Identity Cloud

Provision an application

The topics in this section are for tenants created on or after January 12, 2023. Refer to Application management migration FAQ.

On the Applications page, use the Provisioning tab to set up provisioning and configure the following:

  • Details about the application.

  • Properties in the target application.

  • Data in the target application.

  • Mappings from Identity Cloud admin UI to the target application.

  • Rules that specify the actions to take when certain reconciliation events occur.

  • Reconciliation to ensure data is synchronized between Identity Cloud admin UI and the target application.

  • Schedules to run reconciliation of accounts.

You must register an application before you can use the Provisioning tab. Afterward, you can use the Provisioning tab to create and manage connections to a target system like Salesforce.

The object type determines the side tabs that display on the Provisioning tab. Use the object type drop-down list to select an object type, such as 'Group'. Afterward, you can configure properties in the different sub-tabs under the Provisioning tab.

ui workforce provisioning
Provisioning tab Description Related sections

Details

View and manage an application, including name, ID, and native type.

N/A

Properties

View and manage properties for the selected object type.

Data

View data about the selected object type.

Mapping

View and manage mappings from Identity Cloud admin UI properties to external system properties (outbound mappings) and from external system properties to Identity Cloud admin UI properties (inbound mappings).

Reconciliation

Preview inbound mappings between external systems and Identity Cloud admin UI, and reconcile the data between the two systems.

View and manage rules for the users and groups that use your application.

View and manage schedules for Full and Incremental reconciliation.

Provision settings for an application

While the application templates contain the same basic settings, some applications have specific settings that you must configure in the Provisioning tab. The following section lists these provisioner settings.

For information about accessing built-in connectors through the IDM admin UI (native console), refer to Connectors.

Active Directory

Details
  1. In Identity Cloud admin UI, on the Provisioning tab, click Set up Provisioning:

    • If setting up provisioning for the first time:

      1. If you have not configured a remote server, click New Connector Server and follow the steps to create a server.

      2. If you configured one remote server, it is automatically selected.

      3. If you configured multiple remote servers, choose a server.

    • When editing existing settings in the Connection area, click Settings.

  2. Configure the following fields:

    Field Description

    Host Name or IP

    The hostname or IP address for the Active Directory domain controller.

    Port

    The port for connecting to the Active Directory domain controller.

    Use SSL

    Enable to use SSL to connect to the Active Directory domain controller. The default value is 'true'.

    Login Account DN

    The distinguished name for the login account.

    Password

    The password for the login account.

    Base DNs for Active Directory users and groups

    The Base context for Active Directory users and groups.

  3. Click Show advanced settings.

  4. To filter users and groups:

    • To only connect a subset of users by applying a query filter based on user attributes, enable Filter users.

      • To apply a filter to users manually:

        1. Choose to assign to if All or Any conditions are met.

        2. Set the conditions for assigning filters.

        3. In the User Object Classes field, enter the names of object classes a user must have for inclusion.

      • To use a query to apply a filter to users:

        1. Click Advanced Editor.

        2. Edit the query code.

    • To only connect a subset of groups by applying a query filter based on user attributes, enable Filter groups.

      • To apply a filter to groups manually:

        1. Choose to assign to if All or Any conditions are met.

        2. Set the conditions for assigning filters.

      • To filter users and groups:

        1. Click Advanced Editor.

        2. Edit the query code.

  5. To use block-based LDAP controls, enable Use Block-based controls. The default value is 'True'.

  6. To use paged results control, enable Use Paged Results control. If Use Block-based controls is enabled, specifies the LDAP Paged Results control is preferred over the VLV control when retrieving entries. The default value is 'True'.

  7. To set the change log attribute in the change log entry, set the Change Number Attribute field. The default value is 'changeNumber'.

  8. To set the object classes that OpenIDM uses as filters when synchronizing, add classes to the Object Classes to synchronize field. The default value is 'user'.

  9. To set the sort attribute to use VLV indexes on the resource, set the Virtual List View (VLV) Sort Attribute field. The default value is 'sAMAccountName'.

  10. To set the name of the attribute that holds the password, set the Password Attribute field. The default value is 'unicodePwd'.

  11. To have the LDAP provisioner read the schema from the server, enable Read Schema. The default value is 'false'.

  12. To have OpenIDM modify group membership when entries are renamed or deleted, enable Maintain LDAP Group Membership. The default value is 'true'.

  13. To specify the group attribute to update with the DN of newly added users, set Group Member Attribute field. The default value is 'uniqueMember'.

  14. To specify the name of the attribute that maps to the OpenICF UID attribute, set UID Attribute field. The default value is 'entryUUID'.

  15. Click Connect.

  16. Verify the information in the Details tab.

AS400

AS400 is a mainframe on-premises computer and database that can store identity data. The AS400 application enables you to manage and synchronize users between AS400 and Identity Cloud. The application can only be a target application.

The following instructions assume you have access to an AS400 instance as an administrator.

Details
  1. Set up a remote connector server (RCS).

  2. Set up the AS400 connector with your RCS.

  3. In Identity Cloud admin UI, on the Provisioning tab:

    • If setting up provisioning for the first time, on the Provisioning tab, click Set up Provisioning.

    • When editing existing settings in the Connection area, click Settings.

  4. Configure the following fields:

    Field Description

    Host Name

    Host name or IP address of AS400.

    User Name

    The username to log in to AS400.

    Password

    The password to log in to AS400.

    Use SSL?

    Enable to use SSL to connect to the AS400 application. The default value is false.

    Maximum Connections (optional)

    The maximum number of connections.

    Maximum Lifetime (optional)

    The maximum time for an available connection to exist. The default value is 86400000 milliseconds.

    Maximum Inactivity (optional)

    The the maximum amount of inactive time before an available connection closes. The default value is 3600000 milliseconds.

    Maximum Use Time (optional)

    The maximum time a connection can be in use before it closes. The default value is -1 which indicates that there is no time limit.

    Maximum Use Count (optional)

    The maximum number of times a connection can be used before it is replaced in the pool. The default value is -1 which indicates that there is no limit.

    Is run Maintenance

    Indicates whether the maintenance thread is used to cleanup expired connections. The default is true.

    Is thread used

    Indicates whether threads are used in communication with the host servers and for running maintenance. The default is true.

    Cleanup Interval (optional)

    Specifies how often the maintenance daemon runs. The default value is 300000 milliseconds.

  5. Click Connect.

  6. Verify the information in the Details tab.

Azure AD

Details

This requires a Microsoft account and a Microsoft Azure application set up.

  1. Set up an Azure application.

  2. Click Certificates and Secrets > New Client Secret.

  3. Enter a description and choose an expiration date.

  4. Click Save.

  5. Copy your client secret.

  6. Click API Permissions.

  7. Select Add a permissions > MS Graph > Application Permissions.

  8. Use the search function to find and select the following 13 permissions:

    ui applications msgraphiap
  9. Click Add permissions.

  10. Click Grant admin consent for default directory.

  11. Copy the following values:

    • application (client) id

    • directory (tenant) id

    • client credentials/secret

  12. In Identity Cloud admin UI, on the Provisioning tab:

    • If setting up provisioning for the first time, on the Provisioning tab, click Set up Provisioning.

    • When editing existing settings in the Connection area, click Settings.

  13. Configure the following fields:

    Field Description

    Tenant

    The Azure AD tenant name or id.

    Client ID

    The client ID the connector uses during the OAuth 2.0 flow.

    Client Secret

    The client secret the connector uses during the OAuth 2.0 flow.

    Read Rate Limit

    Define throttling for read operations either per second ("30/sec") or per minute ("100/min").

    Write Rate Limit

    Define throttling for write operations (create/update/delete) either per second ("30/sec") or per minute ("100/min").

    Perform Hard Delete

    If true, the delete operation permanently deletes the Azure object.

    License Cache Expiry Time

    Defines the expiry time (in minutes) for cached license information; for example, service plan data. The default value is 60 minutes.

  14. Click Connect.

  15. Verify the information in the Details tab.

CSV File

Details
  1. In Identity Cloud admin UI, on the Provisioning tab, click Set up Provisioning:

    • If setting up provisioning for the first time:

      1. If you have not configured a remote server, click New Connector Server and follow the steps to create a server.

      2. If you configured one remote server, it is automatically selected.

      3. If you configured multiple remote servers, choose a server.

    • When editing existing settings in the Connection area, click Settings.

