Identity Cloud admin UI, on the Provisioning tab, click the Privacy & Consent tab.

    6. Under Preference-based Provisioning, choose one or more preferences. These are the preferences you set up for users.

Manage mappings

The Mapping tab lets you create identity object and attribute mappings between Advanced Identity Cloud and an external system application. You define mappings between a source and a target. The definition of source and target depend on the type of mapping:

Outbound mapping

Provision user attributes from Advanced Identity Cloud (source) to an external target application (target).

Inbound mapping

Reconcile user attributes from an external authoritative application (source) to Advanced Identity Cloud (target).

To avoid inconsistencies between systems, don’t update mappings while a provisioning or reconciliation is in progress.

Create or edit a mapping

  1. In the Advanced Identity Cloud admin UI, go to Applications, then select your application, then click the Provisioning tab.

  2. In the left navigation panel, click the Mapping tab.

    • If displayed, click Outbound (shown if your application is connected to external target application).

      1. Choose one of the following:

        • To create an outbound mapping:

          1. Click + Add a property to open a mapping configuration modal.

          2. In the drop-down list of targets, select an attribute to update in the external target application.

          3. Click Next.

        • To edit an outbound mapping:

          1. Click a mapping to open its mapping configuration modal.

      2. In the drop-down list of sources, select an Advanced Identity Cloud attribute to provide a source value. This step is optional if you intend to apply a transformation script and/or a default value.

    • If displayed, click Inbound (shown if your application is connected to an external authoritative application).

      1. Choose one of the following:

        • To create an inbound mapping:

          1. Click + Add a property to open a mapping configuration modal.

          2. In the drop-down list of targets, select an Advanced Identity Cloud attribute to update.

          3. Click Next.

        • To edit an inbound mapping:

          1. Click a mapping to open its mapping configuration modal.

      2. In the drop-down list of sources, select an attribute from the external authoritative application to provide a source value. This step is optional if you intend to apply a transformation script and/or a default value.

  3. (Optional) Apply a transformation script to the mapping.

  4. (Optional) Apply a conditional update to the mapping.

  5. (Optional) Apply a default value to the mapping.

  6. Click Save to save the mapping and close the mapping configuration modal.

Apply a transformation script to a mapping

You can apply a transformation script to a mapping to compute a target value using a combination of source values and string manipulations. For example, you may want to combine first name and last name attributes into a single name attribute.

  1. Refer to steps 1–4 in Create or edit a mapping.

  2. In the mapping configuration modal:

    1. Check Apply transformation script.

    2. Insert your transformation script into the Transformation Script editor. Refer to these examples:

    3. (Optional) To use custom global variables in the script, refer to Define custom global variables for a script.

    4. Click Save to save the mapping and close the mapping configuration modal.

Source object behavior

The source object in a transformation script changes depending on what you select from the drop-down list of sources:

  • If you select a source attribute, such as source.name, the source object represents just that attribute. For example, to access name.familyName you would reference source.familyName.

  • If you don’t select a source attribute, the source object represents the entire identity object and its attributes. For example, to access name.familyName you would reference source.name.familyName.

Transformation script example 1

source.name ? source.name.familyName : null ;

In this example, the script checks if a value exists for source.name. If it does, we know source.name is an object and familyName is one of the attributes on that object, so the script sets the field with the value of source.name.familyName. Otherwise, the script sets this field to null.

Transformation script example 2

source.givenName + ' ' + source.sn ;

In this example, the script sets the field to a combination of the given name and surname, with a space in the middle; for example, "Jane Fergus".

Transformation script example 3a

source.active ? 'active' : 'inactive';

In this example, the script checks if the source.active property has any value set. If true, the script sets this field to the string active. Otherwise, the script sets the field to inactive.

Transformation script example 3b

You can configure the previous script slightly differently if you prefer (as described in Source object behavior). If you select source.active from the drop-down list of sources, source.active is represented as source in the transformation script. So the transformation script would be:

source ? 'active' : 'inactive';

Apply a conditional update to a mapping

You can apply a conditional update to a mapping so that the target attribute is only updated when certain conditions evaluate to true.

