How Synchronization Situations Are Assessed

Reconciliation is performed in two phases:

  1. Source reconciliation accounts for source objects and associated links based on the configured mapping.

  2. Target reconciliation iterates over the target objects that were not processed in the first phase.

    For example, if a source object was deleted, the source reconciliation phase will not identify the target object that was previously linked to that source object. Instead, this orphaned target object is detected during the second phase.

Source Reconciliation

During source reconciliation and liveSync, Identity Cloud iterates through the objects in the source resource. For reconciliation, the list of objects includes all objects that are available through the connector. For liveSync, the list contains only changed objects. Identity Cloud can filter objects from the list by using the following:

  • Scripts specified in the validSource property

  • A query specified in the sourceCondition property

  • A query specified in the sourceQuery property

For each object in the list, Identity Cloud assesses the following conditions:

  1. Is the source object valid?

    Valid source objects are categorized qualifies=1. Invalid source objects are categorized qualifies=0. Invalid objects include objects that were filtered out by a validSource script or sourceCondition. For more information, see "Filter Source and Target Objects With Scripts".

  2. Does the source object have a record in the links table?

    Source objects that have a corresponding link in the repository's links table are categorized link=1. Source objects that do not have a corresponding link are categorized link=0.

  3. Does the source object have a corresponding valid target object?

    Source objects that have a corresponding object in the target resource are categorized target=1. Source objects that do not have a corresponding object in the target resource are categorized target=0.

The following diagram illustrates the categorization of four sample objects during source reconciliation. In this example, the source is the managed user repository and the target is an LDAP directory:

Object Categorization During the Source Synchronization Phase
Illustration shows how source objects are categorized during the source synchronization phase

Based on the categorizations of source objects during the source reconciliation phase, the synchronization process assesses a situation for each source object, and executes the action that is configured for each situation.

Not all situations are detected during all synchronization types (reconciliation, implicit synchronization, and liveSync). The following table describes the set of synchronization situations detected during source reconciliation, the default action taken for each situation, and valid alternative actions that can be configured for each situation:

Situations Detected During Reconciliation and Source Change Events
Source QualifiesLink ExistsTarget Objects FoundSituationDefault ActionPossible Actions
0SOURCE_IGNOREDIGNORE source objectEXCEPTION, REPORT, NOREPORT, ASYNC
1UNQUALIFIEDDELETE target objectEXCEPTION, IGNORE, REPORT, NOREPORT, ASYNC
> 1UNQUALIFIEDDELETE target objectsEXCEPTION, IGNORE, REPORT, NOREPORT, ASYNC
0UNQUALIFIEDDELETE linked target object [a] EXCEPTION, REPORT, NOREPORT, ASYNC
1UNQUALIFIEDDELETE linked target objectEXCEPTION, REPORT, NOREPORT, ASYNC
> 1UNQUALIFIEDDELETE linked target objectEXCEPTION, REPORT, NOREPORT, ASYNC
0ABSENTCREATE target objectEXCEPTION, IGNORE, REPORT, NOREPORT, ASYNC
1FOUNDUPDATE target objectEXCEPTION, IGNORE, REPORT, NOREPORT, ASYNC
1FOUND_ALREADY_LINKED [b] EXCEPTIONIGNORE, REPORT, NOREPORT, ASYNC
> 1AMBIGUOUS [c] EXCEPTIONREPORT, NOREPORT, ASYNC
0MISSING [d] EXCEPTIONCREATE, UNLINK, DELETE, IGNORE, REPORT, NOREPORT, ASYNC
1CONFIRMEDUPDATE target objectIGNORE, REPORT, NOREPORT, ASYNC

[a] In this case (and the two following cases), the DELETE action is applied to the linked target object and not necessarily to the target object(s) found by the correlation query. If the source is no longer valid and a link existed, the correlation logic is skipped.

[b] The source object qualifies for a target object and is not linked to an existing target object. There is a single target object that correlates with this source object, according to the logic in the correlation, but that target object is already linked to a different source object.

[c] The source object qualifies for a target object, is not linked to an existing target object, but there is more than one correlated target object (that is, more than one possible match on the target system).

[d] If the action is CREATE for the situation MISSING, the orphaned link associated with the source object is updated to point to the new target object. When a target object is deleted, the link from the target to the corresponding source object is not deleted automatically. This allows Identity Cloud to detect and report items that might have been removed without permission or might need review. If you need to remove the corresponding link when a target object is deleted, change the action to UNLINK to remove the link, or to DELETE to remove the target object and the link.