  2. Follow the steps on the Set up CSV modal.

  3. Click Next.

  4. Configure the following fields:

    Field Description

    CSV File

    The full file path to the CSV file that is the application data source. The path uses uses the file location format /opt/data/file.csv.

    UID Column

    The UID column name in the CSV file; the primary search key. The default value is 'uid'.

    Password Column

    The password column name in the CSV file; the primary search key. The default is 'password'.

  5. To configure advanced settings, click Show advanced settings.

  6. Configure the following fields:

    Field Description

    Quote Character

    The default value is ".

    Field Delimiter

    The default value is '.

    Newline String

    The default value is /n.

    Space Replacement String

    The default value is _.

    Sync Retention Count

    The default value is 3.

  7. Click Connect.

  8. Verify the information in the Details tab.

Database Table

Details
  1. In Identity Cloud admin UI, on the Provisioning tab, click Set up Provisioning:

    • If setting up provisioning for the first time:

      1. If you have not configured a remote server, click New Connector Server and follow the steps to create a server.

      2. If you configured one remote server, it is automatically selected.

      3. If you configured multiple remote servers, choose a server.

    • When editing existing settings in the Connection area, click Settings.

  2. Configure the following fields:

    Field Description

    JDBC Connection Url

    The URl for the JDBC database address that contains the table that you are provisioning. The format of the url depends on the type of database. For example, jdbc:mysql://localhost:3306/contractordb?serverTimezone=UTC or jdbc:oracle:thin:@//localhost:3306/contractordb. The address includes the name of the database you are connecting to.

    JDBC Driver

    The class name of the driver you are using to connect to a database. The name varies depending on the type of database you are using, such as oracle.jdbc.OracleDriver or com.mysql.jdbc.Driver.

    Username

    The username sent to the JDBC driver to establish a connection.

    Password

    The password sent to the JDBC driver to establish a connection.

    Table

    The name of the table in the JDBC database that contains the user accounts. The default is 'TABLE_NAME'.

    Key Column

    The column value that is the unique identifier for rows in the table. The default is 'KEY_COLUMN'.

  3. To set advanced settings, click Show advanced settings.

  4. Configure the following fields:

    Field Description

    Validate resources and passwords

    Enable to validate resources and passwords. After enabling this option, in the Password Column field, enter the name of the column in the table that holds the password values.

    Activate Sync ICF Interface

    Enable to poll for synchronization events, which are native changes to target objects. After enabling this option, in the Change Log Column field, enter the change log column that stores the latest change time.

    Allow empty string

    Enable to allow empty strings instead of null values, except for OracleSQL.

    Quote Database Column Names

    Enable to place specific quote characters around column names in the SQL that is generated to access the database. After enabling this option, in the Quote Characters field, enter the characters to use for quotes.

    Rethrow All SQL Exceptions

    Enable to show SQL Exceptions with code = 0. The default value is 'true'.

    Native Timestamps

    Enable to retrieve timestamp data.

    All Native

    Enable to retrieve in a database-native format.

    Validate Connection

    Enable to specify a SQL query used to validate connections. After enabling this option, in the Validation SQL Query (optional) field, enter the SQL query for validating connections.

    Validation Interval (ms)

    Enter the validation interval in milliseconds. The default value is 3000.

    Validation Connection Query Timeout (ms)

    Enter the validation connection query timeout in milliseconds. The default value is -1.

    Initial Pool size

    Enter the initial pool size. The default value is 10.

    Maximum Idle

    Enter the maximum idle time. The default value is 100.

    Minimum Idle

    Enter the minimum idle time. The default value is 10.

    Maximum Wait (ms)

    Enter the maximum wait time in milliseconds. The default value is 30000.

    Maximum Active

    Enter the maximum active time. The default value is 100.

    Maximum Age (ms)

    Enter the maximum age in milliseconds. The default value is 0.

    Minimum Evictable Idle Time (ms)

    Enter the minimum evictable idle time in milliseconds. The default value is 60000.

    Time Between Eviction Runs(ms)

    Enter the time between eviction checks in milliseconds. The default value is 5000.

    Test Connection When Idle

    Enable to test the connection when idle.

    Test Connection On Borrow

    Enable to test the connection on borrow.

  5. Click Connect.

  6. Verify the information in the Details tab.

Directory Services (DS)

Details
  1. In Identity Cloud admin UI, on the Provisioning tab, click Set up Provisioning:

    • If setting up provisioning for the first time:

      1. If you have not configured a remote server, click New Connector Server and follow the steps to create a server.

      2. If you configured one remote server, it is automatically selected.

      3. If you configured multiple remote servers, choose a server.

    • When editing existing settings in the Connection area, click Settings.

  2. Configure the following fields:

    Field Description

    Host Name or IP

    The hostname or IP address for the Directory Services domain controller.

    Port

    The port for connecting to the Directory Services domain controller.

    Use SSL

    Enable to use SSL to connect to the Directory Services domain controller.

    Login Account DN

    The distinguished name for the login account.

    Password

    The password for the login account.

    Base DNs for Directory Services users and groups

    The Base context for Directory Services users and groups.

  3. Click Show advanced settings.

  4. To filter users and groups:

    • To only connect a subset of users by applying a query filter based on user attributes, enable Filter users.

      • To apply a filter to users manually:

        1. Choose to assign to if All or Any conditions are met.

        2. Set the conditions for assigning filters.

        3. In the User Object Classes field, enter the names of object classes a user must have for inclusion.

      • To use a query to apply a filter to users:

        1. Click Advanced Editor.

        2. Edit the query code.

    • To only connect a subset of groups by applying a query filter based on user attributes, enable Filter groups.

      • To apply a filter to groups manually:

        1. Choose to assign to if All or Any conditions are met.

        2. Set the conditions for assigning filters.

      • To filter users and groups:

        1. Click Advanced Editor.

        2. Edit the query code.

  5. To use block-based LDAP controls, enable Use Block-based controls. The default value is 'True'.

  6. To use paged results control, enable Use Paged Results control. If Use Block-based controls is enabled, specifies the LDAP Paged Results control is preferred over the VLV control when retrieving entries. The default value is 'True'.

  7. To set the change log attribute in the change log entry, set the Change Number Attribute field. The default value is 'changeNumber'.

  8. To set the object classes that OpenIDM uses as filters when synchronizing, add classes to the Object Classes to synchronize field. The default value is 'inetOrgPerson'.

  9. To set the sort attribute to use VLV indexes on the resource, set the Virtual List View (VLV) Sort Attribute field. The default value is 'uid'.

  10. To set the name of the attribute that holds the password, set the Password Attribute field. The default value is 'userPassword'.

  11. To have the LDAP provisioner read the schema from the server, enable Read Schema. The default value is 'false'.

  12. To have OpenIDM modify group membership when entries are renamed or deleted, enable Maintain LDAP Group Membership. The default value is 'false'.

  13. To specify the group attribute to update with the DN of newly added users, set Group Member Attribute field. The default value is 'uniqueMember'.

  14. To specify the name of the attribute that maps to the OpenICF UID attribute, set UID Attribute field. The default value is 'entryUUID'.

  15. Click Connect.

  16. Verify the information in the Details tab.

Google Workspace

Details
  1. In Identity Cloud admin UI, on the Provisioning tab:

    • If setting up provisioning for the first time, click Set up Provisioning.

    • When editing existing settings in the Connection area, click Settings.

  2. Find and copy the Authorized Redirect URI.

  3. Log into https://console.cloud.google.com/.

  4. In credentials area of your project, enter the Authorized Redirect URI you copied in an earlier step.

  5. Save your work.

  6. Return to Identity Cloud admin UI.

  7. On the Provisioning tab, set the Client ID and Client Secret.

  8. Click Connect.

  9. When you are redirected to Google, log in using your admin credentials.

  10. On the next screen, click Allow. You are then redirected back to Identity Cloud admin UI.

  11. Verify the information in the Details tab.

LDAP

Details
  1. In Identity Cloud admin UI, on the Provisioning tab, click Set up Provisioning:

    • If setting up provisioning for the first time:

      1. If you have not configured a remote server, click New Connector Server and follow the steps to create a server.

      2. If you configured one remote server, it is automatically selected.

      3. If you configured multiple remote servers, choose a server.

    • When editing existing settings in the Connection area, click Settings.

  2. Configure the following fields:

    Field Description

    Host Name or IP

    The hostname or IP address for the LDAP domain controller.

