Setting up PingDataSync between PingDirectory and PingOne
Learn how to set up PingDataSync between PingDirectory and PingOne using installation commands for Linux.
Before you begin
You must have:
- PingDataSync
- PingDirectory
- PingOne
You must:
- (Optional) Note the following values in a plain text file for easy copy and paste to the command line:
  - Implementation suffix
  - Host name for the PingDirectory instance
  - PingDirectory port
  - PingDirectory starting point
  - PingDirectory filter
  - PingDirectory Admin ID
  - PingDirectory Admin password
  - PingOne Population ID
  - PingOne Environment ID
  - WorkerApp Client ID
  - WorkerApp Client Secret
  Use the Client ID and Client Secret from the PingOne Worker App that will be managing the operation. Learn more about creating and maintaining Worker Apps in Adding an application in the PingOne documentation.
  Because this file holds the PingDirectory admin password and the Worker App client secret, keep it readable only by your own account and delete it when the setup is done.
- (Optional) Use SSO for the PingData Administrative Console.
  This allows administrative users to single sign-on (SSO) to the PingData admin console from PingOne.
Steps
- To create an external server, run the following command:
/opt/<PingDataSync>/bin/dsconfig create-external-server --server-name serverPD_PDtest --type ping-identity-ds --set server-host-name:localhost --set server-port:11389 --set bind-dn:<your bind DN> --set password:<your password> --set connection-security:none --set key-manager-provider:null --trustAll --no-prompt
  The --type parameter is different if you're using Active Directory or another Directory Server type.
  Two of these settings are suitable only for a lab where everything runs on localhost. connection-security:none makes PingDataSync bind to PingDirectory over plaintext LDAP, so the bind DN and password cross the network unencrypted; for any other deployment, set it to ssl or starttls against the PingDirectory secure port and configure a trust-manager-provider that holds the PingDirectory certificate. --trustAll makes dsconfig accept whatever certificate the PingDataSync server presents; use --trustStorePath instead in production. Also note that a password given with --set password:... is recorded in your shell history, as is the Worker App client secret in the sync destination step.
- To create a sync source, run the following command:
/opt/<PingDataSync>/bin/dsconfig create-sync-source --source-name sourcePD_PDtest --type ping-identity --set base-dn:ou=test,dc=p1,dc=lab --set server:serverPD_PDtest --trustAll --no-prompt
  Make sure that your base-dn indicates where you want to start in the directory tree (the PingDirectory starting point you noted earlier).
- To create a sync destination, run the following command:
/opt/<PingDataSync>/bin/dsconfig create-sync-destination --destination-name destinationPD-P1_PDtest --trustAll --no-prompt --type ping-one-customer --set api-url:https://api.pingone.com/v1 --set auth-url:https://auth.pingone.com/<your PingOne environment ID>/as/token --set environment-id:<your PingOne environment ID> --set oauth-client-id:<your worker app client ID> --set oauth-client-secret:<your worker app client secret> --set default-population-id:<your PingOne population ID>
  Setting the population ID here avoids having to configure it in the attribute mapping section.
- To create an attribute map, run the following command:
/opt/<PingDataSync>/bin/dsconfig create-attribute-map --map-name mapPDtoP1_PDtest --trustAll --no-prompt
  There are three types of mappings that you can make after you define a map:
  - Direct: all the contents of the source attribute are mapped to the destination attribute with no changes, such as mail to email.
  - Constructed: the value of the destination attribute is constructed by various means, the simplest being a user-defined string, such as resourceType to "user".
  - JSON attribute mapping: JSON mappings hold a JSON representation of a complex attribute. PingOne uses JSON representations for concepts such as addresses and name information, and the attribute and field names are case-sensitive. For example, Address.street doesn't work, but address.streetAddress does.
  The following mappings are suggestions for what works. Your installation will possibly require different mappings.
  - Create direct mappings. This is easier to run as a dsconfig batch.
    - Create a <PingDataSync>/directMapping.dsconfig text file.
    - Place the following commands into your directMapping file, one per line:
dsconfig create-attribute-mapping --map-name mapPDtoP1_PDtest --mapping-name accountID --type direct --set from-attribute:uid --trustAll --no-prompt
dsconfig create-attribute-mapping --map-name mapPDtoP1_PDtest --mapping-name mobilePhone --type direct --set from-attribute:mobile --trustAll --no-prompt
dsconfig create-attribute-mapping --map-name mapPDtoP1_PDtest --mapping-name email --type direct --set from-attribute:mail --trustAll --no-prompt
dsconfig create-attribute-mapping --map-name mapPDtoP1_PDtest --mapping-name primaryPhone --type direct --set from-attribute:telephoneNumber --trustAll --no-prompt
dsconfig create-attribute-mapping --map-name mapPDtoP1_PDtest --mapping-name title --type direct --set from-attribute:title --trustAll --no-prompt
dsconfig create-attribute-mapping --map-name mapPDtoP1_PDtest --mapping-name externalID --type direct --set from-attribute:employeeNumber --trustAll --no-prompt
dsconfig create-attribute-mapping --map-name mapPDtoP1_PDtest --mapping-name username --type direct --set from-attribute:uid --trustAll --no-prompt
      Note that both accountID and username take their value from uid.
    - Run the batch with the following command:
/opt/<PingDataSync>/bin/dsconfig --trustAll --no-prompt --batch-file /opt/<PingDataSync>/directMapping.dsconfig
  - Create constructed attribute mappings with the following command:
/opt/<PingDataSync>/bin/dsconfig create-attribute-mapping --map-name mapPDtoP1_PDtest --mapping-name resourceType --trustAll --no-prompt --type constructed --set value-pattern:user
  - Create JSON attribute maps. This is easier to run as a dsconfig batch. The JSON maps are created inside the attribute map you just defined and are populated with fields in the next step.
    - Create a <PingDataSync>/jsonMap.dsconfig text file.
    - Place the following commands in your jsonMap file, one per line:
dsconfig create-attribute-mapping --map-name mapPDtoP1_PDtest --mapping-name name --type json --trustAll --no-prompt
dsconfig create-attribute-mapping --map-name mapPDtoP1_PDtest --mapping-name address --type json --trustAll --no-prompt
    - Run the batch with the following command:
/opt/<PingDataSync>/bin/dsconfig --trustAll --no-prompt --batch-file /opt/<PingDataSync>/jsonMap.dsconfig
  - Create JSON attribute mappings. This is easier to run as a dsconfig batch.
    - Create a <PingDataSync>/jsonMapping.dsconfig text file.
    - Place the following commands in your jsonMapping file, one per line. The --field-name values must match the PingOne field names exactly, including case (family, given, formatted, streetAddress, and so on):
dsconfig create-json-attribute-mapping-field --map-name mapPDtoP1_PDtest --mapping-name name --field-name family --set json-type:string --set from-attribute:sn --trustAll --no-prompt
dsconfig create-json-attribute-mapping-field --map-name mapPDtoP1_PDtest --mapping-name name --field-name given --set json-type:string --set from-attribute:givenName --trustAll --no-prompt
dsconfig create-json-attribute-mapping-field --map-name mapPDtoP1_PDtest --mapping-name name --field-name formatted --set json-type:string --set from-attribute:cn --trustAll --no-prompt
dsconfig create-json-attribute-mapping-field --map-name mapPDtoP1_PDtest --mapping-name address --field-name locality --set json-type:string --set from-attribute:l --trustAll --no-prompt
dsconfig create-json-attribute-mapping-field --map-name mapPDtoP1_PDtest --mapping-name address --field-name postalCode --set json-type:string --set from-attribute:postalCode --trustAll --no-prompt
dsconfig create-json-attribute-mapping-field --map-name mapPDtoP1_PDtest --mapping-name address --field-name region --set json-type:string --set from-attribute:st --trustAll --no-prompt
dsconfig create-json-attribute-mapping-field --map-name mapPDtoP1_PDtest --mapping-name address --field-name streetAddress --set json-type:string --set from-attribute:street --trustAll --no-prompt
    - Run the batch with the following command:
/opt/<PingDataSync>/bin/dsconfig --trustAll --no-prompt --batch-file /opt/<PingDataSync>/jsonMapping.dsconfig
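dsconfig accepts any --field-name, so a case mistake like the Address.street example above only shows up as missing data in PingOne after a resync. The following script is an added example, not Ping Identity tooling: it lints a jsonMapping.dsconfig batch against a list of PingOne name and address sub-fields before you run it. The allow-list in known_fields, the script and function names, and the demo input are this editor's assumptions rather than something the page or PingOne publishes in this form; extend the list for the attributes your tenant uses.

```shell
#!/bin/sh
# Added example for this page, not Ping Identity tooling. Lints a
# jsonMapping.dsconfig batch: PingOne's JSON user attributes are
# case-sensitive, so a field such as Address.street or name.Family is
# accepted by dsconfig but never reaches PingOne. The allow-list below is an
# assumption (the name and address sub-fields of the PingOne user schema as
# this editor knows them); extend it for your tenant.
set -eu

# Known PingOne JSON sub-fields, one mapping.field per line, exact case.
known_fields() {
  cat <<'EOF'
name.given
name.middle
name.family
name.formatted
name.honorificPrefix
name.honorificSuffix
address.streetAddress
address.locality
address.region
address.postalCode
address.countryCode
EOF
}

# Print mapping.field for each create-json-attribute-mapping-field line in $1.
mapped_fields() {
  awk '/create-json-attribute-mapping-field/ {
    m = ""; f = ""
    for (i = 1; i <= NF; i++) {
      if ($i == "--mapping-name") m = $(i + 1)
      if ($i == "--field-name")   f = $(i + 1)
    }
    if (m != "" && f != "") print m "." f
  }' "$1"
}

# Exit 0 when every mapped field is known; otherwise list each offender on
# stdout and exit 1. Matching is exact, so case mistakes are reported too.
check_json_fields() {
  rc=0
  for field in $(mapped_fields "$1"); do
    if ! known_fields | grep -qxF "$field"; then
      printf 'unknown or mis-cased PingOne field: %s\n' "$field"
      rc=1
    fi
  done
  return $rc
}

# Constructed demo input: the page's streetAddress line plus the Address.street
# mistake the page warns about.
demo() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
dsconfig create-json-attribute-mapping-field --map-name mapPDtoP1_PDtest --mapping-name address --field-name streetAddress --set json-type:string --set from-attribute:street --trustAll --no-prompt
dsconfig create-json-attribute-mapping-field --map-name mapPDtoP1_PDtest --mapping-name Address --field-name street --set json-type:string --set from-attribute:street --trustAll --no-prompt
EOF
  check_json_fields "$f" || true
  rm -f "$f"
}

# Usage: sh lint-json-fields.sh /opt/<PingDataSync>/jsonMapping.dsconfig
#        sh lint-json-fields.sh --demo
case "${1:-}" in
  --demo) demo ;;
  "")     ;;
  *)      check_json_fields "$1" ;;
esac
```

Run it on the batch file before the dsconfig --batch-file step; a non-zero exit with one line per offending field means the mapping would silently drop data, not that dsconfig would reject it.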
- To create a SyncPipe, run the following command:
/opt/<PingDataSync>/bin/dsconfig create-sync-pipe --pipe-name pipePDtoP1_PDtest --set started:true --set sync-source:sourcePD_PDtest --set sync-destination:destinationPD-P1_PDtest --trustAll --no-prompt
- To create a sync class, run the following command:
/opt/<PingDataSync>/bin/dsconfig create-sync-class --pipe-name pipePDtoP1_PDtest --class-name classPDtoP1_PDtest --set attribute-map:mapPDtoP1_PDtest --set "include-filter:(objectClass=inetOrgPerson)" --set auto-mapped-source-attribute:-none- --set destination-correlation-attributes:username --set replace-all-attr-values:true --set creates-as-modifies:true --trustAll --no-prompt
  The sync class correlates source entries with existing PingOne users on username, which maps from uid, so uid values must be unique in the source. With replace-all-attr-values:true, each mapped attribute in PingOne is replaced with the full set of values from PingDirectory rather than only the changed values.
- Test the sync:
  - Run the sync with the following command:
/opt/<PingDataSync>/bin/resync -p pipePDtoP1_PDtest
  - (Optional) If the sync results in any errors, examine <PingDataSync>/logs/tools/re-sync-failed-DNs.log.
  - (Optional) If you receive an error that includes
Cannot connect because: The connection to server localhost:11389 was closed while waiting for a response to a bind request SimpleBindRequest(dn='cn=dmanager').
    the external server's bind to PingDirectory is failing. Check the stored credentials:
    - In the PingDataSync admin console, go to Configuration > External Servers > serverPD_PDtest.
    - Update your password.
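The steps above put the PingDirectory admin password and the Worker App client secret on interactive command lines, where they land in shell history, and they connect to PingDirectory with connection-security:none. The script below is an added example, not Ping Identity tooling: it writes the whole configuration from this page as one dsconfig batch from environment variables, so the secrets only ever exist in a mode 0600 file that you delete after dsconfig consumes it, and the external server uses LDAPS checked against the sync server's JKS trust manager provider instead of a plaintext connection. Assumptions of the example, not statements from the page: LDAPS port 11636, that the JKS trust manager provider already holds the PingDirectory certificate (import it with manage-certificates first), the environment variable and script names, and that connection options such as --no-prompt and --trustStorePath are given on the dsconfig invocation rather than on each batch line.

```shell
#!/bin/sh
# Added example for this page, not Ping Identity tooling: write the whole
# PingDirectory -> PingOne configuration as one dsconfig batch, taking the
# PingDirectory bind password and the PingOne Worker App client secret from
# environment variables instead of an interactive command line, and connecting
# the external server over LDAPS instead of connection-security:none.
#
# Assumed, not from the page: PD_PORT 11636 is the PingDirectory LDAPS port and
# the sync server's default "JKS" trust manager provider already trusts the
# PingDirectory certificate. Variable names are this example's own.
set -eu

# Write the batch to $1 with mode 0600. It contains secrets: delete it once
# dsconfig has consumed it.
write_batch() {
  out=$1
  sfx=${SUFFIX:-_PDtest}                      # implementation suffix
  pd_host=${PD_HOST:-localhost}
  pd_port=${PD_PORT:-11636}                    # assumed LDAPS port
  base_dn=${PD_BASE_DN:-ou=test,dc=p1,dc=lab}  # PingDirectory starting point
  bind_dn=${PD_BIND_DN:?PingDirectory admin DN}
  bind_pw=${PD_BIND_PW:?PingDirectory admin password}
  env_id=${P1_ENV_ID:?PingOne environment ID}
  pop_id=${P1_POP_ID:?PingOne population ID}
  client_id=${P1_CLIENT_ID:?Worker App client ID}
  client_secret=${P1_CLIENT_SECRET:?Worker App client secret}
  map=mapPDtoP1$sfx

  ( umask 077
    {
      printf '%s\n' "# generated by write_batch; contains secrets, delete after use"
      # External server: TLS, certificate checked against the JKS provider.
      printf '%s\n' "dsconfig create-external-server --server-name serverPD$sfx --type ping-identity-ds --set server-host-name:$pd_host --set server-port:$pd_port --set \"bind-dn:$bind_dn\" --set \"password:$bind_pw\" --set connection-security:ssl --set trust-manager-provider:JKS"
      printf '%s\n' "dsconfig create-sync-source --source-name sourcePD$sfx --type ping-identity --set base-dn:$base_dn --set server:serverPD$sfx"
      printf '%s\n' "dsconfig create-sync-destination --destination-name destinationPD-P1$sfx --type ping-one-customer --set api-url:https://api.pingone.com/v1 --set auth-url:https://auth.pingone.com/$env_id/as/token --set environment-id:$env_id --set oauth-client-id:$client_id --set \"oauth-client-secret:$client_secret\" --set default-population-id:$pop_id"
      # Attribute map with the page's direct, constructed and JSON mappings.
      printf '%s\n' "dsconfig create-attribute-map --map-name $map"
      for pair in accountID:uid mobilePhone:mobile email:mail primaryPhone:telephoneNumber title:title externalID:employeeNumber username:uid; do
        printf '%s\n' "dsconfig create-attribute-mapping --map-name $map --mapping-name ${pair%%:*} --type direct --set from-attribute:${pair#*:}"
      done
      printf '%s\n' "dsconfig create-attribute-mapping --map-name $map --mapping-name resourceType --type constructed --set value-pattern:user"
      for m in name address; do
        printf '%s\n' "dsconfig create-attribute-mapping --map-name $map --mapping-name $m --type json"
      done
      # PingOne field names are case-sensitive (family, given, streetAddress).
      for triple in name:family:sn name:given:givenName name:formatted:cn address:locality:l address:postalCode:postalCode address:region:st address:streetAddress:street; do
        m=${triple%%:*}; rest=${triple#*:}; f=${rest%%:*}; a=${rest#*:}
        printf '%s\n' "dsconfig create-json-attribute-mapping-field --map-name $map --mapping-name $m --field-name $f --set json-type:string --set from-attribute:$a"
      done
      # Pipe and class: correlation on username means uid must be unique.
      printf '%s\n' "dsconfig create-sync-pipe --pipe-name pipePDtoP1$sfx --set started:true --set sync-source:sourcePD$sfx --set sync-destination:destinationPD-P1$sfx"
      printf '%s\n' "dsconfig create-sync-class --pipe-name pipePDtoP1$sfx --class-name classPDtoP1$sfx --set attribute-map:$map --set \"include-filter:(objectClass=inetOrgPerson)\" --set auto-mapped-source-attribute:-none- --set destination-correlation-attributes:username --set replace-all-attr-values:true --set creates-as-modifies:true"
    } > "$out"
  )
}

# Usage: PD_BIND_DN=cn=dmanager PD_BIND_PW=... P1_ENV_ID=... P1_POP_ID=... \
#   P1_CLIENT_ID=... P1_CLIENT_SECRET=... sh write-sync-batch.sh /opt/<PingDataSync>/sync.dsconfig
# Then: /opt/<PingDataSync>/bin/dsconfig --no-prompt --batch-file /opt/<PingDataSync>/sync.dsconfig
#       && rm /opt/<PingDataSync>/sync.dsconfig
if [ "$#" -eq 1 ]; then
  write_batch "$1"
fi
```

Run dsconfig against the generated file with --trustStorePath (or, in a lab, --trustAll as the page does) and remove the file afterwards; the secrets then never appear in shell history or in the process list, and the only copy on disk is the short-lived batch.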