When configuring a one-way sync from PingOne to PingDirectory, you can enable PingDirectory to synchronize with the User.Locked or User.Unlocked status of a PingOne account. This synchronization reduces confusion for the administrator and enhances the security posture of the account. For example, if a PingOne account is locked due to multiple failed MFA attempts, it could be risky to leave the corresponding account fully functional.

A PingOne User.Locked event disables the destination entry in PingDirectory. A User.Unlocked event enables the destination entry.
To enable this synchronization, you must map two account status attributes from PingOne directly to the corresponding PingDirectory attributes. Because the PingDirectory attributes can't be written to directly, PingDataSync uses intermediate attributes to facilitate an extended operation.
The following table shows the relevant source, intermediate, and destination attributes for this mapping:
| PingOne attribute | Intermediate attribute | PingDirectory attribute |
|---|---|---|
| | | |
| | | |
Intermediate attributes only exist in memory on the PingDataSync server so that they can be consumed for attribute mappings. They don't exist in PingOne or on the PingDirectory server.
By default, the modifies-as-creates sync class property is set to false.

Active Directory attributes might not be synchronized as expected when all of the following are true:
- You are using the realtime-sync tool.
- The modifies-as-creates sync class property is set to true.
- A modification is detected on the source endpoint to a missing entry on the destination endpoint.
- The modification is to attributes other than the two PingOne attributes previously mentioned.

To avoid this, you can run the resync tool instead of the realtime-sync tool. Using resync will correctly copy all attributes. Learn more about the resync command.
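The following is an added example, not PingDataSync's own code, that models the two behaviours described on this page: a User.Locked or User.Unlocked event flipping the disabled state of the destination entry, and the difference between a realtime-sync modify on a missing destination entry (which carries only the changed attributes, so with modifies-as-creates set to true the created entry is incomplete) and a resync (which copies the full source entry). All function names, the DestinationEntry type, the EVENT_TO_DISABLED mapping and the sample entry are constructed for illustration and do not correspond to PingDataSync internals or to the intermediate attributes in the table above.

```python
from dataclasses import dataclass

# Constructed mapping from the two PingOne status events to the disabled state
# the destination entry should take (an assumption standing in for the
# intermediate attributes the page describes).
EVENT_TO_DISABLED = {"User.Locked": True, "User.Unlocked": False}


@dataclass
class DestinationEntry:
    """Minimal stand-in for a PingDirectory entry: ordinary attributes plus the
    enabled/disabled state that the lock events drive."""
    attributes: dict
    disabled: bool = False


def apply_status_event(destination, dn, event_type):
    """Disable or enable an existing destination entry for a PingOne lock event.
    Returns the entry's disabled state afterwards, or None if the event is not
    one of the two status events or the entry does not exist."""
    if event_type not in EVENT_TO_DISABLED or dn not in destination:
        return None
    destination[dn].disabled = EVENT_TO_DISABLED[event_type]
    return destination[dn].disabled


def realtime_modify(destination, dn, changed_attrs, modifies_as_creates=False):
    """Model a realtime-sync modify: only the changed attributes travel with the
    change. If the destination entry is missing, modifies-as-creates decides
    whether that partial attribute set becomes a new (incomplete) entry."""
    if dn in destination:
        destination[dn].attributes.update(changed_attrs)
        return "modified"
    if not modifies_as_creates:
        return "skipped"  # default (false): nothing is created
    destination[dn] = DestinationEntry(attributes=dict(changed_attrs))
    return "created-from-modify"


def resync_entry(source, destination, dn):
    """Model resync: the complete source entry is copied to the destination."""
    destination[dn] = DestinationEntry(attributes=dict(source[dn]))
    return sorted(destination[dn].attributes)


def missing_attributes(source, destination, dn):
    """Attributes present at the source but absent at the destination."""
    if dn not in destination:
        return sorted(source[dn])
    return sorted(set(source[dn]) - set(destination[dn].attributes))


# Constructed sample source entry (not from the page).
SOURCE = {
    "uid=jdoe,ou=people,dc=example,dc=com": {
        "givenName": "Jane",
        "sn": "Doe",
        "mail": "jdoe@example.com",
        "telephoneNumber": "555-0100",
    }
}


def demo():
    """Walk through the failure mode and its fix; returns the observed states."""
    dn = next(iter(SOURCE))
    dest = {}
    # realtime-sync, modifies-as-creates=true, destination entry missing:
    # only the modified attribute reaches the destination.
    outcome = realtime_modify(dest, dn, {"telephoneNumber": "555-0199"},
                              modifies_as_creates=True)
    gap_before = missing_attributes(SOURCE, dest, dn)
    # resync copies every attribute of the source entry.
    resync_entry(SOURCE, dest, dn)
    gap_after = missing_attributes(SOURCE, dest, dn)
    # a User.Locked event then disables the now-complete entry.
    locked = apply_status_event(dest, dn, "User.Locked")
    return outcome, gap_before, gap_after, locked


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the incomplete entry left behind by the realtime modify (givenName, mail and sn missing) and that a resync closes the gap before the lock event is applied.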