    Port

    The port for connecting to the LDAP domain controller.

    Use SSL

    Enable to use SSL to connect to the LDAP domain controller.

    Login Account DN

    The distinguished name for the login account.

    Password

    The password for the login account.

    Base DNs for LDAP users and groups

    The Base context for LDAP users and groups.

  3. Click Show advanced settings.

  4. To filter users and groups:

    • To only connect a subset of users by applying a query filter based on user attributes, enable Filter users.

      • To apply a filter to users manually:

        1. Choose to assign to if All or Any conditions are met.

        2. Set the conditions for assigning filters.

        3. In the User Object Classes field, enter the names of object classes a user must have for inclusion.

      • To use a query to apply a filter to users:

        1. Click Advanced Editor.

        2. Edit the query code.

    • To only connect a subset of groups by applying a query filter based on user attributes, enable Filter groups.

      • To apply a filter to groups manually:

        1. Choose to assign to if All or Any conditions are met.

        2. Set the conditions for assigning filters.

      • To filter users and groups:

        1. Click Advanced Editor.

        2. Edit the query code.

  5. To use block-based LDAP controls, enable Use Block-based controls. The default value is 'false'.

  6. To use paged results control, enable Use Paged Results control. If Use Block-based controls is enabled, specifies the LDAP Paged Results control is preferred over the VLV control when retrieving entries. The default value is 'false'.

  7. To set the change log attribute in the change log entry, set the Change Number Attribute field. The default value is 'changeNumber'.

  8. To set the object classes that OpenIDM uses as filters when synchronizing, add classes to the Object Classes to synchronize field. The default value is 'inetOrgPerson'.

  9. To set the sort attribute to use VLV indexes on the resource, set the Virtual List View (VLV) Sort Attribute field. The default value is 'uid'.

  10. To set the name of the attribute that holds the password, set the Password Attribute field. The default value is 'userPassword'.

  11. To have the LDAP provisioner read the schema from the server, enable Read Schema. The default value is 'true'.

  12. To have OpenIDM modify group membership when entries are renamed or deleted, enable Maintain LDAP Group Membership. The default value is 'false'.

  13. To specify the group attribute to update with the DN of newly added users, set Group Member Attribute field. The default value is 'uniqueMember'.

  14. To specify the name of the attribute that maps to the OpenICF UID attribute, set UID Attribute field. The default value is 'entryUUID'.

  15. Click Connect.

  16. Verify the information in the Details tab.

PowerShell

You can use the PowerShell Connector Toolkit to create connectors that can provision any Microsoft system, including but not limited to Active Directory, Microsoft SQL, MS Exchange, SharePoint, Office365, and Azure. Any task performed with PowerShell can be executed through connectors based on this toolkit.

The PowerShell Connector Toolkit lets you develop connectors in PowerShell that address the requirements of your Microsoft Windows ecosystem. The framework is included with the .NET RCS server. Note that the framework itself is not a connector.

The Powershell Connector toolkit is built-in to the .NET RCS server.

Connectors created with the PowerShell Connector Toolkit run on the .NET platform and require the installation of a .NET connector server on the Windows system. To install the .NET connector server, refer to Sync identities.

The PowerShell connector combines a command-line shell and scripting language, built on the .NET Framework. For more information, refer to PowerShell Documentation.
Details
  1. In Identity Cloud admin UI, on the Provisioning tab:

  2. Configure the following fields:

    Field Description

    Active Directory Host

    The host name or IP address of the Active Directory server.

    Active Directory Port

    The port number on which the remote resource listens for connections.

    Login

    The user account in the remote resource that is used for the connection.

    Password

    The password of the user account that is used for the connection

    Authenticate Script

    The name of a script file that uses a custom PowerShell script to implement the ICF authenticate operation. The ICF authenticate operation lets an application authenticate an object on the target system, usually with a unique identifier (username) and a password.

    To reference a script, use the following format C:\path\to\script\script.ps1.

    Create Script

    The name of a script file that uses a custom PowerShell script to implement the ICF create operation. The ICF create operation lets an application create objects on the target system.

    To reference a script, use the following format C:\path\to\script\script.ps1.

    Delete Script

    The name of a script file that uses a custom PowerShell script to implement the ICF delete operation. The ICF delete operation lets an application delete objects on the target system.

    To reference a script, use the following format C:\path\to\script\script.ps1.

    Schema Script

    The name of a script file that uses a custom PowerShell script to implement the ICF schema operation. The ICF schema operation lets an application describe the types of objects that it can handle on the target system and the operations and options that the connector supports foreach object type.

    To reference a script, use the following format C:\path\to\script\script.ps1.

    Search Script

    The name of a script file that uses a custom PowerShell script to implement the ICF search operation. The ICF search operation lets an application search for objects on the target system.

    To reference a script, use the following format C:\path\to\script\script.ps1.

    Sync Script

    The name of a script file that uses a custom PowerShell script to implement the ICF sync operation. The ICF sync operation lets an application poll the target system for synchronization events created by changes to target objects.

    To reference a script, use the following format C:\path\to\script\script.ps1.

    Test Script

    The name of a script file that uses a custom PowerShell script to implement the ICF test operation. The ICF test operation lets an application test the connector configuration against the target system.

    To reference a script, use the following format C:\path\to\script\script.ps1.

    Update Script

    The name of a script file that uses a custom PowerShell script to implement the ICF update operation. The ICF update operation lets an application update (modify or replace) objects on the target system.

    To reference a script, use the following format C:\path\to\script\script.ps1.

    UID attribute name

    The attribute on the resource that contains the object UID.

    NAME attribute name

    The attribute on the resource that contains the object NAME.

    Substitute UID and NAME in query filter

    Enable if the UID and NAME should be replaced by the value defined in the NameAttributeName and UidAttributeName in the query filter.

  3. To set advanced settings, click Show advanced settings.

  4. Configure the following fields:

    Field Description

    Variables Prefix

    To avoid variable namespace conflicts, define a prefix for script variables. All variables are injected into the script under that prefix and can be used with the dotted notation. The default value is Connector.

    Query Filter Type

    To define the format used when injecting the query into the connector, set a query filter type by clicking one of the following:

    • Map - The query filter is a map.

    • Ldap - The query filter is in LDAP search format, for example, (cn=Joe).

    • Native - The query filter is a native OpenICF query filter.

    • AdPsModule - The query filter is compatible with the Active Directory PowerShell module, Get-ADUser Filter.

    Reload script on execution

    To reload the script from disk every time the connector executes the script, enable this setting. This can be useful for debugging. In production, disable this setting.

    Use Interpreter’s Pool

    To leverage the PowerShell RunSpace Pool, enable this setting.

    Min interpreter pool size

    The minimum size of the interpreter pool. The default value is 1.

    Max interpreter pool size

    The maximum size of the interpreter pool. The default value is 5.

    Pool cleanup interval

    To specify the interval (in minutes) to discard unused interpreter instances. To avoid cleaning up unused interpreter instances, set this property to 0. The default value is 60.

    PS Modules to Import

    An array of additional PowerShell modules that must be imported

    Custom Properties

    An array of Strings that define custom configuration properties. Each property uses the format name=value.

  5. Click Connect.

  6. Verify the information in the Details tab.

Salesforce application template or Salesforce Community User application template

You can use a Salesforce application template or a Salesforce Community User application template to provision, reconcile, and synchronize Salesforce, Salesforce Portal, and Salesforce Community accounts.

Details
  1. In Identity Cloud admin UI, go to the Provisioning tab.

  2. On the Provisioning tab, click Set up Provisioning.

  3. In the Callback URI field, copy the callback URI.

  4. In another browser, log in to https://login.salesforce.com/.

  5. In platform tools, go to the app manager.

  6. Create a new connected app button.

  7. Configure the following settings:

    • Connected App Name

    • API Name

    • Contact email

    • Custom

  8. (Custom environment only) Enter the Login URL for the application.

  9. Enter the Consumer Key.

  10. Enter the Consumer Secret.

  11. Click Connect. You are redirected to Salesforce.

  12. Log in to Salesforce. You are redirected to Identity Cloud.

  13. Verify the information in the Details tab.

SAP SuccessFactors Account or SAP SuccessFactors HR

The SAP SuccessFactors connectors let you synchronize SAP SuccessFactors users with Identity Cloud admin UI users.

Details
  • If setting up provisioning for the first time, on the Provisioning tab, click Set up Provisioning.

