PingOne Advanced Identity Cloud

Source reconciliation

During source reconciliation and liveSync, IDM iterates through the objects in the source resource. For reconciliation, the list of objects includes all objects that are available through the connector. For liveSync, the list contains only changed objects. IDM can filter objects from the list by using the following:

  • Scripts specified in the validSource property

  • A query specified in the sourceCondition property

  • A query specified in the sourceQuery property

For each object in the list, IDM assesses the following conditions:

  1. Is the source object valid?

    Valid source objects are categorized qualifies=1. Invalid source objects are categorized qualifies=0. Invalid objects include objects that were filtered out by a validSource script or sourceCondition. For more information, refer to Filter source and target objects with scripts.

  2. Does the source object have a record in the links table?

    Source objects that have a corresponding link in the repository’s links table are categorized link=1. Source objects that do not have a corresponding link are categorized link=0.

  3. Does the source object have a corresponding valid target object?

    Source objects that have a corresponding object in the target resource are categorized target=1. Source objects that do not have a corresponding object in the target resource are categorized target=0.

The following diagram illustrates the categorization of four sample objects during source reconciliation. In this example, the source is the managed user repository and the target is an LDAP directory:

sync-situations
Figure 1. Object Categorization During the Source Synchronization Phase

Based on the categorizations of source objects during the source reconciliation phase, the synchronization process assesses a situation for each source object, and executes the action that is configured for each situation.

Not all situations are detected during all synchronization types (reconciliation, implicit synchronization, and liveSync). The following table describes the set of synchronization situations detected during source reconciliation, the default action taken for each situation, and valid alternative actions that can be configured for each situation:

Table 1. Situations Detected During Reconciliation and Source Change Events
Source Qualifies Link Exists Target Objects Found Situation Default Action Possible Actions

NO

NO

0

SOURCE_IGNORED

IGNORE source object

EXCEPTION, REPORT, NOREPORT, ASYNC

NO

NO

1

UNQUALIFIED

DELETE target object

EXCEPTION, IGNORE, REPORT, NOREPORT, ASYNC

NO

NO

> 1

UNQUALIFIED

DELETE target objects

EXCEPTION, IGNORE, REPORT, NOREPORT, ASYNC

NO

YES

0

UNQUALIFIED

DELETE linked target object [1]

EXCEPTION, REPORT, NOREPORT, ASYNC

NO

YES

1

UNQUALIFIED

DELETE linked target object

EXCEPTION, REPORT, NOREPORT, ASYNC

NO

YES

> 1

UNQUALIFIED

DELETE linked target object

EXCEPTION, REPORT, NOREPORT, ASYNC

YES

NO

0

ABSENT

CREATE target object

EXCEPTION, IGNORE, REPORT, NOREPORT, ASYNC

YES

NO

1

FOUND

UPDATE target object

EXCEPTION, IGNORE, REPORT, NOREPORT, ASYNC

YES

NO

1

FOUND_ALREADY_LINKED [2]

EXCEPTION

IGNORE, REPORT, NOREPORT, ASYNC

YES

NO

> 1

AMBIGUOUS [3]

EXCEPTION

REPORT, NOREPORT, ASYNC

YES

YES

0

MISSING [4]

EXCEPTION

CREATE, UNLINK, DELETE, IGNORE, REPORT, NOREPORT, ASYNC

YES

YES

1

CONFIRMED

UPDATE target object

IGNORE, REPORT, NOREPORT, ASYNC

Based on this table, the following situations would be assigned to the previous diagram:

sync-situations2
Figure 2. Situation Assignment During the Source Synchronization Phase

For more information on how to configure the situations and actions to take in the IDM admin UI, refer to Configure situations and actions using the IDM admin UI.


1. In this case (and the two following cases), the DELETE action is applied to the linked target object and not necessarily to the target object(s) found by the correlation query. If the source is no longer valid and a link existed, the correlation logic is skipped.
2. The source object qualifies for a target object and is not linked to an existing target object. There is a single target object that correlates with this source object, according to the logic in the correlation, but that target object is already linked to a different source object.
3. The source object qualifies for a target object, is not linked to an existing target object, but there is more than one correlated target object (that is, more than one possible match on the target system).
4. If the action is CREATE for the situation MISSING, the orphaned link associated with the source object is updated to point to the new target object. When a target object is deleted, the link from the target to the corresponding source object is not deleted automatically. This lets IDM detect and report items that might have been removed without permission or might need review. If you need to remove the corresponding link when a target object is deleted, change the action to UNLINK to remove the link, or to DELETE to remove the target object and the link.
Copyright © 2010-2024 ForgeRock, all rights reserved.