  1. Refer to steps 1–4 in Create or edit a mapping.

  2. In the mapping configuration modal:

    1. Click Show advanced settings.

    2. Check Apply conditional update.

    3. Choose one of the following ways to conditionally update the attribute:

      • To use filter fields:

        1. Make sure Filter is selected.

        2. Use the fields to set the conditions that must occur to update the attribute.

          For example, if you want to update the attribute only for users in the United States, select "Country" from the list of attributes, select "is" from the list of operators, and enter "United States" in the open text field:

          mapping conditional update filter fields
      • To use a filter query:

        1. Make sure Filter is selected.

        2. Click Advanced Editor.

          If you build a filter with the filter fields, it is automatically populated as a query filter in the advanced editor.
        3. In the editor, edit the query filter.

          For example, if you want to update the attribute only for users in the United States, enter /object/country eq "United States":

          mapping conditional update filter query
      • To use a script:

        1. Click Script.

        2. In the Conditional Update Script field, modify the script that defines the condition.

          For example, if you want to update the attribute only for users in the United States, enter object.country == "United States":

          mapping conditional update script
        3. (Optional) To use custom global variables in the script, refer to Define custom global variables for a script.

    4. Click Save to save the mapping and close the mapping configuration modal.

Apply a default value to a mapping

You can apply a default value to a mapping. The default value is applied to a target attribute if the result of a mapping (including after any transformation script or conditional update) is a value of null.

  1. Refer to steps 1–4 in Create or edit a mapping.

  2. In the mapping configuration modal:

    1. Click Show advanced settings.

    2. Check Apply a default if value is null.

    3. Insert your default value into the editor.

    4. Click Save to save the mapping and close the mapping configuration modal window.

Define custom global variables for a script

  1. In the Transformation Script field or the Conditional Update Script field, click + Add Variables.

  2. To specify the variables in a JSON format, check the JSON toggle.

  3. To give the variable a name, enter a name in the Name field.

  4. To give the variable a value, enter a value in the Value field.

  5. To add more global variables for your script, click the plus sign and repeat the previous two steps.

  6. Click Save.

Preview an outbound mapping

Previewing provides an example of how user mapping appears from source to target.

  1. In the left navigation panel, click the Mapping tab, then click Outbound.

  2. Click Preview.

  3. In the drop-down list, choose an end user to preview. The page displays a preview of the target object that will be created when provisioning.

  4. Click Done.

Delete a mapping

  1. In the Advanced Identity Cloud admin UI, go to Applications, then select your application, then click the Provisioning tab.

  2. In the left navigation panel, click the Mapping tab.

    • If displayed, click Outbound (shown if your application is connected to external target application).

    • If displayed, click Inbound (shown if your application is connected to an external authoritative application).

  3. Click a mapping.

  4. Find the mapping you want to delete and click its ellipsis icon (more_horiz), then click Delete.

  5. In the Delete Mapping? modal, click Delete.

Reconcile and synchronize end-user accounts

A reconciliation operation involves a target system (the system with user account updates) and Advanced Identity Cloud admin UI (the system that receives the updates). For example, a Salesforce application and Advanced Identity Cloud admin UI. Mappings define the relationship between the target system and Advanced Identity Cloud admin UI.

The goal of reconciliation is to ensure synchronization and consistency between Advanced Identity Cloud admin UI and the external system application. Reconciliation uses the details you define in the Mappings tab to determine how to map and update properties.

Running reconciliation syncs end-user account changes (New accounts, updated accounts, deleted accounts) and user-associated non-account objects (like Groups) from an authoritative application to Advanced Identity Cloud. This is for an inbound mapping.

The Reconciliation tab prepares an application to run reconciliation jobs; however, to schedule full and incremental reconciliation, go to the Reconciliation > Reconcile > Schedules tab.

Preview associations

To discern how your data reconciles between an external system and Advanced Identity Cloud admin UI, you can preview associations before you run reconciliation.

On the Reconciliation > Reconcile tab, click Preview Associations.

Synchronize an identity

You can synchronize an identity in Advanced Identity Cloud with an identity that exists in a target system. To achieve this, Advanced Identity Cloud models the identity in the target system and makes it available for mapping as a series of objects and properties:

Account object

The account object represents the user entity in the target system. Examples of account object properties are name and email.

For example, in a Salesforce application, the account.email object property is mapped to mail in the Advanced Identity Cloud user identity.

