Learn how to configure PingDataSync for Microsoft Active Directory (AD) to PingOne in a Windows environment.
Components
- PingOne
- PingDataSync 8.3
You must:
- Install PingDataSync.
- Have the hostname for the AD instance.
- Have the port for the AD instance.
With AD, this is 389 (LDAP) or 636 (LDAPS). AD refuses password changes over an unencrypted LDAP connection, so if you're not planning to synchronize passwords you can keep everything on 389. Be aware that a simple bind on 389 sends the bind DN and password, and every search result, in cleartext on the network, so keep the PingDataSync-to-AD path on a trusted network segment. Steps for working with SSL over port 636 are not part of this guide.
- Have the bind DN of the AD account that PingDataSync will use (for example, cn=administrator,cn=users,dc=mydomain,dc=com). The examples use the built-in administrator; for a production sync, prefer a dedicated service account granted only the access the sync needs.
- Have your PingOne Environment ID, Client ID, and Client Secret from your designated PingOne Worker App.
Note: Use the Client ID and Client Secret from the PingOne Worker App that will manage the operation. For more information on the creation and maintenance of Worker Apps, see Adding an application in the PingOne documentation.
Setting this configuration primarily uses the dsconfig.bat tool.
Although the steps for this configuration are shown in a Windows environment, you can configure this in Linux or Docker with the correct networking configuration in place.
This task uses the following naming conventions:
- PingDataSync Server references: “server” + Application. For example, serverAD or serverP1.
- PingDataSync objects: object name + source + “to” + destination. For example, mapADtoP1, pipeADtoP1.
- Create the external server that represents the AD connection. Open a terminal window and run the following command, replacing the bracketed fields with the values for the administrative user.
C:\<Ping>\<PingDataSync>\bat\dsconfig.bat create-external-server --server-name serverAD --type active-directory --set server-host-name:<hostname or IP> --set server-port:389 --set bind-dn:<your bind DN> --set password:<password> --set connection-security:none --set key-manager-provider:null --trustAll --no-prompt
This step defines the connection from PingDataSync to the AD server. connection-security:none means the bind and all searches travel over cleartext LDAP on port 389, which is why the bind password must be kept off untrusted networks.
Note: --trustAll makes dsconfig accept whatever certificate the local PingDataSync server presents on the administrative connection that dsconfig itself opens (it has no effect on the AD connection), and --no-prompt suppresses interactive prompts so the command runs unattended. Both appear on every dsconfig command in this guide.
- Create the sync source, which specifies the starting point for the synchronization process, with the following command.
C:\<Ping>\<PingDataSync>\bat\dsconfig.bat create-sync-source --source-name sourceAD --type active-directory --set base-dn:<your base DN> --set server:serverAD --trustAll --no-prompt
- Create the sync destination with the following command.
C:\<Ping>\<PingDataSync>\bat\dsconfig.bat create-sync-destination --destination-name destinationP1 --type ping-one-customer --set api-url:https://api.pingone.com/v1 --set auth-url:https://auth.pingone.com/<your environment ID>/as/token --set environment-id:<your environment ID> --set oauth-client-id:<your OAuth client ID> --set oauth-client-secret:<your client secret> --trustAll --no-prompt
Note: Because you're using PingOne as a destination, you don't need to create an external server reference. Everything is done through the PingOne API, authenticated with the Worker App's client credentials. The client secret is passed on the command line here, so it is recorded in your shell history and is visible in the process list while the command runs; treat the history of this session accordingly.
- Create the attribute map:
  - Create the map object with the following command.
    C:\<Ping>\<PingDataSync>\bat\dsconfig.bat create-attribute-map --map-name mapADtoP1 --trustAll --no-prompt
    There are three types of mappings that you can make after you define a map:
    - Direct: all the contents of the source attribute are mapped to the destination attribute with no changes, for example, mail to email.
    - Constructed: the value of the destination attribute is constructed by various means, with the simplest use case being a user-defined string, for example, resourceType to "user".
    - JSON attribute mapping: JSON mappings hold a JSON representation of a complex attribute. PingOne specifically uses JSON representation for concepts such as addresses and name information. These attributes in PingOne are case-sensitive. For example, Address.street doesn't work, but address.streetAddress does.
    Note: The following mappings are suggestions for what works. Your installation might require different mappings.
  - Create the direct attribute mappings. Each entry gives the AD source attribute, the PingOne destination attribute, and the command that creates the mapping.
    - sAMAccountName to accountID:
      C:\<Ping>\<PingDataSync>\bat\dsconfig.bat create-attribute-mapping --map-name mapADtoP1 --mapping-name accountID --type direct --set from-attribute:samaccountname --trustAll --no-prompt
    - mobile to mobilePhone:
      C:\<Ping>\<PingDataSync>\bat\dsconfig.bat create-attribute-mapping --map-name mapADtoP1 --mapping-name mobilePhone --type direct --set from-attribute:mobile --trustAll --no-prompt
    - mail to email:
      C:\<Ping>\<PingDataSync>\bat\dsconfig.bat create-attribute-mapping --map-name mapADtoP1 --mapping-name email --type direct --set from-attribute:mail --trustAll --no-prompt
    - telephoneNumber to primaryPhone:
      C:\<Ping>\<PingDataSync>\bat\dsconfig.bat create-attribute-mapping --map-name mapADtoP1 --mapping-name primaryPhone --type direct --set from-attribute:telephoneNumber --trustAll --no-prompt
    - title to title:
      C:\<Ping>\<PingDataSync>\bat\dsconfig.bat create-attribute-mapping --map-name mapADtoP1 --mapping-name title --type direct --set from-attribute:title --trustAll --no-prompt
    - employeeNumber to externalID:
      C:\<Ping>\<PingDataSync>\bat\dsconfig.bat create-attribute-mapping --map-name mapADtoP1 --mapping-name externalID --type direct --set from-attribute:employeeNumber --trustAll --no-prompt
    - sAMAccountName to username:
      C:\<Ping>\<PingDataSync>\bat\dsconfig.bat create-attribute-mapping --map-name mapADtoP1 --mapping-name username --type direct --set from-attribute:samaccountname --trustAll --no-prompt
  - Create the constructed attribute mappings.
    - population:
      C:\<Ping>\<PingDataSync>\bat\dsconfig.bat create-attribute-mapping --map-name mapADtoP1 --mapping-name population --trustAll --no-prompt --type constructed --set value-pattern:{{"P1People":"name"}}
    - resourceType:
      C:\<Ping>\<PingDataSync>\bat\dsconfig.bat create-attribute-mapping --map-name mapADtoP1 --mapping-name resourceType --trustAll --no-prompt --type constructed --set value-pattern:user
  - Create the JSON attribute maps:
    - To create the name attribute, run the following command.
      C:\<Ping>\<PingDataSync>\bat\dsconfig.bat create-attribute-mapping --map-name mapADtoP1 --mapping-name name --type json --trustAll --no-prompt
      Note: The PingOne name attribute holds information about the identity's name: first name, last name, and formatted (display name).
    - To create the address attribute, run the following command.
      C:\<Ping>\<PingDataSync>\bat\dsconfig.bat create-attribute-mapping --map-name mapADtoP1 --mapping-name address --type json --trustAll --no-prompt
      Note: The PingOne address attribute holds address information and maps to a number of different fields.
  - Create the JSON attribute mapping fields. Each entry gives the AD source attribute, the PingOne JSON field it populates, and the command that creates the field mapping.
    - sn to name.family:
      C:\<Ping>\<PingDataSync>\bat\dsconfig.bat create-json-attribute-mapping-field --map-name mapADtoP1 --mapping-name name --field-name family --set json-type:string --set from-attribute:sn --trustAll --no-prompt
    - givenName to name.given:
      C:\<Ping>\<PingDataSync>\bat\dsconfig.bat create-json-attribute-mapping-field --map-name mapADtoP1 --mapping-name name --field-name given --set json-type:string --set from-attribute:givenName --trustAll --no-prompt
    - cn to name.formatted:
      C:\<Ping>\<PingDataSync>\bat\dsconfig.bat create-json-attribute-mapping-field --map-name mapADtoP1 --mapping-name name --field-name formatted --set json-type:string --set from-attribute:cn --trustAll --no-prompt
    - l to address.locality:
      C:\<Ping>\<PingDataSync>\bat\dsconfig.bat create-json-attribute-mapping-field --map-name mapADtoP1 --mapping-name address --field-name locality --set json-type:string --set from-attribute:l --trustAll --no-prompt
    - postalCode to address.postalCode:
      C:\<Ping>\<PingDataSync>\bat\dsconfig.bat create-json-attribute-mapping-field --map-name mapADtoP1 --mapping-name address --field-name postalCode --set json-type:string --set from-attribute:postalCode --trustAll --no-prompt
    - st to address.region:
      C:\<Ping>\<PingDataSync>\bat\dsconfig.bat create-json-attribute-mapping-field --map-name mapADtoP1 --mapping-name address --field-name region --set json-type:string --set from-attribute:st --trustAll --no-prompt
    - street to address.streetAddress:
      C:\<Ping>\<PingDataSync>\bat\dsconfig.bat create-json-attribute-mapping-field --map-name mapADtoP1 --mapping-name address --field-name streetAddress --set json-type:string --set from-attribute:street --trustAll --no-prompt
    - c to address.countryCode:
      C:\<Ping>\<PingDataSync>\bat\dsconfig.bat create-json-attribute-mapping-field --map-name mapADtoP1 --mapping-name address --field-name countryCode --set json-type:string --set from-attribute:c --trustAll --no-prompt
- Create the sync pipe with the following command.
C:\<Ping>\<PingDataSync>\bat\dsconfig.bat create-sync-pipe --pipe-name pipeADtoP1 --set started:true --set sync-source:sourceAD --set sync-destination:destinationP1 --trustAll --no-prompt
The sync pipe is the object PingDataSync actually runs: it ties the sync source (sourceAD) to the sync destination (destinationP1), and started:true means it begins processing as soon as the configuration is complete.
- Create the sync class with the following command.
C:\<Ping>\<PingDataSync>\bat\dsconfig.bat create-sync-class --pipe-name pipeADtoP1 --class-name classADtoP1 --set attribute-map:mapADtoP1 --set "include-filter:(objectClass=user)" --set auto-mapped-source-attribute:-none- --set destination-correlation-attributes:username --set replace-all-attr-values:true --set creates-as-modifies:true --trustAll --no-prompt
The sync class belongs to the sync pipe and brings the remaining objects together: it selects which source entries are synchronized (include-filter), applies the attribute map (mapADtoP1), and correlates each AD entry to an existing PingOne user by username. auto-mapped-source-attribute:-none- means only the attributes in the map are sent, and creates-as-modifies:true lets an entry that already exists in PingOne be updated rather than failing as a duplicate create.
Note: In AD, computer objects also carry objectClass=user, so the filter (objectClass=user) matches machine accounts as well as people. If your base DN contains computers, narrow the filter, for example to (&(objectCategory=person)(objectClass=user)), before running the first sync, or the machine accounts will be created in PingOne.
- To test the PingDataSync connection between AD and PingOne, run the resync tool against the pipe:
C:\<Ping>\<PingDataSync>\bat\resync.bat -p pipeADtoP1
Note: If the sync encounters any errors, see the C:\<Ping>\<PingDataSync>\logs\tools\re-sync-failed-DNs.log file for the DNs that failed.
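The whole procedure above as a single PowerShell script. This is an added example, not code from the Ping Identity page or the PingDataSync product: it assumes an install path of C:\Ping\PingDataSync, an AD host dc01.mydomain.com, the base DN dc=mydomain,dc=com, and four environment variables (AD_BIND_PASSWORD, P1_ENVIRONMENT_ID, P1_CLIENT_ID, P1_CLIENT_SECRET) that you set in the calling shell so that no secret is written into the script. Two things go beyond the page: a preflight LDAP bind with the sync account that counts what the include filter matches, and a tighter include filter, (&(objectCategory=person)(objectClass=user)), that keeps AD computer accounts (which also carry objectClass=user) out of PingOne.

```powershell
# Added example, not from the Ping Identity page: the page's dsconfig steps as one script,
# with an LDAP preflight and secrets read from the environment. Assumed (not from the page):
# install path, AD host, base DN, and the variables AD_BIND_PASSWORD, P1_ENVIRONMENT_ID,
# P1_CLIENT_ID, P1_CLIENT_SECRET.
$ErrorActionPreference = 'Stop'
# PowerShell 7.3+ escapes embedded quotes in native-command arguments; legacy mode hands them
# through verbatim so dsconfig.bat receives exactly what the page's cmd.exe lines pass
# (the quoted include-filter, the quoted population value). Harmless on PowerShell 5.1.
$PSNativeCommandArgumentPassing = 'Legacy'

$dsconfig = 'C:\Ping\PingDataSync\bat\dsconfig.bat'          # assumed install path
$resync   = 'C:\Ping\PingDataSync\bat\resync.bat'
$adHost   = 'dc01.mydomain.com'                               # assumed AD host
$adPort   = 389                                               # cleartext LDAP, as on the page
$bindDn   = 'cn=administrator,cn=users,dc=mydomain,dc=com'
$baseDn   = 'dc=mydomain,dc=com'

foreach ($name in 'AD_BIND_PASSWORD', 'P1_ENVIRONMENT_ID', 'P1_CLIENT_ID', 'P1_CLIENT_SECRET') {
    if ([string]::IsNullOrEmpty([Environment]::GetEnvironmentVariable($name))) {
        throw "Set `$env:$name before running this script"
    }
}

# Preflight: bind as the sync account and compare the page's include filter with one that
# excludes machine accounts (AD computer objects also have objectClass=user).
Add-Type -AssemblyName System.DirectoryServices.Protocols
$ldap = New-Object System.DirectoryServices.Protocols.LdapConnection("${adHost}:${adPort}")
$ldap.SessionOptions.ProtocolVersion = 3
$ldap.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$ldap.Credential = New-Object System.Net.NetworkCredential($bindDn, $env:AD_BIND_PASSWORD)
$ldap.Bind()   # throws LdapException if the bind DN or password is wrong

function Get-MatchCount([string]$Filter) {
    # AD caps one search result at 1000 entries; page through with the paged-results control.
    $total = 0
    $page  = New-Object System.DirectoryServices.Protocols.PageResultRequestControl(500)
    do {
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $baseDn, $Filter, [System.DirectoryServices.Protocols.SearchScope]::Subtree, [string[]]'1.1')
        [void]$req.Controls.Add($page)
        $resp   = $ldap.SendRequest($req)
        $total += $resp.Entries.Count
        $page.Cookie = ($resp.Controls |
            Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }).Cookie
    } while ($page.Cookie -and $page.Cookie.Length -gt 0)
    return $total
}
$personFilter = '(&(objectCategory=person)(objectClass=user))'
Write-Host ("(objectClass=user): {0} entries; {1}: {2} entries" -f
    (Get-MatchCount '(objectClass=user)'), $personFilter, (Get-MatchCount $personFilter))
$ldap.Dispose()

# Configure PingDataSync. --trustAll only affects dsconfig's connection to the local
# PingDataSync server. Values with cmd.exe metacharacters (& | parentheses spaces) need
# literal quotes, as the page does for include-filter.
function Invoke-DsConfig([string[]]$Arguments) {
    & $dsconfig @Arguments --trustAll --no-prompt
    if ($LASTEXITCODE -ne 0) { throw "dsconfig $($Arguments[0]) failed (exit code $LASTEXITCODE)" }
}

Invoke-DsConfig @('create-external-server', '--server-name', 'serverAD', '--type', 'active-directory',
    '--set', "server-host-name:$adHost", '--set', "server-port:$adPort", '--set', "bind-dn:$bindDn",
    '--set', "password:$env:AD_BIND_PASSWORD", '--set', 'connection-security:none',
    '--set', 'key-manager-provider:null')
Invoke-DsConfig @('create-sync-source', '--source-name', 'sourceAD', '--type', 'active-directory',
    '--set', "base-dn:$baseDn", '--set', 'server:serverAD')
Invoke-DsConfig @('create-sync-destination', '--destination-name', 'destinationP1',
    '--type', 'ping-one-customer', '--set', 'api-url:https://api.pingone.com/v1',
    '--set', "auth-url:https://auth.pingone.com/$env:P1_ENVIRONMENT_ID/as/token",
    '--set', "environment-id:$env:P1_ENVIRONMENT_ID", '--set', "oauth-client-id:$env:P1_CLIENT_ID",
    '--set', "oauth-client-secret:$env:P1_CLIENT_SECRET")
Invoke-DsConfig @('create-attribute-map', '--map-name', 'mapADtoP1')

$direct = [ordered]@{ accountID = 'samaccountname'; mobilePhone = 'mobile'; email = 'mail'
    primaryPhone = 'telephoneNumber'; title = 'title'; externalID = 'employeeNumber'; username = 'samaccountname' }
foreach ($m in $direct.GetEnumerator()) {
    Invoke-DsConfig @('create-attribute-mapping', '--map-name', 'mapADtoP1', '--mapping-name', $m.Key,
        '--type', 'direct', '--set', "from-attribute:$($m.Value)")
}
Invoke-DsConfig @('create-attribute-mapping', '--map-name', 'mapADtoP1', '--mapping-name', 'population',
    '--type', 'constructed', '--set', 'value-pattern:{{"P1People":"name"}}')
Invoke-DsConfig @('create-attribute-mapping', '--map-name', 'mapADtoP1', '--mapping-name', 'resourceType',
    '--type', 'constructed', '--set', 'value-pattern:user')
foreach ($attr in 'name', 'address') {
    Invoke-DsConfig @('create-attribute-mapping', '--map-name', 'mapADtoP1', '--mapping-name', $attr, '--type', 'json')
}
$jsonFields = @(@('name', 'family', 'sn'), @('name', 'given', 'givenName'), @('name', 'formatted', 'cn'),
    @('address', 'locality', 'l'), @('address', 'postalCode', 'postalCode'), @('address', 'region', 'st'),
    @('address', 'streetAddress', 'street'), @('address', 'countryCode', 'c'))
foreach ($f in $jsonFields) {
    Invoke-DsConfig @('create-json-attribute-mapping-field', '--map-name', 'mapADtoP1', '--mapping-name', $f[0],
        '--field-name', $f[1], '--set', 'json-type:string', '--set', "from-attribute:$($f[2])")
}

Invoke-DsConfig @('create-sync-pipe', '--pipe-name', 'pipeADtoP1', '--set', 'started:true',
    '--set', 'sync-source:sourceAD', '--set', 'sync-destination:destinationP1')
Invoke-DsConfig @('create-sync-class', '--pipe-name', 'pipeADtoP1', '--class-name', 'classADtoP1',
    '--set', 'attribute-map:mapADtoP1', '--set', "`"include-filter:$personFilter`"",
    '--set', 'auto-mapped-source-attribute:-none-', '--set', 'destination-correlation-attributes:username',
    '--set', 'replace-all-attr-values:true', '--set', 'creates-as-modifies:true')

# Full pass over the pipe; failed DNs are written to logs\tools\re-sync-failed-DNs.log.
& $resync -p pipeADtoP1
if ($LASTEXITCODE -ne 0) { throw "resync failed (exit code $LASTEXITCODE)" }
```

Run it on the PingDataSync host under the account that administers PingDataSync. If the two preflight counts differ, the difference is the number of machine accounts the page's (objectClass=user) filter would have pushed into PingOne. The secrets never touch the script file or shell history, but they are still on the dsconfig command line while each command runs, so they are visible in the process list to other local administrators, and the AD bind crosses the network in cleartext on 389 exactly as in the guide.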