  • When editing existing settings in the Connection area, click Settings.

    1. Configure the following fields:

      Field Description

      Host

      The hostname or IP address for your SuccessFactors application.

      Client ID

      The client ID for your SuccessFactors application.

      User ID

      The user ID for your SuccessFactors application.

      Private Key

      The private key which is used for signing JWT.

      Company Id

      The company ID as present in the target application.

    2. Click Show advanced settings.

    3. Configure the following fields:

      Field Description

      Person Segments

      Enable to retrieve data based on person segments.

      Page Size

      The page size for the search operation.

      Maximum Connections

      The maximum allowed timeout for the connection (in seconds).

      Connection Timeout

      The connection timeout for the connection (in seconds).

      Use Proxy

      Enable to use a proxy server to connect to your SuccessFactors application.

      After you enable this option, set the following fields:

      • HTTP Proxy Host Name: The host name of the HTTP Proxy server.

      • HTTP Proxy Port: The port of the HTTP Proxy server.

      • HTTP Proxy Username: The username for logging into the HTTP Proxy server.

      • HTTP Proxy Password: The password for logging into the HTTP Proxy server.

    4. Click Connect.

    5. Verify the information in the Details tab.

SCIM

Details
  1. In Identity Cloud admin UI, on the Provisioning tab, click Set up Provisioning:

    • If setting up provisioning for the first time:

      1. If you have not configured a remote server, click New Connector Server and follow the steps to create a server.

      2. If you configured one remote server, it is automatically selected.

      3. If you configured multiple remote servers, choose a server.

    • When editing existing settings in the Connection area, click Settings.

  2. Configure the following fields:

    Field Description

    SCIM Endpoint

    The HTTP URL defining the root for the SCIM endpoint (https://myserver.com/service/scim).

    SCIM Protocol Version

    Choose version 1 or version 2. The default is 1.

    Authentication Method

    The method for authenticating on the remote server: BASIC, OAUTH, or TOKEN. The default is OAUTH.

  3. If you chose OAUTH, fill in the following fields:

    Field Description

    Token Endpoint

    The endpoint where a new access token is requested for OAuth 2.0.

    Client Id

    The secure client identifier for OAuth 2.0.

    Client Secret

    The secure client secret for OAuth 2.0.

    Scope

    The OAuth 2.0 scope to use.

    Grant Type

    The OAuth 2.0 grant type to use.

  4. If you chose BASIC, configure the following fields:

    Field Description

    User

    The username for SCIM.

    Password

    The password for SCIM.

  5. If you chose TOKEN, configure the following fields:

    Field Description

    Auth Token

    The auth token for SCIM.

  6. Fill out the following fields:

    Field Description

    Use TLS Mutual Authentication

    Select to use TLS Mutual Authentication.

    Maximum Connections

    The maximum size of the http connection pool. The default is 10 connections.

  7. If you selected Use TLS Mutual Authentication, configure the following fields:

    Field Description

    Client Certificate Alias

    The client certificate alias.

    Client Certificate Password

    The client certificate password.

  8. To configure advanced settings, click Show advanced settings.

  9. Configure the following settings:

    Field Description

    Disable Http Compression

    Content compression is enabled by default. Select this property to true to disable it.

    Use an HTTP Proxy

    Select to use an HTTP proxy.

    Connection Timeout

    Define a timeout (in seconds) for the underlying http connection. The default is 30 seconds.

    Debug/Test settings

    Enable for test environments. Don’t enable for production environments. After enabling the setting, configure the following fields:

    After you enable this option, set the following fields:

    • Accept Self Signed Certificates: Enable to accept self-signed certificates.

    • Disable Host Name Verifier: Enable to disable hostname verifiers.

    Read Schema

    Read/discover the schema from the SCIM endpoint. The default value is 'true'.

  10. Click Connect.

  11. Verify the information in the Details tab.

Scripted Groovy

The generic Groovy Connector Toolkit runs a Groovy script for any operation, such as search, update, create, and others, on any external resource. The Groovy Connector Toolkit is not a complete connector in the traditional sense. Rather, it is a framework you use to write your own Groovy scripts to address the requirements of your implementation. For more information, refer to Groovy Connector Toolkit.

Details
  1. In Identity Cloud admin UI, on the Provisioning tab:

  2. Configure the following fields:

    Field Description

    Script Base Class

    Base class name for scripts (must derive from Script).

    Script Roots

    The root folder that stores the scripts. If the value is null or empty, the classpath value is used.

    Custom Sensitive Configuration

    Custom Sensitive Configuration script for Groovy ConfigSlurper.

    Schema Script

    The name of a connector file that uses a custom Groovy script to implement the ICF schema operation. The ICF schema operation lets a connector describe the types of objects that it can handle on the target system and the operations and options that the connector supports foreach object type.

    Test Script

    The name of a connector file that uses a custom Groovy script to implement the ICF test operation. The ICF test operation lets a connector test the connector configuration against the target system.

    Create Script

    The name of a connector file that uses a custom Groovy script to implement the ICF create operation. The ICF create operation lets a connector create objects on the target system.

    Update Script

    The name of a connector file that uses a custom Groovy script to implement the ICF update operation. The ICF update operation lets a connector update (modify or replace) objects on the target system.

    Authenticate Script

    The name of a connector file that uses a custom Groovy script to implement the ICF authenticate operation. The ICF authenticate operation lets a connector authenticate an object on the target system, usually with a unique identifier (username) and a password.

    Delete Script

    The name of a connector file that uses a custom Groovy script to implement the ICF delete operation. The ICF delete operation lets a connector delete objects on the target system.

    Resolve Username Script

    The name of a connector file that uses a custom Groovy script to implement the ICF resolve username operation. The ICF resolve username operation lets a connector resolve an object to its UID, based on its username.

    Search Script

    The name of a connector file that uses a custom Groovy script to implement the ICF search operation. The ICF search operation lets a connector search for objects on the target system.

    Customizer Script

    The name of the file that lets you customize the Apache HTTP client connection pool, proxy, default headers, timeouts, and so on.

    Target Directory

    Directory into which to write classes.

  3. To set advanced settings, click Show advanced settings.

  4. Configure the following fields:

    Field Description

    Warning Level

    The warning level of the compiler. If not set, the default value is 1.

    Min. Recompilation Interval

    Sets the minimum amount of time after a script can be recompiled. If not set, the default value is 100.

    Custom Configuration

    Custom Configuration script for Groovy ConfigSlurper.

    Tolerance

    The error tolerance, which is the number of non-fatal errors (per unit) that should be tolerated before compilation is aborted. If not set, the default value is 10.

    Debug

    If true, debugging code should be activated.

    Classpath

    The classpath for use during compilation.

    Disabled Global AST Transformations

    Sets a list of global AST transformations which should not be loaded even if they are defined in META-INF/org.codehaus.groovy.transform.ASTTransformation files. By default, none are disabled.

    Verbose

    If true, the compiler should produce action information.

    Source Encoding

    The encoding for source files. If not set, the default value is UTF-8.

    Recompile Groovy Source

    If set to true, recompilation is enabled.

  5. Click Connect.

  6. Verify the information in the Details tab.

Scripted REST

The Scripted REST connector is an implementation of the Scripted Groovy Connector Toolkit. It uses Groovy scripts to interact with any REST API. This connector type lets you develop a fully functional REST-based connector for in-house or cloud-based application. For more information, refer to Scripted REST connector.

Details
  1. In Identity Cloud admin UI, on the Provisioning tab, click Set up Provisioning:

    • If setting up provisioning for the first time:

      1. If you have not configured a remote server, click New Connector Server and follow the steps to create a server.

      2. If you configured one remote server, it is automatically selected.

      3. If you configured multiple remote servers, choose a server.

    • When editing existing settings in the Connection area, click Settings.

  2. Configure the following fields:

    Field Description

    Service Address

    The service URI (example: http://myservice.com/api).

    Proxy Address

    he optional Proxy server URI (example: http://myproxy:8080).

    Username

    The remote user to authenticate with.

    Password

    The password to authenticate with.

    Default Content Type

    The default HTTP request content type. One of TEXT, XML, HTML, URLENC, BINARY, or JSON. If not set, the default value is JSON.

    Default Request Headers

    Placeholder for default HTTP request headers.

    Default Authentication Method

    The default authentication method for the connection. Specify BASIC or OAUTH. If not set, the default value is BASIC.