Non-account object

Non-account objects represent entities linked to the user entity in the target system. Examples of non-account objects are roles, groups, departments, permissions, and licenses.

For example, in a Salesforce application, the group object property is mapped to the GroupIds field in the Advanced Identity Cloud user identity.

Each templated application in Advanced Identity Cloud contains an account object and may contain one or more non-account objects that are modelled specifically to the target system.

Manually set non-account objects for an account object

After you create certain connectors and run reconciliation, you can start mapping the account object to various non-account objects. These non-account objects are predefined. For more information about connectors with predefined non-account objects, refer to Connectors with predefined non-account objects.

However, connectors for non-authoritative applications, such as a Scripted REST connector, a Scripted Groovy connector, or a Scripted Table connector, don’t have predefined non-account objects. The reason is that these types of connectors can have different non-account objects. These non-account objects are nonpredefined objects.

For connectors for non-authoritative applications, you must manually select the non-account objects that map to specific properties for an account object.

  1. Select the Provisioning tab.

  2. Select the Properties tab.

  3. Edit a property.

  4. On the Edit Property screen, enable Constrain values for this property.

  5. On the Edit Property screen, enable Application Object Type.

  6. In the Select Object Type drop-down field, select a non-account object type to map to the current property.

  7. On the Edit Property screen, enable Entitlement.

  8. Click Save.

Connectors with predefined non-account objects

The following connectors have predefined non-account object types. After creating a connector that is listed in the table and running reconciliation, you can associate the account object in the second column with the non-account objects in the third column.

Connector Account object Predefined non account objects

Active Directory

ldapGroups

Group

Azure AD

  • __roles__

  • memberOf

  • __servicePlanIds__

  • Directory Role

  • Group

  • servicePlan

Google Workspace

  • __ROLES__

  • __GROUPS__

  • __LICENSE_ASSIGNMENTS__

  • Role

  • __GROUP__

  • __LICENSE_ASSIGNMENTS__

LDAP

ldapGroups

Group

Powershell

Dynamic

N/A

Salesforce

  • __PermissionSetIds__

  • __GroupIds__

  • Profile Id

  • UserRoleId

  • FeatureLicenses

  • Permission Set

  • Group

  • Profile

  • UserRole

  • FeatureLicense

SAP SuccessFactors

__GROUP__

Group

SCIM

groups

Group

Sripted Groovy

Dynamic

N/A

Scripted REST

Dynamic

N/A

Sripted SQL

Dynamic

N/A

ServiceNow

  • location

  • costcenter

  • company

  • department

  • group

  • roles

  • location

  • costcenter

  • company

  • department

  • group

  • role

Map target system object properties to Identity Cloud

To ensure all properties that are associated with a user account or role account synchronize during reconciliation, perform the following steps.

  1. If your connector is not predefined, perform the steps in Manually set non-account objects for an account object.

  2. Select the Provisioning tab.

  3. Click Mapping.

  4. Click Inbound.

  5. Follow steps 3 to 6 in Create or edit a mapping.

Run a reconciliation

Before you perform the following steps, to ensure you synchronize all information for the identity, map all relevant object properties with the identity.

  1. On the Reconciliation > Reconcile tab, click the ellipsis (…​) to the right of a mapping.

  2. Click Reconcile Identity.

  3. Verify the information on the page, and click Reconcile Identity.

  4. After the reconciliation process is complete, click Done.

View a report about the last reconciliation

You can view information about the last reconciliation, such as:

  • The percent of all accounts successfully reconciled.

  • Information about each reconciled account: mapping source, mapping target, attempted action, and the result of the reconciliation.

Before you perform the following steps, make sure you run reconciliation.

  1. On the Reconciliation > Settings tab, click Show advanced settings.

  2. To view a searchable table report of the last reconciliation results, set Persist Associations to true.

    • If set to true, the UI displays a reconciliation report table and a search field that lets you search the table. The table displays below the reconciliation percentage graphic and percentage bars.

    • If set to false, the UI does not display a reconciliation report table.
      To filter the report results, enter text in the Search users field.
      To view different subsets of the report (1-to-1 match / no match), click View and select an item from the drop-down list.

For large reconciliations jobs:
To avoid performance issues, ForgeRock recommends that you leave Persist Associations set to false.

