ForgeRock Identity Platform
Does not apply to Identity Cloud

FAQ: Synchronization in IDM

Last updated Jan 12, 2023

The purpose of this FAQ is to provide answers to commonly asked questions regarding synchronization in IDM.

Frequently asked questions

Q. Why can't users log in to IDM with their existing passwords once they have been synced from DS?

A. Users synced from DS exist in IDM but cannot log in until their password has been changed. This is because user passwords in DS are one-way encrypted, so IDM cannot retrieve them until a password change has occurred. Additionally, you must use the Passthrough authentication method. See PASSTHROUGH for further information.

You can configure a password policy to force users to change their password when they next log in. See Password policy for further information.

Q. How do I resolve the FOUND_ALREADY_LINKED situation for source objects?

A. See How do I resolve the Found Already Linked situation in Identity Cloud or IDM (All versions)? for further information.

Q. Can you configure IDM reconciliation to continue implicit synchronization even when a failure occurs?

A. No. IDM performs implicit synchronization on an all-or-nothing basis according to the failure compensation configuration. There is no way to have implicit synchronization occur on specific objects within a mapping but not others.

Q. How do I configure IDM to handle large data sets for reconciliation?

A. IDM supports reconciliation paging, which breaks down extremely large data sets into chunks. See Tuning reconciliation performance for further information on this and other approaches to improve reconciliation performance.

See How do I identify reconciliation performance issues in IDM (All versions)? for further information on troubleshooting reconciliation performance.

Q. What is the purpose of the lastSync attribute?

A. The lastSync attribute is used as the state in a managed object to remember what assignments were pushed to the target resources, on a per-mapping basis. This attribute prevents divergences between the source and target assignment, especially when mergeWithTarget and removeFromTarget strategies are used.

You must not remove this attribute, as doing so could cause future upgrades to fail.

See Also

FAQ: Clusters in IDM

Synchronization in IDM