    If Default Authentication Method is set to OAUTH, configure the following fields:

    • Token Endpoint: When using OAuth 2.0, this property defines the endpoint where a new access token should be queried for (https://myserver.com/oauth2/token).

    • Client ID: The secure client identifier for OAuth 2.0.

    • Client Secret: The secure client secret for OAuth 2.0.

    • Refresh Token: The refresh token used to renew the access token for the refresh_token grant type.

    • Scopes: The optional scopes to use for OAuth 2.0.

    Grant Type

    The grant type to use. Specify CLIENT_CREDENTIALS, REFRESH_TOKEN, or AUTHORIZATION_CODE. If not set, the default value is CLIENT_CREDENTIALS.

    Custom Sensitive Configuration

    Custom Sensitive Configuration script for Groovy ConfigSlurper.

    Custom Configuration

    Custom Configuration script for Groovy ConfigSlurper.

    Script Roots

    The root folder that stores the scripts. If the value is null or empty, the classpath value is used.

    Authenticate Script

    The name of a connector file that uses a custom REST request to implement the ICF authenticate operation. The ICF authenticate operation lets a connector authenticate an object on the target system, usually with a unique identifier (username) and a password.

    Create Script

    The name of a connector file that uses a custom REST request to implement the ICF create operation. The ICF create operation lets a connector create objects on the target system.

    Update Script

    The name of a connector file that uses a custom REST request to implement the ICF update operation. The ICF update operation lets a connector update (modify or replace) objects on the target system.

    Delete Script

    The name of a connector file that uses a custom REST request to implement the ICF delete operation. The ICF delete operation lets a connector delete objects on the target system.

    Search Script

    The name of a connector file that uses a custom REST request to implement the ICF search operation. The ICF search operation lets a connector search for objects on the target system.

    Test Script

    The name of a connector file that uses a custom REST request to implement the ICF test operation. The ICF test operation lets a connector test the connector configuration against the target system.

    Sync Script

    The name of a connector file that uses a custom REST request to implement the ICF sync operation. The ICF sync operation lets a connector poll the target system for synchronization events created by changes to target objects.

    Schema Script

    The name of a connector file that uses a custom REST request to implement the ICF schema operation. The ICF schema operation lets a connector describe the types of objects that it can handle on the target system and the operations and options that the connector supports for each object type.

    Resolve Username Script

    The name of a connector file that uses a custom REST request to implement the ICF resolve username operation. The ICF resolve username operation lets a connector resolve an object to its UID, based on its username.

    Script On Resource

    The name of a connector file that uses a custom REST request to implement the ICF script on resource operation. The ICF script on resource operation lets a connector runs a script directly on the target resource.

    Customizer Script

    The name of the file that lets you customize the Apache HTTP client connection pool, proxy, default headers, timeouts, and so on.

  3. To set advanced settings, click Show advanced settings.

  4. Configure the following fields:

    Field Description

    Target Directory

    Directory into which to write classes.

    Warning Level

    The warning level of the compiler. If not set, the default value is 1.

    Recompilation Interval

    Sets the minimum of time after a script can be recompiled. If not set, the default value is 100.

    Script Base Class

    Base class name for scripts (must derive from Script).

    Tolerance

    The error tolerance, which is the number of non-fatal errors (per unit) that should be tolerated before compilation is aborted. If not set, the default value is 10.

    Debug

    If true, debugging code should be activated.

    Classpath

    The classpath for use during compilation.

    Disabled Global AST Transformations

    Sets a list of global AST transformations which should not be loaded even if they are defined in META-INF/org.codehaus.groovy.transform.ASTTransformation files. By default, none are disabled.

    Verbose

    If true, the compiler should produce action information.

    Source Encoding

    The encoding for source files. If not set, the default value is UTF-8.

    Recompile Groovy Source

    If set to true, recompilation is enabled.

  5. Click Connect.

  6. Verify the information in the Details tab.

Scripted Table

The Scripted SQL connector is an implementation of the Scripted Groovy Connector Toolkit. This connector lets you use Groovy scripts to interact with any SQL database. To use this connector, you must write a Groovy script for each operation that you want the connector to perform (create, read, update, delete, authenticate, and so on). For more information, refer to Scripted SQL connector.

Details
  1. In Identity Cloud admin UI, on the Provisioning tab, click Set up Provisioning:

    • If setting up provisioning for the first time:

      1. If you have not configured a remote server, click New Connector Server and follow the steps to create a server.

      2. If you configured one remote server, it is automatically selected.

      3. If you configured multiple remote servers, choose a server.

    • When editing existing settings in the Connection area, click Settings.

  2. Configure the following fields:

    Field Description

    User

    The connection username sent to the JDBC driver to establish a connection.

    Password

    The connection password sent to the JDBC driver to establish a connection.

    JDBC URL

    The URL for the JDBC driver.

    JDBC Driver

    The class name of the driver you are using to connect.

    Create Script

    The name of a connector file that uses a custom SQL command to implement the ICF create operation. The ICF create operation lets a connector create objects on the target system.

    Update Script

    The name of a connector file that uses a custom SQL command to implement the ICF update operation. The ICF update operation lets a connector update (modify or replace) objects on the target system.

    Delete Script

    The name of a connector file that uses a custom SQL command to implement the ICF delete operation. The ICF delete operation lets a connector delete objects on the target system.

    Search Script

    The name of a connector file that uses a custom SQL command to implement the ICF search operation. The ICF search operation lets a connector search for objects on the target system.

    Authenticate Script

    The name of a connector file that uses a custom SQL command to implement the ICF authenticate operation. The ICF authenticate operation lets a connector authenticate an object on the target system, usually with a unique identifier (username) and a password.

    Schema Script

    The name of a connector file that uses a custom SQL command to implement the ICF schema operation. The ICF schema operation lets a connector describe the types of objects that it can handle on the target system and the operations and options that the connector supports foreach object type.

    Sync Script

    The name of a connector file that uses a custom SQL command to implement the ICF sync operation. The ICF sync operation lets a connector poll the target system for synchronization events created by changes to target objects.

    Test Script

    The name of a connector file that uses a custom SQL command to implement the ICF test operation. The ICF test operation lets a connector test the connector configuration against the target system.

    Script Root(s)

    The root folder that stores the scripts. If the value is null or empty, the classpath value is used.

  3. To set advanced settings, click Show advanced settings.

  4. Configure the following fields:

    Field Description

    Validation Query

    The SQL query used to validate connections from this pool before returning them to the caller. If specified, this query does not have to return any data, it just can’t throw a SQLException. The default value is null. Example values are SELECT 1(mysql), select 1 from dual(oracle), and SELECT 1(MS Sql Server).

    Validation Interval

    To avoid excess validation, only run validation at most at this frequency - time in milliseconds. If a connection is due for validation, but has been validated previously within this interval, it will not be validated again. The default value is 30000 (30 seconds).

  5. Click Connect.

  6. Verify the information in the Details tab.

ServiceNow

Before you configure ServiceNow, refer to the Before you start section in ServiceNow connector.

Details
  1. In ServiceNow, create an OAuth API endpoint for external clients.

  2. Note your instance url, username, and password.

  3. After auto-generating your secret, copy the client id and client secret.

  4. In the connector configuration, you must include a ServiceNow user who has admin and rest_api_explorer roles.

    If you don’t want to assign the admin role to the ServiceNow user, you must ensure that the user has access to the following tables:

    • sys_user_has_role

    • sys_user_grmember

    • sys_user_delegate

    • sys_user_role

    • sys_user_group

    • core_company

    • cmn_department

    • cmn_cost_center

    • cmn_location

  5. In Identity Cloud admin UI, on the Provisioning tab:

    • If setting up provisioning for the first time, on the Provisioning tab, click Set up Provisioning.

    • When editing existing settings in the Connection area, click Settings.

  6. Configure the following settings:

    Field Description

    ServiceNow instance

    URL of the ServiceNow instance. For example, dev00000.service-now.com

    Username

    An API user in ServiceNow that can consume the REST API.

    Password

    Password for the end user.

    Client ID

    Client ID of the OAuth 2.0 application in ServiceNow.

    Client Secret

    Client Secret for the preceding Client ID.

  7. Click Connect.

  8. Verify the information in the Details tab.

Workday

Details
  1. In Identity Cloud admin UI, on the Provisioning tab:

    • If setting up provisioning for the first time, on the Provisioning tab, click Set up Provisioning.

    • When editing existing settings in the Connection area, click Settings.