Manage reconciliation schedules

The Schedules section of the Reconciliation > Settings tab lets you view and schedule reconciliation events for accounts or groups/organizations that have access to your application.

You can schedule two types of reconciliation:

  • Full Reconciliation: A process that completely synchronizes the source and target. This process usually happens once a week on a weekend or once a month but at longer intervals. The long intervals are because the synchronization process is very labor-intensive and can take a large amount of time depending on the reconciliation data.

  • Incremental Reconciliation: Also referred to as liveSync, incremental reconciliation is a process that only synchronizes the deltas between the source and target. You can run incremental reconciliation every few minutes to get new updates. For example, if you run an incremental reconciliation at 12:55 PM, then again at 2:00 PM, Advanced Identity Cloud admin UI only looks at the timeframe in between to update, create, or delete data if anything changes in the source or target. Depending on the application, a timestamp or change number is used to synchronize the delta.

You can edit existing schedules and activate or deactivate them.

Set up a full or incremental reconciliation schedule

The initial state of a schedule is inactive.

  1. On the Reconciliation > Settings tab, navigate to the Schedules section.

  2. Click an inactive schedule: Full Reconciliation or Incremental Reconciliation.

  3. Choose one of the following ways to edit the schedule:

    • Edit the fields on the Set up page and click Save Schedule.

    • To use a text editor to edit the schedule:

      1. Enable the Use cron toggle.

      2. Enter a valid cron string in the Frequency field.

      3. Click Save Schedule.

Deactivate a schedule

  1. On the Reconciliation > Settings tab, navigate to the Schedules section.

  2. Click an active schedule.

  3. Click Deactivate Schedule.

Manage reconciliation rules

You use rules to define the actions you want Advanced Identity Cloud to perform when certain events occur during reconciliation. For example, if reconciliation detects that an identity object exists in Advanced Identity Cloud but not in the target application, Advanced Identity Cloud creates an identity object in the target application and links it to a source object in Advanced Identity Cloud if both of the following are true:

  • Reconciliation detects that the identity object exists in Advanced Identity Cloud but not in the target application.

  • You select Advanced Identity Cloud to take the action CREATE.

Each rule has an action. Advanced Identity Cloud performs the action when a rule triggers an action to be performed on a record. Advanced Identity Cloud evaluates each record. When an event meets a rule condition, Advanced Identity Cloud performs the action you have defined for that rule.

The Situation Rules section of the Reconciliation > Settings tab displays the name and action of the rules for your application.

Situation (application) rules

Situation rule Description

Ambiguous

The source identity object matches multiple target identity objects based on the defined unique attribute. There must be a one-to-one link between a source and target identity object. can’t accurately make this link due to ambiguity.

Source Missing

For authoritative apps only.

The target identity object links to a missing source. This usually means the source identity object was deleted.

Missing

The source links to a missing target identity object. This usually means the target identity object was deleted.

Found Already Linked

The target identity object is linked to an old source object, usually deleted, and can’t be linked to the new source identity object. This usually the source identity object was deleted and tried to recreate the source object. On reconciliation, Advanced Identity Cloud identified that it already found a source and target identity object linked. For more information on Found Already Linked, refer to the knowledge base article How do I resolve the Found Already Linked situation in Advanced Identity Cloud?.

Unassigned

The reconciliation finds a valid target identity object with no link established. This usually means another reconciliation needs to happen to establish a link (if you set the action to Link).

Unqualified

The source identity object doesn’t qualify, but target identity objects were found.

Link Only

A link is found, but the target identity object is missing. Advanced Identity Cloud had a matching source and target with a link but can no longer find the target identity object.

Confirmed

The ideal situation for a record. The source and target identity objects both exist and a valid link between the two are present. This means the source and target both have a unique identifier that can only match one-to-one, and Advanced Identity Cloud established a link between the two.

Found

A valid source and target identity object match, but there is no link between the two. On a following reconciliation, Advanced Identity Cloud creates a link and the record moves from Found to the Confirmed rule.

Absent

The source identity object doesn’t find a target identity object. This usually means a new record was created on the source, and typically, the action is Create. This creates a target identity object and links the source and target identity object.

Rule action types

When a reconciliation determines the situation of a record, you must specify the action to be taken. There can only be one action per situation rule.

Action Description

Async

An asynchronous process has started. Don’t perform any action or generate any report.

