Identity Cloud

Provision an application

You can set up provisioning so that you can configure:

  • Details about the application.

  • Properties in the target application.

  • Data in the target application.

  • Mappings from Identity Cloud to the target application.

  • Rules that specify the actions to take when certain reconciliation events occur.

  • Reconciliation to ensure data is synchronized between Identity Cloud and the target application.

  • Schedules to run reconciliation of accounts.

You must register an application before you can use the Provisioning tab. Afterward, you can use the Provisioning tab to create and manage connections to a target system like Salesforce.

The object type determines the side tabs that display on the Provisioning tab. Use the object type drop-down list to select an object type, such as 'Group'. Afterward, you can configure properties in the different sub-tabs under the Provisioning tab.

Provision settings for an application

While the application templates contain the same basic settings, some applications have specific settings that you must configure in the Provisioning tab. The following section lists these provisioner settings.

Active Directory

Details
  1. In Identity Cloud, on the Provisioning tab:

  2. Configure the following fields:

    Field Description

    Host Name or IP

    The host name or IP address for the Active Directory domain controller.

    Port

    The port for connecting to the Active Directory domain controller.

    Use SSL

    Enable to use SSL to connect to the Active Directory domain controller. The default value is 'true'.

    Login Account DN

    The distinguished name for the login account.

    Password

    The password for the login account.

    Base DNs for Active Directory users and groups

    The Base context for Active Directory users and groups.

  3. Click Show advanced settings.

  4. To filter users and groups:

    • To only connect a subset of users by applying a query filter based on user attributes, enable Filter users.

      • To apply a filter to users manually:

        1. Choose to assign to if All or Any conditions are met.

        2. Set the conditions for assigning filters.

        3. In the User Object Classes field, enter the names of object classes a user must have for inclusion.

      • To use a query to apply a filter to users:

        1. Click Advanced Editor.

        2. Edit the query code.

    • To only connect a subset of groups by applying a query filter based on group attributes, enable Filter groups.

      • To apply a filter to groups manually:

        1. Choose to assign to if All or Any conditions are met.

        2. Set the conditions for assigning filters.

        3. In the Group Object Classes field, enter the names of object classes a group must have for inclusion.

      • To use a query to apply a filter to groups:

        1. Click Advanced Editor.

        2. Edit the query code.

  5. To use block-based LDAP controls, enable Use Block-based controls. The default value is 'True'.

  6. To use the paged results control, enable Use Paged Results control. If Use Block-based controls is enabled, this specifies that the LDAP Paged Results control is preferred over the VLV control when retrieving entries. The default value is 'True'.

  7. To set the change log attribute in the change log entry, set the Change Number Attribute field. The default value is 'changeNumber'.

  8. To set the object classes that OpenIDM uses as filters when synchronizing, add classes to the Object Classes to synchronize field. The default value is 'user'.

  9. To set the sort attribute to use VLV indexes on the resource, set the Virtual List View (VLV) Sort Attribute field. The default value is 'sAMAccountName'.

  10. To set the name of the attribute that holds the password, set the Password Attribute field. The default value is 'unicodePwd'.

  11. To have the LDAP provisioner read the schema from the server, enable Read Schema. The default value is 'false'.

  12. To have OpenIDM modify group membership when entries are renamed or deleted, enable Maintain LDAP Group Membership. The default value is 'true'.

  13. To specify the group attribute to update with the DN of newly added users, set the Group Member Attribute field. The default value is 'uniqueMember'.

  14. To specify the name of the attribute that maps to the OpenICF UID attribute, set the UID Attribute field. The default value is 'entryUUID'.

  15. Click Connect.

  16. Verify the information in the Details tab.

Azure AD

Details

This requires a Microsoft account and a Microsoft Azure application that has already been set up.

  1. Set up an Azure application.

  2. Click Certificates and Secrets > New Client Secret.

  3. Enter a description and choose an expiration date.

  4. Click Save.

  5. Copy your client secret.

  6. Click API Permissions.

  7. Select Add a permission > MS Graph > Application Permissions.

  8. Use the search function to find and select the following 13 permissions:

    [Screenshot: the 13 Microsoft Graph application permissions to select]

  9. Click Add permissions.

  10. Click Grant admin consent for default directory.

  11. Copy the following values:

    • application (client) id

    • directory (tenant) id

    • client credentials/secret

  12. In Identity Cloud, on the Provisioning tab:

    • If setting up provisioning for the first time, on the Provisioning tab, click Set up Provisioning.

    • If editing existing settings in the Connection area, click Settings.

  13. Configure the following fields:

    Field Description

    Tenant

    The Azure AD tenant name or ID.

    Client ID

    The client ID the connector uses during the OAuth 2.0 flow.

    Client Secret

    The client secret the connector uses during the OAuth 2.0 flow.

    Read Rate Limit

    Define throttling for read operations either per second ("30/sec") or per minute ("100/min").

    Write Rate Limit

    Define throttling for write operations (create/update/delete) either per second ("30/sec") or per minute ("100/min").

    Perform Hard Delete

    If true, the delete operation permanently deletes the Azure object.

  14. Click Connect.

  15. Verify the information in the Details tab.
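The Read Rate Limit and Write Rate Limit fields above accept a count per second ("30/sec") or per minute ("100/min"). As an added example that is not part of the Identity Cloud documentation or the Azure AD connector, the following Python parses that syntax and enforces it with a sliding-window limiter; the `simulate` helper replays constructed request timestamps so the behaviour can be checked without a clock or a live tenant. The function and class names are this example's own.

```python
# Added example (not from the Identity Cloud docs or the connector): parses the
# "30/sec" / "100/min" rate limit syntax and enforces it with a sliding window.
import collections
import re
import time

_WINDOW_SECONDS = {"sec": 1, "min": 60}


def parse_rate_limit(spec: str):
    """Return (max_operations, window_seconds) for a spec like '30/sec' or '100/min'."""
    m = re.fullmatch(r"\s*(\d+)\s*/\s*(sec|min)\s*", spec, re.IGNORECASE)
    if not m:
        raise ValueError(f"rate limit must look like '30/sec' or '100/min', got {spec!r}")
    count = int(m.group(1))
    if count == 0:
        raise ValueError("rate limit must allow at least one operation")
    return count, _WINDOW_SECONDS[m.group(2).lower()]


class RateLimiter:
    """Sliding-window limiter: at most `limit` operations in any `window` seconds."""

    def __init__(self, spec: str, clock=time.monotonic):
        self.limit, self.window = parse_rate_limit(spec)
        self._clock = clock
        self._stamps = collections.deque()  # start times of recent operations

    def try_acquire(self) -> bool:
        """True if an operation may start now; False if the caller must back off."""
        now = self._clock()
        # Drop operations that have fallen out of the window.
        while self._stamps and now - self._stamps[0] >= self.window:
            self._stamps.popleft()
        if len(self._stamps) >= self.limit:
            return False
        self._stamps.append(now)
        return True


def simulate(spec: str, request_times):
    """Replay requests at the given (constructed) timestamps; returns which were allowed."""
    times = iter(request_times)
    limiter = RateLimiter(spec, clock=lambda: next(times))
    return [limiter.try_acquire() for _ in request_times]


if __name__ == "__main__":
    print(parse_rate_limit("30/sec"), parse_rate_limit("100/min"))
    # Two per second: the third request inside the first second is refused.
    print(simulate("2/sec", [0.0, 0.2, 0.5, 1.0, 1.1]))
```

A refused `try_acquire` means the connector should wait and retry rather than send the request; the Graph API responds to bursts beyond its own limits with throttling, so the configured value should stay below what the tenant tolerates.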

CSV File

Details
  1. In Identity Cloud, on the Provisioning tab:

  2. Configure the following fields:

    Field Description

    CSV File

    The URL where the CSV file is hosted. For example, https://example.com/csvData.csv.

    UID Column

    The UID column name in the CSV file; the primary search key. The default value is 'uid'.

    Password Column

    The password column name in the CSV file. The default is 'password'.

    Quote Character

    The default value is ".

    Field Delimiter

    The default value is '.

    Newline String

    The default value is \n.

    Space Replacement String

    The default value is _.

    Sync Retention Count

    The default value is 3.

  3. Click Connect.

  4. Verify the information in the Details tab.

Database Table

Details
  1. In Identity Cloud, on the Provisioning tab:

  2. Configure the following fields:

    Field Description

    JDBC Connection Url

    The URL for the JDBC database that contains the table you are provisioning. The format of the URL depends on the type of database. For example, jdbc:mysql://localhost:3306/contractordb?serverTimezone=UTC or jdbc:oracle:thin:@//localhost:3306/contractordb. The address includes the name of the database you are connecting to.

    JDBC Driver

    The class name of the driver you are using to connect to a database. The name varies depending on the type of database you are using, such as oracle.jdbc.OracleDriver or com.mysql.jdbc.Driver.

    Username

    The username sent to the JDBC driver to establish a connection.

    Password

    The connection password sent to the JDBC driver to establish a connection.

    Table

    The name of the table in the JDBC database that contains the user accounts. The default is 'TABLE_NAME'.

    Key Column

    The column value that is the unique identifier for rows in the table. The default is 'KEY_COLUMN'.

  3. To set advanced settings, click Show advanced settings.

  4. Configure the following fields:

    Field Description

    Validate resources and passwords

    Enable to validate resources and passwords. After enabling this option, in the Password Column field, enter the name of the column in the table that holds the password values.

    Activate Sync ICF Interface

    Enable to poll for synchronization events, which are native changes to target objects. After enabling this option, in the Change Log Column field, enter the change log column that stores the latest change time.

    Allow empty string

    Enable to allow empty strings instead of null values, except for OracleSQL.

    Quote Database Column Names

    Enable to place specific quote characters around column names in the SQL that is generated to access the database. After enabling this option, in the Quote Characters field, enter the characters to use for quotes.

    Rethrow All SQL Exceptions

    Enable to show SQL Exceptions with code = 0. The default value is 'true'.

    Native Timestamps

    Enable to retrieve timestamp data.

    All Native

    Enable to retrieve in a database-native format.

    Validate Connection

    Enable to specify a SQL query used to validate connections. After enabling this option, in the Validation SQL Query (optional) field, enter the SQL query for validating connections.

    Validation Interval (ms)

    Enter the validation interval in milliseconds. The default value is 3000.

    Validation Connection Query Timeout (ms)

    Enter the validation connection query timeout in milliseconds. The default value is -1.

    Initial Pool size

    Enter the initial pool size. The default value is 10.

    Maximum Idle

    Enter the maximum idle time. The default value is 100.

    Minimum Idle

    Enter the minimum idle time. The default value is 10.

    Maximum Wait (ms)

    Enter the maximum wait time in milliseconds. The default value is 30000.

    Maximum Active

    Enter the maximum active time. The default value is 100.

    Maximum Age (ms)

    Enter the maximum age in milliseconds. The default value is 0.

    Minimum Evictable Idle Time (ms)

    Enter the minimum evictable idle time in milliseconds. The default value is 60000.

    Time Between Eviction Runs(ms)

    Enter the time between eviction checks in milliseconds. The default value is 5000.

    Test Connection When Idle

    Enable to test the connection when idle.

    Test Connection On Borrow

    Enable to test the connection on borrow.

  5. Click Connect.

  6. Verify the information in the Details tab.

Directory Services (DS)

Details
  1. In Identity Cloud, on the Provisioning tab:

  2. Configure the following fields:

    Field Description

    Host Name or IP

    The host name or IP address for the Directory Services domain controller.

    Port

    The port for connecting to the Directory Services domain controller.

    Use SSL

    Enable to use SSL to connect to the Directory Services domain controller.

    Login Account DN

    The distinguished name for the login account.

    Password

    The password for the login account.

    Base DNs for Directory Services users and groups

    The Base context for Directory Services users and groups.

  3. Click Show advanced settings.

  4. To filter users and groups:

    • To only connect a subset of users by applying a query filter based on user attributes, enable Filter users.

      • To apply a filter to users manually:

        1. Choose to assign to if All or Any conditions are met.

        2. Set the conditions for assigning filters.

        3. In the User Object Classes field, enter the names of object classes a user must have for inclusion.

      • To use a query to apply a filter to users:

        1. Click Advanced Editor.

        2. Edit the query code.

    • To only connect a subset of groups by applying a query filter based on group attributes, enable Filter groups.

      • To apply a filter to groups manually:

        1. Choose to assign to if All or Any conditions are met.

        2. Set the conditions for assigning filters.

        3. In the Group Object Classes field, enter the names of object classes a group must have for inclusion.

      • To use a query to apply a filter to groups:

        1. Click Advanced Editor.

        2. Edit the query code.

  5. To use block-based LDAP controls, enable Use Block-based controls. The default value is 'True'.

  6. To use the paged results control, enable Use Paged Results control. If Use Block-based controls is enabled, this specifies that the LDAP Paged Results control is preferred over the VLV control when retrieving entries. The default value is 'True'.

  7. To set the change log attribute in the change log entry, set the Change Number Attribute field. The default value is 'changeNumber'.

  8. To set the object classes that OpenIDM uses as filters when synchronizing, add classes to the Object Classes to synchronize field. The default value is 'inetOrgPerson'.

  9. To set the sort attribute to use VLV indexes on the resource, set the Virtual List View (VLV) Sort Attribute field. The default value is 'uid'.

  10. To set the name of the attribute that holds the password, set the Password Attribute field. The default value is 'userPassword'.

  11. To have the LDAP provisioner read the schema from the server, enable Read Schema. The default value is 'false'.

  12. To have OpenIDM modify group membership when entries are renamed or deleted, enable Maintain LDAP Group Membership. The default value is 'false'.

  13. To specify the group attribute to update with the DN of newly added users, set the Group Member Attribute field. The default value is 'uniqueMember'.

  14. To specify the name of the attribute that maps to the OpenICF UID attribute, set the UID Attribute field. The default value is 'entryUUID'.

  15. Click Connect.

  16. Verify the information in the Details tab.

Google Workspace

Details
  1. In Identity Cloud, on the Provisioning tab:

    • If setting up provisioning for the first time, click Set up Provisioning.

    • If editing existing settings in the Connection area, click Settings.

  2. Find and copy the Authorized Redirect URI.

  3. Log into https://console.cloud.google.com/.

  4. In the credentials area of your project, enter the Authorized Redirect URI you copied in an earlier step.

  5. Save your work.

  6. Return to Identity Cloud.

  7. On the Provisioning tab, set the Client ID and Client Secret.

  8. Click Connect.

  9. When you are redirected to Google, log in using your admin credentials.

  10. On the next screen, click Allow. You are then redirected back to Identity Cloud.

  11. Verify the information in the Details tab.

LDAP

Details
  1. In Identity Cloud, on the Provisioning tab:

  2. Configure the following fields:

    Field Description

    Host Name or IP

    The host name or IP address for the LDAP domain controller.

    Port

    The port for connecting to the LDAP domain controller.

    Use SSL

    Enable to use SSL to connect to the LDAP domain controller.

    Login Account DN

    The distinguished name for the login account.

    Password

    The password for the login account.

    Base DNs for LDAP users and groups

    The Base context for LDAP users and groups.

  3. Click Show advanced settings.

  4. To filter users and groups:

    • To only connect a subset of users by applying a query filter based on user attributes, enable Filter users.

      • To apply a filter to users manually:

        1. Choose to assign to if All or Any conditions are met.

        2. Set the conditions for assigning filters.

        3. In the User Object Classes field, enter the names of object classes a user must have for inclusion.

      • To use a query to apply a filter to users:

        1. Click Advanced Editor.

        2. Edit the query code.

    • To only connect a subset of groups by applying a query filter based on group attributes, enable Filter groups.

      • To apply a filter to groups manually:

        1. Choose to assign to if All or Any conditions are met.

        2. Set the conditions for assigning filters.

        3. In the Group Object Classes field, enter the names of object classes a group must have for inclusion.

      • To use a query to apply a filter to groups:

        1. Click Advanced Editor.

        2. Edit the query code.

  5. To use block-based LDAP controls, enable Use Block-based controls. The default value is 'false'.

  6. To use the paged results control, enable Use Paged Results control. If Use Block-based controls is enabled, this specifies that the LDAP Paged Results control is preferred over the VLV control when retrieving entries. The default value is 'false'.

  7. To set the change log attribute in the change log entry, set the Change Number Attribute field. The default value is 'changeNumber'.

  8. To set the object classes that OpenIDM uses as filters when synchronizing, add classes to the Object Classes to synchronize field. The default value is 'inetOrgPerson'.

  9. To set the sort attribute to use VLV indexes on the resource, set the Virtual List View (VLV) Sort Attribute field. The default value is 'uid'.

  10. To set the name of the attribute that holds the password, set the Password Attribute field. The default value is 'userPassword'.

  11. To have the LDAP provisioner read the schema from the server, enable Read Schema. The default value is 'true'.

  12. To have OpenIDM modify group membership when entries are renamed or deleted, enable Maintain LDAP Group Membership. The default value is 'false'.

  13. To specify the group attribute to update with the DN of newly added users, set the Group Member Attribute field. The default value is 'uniqueMember'.

  14. To specify the name of the attribute that maps to the OpenICF UID attribute, set the UID Attribute field. The default value is 'entryUUID'.

  15. Click Connect.

  16. Verify the information in the Details tab.
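The Filter users and Filter groups steps in the Active Directory, Directory Services (DS) and LDAP sections above describe the same thing three times: a set of conditions combined with All or Any, a list of object classes the entry must have, and an Advanced Editor for editing the resulting query directly. As an added example that is not part of the Identity Cloud documentation or of the LDAP connector, the following Python builds the equivalent LDAP search filter. It escapes assertion values per RFC 4515, so a value typed into a condition (or arriving from a less trusted source) is matched literally instead of adding clauses to the filter. The attribute names and sample conditions are constructed, and the operator names (`startsWith`, `present`) are this example's own rather than Identity Cloud field values.

```python
# Added example (not from the Identity Cloud docs): builds the LDAP search
# filter that the "Filter users" / "Filter groups" settings describe.
import re

# RFC 4515 escaping for assertion values. Without it, a value such as
# "admin)(objectClass=*" would add a clause to the filter instead of being
# matched literally.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# Attribute descriptions: a descriptor name or numeric OID, plus optional options.
_ATTR_RE = re.compile(r"(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)(?:;[A-Za-z0-9-]+)*")


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it can be embedded in a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(conditions, object_classes, match="All"):
    """Translate UI-style conditions into an LDAP filter string.

    conditions     - list of (attribute, operator, value); operator is one of
                     "=", ">=", "<=", "~=", "startsWith" or "present" (value ignored)
    object_classes - object classes the entry must have (the User/Group Object
                     Classes field); always ANDed with the conditions
    match          - "All" ANDs the conditions, "Any" ORs them
    """
    if match not in ("All", "Any"):
        raise ValueError(f"match must be 'All' or 'Any', got {match!r}")
    parts = []
    for attr, op, value in conditions:
        if not _ATTR_RE.fullmatch(attr):
            raise ValueError(f"invalid attribute description: {attr!r}")
        if op == "present":
            parts.append(f"({attr}=*)")
        elif op == "startsWith":
            parts.append(f"({attr}={escape_filter_value(value)}*)")
        elif op in ("=", ">=", "<=", "~="):
            parts.append(f"({attr}{op}{escape_filter_value(value)})")
        else:
            raise ValueError(f"unsupported operator: {op!r}")

    clauses = [f"(objectClass={escape_filter_value(oc)})" for oc in object_classes]
    if len(parts) == 1:
        clauses.append(parts[0])
    elif parts:
        clauses.append("(" + ("&" if match == "All" else "|") + "".join(parts) + ")")

    if not clauses:
        return "(objectClass=*)"  # nothing to filter on: match every entry
    if len(clauses) == 1:
        return clauses[0]
    return "(&" + "".join(clauses) + ")"


if __name__ == "__main__":
    # Constructed sample: Active Directory users in Sales or with a title starting "Eng".
    print(build_filter([("department", "=", "Sales"), ("title", "startsWith", "Eng")],
                       ["user"], match="Any"))
    # A value that would otherwise inject an extra clause is matched literally.
    print(build_filter([("cn", "=", "admin)(objectClass=*")], ["user"]))
```

With no conditions and the default object class, the result is simply `(objectClass=user)` for Active Directory or `(objectClass=inetOrgPerson)` for DS and LDAP. When you paste a query into the Advanced Editor instead, the same escaping rules apply to any literal values in it.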

Salesforce

Details
  1. In Identity Cloud, go to the Provisioning tab.

  2. On the Provisioning tab, click Set up Provisioning.

  3. In the Callback URI field, copy the callback URI. You will enter the URI in Salesforce.

  4. In another browser window, log into https://login.salesforce.com/.

  5. In platform tools, go to the app manager.

  6. Click the button to create a new connected app.

  7. Configure the following settings:

    • Connected App Name

    • API Name

    • Contact email

  8. Enable OAuth 2.0 settings.

  9. Enter the callback URI from Identity Cloud.

  10. Select the following OAuth 2.0 scopes:

    • Access the identity URL service (id, profile, email, address, phone)

    • Manage user data via APIs (API)

    • Manage user data via Web Browsers (web)

    • Perform requests at any time (refresh_token, offline_access)

  11. Choose to require a secret for the web server flow.

  12. Choose to require a secret for the refresh token flow.

  13. Save your work.

  14. Make note of your consumer key and consumer secret.

  15. In Identity Cloud, click Next.

  16. Choose a development environment:

    • Production

    • Sandbox

    • Custom

  17. (Custom environment only) Enter the Login URL for the application.

  18. Enter the Consumer Key.

  19. Enter the Consumer Secret.

  20. Click Connect. You are redirected to Salesforce.

  21. Log into Salesforce. You are redirected to Identity Cloud.

  22. Verify the information in the Details tab.

SCIM

Details
  1. In Identity Cloud, on the Provisioning tab:

  2. Configure the following fields:

    Field Description

    SCIM Endpoint

    The HTTP URL defining the root for the SCIM endpoint (https://myserver.com/service/scim).

    SCIM Protocol Version

    Choose version 1 or version 2. The default is 1.

    Authentication Method

    The method for authenticating on the remote server: BASIC, OAUTH, or TOKEN. The default is OAUTH.

  3. If you chose OAUTH, fill in the following fields:

    Field Description

    Token Endpoint

    The endpoint where a new access token is requested for OAuth 2.0.

    Client Id

    The secure client identifier for OAuth 2.0.

    Client Secret

    The secure client secret for OAuth 2.0.

    Grant Type

    The OAuth2 grant type to use.

  4. If you chose BASIC, configure the following fields:

    Field Description

    User

    The username for SCIM.

    Password

    The password for SCIM.

  5. If you chose TOKEN, configure the following fields:

    Field Description

    Auth Token

    The auth token for SCIM.

  6. Fill out the following fields:

    Field Description

    Scope

    The OAuth2 scope to use.

    Grant Type

    The OAuth2 grant type to use.

    Use TLS Mutual Authentication

    Select to use TLS Mutual Authentication.

    Maximum Connections

    The maximum size of the http connection pool. The default is 10 connections.

  7. If you selected Use TLS Mutual Authentication, configure the following fields:

    Field Description

    Client Certificate

    The client certificate.

    Client Certificate Password

    The client certificate password.

  8. To configure advanced settings, click Show advanced settings.

  9. Configure the following settings:

    Field Description

    Disable Http Compression

    Content compression is enabled by default. Select this property to disable it.

    Use an HTTP Proxy

    Select to use an HTTP proxy.

    Connection Timeout

    Define a timeout (in seconds) for the underlying http connection. The default is 30 seconds.

    Debug/Test settings

    Enable for test environments. Do not enable for production environments. After you enable this option, set the following fields:

    • Accept Self Signed Certificates: Enable to accept self-signed certificates.

    • Disable Host name verifier: Enable to disable host name verifiers.

  10. Click Connect.

  11. Verify the information in the Details tab.
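The SCIM settings above choose an authentication method (BASIC, OAUTH or TOKEN), optionally a client certificate for TLS mutual authentication, and two Debug/Test switches that the page says must stay off in production. As an added example, not Identity Cloud's or the SCIM connector's own code, the following Python shows what those settings amount to on the wire: the Authorization header sent with each request, and the client-side TLS context, using only the standard library. It assumes the OAuth 2.0 access token has already been obtained from the Token Endpoint, and the client certificate path is an assumed PEM file; the endpoint is a constructed value.

```python
# Added example (not Identity Cloud's own code): the HTTP and TLS consequences
# of the SCIM connection settings, built with the Python standard library only.
import base64
import ssl
from dataclasses import dataclass
from typing import Optional


@dataclass
class ScimConnection:
    scim_endpoint: str
    authentication_method: str                      # "BASIC", "OAUTH" or "TOKEN"
    user: Optional[str] = None                      # BASIC
    password: Optional[str] = None                  # BASIC
    auth_token: Optional[str] = None                # TOKEN
    access_token: Optional[str] = None              # OAUTH: assumed already fetched from the Token Endpoint
    client_certificate: Optional[str] = None        # assumed PEM path, for TLS Mutual Authentication
    client_certificate_password: Optional[str] = None
    accept_self_signed_certificates: bool = False   # Debug/Test setting
    disable_host_name_verifier: bool = False        # Debug/Test setting
    connection_timeout: int = 30                    # seconds


def authorization_header(conn: ScimConnection) -> dict:
    """The header the connector must send on every SCIM request."""
    if conn.authentication_method == "BASIC":
        if conn.user is None or conn.password is None:
            raise ValueError("BASIC requires User and Password")
        raw = f"{conn.user}:{conn.password}".encode("utf-8")
        return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}
    if conn.authentication_method == "TOKEN":
        if not conn.auth_token:
            raise ValueError("TOKEN requires Auth Token")
        return {"Authorization": f"Bearer {conn.auth_token}"}
    if conn.authentication_method == "OAUTH":
        if not conn.access_token:
            raise ValueError("OAUTH requires an access token from the Token Endpoint")
        return {"Authorization": f"Bearer {conn.access_token}"}
    raise ValueError(f"unknown Authentication Method {conn.authentication_method!r}")


def tls_context(conn: ScimConnection) -> ssl.SSLContext:
    """Client-side TLS context implied by the settings."""
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    if conn.client_certificate:
        ctx.load_cert_chain(conn.client_certificate, password=conn.client_certificate_password)
    if conn.disable_host_name_verifier or conn.accept_self_signed_certificates:
        ctx.check_hostname = False  # must be off before verify_mode may change
    if conn.accept_self_signed_certificates:
        ctx.verify_mode = ssl.CERT_NONE  # the chain is no longer validated at all
    return ctx


def tls_summary(conn: ScimConnection) -> dict:
    """What the context does and does not verify."""
    ctx = tls_context(conn)
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "verifies_host_name": ctx.check_hostname,
        "mutual_tls": bool(conn.client_certificate),
    }


def production_issues(conn: ScimConnection) -> list:
    """Settings the page marks as test-only, plus a plaintext endpoint."""
    issues = []
    if not conn.scim_endpoint.lower().startswith("https://"):
        issues.append("SCIM Endpoint is not https://")
    if conn.accept_self_signed_certificates:
        issues.append("Accept Self Signed Certificates is enabled")
    if conn.disable_host_name_verifier:
        issues.append("Disable Host name verifier is enabled")
    return issues


if __name__ == "__main__":
    prod = ScimConnection("https://scim.example.test/service/scim", "BASIC", user="svc", password="pw")
    print(authorization_header(prod), tls_summary(prod), production_issues(prod))
```

`tls_summary` makes the Debug/Test switches concrete: with Accept Self Signed Certificates on, the connector no longer checks who issued the server certificate, and with Disable Host name verifier on, a valid certificate for any name is accepted. Either one lets a host on the path present its own certificate, which is why the page restricts them to test environments.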

Scripted Table

Details
  1. In Identity Cloud, on the Provisioning tab:

  2. Configure the following fields:

    Field Description

    User

    Enter the username for connecting to the scripted SQL database.

    Password

    Enter the password for connecting to the scripted SQL database.

    JDBC URL

    Enter the JDBC URL.

    JDBC Driver

    The class name of the driver you are using to connect.

    Create Script

    The name of the script file that implements the create operation.

    Update Script

    The name of the script file that implements the update operation.

    Delete Script

    The name of the script file that implements the delete operation.

    Search Script

    The name of the script file that implements the search operation.

    Authenticate Script

    The name of the file for authentication operation.

    Schema Script

    The name of the file for the schema operation.

    Sync Script

    The name of the file for the sync operation.

    Test Script

    The name of the file for the test operation.

    Script Root(s)

    The root folder to load the scripts from.

  3. To set advanced settings, click Show advanced settings.

  4. Configure the following fields:

    Field Description

    Auto-commit

    The default auto-commit state of connections. If not set, default is JDBC driver default.

    Validation Query

    Enter the query to use for validation.

    Validation Interval

    Enter the time interval for validation.

    Test On Borrow

    Enter a value for testing on borrow.

  5. Click Connect.

  6. Verify the information in the Details tab.

ServiceNow

Details
  1. In ServiceNow, create an OAuth API endpoint for external clients.

  2. Note your instance URL, username, and password.

  3. After auto-generating your secret, copy the client ID and client secret.

  4. In Identity Cloud, on the Provisioning tab:

    • If setting up provisioning for the first time, on the Provisioning tab, click Set up Provisioning.

    • If editing existing settings in the Connection area, click Settings.

  5. Configure the following settings:

    Field Description

    ServiceNow instance

    URL of the ServiceNow instance. For example, dev00000.service-now.com.

    Username

    An API user in ServiceNow that can consume the REST API.

    Password

    Password for the API user.

    Client ID

    Client ID of the OAuth 2.0 application in ServiceNow.

    Client Secret

    Client Secret for the preceding Client ID.

  6. Click Connect.

  7. Verify the information in the Details tab.

Workday

Details
  1. In Identity Cloud, on the Provisioning tab:

    • If setting up provisioning for the first time, on the Provisioning tab, click Set up Provisioning.

    • If editing existing settings in the Connection area, click Settings.

  2. Make sure you have the requirements mentioned on the Connect to Workday page.

  3. Click Next.

  4. Configure the following fields:

    Field Description

    Workday Host Name

    The host name of the Workday instance. For example, example.workday.net.

    Workday Tenant Name

    The Workday tenant that you are connecting to.

    Username

    The username for connecting to the Workday tenant.

    Password

    The password for connecting to the Workday tenant.

  5. To set advanced settings, click Show advanced settings.

  6. Configure the following fields:

    Field Description

    Enforce Connection Timeout

    Enable to set the timeout (in seconds) the application waits for a request to be sent to the Workday instance. After you enable this option, enter a value in the Connection Timeout (seconds) field.

    Enforce Receive Timeout

    Enable to set the timeout (in seconds) the application waits for a response from the Workday instance. After you enable this option, enter a value in the Receive Timeout (seconds) field.

    Use Proxy

    Enable to use an HTTP proxy server to connect to Workday. After you enable this option, set the following fields:

    • Proxy Host Name: The host name for the proxy.

    • Proxy Port: The port for the proxy.

    • Proxy Username: The username for the proxy.

    • Proxy Password: The password for the proxy.

    Set Effective Date

    Enable to set an effective date or a duration during which access to Workday is granted.

    Valid values: Date (X-Path function or XML Schema) or Duration. If set to Duration, the effective date is the current date + duration.

  7. Click Connect.

  8. Verify the information in the Details tab.

Provisioning tab overview:

  • Details: View and manage an application, including name, id, and native type.

  • Properties: View and manage properties for the selected object type.

  • Data: View data about the selected object type.

  • Mapping: View and manage mappings from ForgeRock properties to external system properties (Outbound mappings), and from external system properties to ForgeRock properties (Inbound mappings).

  • Reconciliation: Preview inbound mappings between external systems and ForgeRock, and reconcile the data between the two systems; view and manage rules for the users and groups that use your application; view and manage schedules for Full and Incremental reconciliation.

Manage application attributes

Properties are the application attributes that Identity Cloud creates automatically. You can use the Properties tab to view and modify the properties of an account identity or group/organization identity that can access your application.

The tab displays the name, identity type, and other information such as multivalued or required, for a property.

Add or edit a property

  1. On the Properties tab, do one of the following:

    • To add a new property, click Add a Property.

    • To edit a property, double-click a property.

  2. In the Name drop-down field, select a property.

  3. In the Type drop-down field, select a property type.

  4. Set one or more of the following options:

    Field Description

    Multi-valued

    Make the property a multi-value property.

    Required

    Make the property a required property.

    User-specific

    Make the property specific to individual users and not roles. If you do not check this option, the property appears in the role’s relationship modal when you add a role to an application.

  5. Click Show advanced settings and set one or more of the following options:

    Field Description

    Creatable

    Make the property creatable.

    Readable

    Make the property readable.

    Updatable

    Make the property updatable.

    Returned by default

    Set the property to be returned by default.

    Enumerated Values

    A list of allowed values that constrain the values you can set for the property. Supported for string type properties.

    To define a list of values for this property:

    1. Beside the Values field, click the plus sign.

    2. In the text field, enter the unique identifier for the value.

    3. In the value field, enter the display text for the value.

    4. To add another value, click the plus sign, and repeat steps 2 and 3 above.

    5. To delete a value, click the negative sign beside a value.

  6. Click Save.

Set a property as user-specific

You can set a property to be for a specific user.

  1. On the Properties tab, click a property.

  2. Enable User-specific.

  3. Click Save.

Delete a property

  1. On the Properties tab, to the right of the property, click the ellipsis (…).

  2. Click Delete.

You cannot undo the delete action.

View user access data

After you successfully connect to the target application, review the Data tab to verify the users and groups/organizations that have access to the application.

Customize columns

  1. In the upper right corner of the Data page, click the horizontal ladder icon.

  2. Select the column types to display.

  3. Click Apply.

Manage mappings to and from ForgeRock

From the Mapping tab, you can create and synchronize mappings between objects and their attributes in Identity Cloud, and an external system application. Mappings are defined from a source to a target, whether the source is Identity Cloud or an external application.

There are two types of mappings you can configure:

  • Outbound: This specifies how to configure and map user attributes from Identity Cloud to an external target application.

  • Inbound: This specifies how to configure and map user attributes from an external authoritative application to Identity Cloud.

You can update mappings while the server is running. However, to avoid inconsistencies between systems, do not update mappings while a reconciliation is in progress for that mapping.

Add or edit a mapping

  1. In the left navigation panel, click the Mapping tab.

  2. Click Outbound or Inbound.

  3. To create a property:

    1. Click Add a property.

    2. In the drop-down list, select a property.

    3. Click Next.

    4. In the drop-down list, select a property.

    5. To use a script to set the property, enable Show Script Editor, and edit the source value script.

  4. To edit a property:

    1. Double-click a mapping.

    2. In the drop-down list, edit the property.

    3. To use a script to set the property, enable Show Script Editor, and edit the source value script.

  5. To conditionally update a property mapping or set a default value for a property, click Show advanced settings.

  6. If you selected Outbound, make a selection in the When to update field.

    • To enable conditional updating:

      1. Enable Apply conditional update.

      2. In the Conditional Update Script, update the script. An update only occurs if the script evaluates to true.

    • To apply a default value if the value is null:

      1. Enable Apply a default if value is null.

      2. Enter a default value in the Default value field.

  7. Click Save.

Preview an outbound mapping

Previewing provides an example of how user mapping appears from source to target.

  1. In the left navigation panel, click the Mapping tab, then click Outbound.

  2. Click Preview.

  3. In the drop-down list, choose an end user to preview. The page displays a preview of the target object that will be created when provisioning.

  4. Click Done.

Delete a map property

  1. In the left navigation panel, click the Mapping tab, then click Outbound or Inbound.

  2. Click the ellipsis (…) on the right side of a mapping.

  3. Select Delete.

You cannot undo this action.

Reconcile and synchronize end-user accounts

A reconciliation operation involves a target system (the system with user account updates) and Identity Cloud (the system that receives the updates). For example, a Salesforce application and Identity Cloud. Mappings define the relationship between the target system and Identity Cloud.

The goal of reconciliation is to ensure synchronization and consistency between Identity Cloud and the external system application. Reconciliation uses the details you define in the Mappings tab to determine how to map and update properties.

Running reconciliation syncs end-user account changes (new accounts, updated accounts, deleted accounts) from an authoritative application to Identity Cloud. This is for an inbound mapping.

The Reconciliation tab prepares an application to run reconciliation jobs; however, to schedule full and incremental reconciliation, go to the Reconciliation > Reconcile > Schedules tab.

After configuring provisioning for a Scripted table, the Reconciliation tab is not immediately visible. To make the tab visible, you must add or edit a property. Afterward, you can delete the property and perform tasks using the Reconciliation tab.

Preview associations

To discern how your data reconciles between an external system and ForgeRock, you can preview associations before you run reconciliation.

On the Reconciliation > Reconcile tab, click Preview Associations.

View a report about the last reconciliation

You can view information about the last reconciliation, such as:

  • The percent of all accounts successfully reconciled.

  • Information about each reconciled account: mapping source, mapping target, attempted action, and the result of the reconciliation.

Before you perform the following steps, make sure you run reconciliation.

  1. On the Reconciliation > Reconcile tab, click View report.

  2. To filter the report results, enter text in the Search users field.

  3. To view different subsets of the report (1-to-1 match / no match), click View and select an item from the drop-down list.

Synchronize an identity

You can synchronize an identity that exists in an external application and Identity Cloud.

  1. On the Reconciliation > Reconcile tab, click the ellipsis (…) to the right of a mapping.

  2. Click Reconcile Identity.

  3. Verify the information on the page, and click Reconcile Identity.

  4. After the reconciliation process is complete, click Done.

Change an end-user association

  1. On the Reconciliation > Reconcile tab, click the ellipsis (…) to the right of a mapping.

  2. Click Change User Association.

  3. Choose a ForgeRock user to associate.

  4. Click Save.

Manage reconciliation schedules

The Schedules section of the Reconciliation > Settings tab lets you view and schedule reconciliation events for accounts or groups/organizations that have access to your application.

You can schedule two types of reconciliation:

  • Full Reconciliation: A process that completely synchronizes the source and target. This process usually runs at long intervals, such as once a week on a weekend or once a month. The long intervals are because a full synchronization is very resource-intensive and can take a large amount of time, depending on the amount of reconciliation data.

  • Incremental Reconciliation: A process that only synchronizes the deltas between the source and target. This process usually runs regularly, like once a day. For example, if you run an incremental reconciliation at 12:55 PM, then again at 2:00 PM, Identity Cloud only looks at the timeframe in between to update, create, or delete data if anything changes in the source or target. Depending on the application, a timestamp or change number is used to synchronize the delta.

You can edit existing schedules and activate or deactivate them.

The scheduler service lets you schedule reconciliation and synchronization tasks. You can perform a scheduled batch scan for a specific date in Identity Cloud data, and then automatically run a task when the date occurs.

Set up a full or incremental reconciliation schedule

The initial state of a schedule is inactive.

  1. On the Reconciliation > Settings tab, navigate to the Schedules section.

  2. Click an inactive schedule: Full Reconciliation or Incremental Reconciliation.

  3. Choose one of the following ways to edit the schedule:

    • Edit the fields on the Set up page and click Save Schedule.

    • To use a text editor to edit the schedule:

      1. Enable the Use cron toggle.

      2. Enter a valid cron string in the Frequency field.

      3. Click Save Schedule.

Deactivate a schedule

  1. On the Reconciliation > Settings tab, navigate to the Schedules section.

  2. Click an active schedule.

  3. Click Deactivate Schedule.

Manage reconciliation rules

You use rules to define the actions you want Identity Cloud to perform when certain events occur during reconciliation. For example, if reconciliation detects that an identity object exists in Identity Cloud but not in the target application, Identity Cloud creates a target identity object and links the source Identity Cloud and target application.

Each rule has an action. Identity Cloud performs the action when a rule triggers against a record. Identity Cloud evaluates each record. When an event meets a rule condition, Identity Cloud performs the action that you defined for that rule.

The Situation Rules section of the Reconciliation > Settings tab displays the name and action of the rules for your application.

Target application rules

In the following list, the term source in this scenario means Identity Cloud and target means the application.

  • Ambiguous: The source identity object correlates to multiple target identity objects without a link. This means the source can link to multiple targets. This is an issue because a source and target must have a unique link.

  • Missing: The source links to a missing target identity object. Identity Cloud had a matching source and target record but can no longer find the target identity object it identifies as missing. This usually means the identity object was deleted in the target system.

  • Found Already Linked: The correlation from the source points to a target identity object already linked to a different source. Identity Cloud found a target that links to a different source. The record is not unique.

  • Unassigned: A valid target is found with no link established between the source and target identity object. This usually means another reconciliation needs to happen to establish a link (if the action is set to link).

  • Unqualified: The source identity object does not qualify, but target identity objects have been found.

  • Link Only: A link is found, but the target identity object is missing. Identity Cloud had a matching source and target with a link but can no longer find the target identity object.

  • Confirmed: The source and target identity objects both exist and a valid link between the two is present. This is the ideal situation for a record to be in. This means the source and target both have a unique identifier that can only match one to one, and Identity Cloud establishes a link between the two.

  • Found: The correlation query from the source points to one target identity object. Identity Cloud puts a record into this state before moving it to the Confirmed bucket. This means that Identity Cloud found a source and target identity object that have a unique match, but there is no link between the two. If a reconciliation runs again, Identity Cloud puts the record into the Confirmed bucket and creates a link.

  • Absent: The source does not have a matching target identity object, nor is there an existing link present. This usually means that there is a new record in the source and a specific action needs to be made (usually Create).

Authoritative application rules

In the following list, the term source in this scenario means Identity Cloud and target means the application.

  • Ambiguous: The source identity object correlates to multiple target identity objects without a link. This means the source can link to multiple targets. This is an issue because a source and target must have a unique link.

  • Missing: The source links to a missing target identity object. Identity Cloud had a matching source and target record but can no longer find the target identity object it identifies as missing. This usually means the identity object was deleted in the target system.

  • Found Already Linked: The correlation from the source points to a target identity object already linked to a different source. Identity Cloud found a target that links to a different source. The record is not unique.

  • Unassigned: A valid target is found with no link established between the source and target identity object. This usually means another reconciliation needs to happen to establish a link (if the action is set to Link).

  • Unqualified: The source identity object does not qualify, but target identity objects have been found.

  • Link Only: A link is found, but the target identity object is missing. Identity Cloud had a matching source and target with a link but can no longer find the target identity object.

  • Confirmed: The source and target identity objects both exist and a valid link between the two is present. This is the ideal situation for a record to be in. This means the source and target both have a unique identifier that can only match one to one, and Identity Cloud establishes a link between the two.

  • Found: The correlation query from the source points to one target identity object. Identity Cloud puts a record into this state before moving it to the Confirmed bucket. This means that Identity Cloud found a source and target object that have a unique match, but there is no link between the two. If a reconciliation runs again, Identity Cloud puts the record into the Confirmed bucket and creates a link.

  • Absent: The source does not have a matching target identity object, nor is there an existing link present. This usually means that there is a new record in the source and a specific action needs to be made (usually Create).
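The situations described in the Target application rules list and the identical Authoritative application rules list above, as an added example that is not part of the original page: a small classifier that applies those descriptions to constructed records. The `store` callbacks, the record ids, and the rule that Missing and Link Only differ only in whether the source qualifies are assumptions made for this example.

```javascript
// Added illustration, not the reconciliation engine: sort one Identity Cloud
// (source) record into the situations listed above. The `store` callbacks are
// assumptions standing in for link, correlation and validity lookups.
function classifySituation(src, store) {
  const qualifies = store.qualifies(src);
  const linked = store.linkTarget(src);           // target id the link points at, or null
  if (linked !== null) {
    if (store.targetExists(linked)) return qualifies ? "Confirmed" : "Unqualified";
    // Assumption: Missing and Link Only differ only in whether the source qualifies.
    return qualifies ? "Missing" : "Link Only";
  }
  const candidates = store.correlate(src);        // target ids the correlation matches
  if (!qualifies) return candidates.length > 0 ? "Unqualified" : null; // null: not in the list above
  if (candidates.length === 0) return "Absent";
  if (candidates.length > 1) return "Ambiguous";
  return store.linkedSourceOf(candidates[0]) !== null ? "Found Already Linked" : "Found";
}

// Target side: an existing target with no link to any source is Unassigned.
function classifyTarget(targetId, store) {
  return store.linkedSourceOf(targetId) === null ? "Unassigned" : null;
}

// Constructed sample data (not real accounts): links from source id to target id,
// the targets that currently exist, and correlation on the mail attribute.
const links = { "u-bjensen": "t-100", "u-gone": "t-999" };
const targets = {
  "t-100": { mail: "bjensen@example.com" },
  "t-300": { mail: "dup@example.com" },
  "t-301": { mail: "dup@example.com" },
  "t-400": { mail: "jdoe@example.com" },
};
const store = {
  qualifies: (s) => s.accountStatus === "active",
  linkTarget: (s) => (s.id in links ? links[s.id] : null),
  targetExists: (id) => id in targets,
  correlate: (s) => Object.keys(targets).filter((id) => targets[id].mail === s.mail),
  linkedSourceOf: (id) => Object.keys(links).find((s) => links[s] === id) ?? null,
};

const samples = [
  { id: "u-bjensen", mail: "bjensen@example.com", accountStatus: "active" }, // Confirmed
  { id: "u-gone", mail: "gone@example.com", accountStatus: "active" },       // Missing
  { id: "u-new", mail: "dup@example.com", accountStatus: "active" },         // Ambiguous
  { id: "u-dup", mail: "bjensen@example.com", accountStatus: "active" },     // Found Already Linked
  { id: "u-jdoe", mail: "jdoe@example.com", accountStatus: "active" },       // Found
  { id: "u-none", mail: "none@example.com", accountStatus: "active" },       // Absent
];
for (const s of samples) console.log(s.id, "->", classifySituation(s, store));
```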

Rule action types

Rules can only have one action.

  • Perform Action: These are predefined behaviors Identity Cloud can take. These actions consist of:

    • Async: An asynchronous process has started. Do not perform any action or generate any report.

    • Create: Creates a target identity object and links the source and target.

    • Delete: Deletes the target identity object and unlinks the source and target.

    • Exception: Flag the link situation as an exception.

    • Ignore: Do not change the link or target object state.

    • Link: Creates a link between the source and the correlated target identity object.

    • No Report: Do not perform any action or generate any report.

    • Report: Do not perform any action but report what would happen if the default action were performed.

    • Unlink: Unlinks the linked target from the source.

    • Update: Updates the target identity object and creates a link between source and target.

Configure basic and advanced correlation between an application and ForgeRock

You can correlate the user accounts in an application to user accounts in Identity Cloud. This correlation is important because account attributes in the application may have different names than account attributes in Identity Cloud.

The Account Correlation section of the Reconciliation > Settings tab lets you choose the attribute(s) to use to match users in your application to users in ForgeRock.

  1. On the Reconciliation > Settings tab, navigate to the Account Correlation section.

  2. Click Match using.

  3. In the Attribute(s) to Match drop-down list, choose the attribute(s) to use to match users in the target system to users in ForgeRock.

  4. To use a query to set or edit match attributes, click Use advanced query.

    • For an authoritative application:

      1. Choose to correlate a user if any or all attributes are matched.

      2. Use the User property field to set the user property or properties to match.

    • For a target application:

      1. Edit the correlation query script.

  5. Click Save.

Manage reconciliation events

Event hooks allow you to set an action that occurs when a specific event happens.

The Event Hooks section of the Reconciliation > Settings tab lets you view and define event hooks for reconciliation events.

Add an event hook

  1. On the Reconciliation > Settings tab, navigate to the Event Hooks section.

  2. To the right of an event hook, click + Add.

  3. Edit the script for the event hook.

  4. Click Save or Save and Close.

Restrict reconciliation to specific identities

  1. On the Reconciliation > Settings tab, click Show advanced settings.

  2. Configure the following settings:

    • To restrict reconciliation to specific identities in an application by defining an explicit source query:

      1. Enable Filter Source.

      2. Choose to filter the source if Any or All conditions are met.

      3. Use the remaining fields to define the explicit source query.

    • To restrict reconciliation to specific identities in ForgeRock by defining an explicit target query:

      1. Enable Filter Target.

      2. Choose to filter the target if Any or All conditions are met.

      3. Use the remaining fields to define the explicit target query.

    • To filter the application identities that are included in reconciliation using a script:

      1. Enable Valid Source Script.

      2. Edit the script.

    • To filter the ForgeRock identities that are included in reconciliation using a script:

      1. Enable Valid Target Script.

      2. Edit the script.

    • To allow correlation of source objects to empty target objects, enable Correlate empty target objects.

    • To prefetch each link in the database before processing each source or target object, enable Prefetch Links.

    • To allow reconciliations from an empty source to delete all data in a target resource, enable Allow reconciliations from an Empty Source.

    • To tune performance by adjusting the number of concurrent threads dedicated to reconciliation, in the Threads Per Reconciliation field, enter the number of concurrent threads.

  3. Click Save.

Copyright © 2010-2023 ForgeRock, all rights reserved.