  2. Make sure you have the requirements mentioned on the Connect to Workday page.

  3. Click Next.

  4. Configure the following fields:

    Field Description

    Workday Host Name

    The hostname of the Workday instance. For example, example.workday.net.

    Workday Tenant Name

    The Workday tenant that you are connecting to.

    Username

    The username for connecting to the Workday tenant.

    Password

    The password for connecting to the Workday tenant.

  5. To set advanced settings, click Show advanced settings.

  6. Configure the following fields:

    Field Description

    Enforce Connection Timeout

    Enable to set the timeout (in seconds) the application waits for a request to be sent to the Workday instance. After you enable this option, enter a value in the Connection Timeout (seconds) field.

    Enforce Receive Timeout

    Enable to set the timeout (in seconds) the application waits for a response from the Workday instance. After you enable this option, enter a value in the Receive Timeout (seconds) field.

    Use Proxy

    Enable to use an HTTP proxy server to connect to Workday. After you enable this option, set the following fields:

    • Proxy Host Name: The hostname for the proxy.

    • Proxy Port: The port for the proxy.

    Set Effective Date

    Enable to set an effective date or a duration during which access to Workday is granted. After you enable this option, set the Effective Date field. Valid values for the Effective Date field are X-Path function, XML Schema, or Duration. If set to Duration, the effective date is the current date + duration.

  7. Click Connect.

  8. Verify the information in the Details tab.

Manage application attributes

Properties are the application attributes that Identity Cloud creates automatically. You can use the Properties tab to view and modify the properties of an account object or group/organization identity that can access your application.

The tab displays the name, identity type, and other information such as multivalued or required, for a property.

Add or edit a property

  1. On the Properties tab, do one of the following:

    • To add a new property, click Add a Property.

    • To edit a property, double-click a property.

  2. In the Name drop-down field, select a property.

  3. In the Type drop-down field, select a property type.

  4. Set one or more of the following options:

    Field Description

    Multi-valued

    Make the property a multi-value property.

    Required

    Make the property a required property.

    User-specific

    Make the property specific to individual users and not roles. If you don’t check this option, the property appears in the role’s relationship page when you add a role to an application.

  5. Click Show advanced settings and set one or more of the following options:

    Field Description

    Creatable

    Make the property creatable.

    Readable

    Make the property readable. Required for the property to appear in the Users & Roles tab.

    Updatable

    Make the property updatable.

    Returned by default

    Set the property to be returned by default. Requires the Readable option to be checked.

    Enumerated Values

    A list of allowed values that constrain the values you can set for the property. Supported for string and array type properties.

    To define a list of values for this property:

    1. Beside the Values field, click the plus sign.

    2. In the text field, enter the unique identifier for the value.

    3. In the value field, enter the display text for the value.

    4. To add another value, click the plus sign, and repeat steps 2 and 3 above.

    5. To delete a value, click the negative sign beside a value.

  6. Click Save.

Set a property as user-specific

You can set a property to be for a specific user.

  1. On the Properties tab, click a property.

  2. Enable User-specific.

  3. Click Save.

Set the display order of a property

When you add a new user or role, you specify properties for the identity. You can set the display order of the properties.

  1. In the Provisioning page, under the application name and logo, click the drop-down arrow and select a user or role. For example, select User.

  2. On the Properties tab, to set the order of a property, drag and drop a property up or down to the desired location.

  3. To verify your changes, add a new user or role. For example, on the Users & Roles tab, select Users, and click + Assign Users.

  4. The modal should display the properties in the order that you set.

Delete a property

  1. On the Properties tab, to the right of the property, click the ellipsis (...).

  2. Click Delete.

You cannot undo the delete action.

View user access data

After you successfully connect to the target application, review the Data tab to verify the users and groups/organizations that have access to the application.

Customize columns

  1. In the upper right corner of the Data page, click the horizontal ladder icon.

  2. Select the column types to display.

  3. Click Apply.

End-user data sharing

Users who have accounts in target applications can share their data with other applications. After a preference to share data with other applications has been configured, data from the target applications is synchronized with Identity Cloud.

Configure end-user data sharing and synchronization

  1. In Identity Cloud admin UI, on the Provisioning tab, click the Privacy & Consent tab.

  2. To let end users prevent sharing of their personal data, under Consent-based Provisioning, click Activate.

  3. To only share the data of users that have set sharing preferences:

    1. In Identity Cloud admin UI, go to Hosted Pages and select Realm Default theme.

    2. Go to Account Pages and select Layout.

    3. Check the Consent option.

    4. Click Save. The end-user profile page now displays the Personal Data Sharing option.

    5. In Identity Cloud admin UI, on the Provisioning tab, click the Privacy & Consent tab.

    6. Under Preference-based Provisioning, choose one or more preferences. These are the preferences you set up for users.

Manage mappings

The Mapping tab lets you create identity object and attribute mappings between Identity Cloud and an external system application. You define mappings between a source and a target. The definition of source and target depend on the type of mapping:

Outbound mapping

Provision user attributes from Identity Cloud (source) to an external target application (target).

Inbound mapping

Reconcile user attributes from an external authoritative application (source) to Identity Cloud (target).

To avoid inconsistencies between systems, don’t update mappings while a provisioning or reconciliation is in progress.

Create or edit a mapping

  1. In the Identity Cloud admin UI, go to Applications, then select your application, then click the Provisioning tab.

  2. In the left navigation panel, click the Mapping tab.

    • If displayed, click Outbound (shown if your application is connected to external target application).

      1. Choose one of the following:

        • To create an outbound mapping:

          1. Click + Add a property to open a mapping configuration modal.

          2. In the drop-down list of targets, select an attribute to update in the external target application.

          3. Click Next.

        • To edit an outbound mapping:

          1. Click a mapping to open its mapping configuration modal.

      2. In the drop-down list of sources, select an Identity Cloud attribute to provide a source value. This step is optional if you intend to apply a transformation script and/or a default value.

    • If displayed, click Inbound (shown if your application is connected to an external authoritative application).

      1. Choose one of the following:

        • To create an inbound mapping:

          1. Click + Add a property to open a mapping configuration modal.

          2. In the drop-down list of targets, select an Identity Cloud attribute to update.

          3. Click Next.

        • To edit an inbound mapping:

          1. Click a mapping to open its mapping configuration modal.

      2. In the drop-down list of sources, select an attribute from the external authoritative application to provide a source value. This step is optional if you intend to apply a transformation script and/or a default value.

  3. (Optional) Apply a transformation script to the mapping.

  4. (Optional) Apply a conditional update to the mapping.

  5. (Optional) Apply a default value to the mapping.

  6. Click Save to save the mapping and close the mapping configuration modal.

Apply a transformation script to a mapping

You can apply a transformation script to a mapping to compute a target value using a combination of source values and string manipulations. For example, you may want to combine first name and last name attributes into a single name attribute.

  1. Refer to steps 1–4 in Create or edit a mapping.

  2. In the mapping configuration modal:

    1. Check Apply transformation script.

    2. Insert your transformation script into the Transformation Script editor. Refer to these examples:

    3. (Optional) To use custom global variables in the script, refer to Define custom global variables for a script.

    4. Click Save to save the mapping and close the mapping configuration modal.

Source object behavior

The source object in a transformation script changes depending on what you select from the drop-down list of sources:

  • If you select a source attribute, such as source.name, the source object represents just that attribute. For example, to access name.familyName you would reference source.familyName.

  • If you don’t select a source attribute, the source object represents the entire identity object and its attributes. For example, to access name.familyName you would reference source.name.familyName.

Transformation script example 1

source.name ? source.name.familyName : null ;

In this example, the script checks if a value exists for source.name. If it does, we know source.name is an object and familyName is one of the attributes on that object, so the script sets the field with the value of source.name.familyName. Otherwise, the script sets this field to null.

Transformation script example 2

source.givenName + ' ' + source.sn ;

In this example, the script sets the field to a combination of the given name and surname, with a space in the middle; for example, "Jane Fergus".

Transformation script example 3a

source.active ? 'active' : 'inactive';

In this example, the script checks if the source.active property has any value set. If true, the script sets this field to the string active. Otherwise, the script sets the field to inactive.

Transformation script example 3b

You can configure the previous script slightly differently if you prefer (as described in Source object behavior). If you select source.active from the drop-down list of sources, source.active is represented as source in the transformation script. So the transformation script would be:

source ? 'active' : 'inactive';

Apply a conditional update to a mapping

You can apply a conditional update to a mapping so that the target attribute is only updated when certain conditions evaluate to true.

