---
title: Provision data between Advanced Identity Cloud and PingDirectory
description: "Estimated time to complete: 1 hour."
component: pingoneaic
page_id: pingoneaic:use-cases:use-case-idc-with-ping-directory
canonical_url: https://docs.pingidentity.com/pingoneaic/use-cases/use-case-idc-with-ping-directory.html
keywords: ["Use Case", "PingDirectory"]
section_ids:
  idc-ping-directory-use-case-name-description: Description
  idc-ping-directory-goals: Goals
  idc-ping-directory-prereqs: Prerequisites
  idc-ping-directory-tasks: Tasks
  task_1_download_remote_server: "Task 1: Download remote server"
  ping-directory-rcs-register-remote-server: Register a remote server
  ping-directory-rcs-reset-client-secret: Reset the client secret and download remote server
  ping-directory-rcs-configure-remote-server: "Task 2: Configure the remote server"
  create-auth-ping-directory-app: "Task 3: Create authoritative LDAP app to provision users from PingDirectory server"
  auth-ping-directory-app-map-attr: "Task 4: Map attributes from the PingDirectory server to Advanced Identity Cloud"
  idc-ping-directory-task-4-correlate-attributes: Correlate user attributes
  create-target-ping-directory-app: "Task 5: Create target LDAP app to provision users to PingDirectory server from Advanced Identity Cloud"
  task-6-map-attributes: "Task 6: Map attributes from Advanced Identity Cloud to the PingDirectory server"
  auth-ping-directory-app-situations-actions: "Task 7: Configure situations and actions for both apps"
  idc-ping-directory-validation: Validation
  idc-ping-directory-validation-provision-from-ping-directory: Provision user from the PingDirectory server
  idc-ping-directory-validation-provision-to-ping-directory: Provision a user to the PingDirectory server
  idc-ping-directory-video-validation: Video of validation
  idc-ping-directory-explore-further: Explore further
  idc-ping-directory-reference-material: Reference material
---

# Provision data between Advanced Identity Cloud and PingDirectory

## Description

Estimated time to complete: 1 hour *(tooltip: This assumes you have completed the prerequisites beforehand.)*.

In this use case, you configure two apps in PingOne Advanced Identity Cloud to provision data to and from PingDirectory using the LDAP app template via a remote connector server (RCS).

### Goals

After completing this use case, you will know how to do the following:

* Create an authoritative app to provision data to Advanced Identity Cloud.

* Create a target app to provision data from Advanced Identity Cloud.

* Let Advanced Identity Cloud communicate with an on-premise external data store, a PingDirectory server, by installing a remote connector server (RCS), also referred to as a remote server, and using an LDAP connector.

* Map attributes between Advanced Identity Cloud and an external data source.

* Determine the actions Advanced Identity Cloud takes with synchronization situations.

## Prerequisites

Before you start work on this use case, ensure you have these prerequisites:

* A basic understanding of:

  * [The `managed/alpha_user` object schema](../identities/identity-cloud-identity-schema.html)

  * [App templates](../app-management/applications.html)

  * [PingOne Open Connector Framework (ICF)](https://docs.pingidentity.com/openicf/connector-reference/openidm-openicf.html)

  * [Advanced Identity Cloud remote connector servers (RCS)](../connectors/connectors.html#remote_connectors)

  * [Provisioning-related concepts in app management](../app-management/provision-an-application.html):

    * Mappings

    * Reconciliation

    * Synchronization

    * Synchronization situations and actions

* Access to your development environment as an administrator with test data.

* A test user to provision to the PingDirectory server.

* A test user in Advanced Identity Cloud to serve as the app owner for the created apps.

* [PingDirectory](https://docs.pingidentity.com/pingdirectory/latest/pd_ds_intro_pindirectory_server.html) installed on a server with test data. PingDirectory connects to Advanced Identity Cloud using a remote connector server. The server must be able to communicate with the PingDirectory server.

## Tasks

|   |                                                                                                                                                              |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|   | The following tasks assume you have access to a server with PingDirectory installed. Substitute your own environment and PingDirectory details as necessary. |

### Task 1: Download remote server

Advanced Identity Cloud uses a remote server to connect to on-premise external data stores. The remote server contains bundled connectors.

#### Register a remote server

1. Log in to the Advanced Identity Cloud admin console as an administrator.

2. In the left menu pane, go to Identities > Connect and click + New Connector Server.

3. In the New Connector Server dialog box, provide the following:

   Name — This name displays in the Connector Servers list.\
   Use only lowercase letters and numerals. Underscores and hyphens are the only special characters allowed. In this case, enter `ping-directory`.

4. Click Save. This creates an OAuth2 client.

|   |                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | When the remote server is successfully registered, links display the next steps. Be sure to open each link in a different window or tab, so you always have access to the Next Steps dialog box. These steps are listed in the following sections. ![The next steps page after registering a remote server in Advanced Identity Cloud](_images/sync-onprem-data-store/use-case-sync-on-prem-data-store-register-server-next-steps.png) |

#### Reset the client secret and download remote server

1. Under the Client Credentials box, next to the Client Secret field, click Reset.

2. In the Reset Client Secret dialog box, enter any string to serve as a password.

3. Read the warning, and then click Save.

4. Go to Identities > Connect, and click ping-directory.

5. Under the Quick Start box, click the Download a connector server link. You're redirected to the [IDM Cloud Connectors](https://backstage.pingidentity.com/downloads/browse/idm/featured/connectors) download page.

   * Log in to Backstage.

   * Download the remote server to the host that runs the connector server.

     We recommend you use the Java version of RCS. Only download the .NET version if you need to use a PowerShell connector. Learn more about the differences between the RCS types in [Install a Remote Connector Server (RCS)](https://docs.pingidentity.com/openicf/connector-reference/remote-connector.html#install-connector-server).

     |   |                                                                                                                                                                                                                                                |
     | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
     |   | You can run the connector server on the same host as the external data source or you can run it on a different host. For example, you could download the remote server to a different server that has connectivity to the external data source. |

### Task 2: Configure the remote server

1. On the server where you downloaded RCS, unpack the remote server you downloaded in task 1.

2. On the remote server, open `ConnectorServer.properties`. This file includes the configurations to connect to your Advanced Identity Cloud tenant.

   The path to this file may differ depending on the version and type of remote server you download.

3. The remote server (OAuth2 client) uses the Client Credentials grant type. To add the OAuth2 client credentials, operational, and security settings, specify the following values in `ConnectorServer.properties`:

   |   |                                                                                                                                                                    |
   | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
   |   | The default values in ConnectorServer.properties serve as starting configurations for your remote server. Adjust the properties to the needs of your organization. |

   > **Collapse: ConnectorServer.properties**
   >
   > | Field                                    | Value                                                                                                                                                                                                                                                           | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
   > | ---------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   > | `connectorserver.url`                    | Uncomment and update to `connectorserver.url=wss://<tenant-env-fqdn>/openicf/0`. | This is the Advanced Identity Cloud OpenICF *(tooltip: The framework Ping Identity uses for connecting to external resources, such as LDAP or AD.)* endpoint. In sandbox or development environments, use only one URL. Example: `connectorserver.url=wss://<tenant-env-fqdn>/openicf/0`. In staging and production environments, use three URLs in a space-delimited list. For example: `connectorserver.url=wss://<tenant-env-fqdn>/openicf/0 wss://<tenant-env-fqdn>/openicf/1 wss://<tenant-env-fqdn>/openicf/2`. |
   > | `connectorserver.connectorServerName`    | The name of the remote server in Advanced Identity Cloud to connect to. Uncomment and enter the name of the remote server (OAuth2 client) you created in [task 1](#register_a_remote_server). For example, `connectorserver.connectorServerName=ping-directory`. | The name of the remote server (OAuth2 client) in Advanced Identity Cloud to connect to. |
   > | `connectorserver.pingPongInterval`       | Uncomment and don't modify.                                                                                                                                                                                                                                     | The WebSocket Ping/Pong interval, in seconds. The default is `60` seconds.                                                                                                                                                                                                                                                                                                                                                                                                                                              |
   > | `connectorserver.housekeepingInterval`   | Uncomment and don't modify.                                                                                                                                                                                                                                     | The WebSocket connections housekeeping interval, in seconds. The default is `20` seconds.                                                                                                                                                                                                                                                                                                                                                                                                                               |
   > | `connectorserver.groupCheckInterval`     | Uncomment and don't modify. | The WebSocket groups check interval, in seconds. The default is `60` seconds. |
   > | `connectorserver.webSocketConnections`   | Uncomment and don't modify.                                                                                                                                                                                                                                     | Specifies the number of sockets the connector server establishes and maintains to each Advanced Identity Cloud (IDM) backend instance. The default is `3`.                                                                                                                                                                                                                                                                                                                                                              |
   > | `connectorserver.connectionTtl`          | Uncomment and don't modify.                                                                                                                                                                                                                                     | The WebSocket connection's time to live (ttl), in seconds. The default is `300` seconds.                                                                                                                                                                                                                                                                                                                                                                                                                                |
   > | `connectorserver.newConnectionsInterval` | Uncomment and don't modify.                                                                                                                                                                                                                                     | The time between new connections, in seconds. The default is `10` seconds.                                                                                                                                                                                                                                                                                                                                                                                                                                              |
   > | `connectorserver.tokenEndpoint`          | Uncomment and update to `connectorserver.tokenEndpoint=https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/access_token`.                                                                                                                              | The token endpoint to retrieve the access token.                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
   > | `connectorserver.clientId`               | Update to `connectorserver.clientId=RCSClient`.                                                                                                                                                                                                                 | When you create a remote server in Advanced Identity Cloud, Advanced Identity Cloud sets the `clientId` to `RCSClient`.                                                                                                                                                                                                                                                                                                                                                                                                 |
   > | `connectorserver.clientSecret`           | Update to `connectorserver.clientSecret=client-secret`. Enter the client secret you [reset](#rcs-reset-client-secret). | The client secret for the OAuth2 client. |
   > | `connectorserver.scope`                  | Uncomment and update to `connectorserver.scope=fr:idm:*`.                                                                                                                                                                                                       | The OAuth2 token scope. The scope `fr:idm:*` gives access to `/openidm/*` (identity-related) API endpoints.                                                                                                                                                                                                                                                                                                                                                                                                             |
   > | `connectorserver.loggerClass`            | Don't modify. Ensure the key/value pair is `connectorserver.loggerClass=org.forgerock.openicf.common.logging.slf4j.SLF4JLog`.                                                                                                                                   | The logging class the remote server uses.                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
   >
   > |   |                                                                                                                                                                     |
   > | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   > |   | You don't need to set the `connectorserver.usessl` property; the remote server determines connection security from the value of the `connectorserver.url` property. |

4. Save the file.

5. Start the remote server from the openicf-zip-\<version>\openicf directory by running one of the following commands:

   * Windows

     ```dos
     bin\ConnectorServer.bat /run
     ```

     If the server starts successfully, the following (or similar) displays: `RCS <version> started`.

   * Linux

     ```bash
     bin/ConnectorServer.sh /run
     ```

     If the server starts successfully, the following (or similar) displays: `RCS 1.5.20.15 started`.

   |   |                                                                                                                                |
   | - | ------------------------------------------------------------------------------------------------------------------------------ |
   |   | This starts the remote server for the *terminal session only*. Consider creating a job to start or stop your remote server(s). |

6. To verify that the connection between Advanced Identity Cloud and the remote server is successful, in the Advanced Identity Cloud admin console, navigate to Identities > Connect.

   The Status column of the remote server, in this case, `ping-directory`, displays Connected.

   |   |                                                                                                                                                                                                                   |
   | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | If the status is `Waiting to connect…`, make sure the server where the remote server resides is connected to Advanced Identity Cloud. Verify the properties you set in `ConnectorServer.properties` are correct. |

   |   |                                                                                                                                                                                                                                                                           |
   | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | To view the connectors bundled with RCS, select the connected remote server in Advanced Identity Cloud and click the Connectors tab. Learn more about each connector in the [Connector reference](https://docs.pingidentity.com/openicf/connector-reference/preface.html). |
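
A pre-start check for the values in the `ConnectorServer.properties` table above, as an added example that is not part of the Ping Identity documentation or product. The host `tenant.example.com`, the sample files, the simplified parser, the rule that both endpoints share one host (the page uses the same `<tenant-env-fqdn>` placeholder for both), and the file-permission check are assumptions of this example.

```python
import os
import re
import stat
from urllib.parse import urlsplit

P = "connectorserver."
REQUIRED = ("url", "connectorServerName", "tokenEndpoint",
            "clientId", "clientSecret", "scope")

# Constructed sample files (not real tenant data or secrets).
GOOD = """\
connectorserver.url=wss://tenant.example.com/openicf/0
connectorserver.connectorServerName=ping-directory
connectorserver.tokenEndpoint=https://tenant.example.com/am/oauth2/realms/root/realms/alpha/access_token
connectorserver.clientId=RCSClient
connectorserver.clientSecret=constructed-not-a-real-secret
connectorserver.scope=fr:idm:*
"""
BAD = """\
connectorserver.url=ws://tenant.example.com/openicf/0
connectorserver.connectorServerName=Ping Directory
connectorserver.tokenEndpoint=https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/access_token
connectorserver.clientId=RCSClient
connectorserver.clientSecret=client-secret
#connectorserver.scope=fr:idm:*
"""


def parse_properties(text):
    """Return active key=value pairs. Simplified: '=' separator only, no line continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue  # blank line, comment (still commented-out setting), or not a pair
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def lint(props, production=False):
    """Return a list of (property, problem) tuples; an empty list means no findings."""
    out = []
    val = {name: props.get(P + name, "") for name in REQUIRED}
    for name in REQUIRED:
        if not val[name]:
            out.append((name, "missing or still commented out"))
        elif re.search(r"<[^>]+>", val[name]):
            out.append((name, "documentation placeholder left in value"))

    # The page notes that connection security is derived from the URL scheme.
    urls, hosts = val["url"].split(), set()
    for u in urls:
        parts = urlsplit(u)
        hosts.add(parts.hostname)
        if parts.scheme != "wss":
            out.append(("url", f"{u}: scheme is not wss, so this is not a TLS WebSocket"))
        if not re.fullmatch(r"/openicf/\d+", parts.path):
            out.append(("url", f"{u}: path is not /openicf/<n>"))
    want = 3 if production else 1  # one URL in sandbox/dev, three in staging/production
    if urls and len(urls) != want:
        out.append(("url", f"expected {want} URL(s) for this environment, found {len(urls)}"))

    if val["tokenEndpoint"]:
        tok = urlsplit(val["tokenEndpoint"])
        if tok.scheme != "https":
            out.append(("tokenEndpoint", "client secret would be sent without TLS"))
        if hosts and tok.hostname not in hosts:  # assumption: same tenant FQDN for both
            out.append(("tokenEndpoint", "host differs from connectorserver.url"))
    name = val["connectorServerName"]
    if name and not re.fullmatch(r"[a-z0-9_-]+", name):
        out.append(("connectorServerName", "only lowercase letters, numerals, _ and - are allowed"))
    if val["clientId"] and val["clientId"] != "RCSClient":
        out.append(("clientId", "the page sets clientId to RCSClient"))
    if val["clientSecret"] == "client-secret":
        out.append(("clientSecret", "still the literal example value, not the reset secret"))
    if val["scope"] and val["scope"] != "fr:idm:*":
        out.append(("scope", "the page sets scope to fr:idm:*"))
    return out


def secret_file_exposed(path):
    """True if group or other can read the file that holds clientSecret (POSIX modes)."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))


if __name__ == "__main__":
    for prop, problem in lint(parse_properties(BAD)):
        print(f"{P}{prop}: {problem}")
```

Run it against the real file before starting the remote server, and pass `production=True` for staging and production tenants.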

Check in

At this point, you:

|                                                                                                                                                                                                                                |                                                                                                                                                                                            |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| [Registered](#ping-directory-rcs-register-remote-server) the remote server and [reset](#ping-directory-rcs-reset-client-secret) the client secret in Advanced Identity Cloud. | [Downloaded and installed](#ping-directory-rcs-reset-client-secret) the remote server on the same server (or a server with connectivity) to the PingDirectory server. |
| [Configured](#rcs-configure-remote-server) the remote server `ConnectorServer.properties` file to specify settings, namely, the connection details between the remote server and Advanced Identity Cloud. |  |

### Task 3: Create authoritative LDAP app to provision users from PingDirectory server

In Advanced Identity Cloud, you create one app to provision data from an external data source and another app to provision data from Advanced Identity Cloud. In both situations, you use RCS to facilitate the connection between the two.

This task configures an authoritative app to provision data from PingDirectory to Advanced Identity Cloud.

1. From the Advanced Identity Cloud admin console, go to Applications and click Browse App Catalog.

2. In the Filter apps search box, enter and select `LDAP`.

3. Click Next.

4. Click Next again.

5. Enter the following details:

   | Field         | Value                                                                                           | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
   | ------------- | ----------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | Name          | Enter `PingDirectory - Authoritative`.                                                          | N/A                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
   | Description   | Enter `This app is to provision data from the PingDirectory server to Advanced Identity Cloud.` | Optional. The purpose of the app.                                                                                                                                                                                                                                                                                                                                                                                                                                           |
   | Owners        | Select the test user you created in Advanced Identity Cloud to be the app owner.                | Every app has an owner. The owner is responsible for the app, including the details and the users and roles who have access to the app.                                                                                                                                                                                                                                                                                                                                     |
   | App Logo URI  | Don't modify.                                                                                   | The location of the app logo.                                                                                                                                                                                                                                                                                                                                                                                                                                               |
   | Authoritative | Enable.                                                                                         | If you want the app to be authoritative *(tooltip: Create and manage user accounts in an authoritative app. Authoritative apps act as a source of identities and do not allow management of users and roles.)*, enable this field. When enabled, synchronization can only happen from the app to Advanced Identity Cloud, and Advanced Identity Cloud can't push changes to the app. If you don't enable this field, Advanced Identity Cloud can provision data to the app. |

6. Click Create App. Advanced Identity Cloud redirects you to the newly created app.

7. Enter the connection details for the app by going to the Provisioning tab and clicking Set up Provisioning.

8. Enter the following details:

   | Field            | Value                                                                                                                                                       | Description                                                                                                                                                                                                                                                                                                                                                                                              |
   | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | Host Name or IP  | Enter the host name or IP of the server where you installed the remote server. If entering the IP address leads to a connection failure, try the host name. | N/A                                                                                                                                                                                                                                                                                                                                                                                                      |
   | Port             | Enter the port to connect to the PingDirectory server. For example, `389`. In a production scenario, use a common secure port, such as `1636`.              | The server must be actively waiting for inbound requests on this port, and firewall policies must be in place to allow Advanced Identity Cloud to connect to the server via this port. Learn more about the port the server is listening on in [Configuring connection handlers](https://docs.pingidentity.com/pingdirectory/latest/pingdirectory_security_guide/pd_sec_config_connection_handlers.html). |
   | Use SSL          | Disable                                                                                                                                                     | Enabled by default. In a production scenario, enable.                                                                                                                                                                                                                                                                                                                                                    |
   | Login Account DN | Enter the name of the administrator service account to connect to the server. For example, `cn=Directory Manager`.                                          | N/A                                                                                                                                                                                                                                                                                                                                                                                                      |
   | Password         | Enter the password of the administrator service account to connect to the server.                                                                           | N/A                                                                                                                                                                                                                                                                                                                                                                                                      |
   | Base DNs         | Enter base DNs that include your users and groups.                                                                                                          | For example, `DC=example,DC=com`.                                                                                                                                                                                                                                                                                                                                                                        |

   ![Connection settings for the authoritative PingDirectory app](_images/use-case-idc-ping-directory/ping-directory-auth-app-connect-app.png)

9. Click Connect. Advanced Identity Cloud uses the remote server that has connectivity to the PingDirectory server. On the Provisioning tab, the status Connected displays.

   |   |                                                                                                                                                                                                                                                                                                                                |
   | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
   |   | If you receive an error connecting to the PingDirectory server, ensure your connection details are correct. If the error persists, check the PingDirectory server [error log](https://docs.pingidentity.com/pingdirectory/latest/troubleshooting_the_pingdirectory_suite_of_products/pd_ds_dir_server_troubleshoot_info.html). |

10. On the Provisioning tab, click Data to confirm that you're reading data from PingDirectory.

    ![Advanced Identity Cloud connected to a PingDirectory server using the LDAP app template](_images/use-case-idc-ping-directory/ping-directory-target-app-confirm-data.png)

### Task 4: Map attributes from the PingDirectory server to Advanced Identity Cloud

Now that you've connected the PingDirectory server to Advanced Identity Cloud, you must map and correlate the attributes between the two:

|   |                                                                                                                                                                                                        |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|   | Because of hashing compatibility and because organizations typically have a phased approach to [migrating passwords](use-case-pass-through-auth.html), this use case doesn't map or migrate passwords. |

1. In the PingDirectory - Authoritative app, click Mappings > [icon: add, set=material, size=inline] Add a property.

2. In the Ping Identity Property field, select `userName`.

3. Click Next.

4. In the PingDirectory - Authoritative Property field, select `source.uid`.

5. Click Save.

6. Repeat steps 2 - 5 for the following fields:

   | Ping Identity property | PingDirectory property |
   | ---------------------- | ---------------------- |
   | `mail`                 | `source.mail`          |
   | `givenName`            | `source.givenName`     |
   | `sn`                   | `source.sn`            |

   |   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
   | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | When you create a mapping, you must specify the attributes required by the Advanced Identity Cloud managed object, which is the `alpha_user` managed object in this use case. Otherwise, you'll experience an error during object creation. In a default Advanced Identity Cloud tenant, the required properties are `userName`, `givenName`, `sn`, and `mail`. Learn more in [property definition fields](../idm-objects/creating-modifying-managed-objects.html#managed-objects-property-def-fields). |

#### Correlate user attributes

Now that you've mapped attributes from PingDirectory to Advanced Identity Cloud, ensure that you also correlate user attributes between the PingDirectory Authoritative app and Advanced Identity Cloud. Correlation ensures user account updates match between Advanced Identity Cloud and the application. In this use case, correlation would apply to the `userName` attribute.

The Account Correlation section of the Reconciliation > Settings tab lets you choose the attributes to use to match users in the PingDirectory Authoritative app to users in the Advanced Identity Cloud admin console:

1. On the Reconciliation > Settings tab, navigate to the Account Correlation section.

2. Click Match using.

3. In the Attribute(s) to Match dropdown list, choose the attributes to use to match users in the PingDirectory Authoritative app to users in the Advanced Identity Cloud admin console.

4. To use a query to set or edit match attributes, click Use advanced query.

   * For an authoritative application:

     1. Choose to correlate a user if any or all attributes are matched.

     2. Use the User property field to set the user property to match.

   * For a target application:

     * Edit the correlation query script.

5. Click Save.

Learn more about correlating user attributes in [Configure basic and advanced correlation between accounts](../app-management/provision-an-application.html#provision-app-account-correlation).

Check in

At this point, you:

|                                                                                                                                                                                                                                                    |                                                                                                                                                                                             |
| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [icon: check, set=fa][Registered](#ping-directory-rcs-register-remote-server) the remote server and [reset](#ping-directory-rcs-reset-client-secret) the client secret in Advanced Identity Cloud.                                                 | [icon: check, set=fa][Downloaded and installed](#ping-directory-rcs-reset-client-secret) the remote server on the same server or on a server with connectivity to the PingDirectory server. |
| [icon: check, set=fa][Configured](#ping-directory-rcs-configure-remote-server) the remote server `ConnectorServer.properties` file to specify settings, specifically the connection details between the remote server and Advanced Identity Cloud. | [icon: check, set=fa][Created](#create-auth-ping-directory-app) an authoritative LDAP app to provision data from PingDirectory to Advanced Identity Cloud.                                  |
| [icon: check, set=fa][Mapped](#auth-ping-directory-app-map-attr) attributes from the PingDirectory server to Advanced Identity Cloud.                                                                                                              | [icon: check, set=fa][Correlated](#idc-ping-directory-task-4-correlate-attributes) user accounts between the PingDirectory - Authoritative app and Advanced Identity Cloud.                 |

### Task 5: Create target LDAP app to provision users to PingDirectory server from Advanced Identity Cloud

In the previous task, you created an authoritative app and connected the PingDirectory server to Advanced Identity Cloud to prepare to provision data into Advanced Identity Cloud.

In this task, you create an app to provision data *from* Advanced Identity Cloud to the PingDirectory server.

1. From the Advanced Identity Cloud admin console, go to Applications and click [icon: grid_view, set=material, size=inline] Browse App Catalog.

2. In the Filter apps search box, enter and select `LDAP`.

3. Click Next.

4. Click Next again.

5. Enter the following details:

   | Field         | Value                                                                                           | Description                                                                                                                                                                                                                             |
   | ------------- | ----------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | Name          | Enter `PingDirectory - Target`.                                                                 | N/A                                                                                                                                                                                                                                     |
   | Description   | Enter `This app is to provision data from Advanced Identity Cloud TO the PingDirectory server.` | Optional. The purpose of the app.                                                                                                                                                                                                       |
   | Owners        | Select the test user you created in Advanced Identity Cloud to be the app owner.                | Every app has an owner. The owner is responsible for the app, including the details and the users and roles who have access to the app.                                                                                                 |
   | App Logo URI  | Don't modify.                                                                                   | The location of the app logo.                                                                                                                                                                                                           |
   | Authoritative | *Don't* enable.                                                                                 | When enabled, synchronization can only happen from the app to Advanced Identity Cloud and Advanced Identity Cloud can't push changes to the app. If you don't enable this field, Advanced Identity Cloud can provision data to the app. |

6. Click Create App. Advanced Identity Cloud redirects you to the newly created app.

7. Enter the connection details for the app by going to the Provisioning tab and clicking Set up Provisioning.

8. Enter the following details:

   | Field            | Value                                                                                                                                                       | Description                                                                                                                                                                                                                                                                                                                                                   |
   | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | Host Name or IP  | Enter the host name or IP of the server where you installed the remote server. If entering the IP address leads to a connection failure, try the host name. | N/A                                                                                                                                                                                                                                                                                                                                                           |
   | Port             | Enter the port to connect to the PingDirectory server. For example, `389`. In a production scenario, use a common secure port, such as `1636`.              | The server must be actively waiting for inbound requests on this port and firewall policies must be in place to allow Advanced Identity Cloud to connect to the server via this port. Learn more in [Configuring connection handlers](https://docs.pingidentity.com/pingdirectory/latest/pingdirectory_security_guide/pd_sec_config_connection_handlers.html). |
   | Use SSL          | Disable                                                                                                                                                     | Enabled by default. In a production scenario, enable.                                                                                                                                                                                                                                                                                                         |
   | Login Account DN | Enter the name of the administrator service account to connect to the server. For example, `cn=Directory Manager`.                                          | N/A                                                                                                                                                                                                                                                                                                                                                           |
   | Password         | Enter the password of the administrator service account to connect to the server.                                                                           | N/A                                                                                                                                                                                                                                                                                                                                                           |
   | Base DNs         | Enter base DNs that include your users and groups.                                                                                                          | For example, `DC=example,DC=com`.                                                                                                                                                                                                                                                                                                                             |

   ![Connection settings for the target PingDirectory server](_images/use-case-idc-ping-directory/ping-directory-target-app-connect-app.png)

9. Click Connect. Advanced Identity Cloud uses the remote server that has connectivity to the PingDirectory server. On the Provisioning tab, the status Connected displays.

   |   |                                                                                                                                                                                                                                                                                                                                 |
   | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | If you receive an error connecting to the PingDirectory server, ensure your connection details are correct. If the error persists, check the PingDirectory server [error log](https://docs.pingidentity.com/pingdirectory/latest/troubleshooting_the_pingdirectory_suite_of_products/pd_ds_dir_server_troubleshoot_info.html).  |

10. On the Provisioning tab, click Data to confirm that you're reading data from PingDirectory.

    ![Advanced Identity Cloud connected to a PingDirectory server using the LDAP app template](_images/use-case-idc-ping-directory/ping-directory-target-app-confirm-data.png)

### Task 6: Map attributes from Advanced Identity Cloud to the PingDirectory server

By default, Advanced Identity Cloud maps attributes in the target app. However, you must add attributes to suit your specific needs. In this instance, you must add PingDirectory attributes.

1. From the `PingDirectory - Target` app, click Provisioning > Mapping > [icon: add, set=material, size=inline] Add a property.

2. In the PingDirectory - Target Property field, select `uid`.

3. Click Next.

4. In the Ping Identity Property field, select `source.userName`.

5. Click Save.

6. Again, click [icon: add, set=material, size=inline] Add a property.

7. In the PingDirectory - Target Property field, select `dn`.

8. In the Ping Identity Property field, select `source.userName`.

9. Enable Apply transformation script.

10. Transform the `dn` attribute to match your directory structure. For example, enter the following in the Transformation Script box:

    ```js
    "uid=" + source + ",ou=People,dc=example,dc=com"
    ```

11. Click Save.
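The transformation in step 10 concatenates the user name straight into the `dn`, so a `userName` containing a character with DN meaning (for example a comma) would change the structure of the resulting entry name. The following is an added example, not Ping Identity's code: it escapes the value according to RFC 4514 before building the DN. The helper names `escapeRdnValue` and `buildUserDn` are hypothetical, the suffix is the example one from step 10, and it assumes `source` holds the mapped `userName` string.

```javascript
// Added example: RFC 4514 escaping for the value placed in the uid RDN.
// escapeRdnValue and buildUserDn are hypothetical names, not product APIs.
// Written in plain ES5-style JavaScript so it does not rely on newer syntax.

var BASE_DN = "ou=People,dc=example,dc=com"; // example suffix from step 10

function escapeRdnValue(value) {
  if (typeof value !== "string" || value.length === 0) {
    // An empty uid would produce "uid=,ou=People,..." which is not a usable DN.
    throw new Error("userName must be a non-empty string");
  }
  var out = "";
  for (var i = 0; i < value.length; i++) {
    var ch = value.charAt(i);
    var isFirst = i === 0;
    var isLast = i === value.length - 1;
    if (ch === "\u0000") {
      out += "\\00";                       // NUL is written as a hex pair
    } else if ('"+,;<>\\'.indexOf(ch) !== -1) {
      out += "\\" + ch;                    // special anywhere in the value
    } else if (isFirst && (ch === " " || ch === "#")) {
      out += "\\" + ch;                    // special only in leading position
    } else if (isLast && ch === " ") {
      out += "\\" + ch;                    // special only in trailing position
    } else {
      out += ch;
    }
  }
  return out;
}

function buildUserDn(userName) {
  return "uid=" + escapeRdnValue(userName) + "," + BASE_DN;
}

// Constructed sample values (not taken from any real directory).
var SAMPLE_USER_NAMES = ["bjensen", "jensen,ou=Admins", "smith+cn=x", " padded "];

function sampleDns() {
  var result = [];
  for (var i = 0; i < SAMPLE_USER_NAMES.length; i++) {
    result.push(buildUserDn(SAMPLE_USER_NAMES[i]));
  }
  return result;
}
```

With the helpers defined, the step 10 expression becomes `buildUserDn(source)`; this assumes the script box evaluates to the value of its last expression, as the one-line example in step 10 does.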

### Task 7: Configure situations and actions for both apps

1. Select the PingDirectory - Authoritative app.

2. From the Provisioning tab, click Reconciliation > Settings.

3. Under the Situation Rules section, set the following actions for each situation:

   | Situation            | Action                                        |
   | -------------------- | --------------------------------------------- |
   | Ambiguous            | Select `Exception`.                           |
   | Source Missing       | *Authoritative apps only*. Select `Exception`. |
   | Missing              | Select `Create`.                              |
   | Found Already Linked | Select `Exception`.                           |
   | Unqualified          | Select `Delete`.                              |
   | Unassigned           | Select `Exception`.                           |
   | Link Only            | Select `Unlink`.                              |
   | Confirmed            | Select `Update`.                              |
   | Found                | Select `Update`.                              |
   | Absent               | Select `Create`.                              |

   For descriptions of the situations and actions, learn more in [Manage reconciliation rules](../app-management/provision-an-application.html#provision-app-recon-rules).

4. Repeat steps 2 and 3 for the PingDirectory - Target app.

Check in

At this point, you:

|                                                                                                                                                                                                                                |                                                                                                                                                                                            |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| [icon: check, set=fa][Registered](#ping-directory-rcs-register-remote-server) the remote server and [reset](#ping-directory-rcs-reset-client-secret) the client secret in Advanced Identity Cloud.                             | [icon: check, set=fa][Downloaded and installed](#ping-directory-rcs-reset-client-secret) the remote server on the same server or on a server with connectivity to the PingDirectory server. |
| [icon: check, set=fa][Configured](#ping-directory-rcs-configure-remote-server) the remote server `ConnectorServer.properties` file to specify settings, namely, the connection details between the remote server and Advanced Identity Cloud. | [icon: check, set=fa][Created](#create-auth-ping-directory-app) an authoritative LDAP app to provision data from PingDirectory to Advanced Identity Cloud.                                 |
| [icon: check, set=fa][Mapped](#auth-ping-directory-app-map-attr) attributes from the PingDirectory server to Advanced Identity Cloud.                                                                                          | [icon: check, set=fa][Created](#create-target-ping-directory-app) an LDAP app to provision data from Advanced Identity Cloud to the PingDirectory server.                                  |
| [icon: check, set=fa][Mapped](#task-6-map-attributes) attributes from Advanced Identity Cloud to the PingDirectory server.                                                                                                     | [icon: check, set=fa][Configured](#auth-ping-directory-app-situations-actions) the situations and actions for both apps.                                                                   |

## Validation

Validate provisioning data to and from Advanced Identity Cloud and the PingDirectory server by:

* [Provisioning](#idc-ping-directory-validation-provision-from-ping-directory) one user from PingDirectory into Advanced Identity Cloud.

* [Adding](#idc-ping-directory-validation-provision-to-ping-directory) a user to the PingDirectory - Target app.

### Provision user from the PingDirectory server

1. From the Advanced Identity Cloud admin console, click Applications > PingDirectory - Authoritative.

2. Click the Provisioning tab. To demonstrate provisioning a user into Advanced Identity Cloud, restrict the reconciliation to one user matching defined criteria.

3. Under Reconciliation > Settings, click Show advanced settings.

4. Enable the Filter Source checkbox (PingDirectory is the source) and fill out the following details:

   | Field                                                                                                                   | Value                                                                        |
   | ----------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------- |
   | Assign to PingDirectoryAuthoritative if *Any [icon: keyboard_arrow_down, set=material, size=inline]* conditions are met | Select `Any`.                                                                |
   | PingDirectoryAuthoritative properties [icon: keyboard_arrow_down, set=material, size=inline]                            | Select `uid`.                                                                |
   | contains [icon: keyboard_arrow_down, set=material, size=inline]                                                         | Select `is`.                                                                 |
   | Blank                                                                                                                   | Enter the uid of the user you want to pull in from the PingDirectory server. |

   ![Filter reconciliation to be a single user](_images/use-case-idc-ping-directory/validation-filter-source-recon.png)

5. Scroll down and click Save.

6. In the left tabs, click Reconciliation > Reconcile.

7. Click Reconcile Now. Monitor the progress of the reconciliation in the metrics that display. Since you are filtering to reconcile only one user, failures on the reconciled data are expected.

8. In the left menu pane, go to Identities > Manage > Alpha realm - Users and search for the user. The user successfully displays in Advanced Identity Cloud.

   |   |                                                                                                                                                                                                                   |
   | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | If the user doesn't display, check the following: the fields Advanced Identity Cloud requires to create an identity are present in the mapping, and the source filtering to reconcile only one record is correct. |

### Provision a user to the PingDirectory server

1. From the Advanced Identity Cloud admin console, click Applications > PingDirectory - Target.

2. Click the Users & Roles tab.

3. Click [icon: add, set=material, size=inline] Add Member.

4. Select a test user.

5. Click Next.

6. Review the account information.

7. Click Assign. The user is created in the PingDirectory server.

8. From the Provisioning tab, click Data.

9. The user successfully displays from the read-only view of the PingDirectory server data.

### Video of validation

The following video displays the expected validation for provisioning a user from a PingDirectory server to Advanced Identity Cloud and provisioning a user from Advanced Identity Cloud to a PingDirectory server.

**Video (Brightcove)**

<https://players.brightcove.net/771836189001/default_default/index.html?videoId=6345068124112>

## Explore further

### Reference material

| Reference                                                                                                                                                                       | Description                                                                                                                                                                                                                |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [Sync identities](../identities/sync-identities.html)                                                                                                                           | Register and connect a remote server with Advanced Identity Cloud.                                                                                                                                                         |
| [Introduction to the PingDirectory server](https://docs.pingidentity.com/pingdirectory/latest/pd_ds_intro_pindirectory_server.html)                                             | Learn about PingDirectory including system requirements, installation requirements, and loading sample data.                                                                                                               |
| [Register an application using app templates](../app-management/register-an-application.html)                                                                                   | Gain an in-depth understanding of registering an application using app templates.                                                                                                                                          |
| [LDAP provisioning](../app-management/provision-an-application.html#provision-ldap)                                                                                             | Learn how to connect an LDAP server to Advanced Identity Cloud.                                                                                                                                                            |
| [Add](../app-management/provision-an-application.html#provision-app-create-mapping) or [edit a mapping](../app-management/provision-an-application.html#provision-edit-mapping) | Learn how to add or edit mappings with application templates.                                                                                                                                                              |
| [Reconciliation rules](../app-management/provision-an-application.html#provision-app-recon-rules)                                                                               | Learn the various actions you can take on reconciliation situations. For example, if the situation is `ABSENT` (account not present or found), Advanced Identity Cloud can perform the `CREATE` action (create the object). |
| [Identity object fields](../idm-objects/creating-modifying-managed-objects.html#managed-objects-property-def-fields)                                                            | Understand identity object fields you can modify, such as setting a property as required or whether an end user can update the property in the hosted account pages.                                                       |
| [Synchronization types](../idm-synchronization/sync-types.html)                                                                                                                 | Understand the various synchronization types Advanced Identity Cloud uses to keep data consistent: reconciliation, liveSync, and implicit synchronization.                                                                 |
| [PingOne Open Connector Framework (ICF)](https://docs.pingidentity.com/openicf/index.html)                                                                                      | Learn more about connectors. This includes connectors bundled with RCS and connectors you can download and add to the remote server.                                                                                       |
