How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I merge multiple external accounts to a single managed/user object in IDM (All versions)?

Last updated Jan 19, 2023

The purpose of this article is to provide information on merging multiple external accounts to a single managed/user object in IDM. This is useful when you hold data in multiple external accounts that you want to bring together in IDM and assumes that there is a common naming attribute in all the external accounts. You can then synchronize this managed/user object (with merged data) to an external account such as DS.

1 reader recommends this article

Merging multiple accounts


You can also link multiple accounts from the same target system to a managed user record as detailed in Map a Single Source Object to Multiple Target Objects and Link Multiple Accounts to a Single Identity.

For the following scenario:

  • 2 external source accounts (LDAP1 and LDAP2)
  • Common naming attribute = mail (email address)
  • 1 external destination account (DS)

You can merge these accounts to a single managed/user object in IDM as follows:

  1. Create and configure separate LDAP connector provisioner configuration files in the /path/to/idm/conf directory for your external accounts (for example, provisioner.openicf-ldap1.json and provisioner.openicf-ldap2.json).
  2. Create separate mappings for each external account to your managed/user object in the sync.json file (located in the /path/to/idm/conf directory), defining which attributes you want from each account.
  3. Determine which source will be the Primary source (used to create managed/user objects during reconciliation) and which source will be the Secondary source.

The Primary source must have the ABSENT situation action set to CREATE within its mappings' policies. Reconciliation must be performed against the Primary source initially in order to create the Managed User objects within the IDM repository.

  1. Update the policies for the Secondary source mapping within the sync.json file by setting the ABSENT situation action to UPDATE. For example: { "situation" : "ABSENT", "action" : "UPDATE" },

When performing reconciliation against the Secondary source, any attributes which are common to the two source systems will be overwritten by the Secondary source, unless you explicitly add business logic to either merge or selectively overwrite attribute values.

  1. Define a correlation query based on the common mail naming attribute for each mapping. For example: "correlationQuery" : { "type" : "text/javascript", "source" : "var query = {'_queryId' : 'get-by-field-value', 'field' : 'mail', 'value' : source.mail}; query;" },
  2. Create a mapping in the sync.json file from your managed/user to DS.

The sync-with-ldap sample (sample2) is a good starting point as it includes LDAP connector configurations and a basic mapping for an external LDAP account to the managed/user object.

See Also

How do I provision external accounts in a pre-defined order in IDM (All versions)?

LDAP connector

Mapping Data Between Resources

Correlating Source Objects With Existing Target Objects

One Way Synchronization From LDAP to IDM

Related Training

ForgeRock Identity Management Deep Dive (IDM-420)

Related Issue Tracker IDs


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.