PingOne Advanced Identity Cloud

Synchronization types

  • IDM discovers and synchronizes changes from external resources by using reconciliation and liveSync.

  • IDM synchronizes changes made to managed resources by using reconciliation and implicit synchronization.

    Reconciliation

    Reconciliation is the process of ensuring that the objects in two different data stores are consistent. Traditionally, reconciliation applies mainly to user objects, but IDM can reconcile any object, such as groups, roles, and devices.

    In any reconciliation operation, there is a source system (the system that contains the changes) and a target system (the system where the changes will propagate). The source and target system are defined in a mapping. The IDM repository can be the source or the target in a mapping. You can configure multiple mappings for one IDM instance, depending on the external resources you are connecting to.

    To perform reconciliation, IDM analyzes both the source system and the target system to identify their differences. Reconciliation can be a heavyweight process. When working with large data sets, finding all changes can be more work than processing the changes.

    Reconciliation is very thorough. It recognizes system error conditions and catches changes missed by liveSync, and therefore, serves as the basis for compliance and reporting.

    The repeat interval for scheduled reconciliations occurs in milliseconds. If you need to gather data more frequently, you can use liveSync to avoid performance impact.

    LiveSync

    LiveSync captures the changes that occur on an external system and pushes those changes to IDM. IDM uses any defined mappings to replay those changes where they are required—to its managed objects, to another remote system, or to both. Unlike reconciliation, liveSync uses a polling system intended to react quickly to changes as they happen.

    To perform this polling, liveSync relies on a change detection mechanism on the external resource to determine which objects have changed. The change detection mechanism is specific to the external resource. It can be a timestamp, a sequence number, a change vector, or any other method of recording changes that have occurred on the system. For example, DS implements a change log that provides IDM with a list of objects that have changed since the last request. Active Directory implements a change sequence number and certain databases could have a lastChange attribute.

    Implicit synchronization

    Implicit synchronization automatically pushes changes made to IDM managed objects out to external systems.

    For direct changes to managed objects, IDM immediately synchronizes those changes to all mappings configured to use those objects as their source. A direct change can originate as a write request through the REST interface and as an update resulting from reconciliation with another resource.

    Implicit synchronization only synchronizes changed objects to external resources. To synchronize a complete data set, you must run a reconciliation operation. The entire changed object is synchronized during implicit synchronization. To synchronize only the attributes that have changed, you can modify the onUpdate script in your mapping to compare attribute values before pushing changes.

Copyright © 2010-2024 ForgeRock, all rights reserved.