  1. Refer to steps 1–4 in Create or edit a mapping.

  2. In the mapping configuration modal:

    1. Click Show advanced settings.

    2. Check Apply conditional update.

    3. Choose one of the following ways to conditionally update the attribute:

      • To use filter fields:

        1. Make sure Filter is selected.

        2. Use the fields to set the conditions that must occur to update the attribute.

          For example, if you want to update the attribute only for users in the United States, select "Country" from the list of attributes, select "is" from the list of operators, and enter "United States" in the open text field:

          mapping conditional update filter fields
      • To use a filter query:

        1. Make sure Filter is selected.

        2. Click Advanced Editor.

          If you build a filter with the filter fields, it is automatically populated as a query filter in the advanced editor.
        3. In the editor, edit the query filter.

          For example, if you want to update the attribute only for users in the United States, enter /object/country eq "United States":

          mapping conditional update filter query
      • To use a script:

        1. Click Script.

        2. In the Conditional Update Script field, modify the script that defines the condition.

          For example, if you want to update the attribute only for users in the United States, enter object.country == "United States":

          mapping conditional update script
        3. (Optional) To use custom global variables in the script, refer to Define custom global variables for a script.

    4. Click Save to save the mapping and close the mapping configuration modal.

Apply a default value to a mapping

You can apply a default value to a mapping. The default value is applied to a target attribute if the result of a mapping (including after any transformation script or conditional update) is a value of null.

  1. Refer to steps 1–4 in Create or edit a mapping.

  2. In the mapping configuration modal:

    1. Click Show advanced settings.

    2. Check Apply a default if value is null.

    3. Insert your default value into the editor.

    4. Click Save to save the mapping and close the mapping configuration modal window.

Define custom global variables for a script

  1. In the Transformation Script field or the Conditional Update Script field, click + Add Variables.

  2. To specify the variables in a JSON format, check the JSON toggle.

  3. To give the variable a name, enter a name in the Name field.

  4. To give the variable a value, enter a value in the Value field.

  5. To add more global variables for your script, click the plus sign and repeat the previous two steps.

  6. Click Save.

Preview an outbound mapping

Previewing provides an example of how user mapping appears from source to target.

  1. In the left navigation panel, click the Mapping tab, then click Outbound.

  2. Click Preview.

  3. In the drop-down list, choose an end user to preview. The page displays a preview of the target object that will be created when provisioning.

  4. Click Done.

Delete a mapping

  1. In the Identity Cloud admin UI, go to Applications, then select your application, then click the Provisioning tab.

  2. In the left navigation panel, click the Mapping tab.

    • If displayed, click Outbound (shown if your application is connected to external target application).

    • If displayed, click Inbound (shown if your application is connected to an external authoritative application).

  3. Click a mapping.

  4. Find the mapping you want to delete and click its ellipsis icon (more_horiz), then click Delete.

  5. In the Delete Mapping? modal, click Delete.

Reconcile and synchronize end-user accounts

A reconciliation operation involves a target system (the system with user account updates) and Identity Cloud admin UI (the system that receives the updates). For example, a Salesforce application and Identity Cloud admin UI. Mappings define the relationship between the target system and Identity Cloud admin UI.

The goal of reconciliation is to ensure synchronization and consistency between Identity Cloud admin UI and the external system application. Reconciliation uses the details you define in the Mappings tab to determine how to map and update properties.

Running reconciliation syncs end-user account changes (New accounts, updated accounts, deleted accounts) and user-associated non-account objects (like Groups) from an authoritative application to Identity Cloud. This is for an inbound mapping.

The Reconciliation tab prepares an application to run reconciliation jobs; however, to schedule full and incremental reconciliation, go to the Reconciliation > Reconcile > Schedules tab.

Preview associations

To discern how your data reconciles between an external system and Identity Cloud admin UI, you can preview associations before you run reconciliation.

On the Reconciliation > Reconcile tab, click Preview Associations.

Synchronize an identity

You can synchronize an identity in Identity Cloud with an identity that exists in a target system. To achieve this, Identity Cloud models the identity in the target system and makes it available for mapping as a series of objects and properties:

Account object

The account object represents the user entity in the target system. Examples of account object properties are name and email.

For example, in a Salesforce application, the account.email object property is mapped to mail in the Identity Cloud user identity.

Non-account object

Non-account objects represent entities linked to the user entity in the target system. Examples of non-account objects are roles, groups, departments, permissions, and licenses.

For example, in a Salesforce application, the group object property is mapped to the GroupIds field in the Identity Cloud user identity.

Each templated application in Identity Cloud contains an account object and may contain one or more non-account objects that are modelled specifically to the target system.

Manually set non-account objects for an account object

After you create certain connectors and run reconciliation, you can start mapping the account object to various non-account objects. These non-account objects are predefined. For more information about connectors with predefined non-account objects, refer to Connectors with predefined non-account objects.

However, connectors for non-authoritative applications, such as a Scripted REST connector, a Scripted Groovy connector, or a Scripted Table connector, don’t have predefined non-account objects. The reason is that these types of connectors can have different non-account objects. These non-account objects are nonpredefined objects.

For connectors for non-authoritative applications, you must manually select the non-account objects that map to specific properties for an account object.

  1. Select the Provisioning tab.

  2. Select the Properties tab.

  3. Edit a property.

  4. On the Edit Property screen, enable Constrain values for this property.

  5. On the Edit Property screen, enable Application Object Type.

  6. In the Select Object Type drop-down field, select a non-account object type to map to the current property.

  7. On the Edit Property screen, enable Entitlement.

  8. Click Save.

Connectors with predefined non-account objects

The following connectors have predefined non-account object types. After creating a connector that is listed in the table and running reconciliation, you can associate the account object in the second column with the non-account objects in the third column.

Connector Account object Predefined non account objects

Active Directory

ldapGroups

Group

Azure AD

  • __roles__

  • memberOf

  • __servicePlanIds__

  • Directory Role

  • Group

  • servicePlan

Google Workspace

  • __ROLES__

  • __GROUPS__

  • __LICENSE_ASSIGNMENTS__

  • Role

  • __GROUP__

  • __LICENSE_ASSIGNMENTS__

LDAP

ldapGroups

Group

Powershell

Dynamic

N/A

Salesforce

  • __PermissionSetIds__

  • __GroupIds__

  • Profile Id

  • UserRoleId

  • FeatureLicenses

  • Permission Set

  • Group

  • Profile

  • UserRole

  • FeatureLicense

SAP SuccessFactors

__GROUP__

Group

SCIM

groups

Group

Sripted Groovy

Dynamic

N/A

Scripted REST

Dynamic

N/A

Sripted SQL

Dynamic

N/A

ServiceNow

  • location

  • costcenter

  • company

  • department

  • group

  • roles

  • location

  • costcenter

  • company

  • department

  • group

  • role

Map target system object properties to Identity Cloud

To ensure all properties that are associated with a user account or role account synchronize during reconciliation, perform the following steps.

  1. If your connector is not predefined, perform the steps in Manually set non-account objects for an account object.

  2. Select the Provisioning tab.

  3. Click Mapping.

  4. Click Inbound.

  5. Follow steps 3 to 6 in Create or edit a mapping.

Run a reconciliation

Before you perform the following steps, to ensure you synchronize all information for the identity, map all relevant object properties with the identity.

  1. On the Reconciliation > Reconcile tab, click the ellipsis (…​) to the right of a mapping.

  2. Click Reconcile Identity.

  3. Verify the information on the page, and click Reconcile Identity.

  4. After the reconciliation process is complete, click Done.

View a report about the last reconciliation

You can view information about the last reconciliation, such as:

  • The percent of all accounts successfully reconciled.

  • Information about each reconciled account: mapping source, mapping target, attempted action, and the result of the reconciliation.

Before you perform the following steps, make sure you run reconciliation.

  1. On the Reconciliation > Settings tab, click Show advanced settings.

  2. To view a searchable table report of the last reconciliation results, set Persist Associations to true.

    • If set to true, the UI displays a reconciliation report table and a search field that lets you search the table. The table displays below the reconciliation percentage graphic and percentage bars.

    • If set to false, the UI does not display a reconciliation report table.
      To filter the report results, enter text in the Search users field.
      To view different subsets of the report (1-to-1 match / no match), click View and select an item from the drop-down list.

