Active Roles Synchronization Service Administration Guide - Quest


One Identity Active Roles 7.5 Synchronization Service Administration Guide

Copyright 2021 One Identity LLC. ALL RIGHTS RESERVED.

This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of One Identity LLC.

The information in this document is provided in connection with One Identity products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of One Identity LLC products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, ONE IDENTITY ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL ONE IDENTITY BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF ONE IDENTITY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. One Identity makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. One Identity does not make any commitment to update the information contained in this document.

If you have any questions regarding your potential use of this material, contact:

One Identity LLC.
Attn: LEGAL Dept
4 Polaris Way
Aliso Viejo, CA 92656

Refer to our Web site (http://www.OneIdentity.com) for regional and international office information.

Patents

One Identity is proud of our advanced technology. Patents and pending patents may apply to this product. For the most current information about applicable patents for this product, please visit our website at

Trademarks

One Identity and the One Identity logo are trademarks and registered trademarks of One Identity LLC. in the U.S.A. and other countries. For a complete list of One Identity trademarks, please visit our website at www.OneIdentity.com/legal. All other trademarks are the property of their respective owners.

Legend

WARNING: A WARNING icon highlights a potential risk of bodily injury or property damage, for which industry-standard safety precautions are advised. This icon is often associated with electrical hazards related to hardware.

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.

Active Roles Synchronization Service Administration Guide
Updated - November 2021
Version - 7.5

Contents

Synchronization Service Overview  11
About Synchronization Service  11
Features and benefits  12
Bidirectional synchronization  12
Delta processing mode  12
Synchronization of group membership  13
Windows PowerShell scripting  13
Attribute synchronization rules  13
Rule-based generation of distinguished names  13
Scheduling capabilities  14
Extensibility  14
Azure Backsync Configuration  15
Technical overview  16
Synchronization Service  16
Capture Agent  16
Connectors and connected data systems  17
Synchronization workflows and steps  18
Deploying Synchronization Service  19
Deployment steps  19
Step 1: Install Synchronization Service  19
Step 2: Configure Synchronization Service  20
Step 3: Configuring Azure BackSync  22
Configuring automatic Azure BackSync  23
Configuring manual Azure BackSync  25
Settings updated after Azure backsync configuration operation  28
Finding the GUID (Tenant ID) of an Azure AD for Azure BackSync  30
Upgrade from Quick Connect and Synchronization Service  30
Limitations  31
Upgrade steps  31
Communication ports  32
Getting started  35
Synchronization Service Administration Console  35
Sync Workflows tab  37
Sync History tab  38
Connections tab  38
Mapping tab  39
Password Sync tab  40
Configuring diagnostic logging  40
Steps to synchronize identity data  41
Management Shell  42
Cmdlet naming conventions  43
Getting help  43
Connections to external data systems  45
External data systems supported out of the box  45
Working with Active Directory  46
Creating an Active Directory connection  47
Modifying an existing Active Directory connection  48
Communication ports required to synchronize data between two AD domains  50
Synchronizing user passwords between two AD domains  50
Synchronizing SID history of users or groups  51
Working with an AD LDS (ADAM) instance  52
Creating an AD LDS (ADAM) instance connection  53
Modifying an existing AD LDS (ADAM) instance connection  53
Working with Skype for Business Server  54
Creating a new Skype for Business Server connection  55
Modifying an existing Skype for Business Server connection  56
Skype for Business Server data supported out of the box  57
Attributes required to create a Skype for Business Server user  70
Getting or setting the Telephony option value in Skype for Business Server  70
Working with Oracle  71
Working with Oracle Database  71
Working with Oracle Database user accounts  76
Working with Exchange Server  80
Creating a new connection to Exchange Server  81
Modifying an existing connection to Exchange Server  82
Exchange Server data supported out of the box  83
Scenario: Migrate mailboxes from one Exchange Server to another  99
Working with Active Roles  101
Creating an Active Roles connection  102
Modifying an Active Roles connection  103
Working with One Identity Manager  104
Creating a One Identity Manager connection  105
Modifying a One Identity Manager connection  106
One Identity Manager Connector configuration file  106
Working with a delimited text file  107
Creating a delimited text file connection  108
Modifying an existing delimited text file connection  110
Working with Microsoft SQL Server  112
Creating a Microsoft SQL Server connection  113
Modifying an existing Microsoft SQL Server connection  114
Sample queries to modify SQL Server data  116
Working with Micro Focus NetIQ Directory  117
Creating a Micro Focus NetIQ Directory connection  118
Modifying an existing Micro Focus NetIQ Directory connection  119
Specify connection settings  120
Specify naming attributes  121
Working with Salesforce  122
Creating a Salesforce connection  123
Modifying an existing Salesforce connection  124
Salesforce data supported out of the box  124
Scenario: Provisioning users from an Active Directory domain to Salesforce  128
Working with ServiceNow  130
Creating a ServiceNow connection  131
Modifying an existing ServiceNow connection  132
ServiceNow data supported out of the box  133
Working with Oracle Unified Directory  133
Creating an Oracle Unified Directory connection  134
Modifying an existing Oracle Unified Directory Server connection  135
Specify naming attributes  137
Working with an LDAP directory service  137
Creating an LDAP directory service connection  138
Modifying an existing Generic LDAP directory service connection  141
Specify password sync parameters for LDAP directory service  143
Working with IBM DB2  144
Creating an IBM DB2 connection  145
Modifying an existing IBM DB2 connection  146
Working with IBM AS/400  148
Creating an IBM AS/400 connection  149
Modifying an existing IBM AS/400 connection  150
Specify connection settings  150
Additional considerations  150
Working with an OpenLDAP directory service  151
Creating an OpenLDAP directory service connection  152
Modifying an existing OpenLDAP directory service connection  154
Working with IBM RACF connector  156
Creating an IBM RACF connection  157
Modifying an IBM RACF connection  157
Example of Mapping for Dataset Information  158
Create SQL Database and Table  158
Provisioning Datasets  158
Updating datasets  159
Deprovisioning datasets  160
Running TSO command  161
Working with MySQL database  162
Creating a MySQL database connection  163
Modifying an existing MySQL database connection  165
Working with an OLE DB-compliant relational database  167
Creating an OLE DB-compliant relational database connection  167
Modifying an existing OLE DB-compliant data source connection  168
Working with SharePoint  170
Creating a SharePoint connection  171
SharePoint data supported out of the box  171
Considerations for creating objects in SharePoint  221
Working with Microsoft Office 365  221
Creating a Microsoft Office 365 connection  222
Modifying a Microsoft Office 365 connection  224
Microsoft Office 365 data supported out of the box  225
Objects and attributes specific to Microsoft Office 365 services  318
How Microsoft Office 365 Connector works with data  319
Modern Authentication  320
Working with Microsoft Azure Active Directory  323
Creating a Microsoft Azure Active Directory connection  324
Modifying a Microsoft Azure Active Directory connection  326
Microsoft Azure Active Directory data supported out of the box  327
Working with SCIM  331
Creating a SCIM connection  332
Modifying a SCIM connection  334
Additional authentication parameters  334
Supported objects and operations  334
Using connectors installed remotely  335
Steps to install Synchronization Service and built-in connectors remotely  336
Creating a connection using a remotely installed connector  336
Creating a connection  337
Renaming a connection  337
Deleting a connection  338
Modifying synchronization scope for a connection  338
Using connection handlers  338
Specifying password synchronization settings for a connection  340
Synchronizing identity data  342
Getting started with identity data synchronization  342
Managing sync workflows  344
Creating a sync workflow  344
Running a sync workflow  344
Running a sync workflow manually  345
Running a sync workflow on a recurring schedule  345
Disabling a sync workflow run schedule  346
Renaming a sync workflow  346
Deleting a sync workflow  346
Managing sync workflow steps  347
Adding a creating step  347
Creating an updating step  349
Creating a deprovisioning step  350
Modifying a step  351
General Options tab  352
Source tab  352
Target tab  353
Creation Rules tab  353
Deprovisioning Rules tab  354
Updating Rules tab  354
Step Handlers tab  355
Deleting a step  355
Changing the order of steps in a sync workflow  356
Generating object names by using rules  356
Modifying attribute values by using rules  358
Configuring a forward sync rule  358
Configuring a reverse sync rule  360
Configuring a merge sync rule  361
Using value generation rules  362
Configuring a rule entry  363
Using sync workflow step handlers  364
Example: Synchronizing group memberships  365
Example: Synchronizing multivalued attributes  365
Using sync workflow alerts  366
Creating or editing a sync workflow alert  367
Deleting a sync workflow alert  368
Managing outgoing mail profiles  368
Mapping objects  370
About mapping objects  370
Steps to map objects  372
Step 1: Create mapping pairs  372
Step 2: Create mapping rules  372
Step 3 (optional): Change scope for mapping rules  373
Step 4: Run map operation  374
Steps to unmap objects  375
Automated password synchronization  377
About automated password synchronization  377
Steps to automate password synchronization  378
Managing Capture Agent  379
Installing Capture Agent manually  380
Using Group Policy to install Capture Agent  381
Uninstalling Capture Agent  382
Managing password sync rules  383
Creating a password sync rule  383
Deleting a password sync rule  385
Modifying settings of a password sync rule  385
Fine-tuning automated password synchronization  386
Configuring Capture Agent  386
Step 1: Create and link a Group Policy object  388
Step 2: Add administrative template to Group Policy object  388
Step 3: Use Group Policy object to modify Capture Agent settings  388
Configuring Synchronization Service  389
Specifying a custom certificate for encrypting password sync traffic  390
Step 1: Obtain and install a certificate  391
Step 2: Export custom certificate to a file  392
Step 3: Import certificate into certificates store  392
Step 4: Copy certificate’s thumbprint  393
Step 5: Provide certificate’s thumbprint to Capture Agent  393
Step 6: Provide certificate’s thumbprint to Synchronization Service  394
Using PowerShell scripts with password synchronization  395
Example of a PowerShell script run after password synchronization  395
Synchronization history  396
About synchronization history  396
Viewing sync workflow history  397
Viewing mapping history  398
Searching synchronization history  399
Cleaning up synchronization history  399
Scenarios of use  401
About scenarios  401
Scenario 1: Create users from a .csv file to an Active Directory domain  402
Step 1: Create a sync workflow  403
Step 2: Add a creating step  403
Step 3: Run the configured creating step  405
Step 4: Commit changes to Active Directory  405
Scenario 2: Use a .csv file to update user accounts in an Active Directory domain  406
Step 1: Create an updating step  406
Step 2: Run the created updating step  407
Step 3: Commit changes to Active Directory  407
Scenario 3: Synchronizing data between One Identity Manager Custom Target Systems and an Active Directory domain  408
Step 1: Create connection to One Identity Manager  409
Step 2: Configure One Identity Manager modules, Custom Target System and Container Information  409
Step 3: Create Workflow for Provisioning  410
Step 4: Create Provisioning  410
Step 5: Specify the synchronization rules  410
Step 6: Execute Workflow  411
Step 7: Commit changes to One Identity Manager  411
Step 8: Verify on One Identity Manager  411
Scenario 4: Deprovisioning between One Identity Manager Custom Target Systems and an Active Directory domain  412
Scenario 5: Provisioning of Groups between One Identity Manager Custom Target Systems and an Active Directory domain  413
Scenario 6: Enabling Delta Sync mode between One Identity Manager Custom Target Systems and an Active Directory domain  414
Appendix A: Developing PowerShell scripts for attribute synchronization rules  416
Accessing source and target objects using built-in hash tables  416
Example script  417
Appendix B: Using a PowerShell script to transform passwords  419
Accessing source object password  419
Example script  419
About us  421
Contacting us  421
Technical support resources  421

Active Roles 7.5 Synchronization Service Administration Guide  3

1 Synchronization Service Overview

- About Synchronization Service
- Features and benefits
- Technical overview

About Synchronization Service

Within the same organization, identity information can be stored in many different data systems, such as directories, databases, or formatted dump files. Managing identity information and keeping it synchronized between these data systems can cost administrators a considerable amount of time and effort. On top of that, performing data synchronization tasks manually is error-prone and can lead to duplicated information and incompatible data formats.

With Synchronization Service, a component of Active Roles (formerly known as ActiveRoles), you can completely automate the synchronization of identity data between the data systems used in your enterprise environment.

Synchronization Service increases data management efficiency by allowing you to automate creation, deprovisioning, and update operations between the data systems you use. For example, when an employee joins or leaves the organization, the related information in the data systems managed by Synchronization Service is updated automatically, reducing your administrative workload and getting new users up and running faster.

The scripting capabilities provide a flexible way to automate day-to-day administration tasks and to integrate the administration of managed data systems with other business processes. By automating regular synchronization tasks, Synchronization Service allows administrators to concentrate on strategic issues, such as planning the directory, increasing enterprise security, and supporting business-critical applications.

To synchronize identity data between external data systems, you must connect Synchronization Service to these data systems through connectors. A connector enables Synchronization Service to access a specific data system and to read and synchronize data in that system according to your settings.

Out of the box, Synchronization Service includes a number of built-in connectors. The built-in connectors do not require any license file.

Features and benefits

Synchronization Service offers the following major features:

- Bidirectional synchronization
- Delta processing mode
- Synchronization of group membership
- Windows PowerShell scripting
- Attribute synchronization rules
- Rule-based generation of distinguished names
- Scheduling capabilities
- Extensibility

Bidirectional synchronization

Bidirectional synchronization lets you synchronize all changes to identity information between your data systems. Using this type of synchronization, you can proactively prevent potential conflicts between the identity information held in different data sources.

Note that bidirectional synchronization is unavailable for some of the supported data systems. For details, refer to the sections about the supported data systems.

Delta processing mode

Delta processing mode lets you synchronize identities faster by processing only the data that has changed in the source and target connected systems since their last synchronization.

Both full mode and delta mode are available, so you can choose the method appropriate to each synchronization task.

Note that delta processing mode is unavailable for some of the supported data systems. For details, refer to the sections about the supported data systems.

Synchronization of group membership

Synchronization Service lets you ensure that group membership information is in sync across all connected data systems. For example, when creating a group object from an Active Directory domain in an AD LDS (ADAM) instance, you can configure rules to synchronize the Member attribute from the Active Directory domain to the AD LDS (ADAM) instance.

Windows PowerShell scripting

The Management Shell component of Synchronization Service is an automation and scripting shell that provides a command-line management interface for synchronizing data between connected systems via Synchronization Service.

The Management Shell is implemented as a Windows PowerShell snap-in that extends the standard Windows PowerShell functionality. The cmdlets provided by the Management Shell conform to the Windows PowerShell standards and are fully compatible with the default command-line tools that come with Windows PowerShell.

The Management Shell lets administrators perform attribute or password synchronization operations by using Windows PowerShell scripts. For example, you can compose and run a Windows PowerShell script that assigns values to the target object attributes using the values of the source object attributes. For more information, see Appendix B: Using a PowerShell script to transform passwords.

Attribute synchronization rules

With Synchronization Service, you can create and configure synchronization rules to generate values of target object attributes. These rules support the following types of synchronization:

- Direct synchronization. Assigns the value of a source object attribute to the target object attribute you specify.
- Script-based synchronization. Allows you to use a Windows PowerShell script to generate the target object attribute value.
- Rule-based synchronization. Allows you to create and use rules to generate the target object attribute value you want.

Rule-based generation of distinguished names

Synchronization Service lets you create flexible rules for generating the distinguished names (DNs) of objects being created. These rules allow you to ensure that created objects are named in full compliance with the naming conventions existing in your organization.

Scheduling capabilities

You can schedule the execution of data synchronization operations and perform them automatically on a regular basis to satisfy your company’s policy and save time and effort.

Extensibility

To access external data systems, Synchronization Service employs special connectors. A connector enables Synchronization Service to read and synchronize the identity data contained in a particular data system. Out of the box, Synchronization Service includes connectors that allow you to connect to the following data systems:

- Microsoft Active Directory Domain Services
- Microsoft Active Directory Lightweight Directory Services
- Microsoft Exchange Server
- Microsoft Skype for Business Server
- Microsoft Azure Active Directory
- Microsoft Office 365
- Microsoft SQL Server
- Microsoft SharePoint
- Active Roles version 7.4.x, 7.3, 7.2, 7.1, 7.0, or 6.9
- One Identity Manager version 8.1, 8.0, or 7.0
- Data sources accessible through an OLE DB provider
- Delimited text files
- Generic LDAP Directory service
- MySQL Database
- OpenLDAP Directory service
- Salesforce
- ServiceNow
- IBM DB2 Database
- IBM RACF Connector
- IBM AS/400 Connector
- Oracle Database connector
- Oracle Database User Accounts connector

- Micro Focus NetIQ Directory connector
- Oracle Unified Directory connector

Azure Backsync Configuration

In a hybrid environment, on-premises Active Directory objects are synchronized to Azure AD by some means such as Azure AD Connect. When Active Roles is deployed in such a hybrid environment, information about the existing users and groups, such as the Azure objectID, must be synchronized back from Azure AD to on-premises AD to continue using the functionality. To synchronize existing AD users and groups from Azure AD to Active Roles, you must use the back-synchronization operation.

Back synchronization is performed by leveraging the existing functionality of Active Roles Synchronization Service. Synchronization workflows are configured to identify the unique Azure AD users or groups and map them to the on-premises AD users or groups. After the back-synchronization operation is completed, Active Roles displays the configured Azure attributes for the synchronized objects.

The Azure Backsync Configuration feature allows you to configure the backsync operation between Azure and on-premises Active Directory objects through the Synchronization Service Web interface. The required connections, mappings, and sync workflow steps are created automatically.

When you configure the back-synchronization, the Azure App registration is done automatically with the default app ActiveRoles AutocreatedAzureBackSyncApp V2.

NOTE:

- In case of an application not found error, try the configure back-synchronization operation again after some time, since the Azure App synchronization may take some time.
- If you use the existing back-synchronization configuration settings, then the existing default app ActiveRoles AutocreatedAzureBackSyncApp is used to run the back-synchronization workflow. However, it is recommended to use the default app ActiveRoles AutocreatedAzureBackSyncApp V2, since it requires reduced administrator privileges. To use the latest Azure App, configure the back-synchronization again. For information on configuring the back-synchronization, see Step 3: Configuring Azure BackSync.
- For the back-synchronization to work as expected, the user in ARS must have write permissions for edsvaAzureOffice365Enabled, edsaAzureContactObjectId, edsvaAzureObjectID, and edsvaAzureAssociatedTenantId. The user must also have local administrator privileges on the machine where the ARS Synchronization Service is running.

Technical overview

The following illustration shows how Synchronization Service synchronizes data between connected data systems.

Figure 1: Synchronization of data between connected systems

Synchronization Service uses Capture Agents, connected data systems, connectors, connections, and sync workflows to synchronize identity data.

Synchronization Service

Synchronization Service performs data synchronization operations and includes the Administration Console, which provides a graphical user interface for managing connections to data systems and data synchronization operations.

Capture Agent

Synchronization Service Capture Agent allows you to synchronize user passwords between Active Directory domains managed by Synchronization Service and other connected data systems. The following diagram shows how the Password Synchronization feature of Synchronization Service works:

Figure 2: Password synchronization

Capture Agent tracks changes to user passwords in the source Active Directory domain and provides that information to Synchronization Service, which in turn synchronizes the changes with target connected data systems by using the password synchronization rules you specified. To synchronize passwords, you need to install Capture Agent on each domain controller in the Active Directory domain you want to use as a source for the password synchronization operations.

Connectors and connected data systems

Synchronization Service lets you synchronize identity information between a wide variety of external data systems. To synchronize identities, you must connect Synchronization Service to your data systems through special connectors. A connector enables Synchronization Service to access a specific data system and read and synchronize identity data in that system.

Out of the box, Synchronization Service supports the following data systems:

- Microsoft Active Directory Domain Services
- Microsoft Active Directory Lightweight Directory Services
- Microsoft Exchange Server
- Microsoft Skype for Business Server
- Microsoft Azure Active Directory
- Microsoft Office 365
- Microsoft SQL Server
- Microsoft SharePoint
- Active Roles version 7.4.x, 7.3, 7.2, 7.1, 7.0, or 6.9

- One Identity Manager version 7.0 (D1IM 7.0)
- One Identity Manager version 8.1 or 8.0
- Data sources accessible through an OLE DB provider
- Delimited text files
- Generic LDAP Directory service
- MySQL Database
- OpenLDAP Directory service
- Salesforce
- ServiceNow
- IBM DB2 Database
- IBM RACF Connector
- Oracle Database connector
- Oracle Database User Accounts connector
- Micro Focus NetIQ Directory connector
- Oracle Unified Directory connector
- IBM AS/400

Synchronization workflows and steps

A synchronization workflow (sync workflow) is a set of synchronization steps (or synchronization operations) that define how to synchronize objects between two connected data systems. A sync workflow can comprise one or more synchronization steps. You can use the Administration Console, a component of Synchronization Service, to configure as many sync workflows as needed.

You can configure a synchronization step to perform one of the following operations:

- Creation. Creates objects in the target connected data systems based on the changes made to specific objects in the source connected system. When creating a new object, Synchronization Service assigns initial values to the object attributes based on the attribute population rules you have configured.
- Update. Changes the attributes of objects in the target connected data systems based on the changes made to specific objects in the source connected system. To define the objects that will participate in the update operation, you can use object mapping rules. For more information, see Mapping objects.
- Deprovision. Modifies or removes objects in the target connected data systems after their counterparts have been disconnected from the source connected system. Synchronization Service can be configured to remove objects permanently or to change them to a specific state.
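The following Python model is an added example and is not code from this guide or from One Identity; it ties together the concepts of this chapter (mapping objects on a key attribute, direct and script-based attribute synchronization rules, rule-based DN generation, delta processing mode, and the creating, updating and deprovisioning steps of a sync workflow) over constructed sample records. Every name, rule and data value in it is an assumption made for illustration, as is the way delta mode is modelled; it does not describe how Synchronization Service implements these features internally.

```python
"""Toy model of one sync workflow run: object mapping, attribute synchronization
rules, rule-based DN generation, and the creating/updating/deprovisioning steps
in full and delta mode. Added example; not Synchronization Service code."""
from datetime import datetime

# Constructed sample data (not real directory content). The source plays the role
# of an HR feed (for example a delimited text file), the target a directory.
# Objects on both sides are assumed to be mapped on the employeeID attribute.
SOURCE = {
    "1001": {"employeeID": "1001", "givenName": "Ada", "sn": "Lovelace",
             "dept": "Eng", "modified": datetime(2021, 11, 2)},
    "1002": {"employeeID": "1002", "givenName": "Alan", "sn": "Turing",
             "dept": "Research", "modified": datetime(2021, 10, 1)},
    "1004": {"employeeID": "1004", "givenName": "Grace", "sn": "Hopper",
             "dept": "Eng", "modified": datetime(2021, 11, 5)},
}
TARGET = {
    "1001": {"employeeID": "1001", "givenName": "Ada", "sn": "Lovelace",
             "department": "Eng", "displayName": "Lovelace, Ada", "enabled": True},
    "1002": {"employeeID": "1002", "givenName": "Alan", "sn": "Turing",
             "department": "Ops", "displayName": "Turing, Alan", "enabled": True},
    "1003": {"employeeID": "1003", "givenName": "Former", "sn": "Employee",
             "department": "Ops", "displayName": "Employee, Former", "enabled": True},
}
# Constructed timestamp of the previous run, used to demonstrate delta mode.
LAST_RUN = datetime(2021, 10, 15)

# Attribute synchronization rules: target attribute -> function of the source object.
# Direct rules copy a source attribute; the displayName rule stands in for a
# script-based rule that computes a value.
RULES = {
    "givenName": lambda s: s["givenName"],                    # direct
    "sn": lambda s: s["sn"],                                  # direct
    "department": lambda s: s["dept"],                        # direct, renamed attribute
    "displayName": lambda s: f"{s['sn']}, {s['givenName']}",  # script-based
}

# Rule-based DN generation: naming convention assumed for this example only.
OU_BY_DEPT = {"Eng": "OU=Engineering,DC=example,DC=com",
              "Research": "OU=Research,DC=example,DC=com"}


def generate_dn(src):
    """Build the DN of a new object from a naming rule over source attributes."""
    ou = OU_BY_DEPT.get(src["dept"], "OU=Users,DC=example,DC=com")
    return f"CN={src['sn']} {src['givenName']},{ou}"


def apply_rules(src):
    """Evaluate every attribute rule against one source object."""
    return {attr: rule(src) for attr, rule in RULES.items()}


def plan_sync(source, target, last_run=None):
    """Return the operations one workflow run would perform, as
    (step, employeeID, changes) tuples.

    With last_run set (delta mode) the creating and updating steps only look at
    source objects modified after that timestamp; deprovisioning always compares
    the full mapped sets, because a removed source object carries no timestamp.
    That split is an assumption of this model, not documented product behaviour.
    """
    ops = []
    changed = {k: v for k, v in source.items()
               if last_run is None or v["modified"] > last_run}
    for key, src in sorted(changed.items()):
        desired = apply_rules(src)
        if key not in target:
            # Creating step: initial values come from the rules plus the DN rule.
            ops.append(("create", key, {"dn": generate_dn(src), **desired}))
        else:
            # Updating step: only attributes whose value actually differs.
            diff = {a: v for a, v in desired.items() if target[key].get(a) != v}
            if diff:
                ops.append(("update", key, diff))
    # Deprovisioning step: mapped target objects whose source counterpart is gone.
    # Here they are disabled (a "specific state") rather than deleted outright.
    for key in sorted(target):
        if key not in source:
            ops.append(("deprovision", key, {"enabled": False}))
    return ops


if __name__ == "__main__":
    for mode, last_run in (("full", None), ("delta", LAST_RUN)):
        print(f"--- {mode} mode ---")
        for step, key, changes in plan_sync(SOURCE, TARGET, last_run):
            print(step, key, changes)
```

Running it in full mode yields an update for 1002 (department changed in the source), a creation for 1004 with a DN built by the naming rule, and a deprovisioning of 1003, whose source record no longer exists. In delta mode with the constructed LAST_RUN, the 1002 update is not produced because that record's modification predates the last run; this is the trade-off behind the guide's remark that both full and delta mode are available. Deprovisioning by disabling rather than deleting keeps the target object (and its audit trail) while removing its access.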

2 Deploying Synchronization Service

- Deployment steps
- Upgrade from Quick Connect and Synchronization Service
- Communication ports

Deployment steps

Perform these steps to deploy Synchronization Service:

- Step 1: Install Synchronization Service
- Step 2: Configure Synchronization Service
- Step 3: Configuring Azure BackSync

Step 1: Install Synchronization Service

To install Synchronization Service

1. Make sure the system on which you wish to install Synchronization Service meets the system requirements provided in the Active Roles Release Notes.
2. From the Active Roles installation package, run the Setup.exe file to launch the Active Roles setup.
3. Follow the instructions in the setup wizard.
4. On the Component Selection page, select the Synchronization Service check box and click Next to install Synchronization Service, console, built-in connectors, and Management Shell. The console is a graphical user interface providing access to the Synchronization Service functionality. Synchronization Service manages data flows between connected data systems. Connectors enable Synchronization Service to access specific data systems to read and synchronize identity data.

   Management Shell is an automation and scripting shell that provides a command-line management interface for synchronizing data between external data systems via Synchronization Service. For more information, see Management Shell.
5. On the Ready to Install page, click Install.
6. Click Finish to exit the wizard.

To install S