Based on this table, the following situations would be assigned to the previous diagram:

Situation Assignment During the Source Synchronization Phase
Illustration shows how situations are assigned, based on source object categorization

Target Reconciliation

During source reconciliation, the synchronization process cannot detect situations where no source object exists. In this case, the situation is detected during the second reconciliation phase, target reconciliation.

Target reconciliation iterates through the target objects that were not accounted for during source reconciliation. The process checks each object against the validTarget filter, determines the appropriate situation, and executes the action configured for the situation. Target reconciliation evaluates the following conditions:

  1. Is the target object valid?

    Valid target objects are categorized qualifies=1. Invalid target objects are categorized qualifies=0. Invalid objects include objects that were filtered out by a validTarget script. For more information, see "Filter Source and Target Objects With Scripts".

  2. Does the target object have a record in the links table?

    Target objects that have a corresponding link in the links table are categorized link=1. Target objects that do not have a corresponding link are categorized link=0.

  3. Does the target object have a corresponding source object?

    Target objects that have a corresponding object in the source resource are categorized source=1. Target objects that do not have a corresponding object in the source resource are categorized source=0.

The following diagram illustrates the categorization of three sample objects during target reconciliation:

Object Categorization During the Target Synchronization Phase
Illustration shows how target objects are categorized during the target synchronization phase

Based on the categorizations of target objects during the target reconciliation phase, a situation is assessed for each remaining target object. Not all situations are detected in all synchronization types. The following table describes the set of situations that can be detected during the target reconciliation phase:

Situations Detected During Target Reconciliation
Target QualifiesLink ExistsSource ExistsSource QualifiesSituationDefault ActionPossible Actions
n/an/an/aTARGET_IGNORED [a]IGNOREDELETE, UNLINK, REPORT, NOREPORT, ASYNC
n/aUNASSIGNEDEXCEPTIONIGNORE, REPORT, NOREPORT, ASYNC
CONFIRMEDUPDATE target objectIGNORE, REPORT, NOREPORT
UNQUALIFIED [b] DELETEUNLINK, EXCEPTION, IGNORE, REPORT, NOREPORT, ASYNC
n/aSOURCE_MISSING [c] EXCEPTIONDELETE, UNLINK, IGNORE, REPORT, NOREPORT, ASYNC

[a] During target reconciliation, the target becomes unqualified by the validTarget script.

[b] Detected during reconciliation and target change events

[c] Detected during reconciliation and target change events


Based on this table, the following situations would be assigned to the previous diagram:

Situation Assignment During the Target Synchronization Phase
Illustration shows how situations are assigned, based on target object categorization

Situations Specific to Implicit Synchronization and LiveSync

Certain situations occur only during implicit synchronization (when changes made in the repository are pushed out to external systems) and liveSync (when Identity Cloud polls external system change logs for changes and updates the repository).

The following table shows the situations that pertain only to implicit sync and liveSync, when records are deleted from the source or target resource.

Situations Detected During Target Reconciliation
Source QualifiesLink ExistsTargets Found [a] Targets QualifySituationDefault ActionPossible Actions
n/a0n/aLINK_ONLYEXCEPTIONIGNORE, REPORT, NOREPORT, ASYNC
n/a11SOURCE_MISSINGEXCEPTIONIGNORE, REPORT, NOREPORT, ASYNC
n/a10TARGET_IGNOREDIGNOREDELETE, UNLINK, EXCEPTION, REPORT, NOREPORT, ASYNC
n/a0n/aALL_GONEIGNOREEXCEPTION, REPORT, NOREPORT, ASYNC
0n/aALL_GONEIGNOREEXCEPTION, REPORT, NOREPORT, ASYNC
11UNASSIGNEDEXCEPTIONREPORT, NOREPORT
> 1> 1AMBIGUOUSEXCEPTIONIGNORE, REPORT, NOREPORT, ASYNC
0n/aALL_GONEIGNOREEXCEPTION, REPORT, NOREPORT, ASYNC
11TARGET_IGNOREDIGNORE target objectDELETE, UNLINK, EXCEPTION, REPORT, NOREPORT, ASYNC
> 1> 1UNQUALIFIEDDELETE target objectsEXCEPTION, IGNORE, REPORT, NOREPORT, ASYNC

[a] If no link exists for the source object, Identity Cloud executes any included correlation logic. If a link exists, correlation does not apply.


Read a different version of :