Setting up PingDataSync between PingDirectory and PingOne

Learn how to set up PingDataSync between PingDirectory and PingOne using installation commands for Linux.

Before you begin

You must have:

  • PingDataSync

  • PingDirectory

  • PingOne

You must:

  • Install PingDataSync.

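  • (Optional) Note the following values in a plain text file for easy copy and paste to the command line. The file will hold the admin password and the Worker App client secret, so restrict its permissions to your own account and delete it when you finish: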

    • Implementation suffix

    • Host name for the PingDirectory instance

    • PingDirectory port

    • PingDirectory starting point

    • PingDirectory filter

    • PingDirectory Admin ID

    • PingDirectory Admin password

    • PingOne Population ID

    • PingOne Environment ID

    • WorkerApp Client ID

    • WorkerApp Client Secret

      Use the Client ID and Client Secret from the PingOne Worker App that will be managing the operation. For more information on the creation and maintenance of Worker Apps, see Adding an application in the PingOne documentation.

  • (Optional) Configure PingOne to use SSO for the PingData Administrative Console.

    This allows administrative users to single sign-on (SSO) to the PingData admin console from PingOne.

Steps

  1. To create an external server, run the following command:

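    /opt/<PingDataSync>/bin/dsconfig create-external-server --server-name serverPD_PDtest --type ping-identity-ds --set server-host-name:localhost --set server-port:11389 --set bind-dn:<your bind DN> --set password:<your password> --set connection-security:none --set key-manager-provider:null --trustAll --no-prompt

    The --type parameter is different if you’re using Active Directory or another Directory Server type.

    With connection-security:none, PingDataSync binds to PingDirectory over unencrypted LDAP, so the bind password crosses the connection in cleartext. That is workable for a lab instance on localhost as shown; for a PingDirectory instance on another host, set connection-security to ssl or start-tls and use the matching server port. The --trustAll option used throughout these steps makes dsconfig accept any certificate the server presents, so outside a lab replace it with a trust store.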

  2. To create a sync source, run the following command:

    /opt/<PingDataSync>/bin/dsconfig create-sync-source --source-name sourcePD_PDtest --type ping-identity --set base-dn:ou=test,dc=p1,dc=lab --set server:serverPD_PDtest --trustAll --no-prompt

    Make sure that your base-dn indicates where you want to start in the directory tree.

  3. To create a sync destination, run the following command:

    /opt/<PingDataSync>/bin/dsconfig create-sync-destination --destination-name destinationPD-P1_PDtest --trustAll --no-prompt --type ping-one-customer --set api-url:https://api.pingone.com/v1 --set auth-url:https://auth.pingone.com/<your PingOne environment ID>/as/token --set environment-id:<your PingOne environment ID> --set oauth-client-id:<your worker app client ID> --set oauth-client-secret:<your worker app client secret> --set default-population-id:<your PingOne population ID>

    Setting the population ID here avoids having to configure it in the attribute mapping section.

  4. To create an attribute map, run the following command:

    /opt/<PingDataSync>/bin/dsconfig create-attribute-map --map-name mapPDtoP1_PDtest --trustAll --no-prompt

    There are three types of mappings that you can make after you define a map:

    Direct

    All the contents from the source attribute are mapped to the destination attribute with no changes, such as mail to email.

    Constructed

    The value of the destination attribute is constructed by various means, with the simplest use case being a user-defined string, such as resourceType to "user".

    JSON Attribute mapping

    JSON mappings hold a JSON representation of a complex attribute. PingOne specifically uses JSON representation for concepts such as addresses and name information. These attributes in PingOne are case-sensitive. For example, Address.street doesn’t work, but address.streetAddress does.

    The following mappings are suggestions for what works. Your installation might require different mappings.

    1. Create direct mappings.

      This is easier to run as a dsconfig batch.

      1. Create a <PingDataSync>/directMapping.dsconfig text file.

      2. Place the following commands into your directMapping file:

        dsconfig create-attribute-mapping --map-name mapPDtoP1_PDtest --mapping-name accountID --type direct --set from-attribute:uid --trustAll --no-prompt
        dsconfig create-attribute-mapping --map-name mapPDtoP1_PDtest --mapping-name mobilePhone --type direct --set from-attribute:mobile --trustAll --no-prompt
        dsconfig create-attribute-mapping --map-name mapPDtoP1_PDtest --mapping-name email --type direct --set from-attribute:mail --trustAll --no-prompt
        dsconfig create-attribute-mapping --map-name mapPDtoP1_PDtest --mapping-name primaryPhone --type direct --set from-attribute:telephoneNumber --trustAll --no-prompt
        dsconfig create-attribute-mapping --map-name mapPDtoP1_PDtest --mapping-name title --type direct --set from-attribute:title --trustAll --no-prompt
        dsconfig create-attribute-mapping --map-name mapPDtoP1_PDtest --mapping-name externalID --type direct --set from-attribute:employeeNumber --trustAll --no-prompt
        dsconfig create-attribute-mapping --map-name mapPDtoP1_PDtest --mapping-name username --type direct --set from-attribute:uid --trustAll --no-prompt

      3. Run the batch with the following command:

        /opt/<PingDataSync>/bin/dsconfig --trustAll --no-prompt --batch-file /opt/<PingDataSync>/directMapping.dsconfig

    2. Create constructed attribute mappings with the following command:

      /opt/<PingDataSync>/bin/dsconfig create-attribute-mapping --map-name mapPDtoP1_PDtest --mapping-name resourceType --trustAll --no-prompt --type constructed --set value-pattern:user

    3. Create JSON attribute maps.

      This is easier to run as a dsconfig batch. The JSON maps are created as a subset of the attribute map that was just constructed and are populated in the following steps.

      1. Create a <PingDataSync>/jsonMap.dsconfig text file.

      2. Place the following commands in your jsonMap file:

        dsconfig create-attribute-mapping --map-name mapPDtoP1_PDtest --mapping-name name --type json --trustAll --no-prompt
        dsconfig create-attribute-mapping --map-name mapPDtoP1_PDtest --mapping-name address --type json --trustAll --no-prompt

      3. Run the batch with the following command:

        /opt/<PingDataSync>/bin/dsconfig --trustAll --no-prompt --batch-file /opt/<PingDataSync>/jsonMap.dsconfig

    4. Create JSON attribute mappings.

      This is easier to run as a dsconfig batch.

      1. Create a <PingDataSync>/jsonMapping.dsconfig text file.

      2. Place the following commands in your jsonMapping file:

        dsconfig create-json-attribute-mapping-field --map-name mapPDtoP1_PDtest --mapping-name name --field-name family --set json-type:string --set from-attribute:sn --trustAll --no-prompt
        dsconfig create-json-attribute-mapping-field --map-name mapPDtoP1_PDtest --mapping-name name --field-name given --set json-type:string --set from-attribute:givenName --trustAll --no-prompt
        dsconfig create-json-attribute-mapping-field --map-name mapPDtoP1_PDtest --mapping-name name --field-name formatted --set json-type:string --set from-attribute:cn --trustAll --no-prompt
        dsconfig create-json-attribute-mapping-field --map-name mapPDtoP1_PDtest --mapping-name address --field-name locality --set json-type:string --set from-attribute:l --trustAll --no-prompt
        dsconfig create-json-attribute-mapping-field --map-name mapPDtoP1_PDtest --mapping-name address --field-name postalCode --set json-type:string --set from-attribute:postalCode --trustAll --no-prompt
        dsconfig create-json-attribute-mapping-field --map-name mapPDtoP1_PDtest --mapping-name address --field-name region --set json-type:string --set from-attribute:st --trustAll --no-prompt
        dsconfig create-json-attribute-mapping-field --map-name mapPDtoP1_PDtest --mapping-name address --field-name streetAddress --set json-type:string --set from-attribute:street --trustAll --no-prompt

      3. Run the batch with the following command:

        /opt/<PingDataSync>/bin/dsconfig --trustAll --no-prompt --batch-file /opt/<PingDataSync>/jsonMapping.dsconfig

  5. To create a SyncPipe, run the following command:

    /opt/<PingDataSync>/bin/dsconfig create-sync-pipe --pipe-name pipePDtoP1_PDtest --set started:true --set sync-source:sourcePD_PDtest --set sync-destination:destinationPD-P1_PDtest --trustAll --no-prompt

  6. To create a sync class, run the following command:

    /opt/<PingDataSync>/bin/dsconfig create-sync-class --pipe-name pipePDtoP1_PDtest --class-name classPDtoP1_PDtest --set attribute-map:mapPDtoP1_PDtest --set "include-filter:(objectClass=inetOrgPerson)" --set auto-mapped-source-attribute:-none- --set destination-correlation-attributes:username --set replace-all-attr-values:true --set creates-as-modifies:true --trustAll --no-prompt

  7. Test the sync:

    1. Run the sync with the following command:

      /opt/<PingDataSync>/bin/resync -p pipePDtoP1_PDtest

    2. Optional: If the sync results in any errors, see /Ping/<PingDataSync>/logs/tools/re-sync-failed-DNs.log.

    3. Optional: If you receive an error that includes Cannot connect because: The connection to server localhost:11389 was closed while waiting for a response to a bind request SimpleBindRequest(dn='cn=dmanager').:

      1. In the PingDataSync admin console, go to Configuration → External Servers → serverPD_PDtest.

      2. Update your password.
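
The external-server and sync-destination commands in steps 1 and 3 use connection-security:none, --trustAll, and secrets typed inline, which suit a lab only. The following check is an added example, not part of the original procedure or of Ping Identity's tooling: it scans dsconfig command lines or batch files for those three settings. The sample input is constructed, and the function names and finding labels are this example's own.

```shell
#!/bin/sh
# Added example: lint dsconfig command lines or batch files for
# settings that should not leave a lab.

# Constructed sample input: commands shaped like the ones in the steps,
# with placeholder credentials.
sample_commands() {
cat <<'EOF'
dsconfig create-external-server --server-name serverPD_PDtest --type ping-identity-ds --set server-host-name:localhost --set server-port:11389 --set bind-dn:cn=example --set password:EXAMPLE-ONLY --set connection-security:none --trustAll --no-prompt
dsconfig create-sync-destination --destination-name destinationPD-P1_PDtest --type ping-one-customer --set oauth-client-secret:EXAMPLE-ONLY --trustAll --no-prompt
dsconfig create-attribute-map --map-name mapPDtoP1_PDtest --no-prompt
EOF
}

# Reads commands on stdin, prints "<line>:<finding>" for each issue,
# and returns 1 if anything was found (0 if the input is clean).
audit_dsconfig() {
  awk '
    function report(what) { print NR ":" what; found = 1 }
    {
      for (i = 1; i <= NF; i++) {
        # Certificate validation disabled for the dsconfig connection.
        if ($i == "--trustAll") report("trust-all")
        if ($i != "--set" || i == NF) continue
        sep = index($(i + 1), ":")
        name = substr($(i + 1), 1, sep - 1)
        value = substr($(i + 1), sep + 1)
        # Unencrypted LDAP to the external server: bind password in cleartext.
        if (name == "connection-security" && value == "none") report("cleartext-ldap")
        # A literal secret on the command line; <...> placeholders are ignored.
        if ((name == "password" || name == "oauth-client-secret") && value !~ /^</) report("inline-secret:" name)
      }
    }
    END { exit found + 0 }
  '
}

sample_commands | audit_dsconfig || echo "findings above: review before use outside a lab"
```

To check a batch file before running it, redirect the file into the function, for example `audit_dsconfig < directMapping.dsconfig`.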