For large reconciliations jobs:
To avoid performance issues, ForgeRock recommends that you leave Persist Associations set to false.

Manage reconciliation schedules

The Schedules section of the Reconciliation > Settings tab lets you view and schedule reconciliation events for accounts or groups/organizations that have access to your application.

You can schedule two types of reconciliation:

  • Full Reconciliation: A process that completely synchronizes the source and target. This process usually happens once a week on a weekend or once a month but at longer intervals. The long intervals are because the synchronization process is very labor-intensive and can take a large amount of time depending on the reconciliation data.

  • Incremental Reconciliation: Also referred to as liveSync, incremental reconciliation is a process that only synchronizes the deltas between the source and target. You can run incremental reconciliation every few minutes to get new updates. For example, if you run an incremental reconciliation at 12:55 PM, then again at 2:00 PM, Identity Cloud admin UI only looks at the timeframe in between to update, create, or delete data if anything changes in the source or target. Depending on the application, a timestamp or change number is used to synchronize the delta.

You can edit existing schedules and activate or deactivate them.

Set up a full or incremental reconciliation schedule

The initial state of a schedule is inactive.

  1. On the Reconciliation > Settings tab, navigate to the Schedules section.

  2. Click an inactive schedule: Full Reconciliation or Incremental Reconciliation.

  3. Choose one of the following ways to edit the schedule:

    • Edit the fields on the Set up page and click Save Schedule.

    • To use a text editor to edit the schedule:

      1. Enable the Use cron toggle.

      2. Enter a valid cron string in the Frequency field.

      3. Click Save Schedule.

Deactivate a schedule

  1. On the Reconciliation > Settings tab, navigate to the Schedules section.

  2. Click an active schedule.

  3. Click Deactivate Schedule.

Manage reconciliation rules

You use rules to define the actions you want Identity Cloud to perform when certain events occur during reconciliation. For example, if reconciliation detects that an identity object exists in Identity Cloud but not in the target application, Identity Cloud creates an identity object in the target application and links it to a source object in Identity Cloud if both of the following are true:

  • Reconciliation detects that the identity object exists in Identity Cloud but not in the target application.

  • You select Identity Cloud to take the action CREATE.

Each rule has an action. Identity Cloud performs the action when a rule triggers an action to be performed on a record. Identity Cloud evaluates each record. When an event meets a rule condition, Identity Cloud performs the action you have defined for that rule.

The Situation Rules section of the Reconciliation > Settings tab displays the name and action of the rules for your application.

Situation (application) rules

Situation rule Description

Ambiguous

The source identity object matches multiple target identity objects based on the defined unique attribute. There must be a one-to-one link between a source and target identity object. can’t accurately make this link due to ambiguity.

Source Missing

For authoritative apps only.

The target identity object links to a missing source. This usually means the source identity object was deleted.

Missing

The source links to a missing target identity object. This usually means the target identity object was deleted.

Found Already Linked

The target identity object is linked to an old source object, usually deleted, and can’t be linked to the new source identity object. This usually the source identity object was deleted and tried to recreate the source object. On reconciliation, Identity Cloud identified that it already found a source and target identity object linked. For more information on Found Already Linked, refer to the knowledge base article How do I resolve the Found Already Linked situation in Identity Cloud?.

Unassigned

The reconciliation finds a valid target identity object with no link established. This usually means another reconciliation needs to happen to establish a link (if you set the action to Link).

Unqualified

The source identity object doesn’t qualify, but target identity objects were found.

Link Only

A link is found, but the target identity object is missing. Identity Cloud had a matching source and target with a link but can no longer find the target identity object.

Confirmed

The ideal situation for a record. The source and target identity objects both exist and a valid link between the two are present. This means the source and target both have a unique identifier that can only match one-to-one, and Identity Cloud established a link between the two.

Found

A valid source and target identity object match; however, there is no link between the two. On a subsequent reconcilation, Identity Cloud creates a link and the record moves from Found to the Confirmed rule.

Absent

The source identity object doesn’t find a target identity object. This usually means a new record was created on the source, and typically, the action is Create. This creates a target identity object and links the source and target identity object.

Rule action types

When a reconciliation determines the situation of a record, you must specify the action to be taken. There can only be one action per situation rule.

Action Description

Async

An asynchronous process has started. Don’t perform any action or generate any report.

Create

Create a target identity object and link the source and target.

Delete

Delete the target identity object and unlink the source and target.

Exception

Flag the link situation as an exception and log the incident.

Ignore

Don’t change the link or target object state.

Link

Create a link between the source and the correlated target identity object.

No Report

Don’t perform any action or generate any report.

Report

Don’t perform any action but report what would happen if the default action were performed.

Unlink

Unlink the linked target from the source.

Update

Update the target identity object and create a link between source and target.

Configure basic and advanced correlation between accounts

You can correlate the user accounts in an application to user accounts in Identity Cloud admin UI. This correlation is important because account attributes in the application may have different names than account attributes in Identity Cloud admin UI.

The Account Correlation section of the Reconciliation > Settings tab lets you choose the attribute(s) to use to match users in your application to users in Identity Cloud admin UI.

  1. On the Reconciliation > Settings tab, navigate to the Account Correlation section.

  2. Click Match using.

  3. In the Attribute(s) to Match drop-down list, choose the attribute(s) to use to match users in the target system to users in Identity Cloud admin UI.

  4. To use a query to set or edit match attributes, click Use advanced query.

    • For an authoritative application:

      1. Choose to correlate a user if any or all attributes are matched.

      2. Use the User property field to set the user property(s) to match.

    • For a target application:

      1. Edit the correlation query script.

  5. Click Save.

Manage reconciliation events

Event hooks allow you to set an action that occurs when a specific event happens.

The Event Hooks section of the Reconciliation > Settings tab lets you view and define event hooks for reconciliation events.

Add an event hook

  1. On the Reconciliation > Settings tab, navigate to the Event Hooks section.

  2. To the right of an event hook, click + Add.

  3. Edit the script for the event hook.

  4. Click Save or Save and Close.

Restrict reconciliation to specific identities

  1. On the Reconciliation > Settings tab, click Show advanced settings.

  2. Configure the following settings:

    • To restrict reconciliation to specific identities in an application by defining an explicit source query:

      1. Enable Filter Source.

      2. Choose to filter the source if Any or All conditions are met.

      3. Use the remaining fields to define the explicit source query. You can define the query using all the properties available in the target system.

    • To restrict reconciliation to specific identities in Identity Cloud by defining an explicit target query:

      1. Enable Filter Target.

      2. Choose to filter the target if Any or All conditions are met.

      3. Use the remaining fields to define the explicit target query. You can define the query using all the properties available in Identity Cloud.

    • To filter the application identities that are included in reconciliation using a script:

      1. Enable Valid Source Script.

      2. Edit the script.

    • To view a searchable table report of the last reconciliation results, set Persist Associations to true. For more information, refer to View a report about the last reconciliation.

    • To filter the Identity Cloud admin UI identities that are included in reconciliation using a script:

      1. Enable Valid Target Script.

      2. Edit the script.

    • To allow correlation of source objects to empty target objects, enable Correlate empty target objects.

    • To prefetch each link in the database before processing each source or target object, enable Prefetch Links.

    • To allow reconciliations from an empty source to delete all data in a target resource, enable Allow reconciliations from an Empty Source.

    • To tune performance by adjusting the number of concurrent threads dedicated to reconciliation, in the Threads Per Reconciliation field, enter the number of concurrent threads.

    • To set the synchronization token used for incremental inbound reconciliation, enter a value in the Sync Token field.

  3. Click Save.

Reset the last reconciliation job

You may need to reset the last reconciliation job if it failed or if it made a change you want to revert; for example, if the last reconciliation job added a new application user.

To reset the last reconciliation job, you must reset the sync token attribute. The sync token attribute stores the value of the last incremental reconciliation job that synced data inbound from a target system to Identity Cloud.

  1. In your target system, get or create the reset value for the sync token attribute. To understand how to do this, refer to the documentation provided by the vendor of your target system.

  2. In Identity Cloud admin UI, navigate to Applications > Provisioning > Reconciliation.

  3. Click the Settings tab.

  4. Scroll down and click Show advanced settings.

  5. In the Sync Token text field, enter a new value for the sync token attribute.

  6. Click Save.

Copyright © 2010-2024 ForgeRock, all rights reserved.