Create

Create a target identity object and link the source and target.

Delete

Delete the target identity object and unlink the source and target.

Exception

Flag the link situation as an exception and log the incident.

Ignore

Don’t change the link or target object state.

Link

Create a link between the source and the correlated target identity object.

No Report

Don’t perform any action or generate any report.

Onboard

Onboard the account and link the correlated target object.

Report

Don’t perform any action but report what would happen if the default action were performed.

Unlink

Unlink the linked target from the source.

Update

Update the target identity object and create a link between source and target.

Configure basic and advanced correlation between accounts

You can correlate the user accounts in an application to user accounts in Advanced Identity Cloud admin UI. This correlation is important because account attributes in the application may have different names than account attributes in Advanced Identity Cloud admin UI.

The Account Correlation section of the Reconciliation > Settings tab lets you choose the attribute(s) to use to match users in your application to users in Advanced Identity Cloud admin UI.

  1. On the Reconciliation > Settings tab, navigate to the Account Correlation section.

  2. Click Match using.

  3. In the Attribute(s) to Match drop-down list, choose the attribute(s) to use to match users in the target system to users in Advanced Identity Cloud admin UI.

  4. To use a query to set or edit match attributes, click Use advanced query.

    • For an authoritative application:

      1. Choose to correlate a user if any or all attributes are matched.

      2. Use the User property field to set the user property(s) to match.

    • For a target application:

      1. Edit the correlation query script.

  5. Click Save.

Manage reconciliation events

Event hooks allow you to set an action that occurs when a specific event happens.

The Event Hooks section of the Reconciliation > Settings tab lets you view and define event hooks for reconciliation events.

Add an event hook

  1. On the Reconciliation > Settings tab, navigate to the Event Hooks section.

  2. To the right of an event hook, click + Add.

  3. Edit the script for the event hook.

  4. Click Save or Save and Close.

Restrict reconciliation to specific identities

  1. On the Reconciliation > Settings tab, click Show advanced settings.

  2. Configure the following settings:

    • To restrict reconciliation to specific identities in an application by defining an explicit source query:

      1. Enable Filter Source.

      2. Choose to filter the source if Any or All conditions are met.

      3. Use the remaining fields to define the explicit source query. You can define the query using all the properties available in the target system.

    • To restrict reconciliation to specific identities in Advanced Identity Cloud by defining an explicit target query:

      1. Enable Filter Target.

      2. Choose to filter the target if Any or All conditions are met.

      3. Use the remaining fields to define the explicit target query. You can define the query using all the properties available in Advanced Identity Cloud.

    • To filter the application identities that are included in reconciliation using a script:

      1. Enable Valid Source Script.

      2. Edit the script.

    • To view a searchable table report of the last reconciliation results, set Persist Associations to true. For more information, refer to View a report about the last reconciliation.

    • To filter the Advanced Identity Cloud admin UI identities that are included in reconciliation using a script:

      1. Enable Valid Target Script.

      2. Edit the script.

    • To allow correlation of source objects to empty target objects, enable Correlate empty target objects.

    • To prefetch each link in the database before processing each source or target object, enable Prefetch Links.

    • To allow reconciliations from an empty source to delete all data in a target resource, enable Allow reconciliations from an Empty Source.

    • To tune performance by adjusting the number of concurrent threads dedicated to reconciliation, in the Threads Per Reconciliation field, enter the number of concurrent threads.

    • To set the synchronization token used for incremental inbound reconciliation, enter a value in the Sync Token field.

  3. Click Save.

Reset the last reconciliation job

You may need to reset the last reconciliation job if it failed or if it made a change you want to revert; for example, if the last reconciliation job added a new application user.

To reset the last reconciliation job, you must reset the sync token attribute. The sync token attribute stores the value of the last incremental reconciliation job that synced data inbound from a target system to Advanced Identity Cloud.

  1. In your target system, get or create the reset value for the sync token attribute. To understand how to do this, refer to the documentation provided by the vendor of your target system.

  2. In Advanced Identity Cloud admin UI, navigate to Applications > Provisioning > Reconciliation.

  3. Click the Settings tab.

  4. Scroll down and click Show advanced settings.

  5. In the Sync Token text field, enter a new value for the sync token attribute.

  6. Click Save.