Sun Identity Manager 8.1 Business Administrator's Guide

Service Provider User Synchronization

Synchronization for Service Provider users is enabled through the Synchronization Policy. To synchronize changes to attributes on resources with Identity Manager for service provider users, you must configure Service Provider Synchronization.

The topics in this section (Configure Synchronization, Monitor Synchronization, Start and Stop Synchronization, and Migrate Users) explain how to enable synchronization in a service provider implementation.


Note –

Service Provider synchronization is configured from the list of resources in the Resources area of Identity Manager.


Configure Synchronization

To configure Service Provider synchronization, you edit the Synchronization Policy for resources as described in To Edit or Configure Synchronization.

When editing the Synchronization Policy, the following options must be specified to enable the synchronization processes for service provider users.

Follow the instructions in To Edit or Configure Synchronization to specify other options as appropriate for your environment. The synchronization interval for Service Provider synchronization tasks defaults to 1 minute.


Note –

The confirmation rule and form must use the IDMXUser view and not the Identity Manager input user view (see Sun Identity Manager Service Provider 8.1 Deployment for more information).

This is required because a confirmation rule accesses a user view for each user that the correlation rule identifies, so the view it uses directly affects synchronization performance.


Click Save to save the policy definition. If synchronization is not disabled in the policy, it is scheduled as specified. If synchronization is disabled in the policy (the Enable Synchronization check box is cleared), the synchronization service is stopped if it is currently running. If it is enabled, synchronization starts when the Identity Manager server is restarted, or when Start for Service Provider is selected under the Synchronization resource action.

Monitor Synchronization

Identity Manager provides the following methods for monitoring Service Provider synchronization.

Start and Stop Synchronization

Service Provider synchronization is enabled by default when you configure Identity Manager for a service provider implementation.

Procedure: To Disable Service Provider Active Sync

  1. In the Administrator interface, click Resources on the menu.

    The List Resources page opens.

  2. In the Service Provider area, select the resource and click Edit Synchronization Policy to edit the policy.

  3. Clear the Enable Synchronization check box.

  4. Click Save.

    When the policy is saved, synchronization stops.

    To stop synchronization without disabling it, select Stop for Service Provider from the Synchronization resource action.


    Note –

    If you stop synchronization by using the resource action, without disabling synchronization, it will be started again when any Identity Manager server is started.


Migrate Users

The Service Provider functionality contains an example user migration task and associated scripts. This task migrates existing Identity Manager users to the Service Provider User directory. This section describes how to use the example migration task. You are encouraged to modify this example for use in your situation.

Procedure: To Migrate Existing Identity Manager Users

  1. In the Administrator interface, click Server Tasks on the menu.

    The Find Tasks page opens.

  2. Click Run Tasks in the secondary menu.

  3. Click SPE Migration.

  4. Enter a unique Task Name.

  5. Select a Resource from the list.

    This is a resource in Identity Manager that represents the Service Provider directory server. Links to this resource found in Identity Manager users are not migrated.

  6. Enter an Identity Attribute.

    This is the Identity Manager user attribute that contains the short unique identity for the directory user.

  7. Select an Identity Rule from the list.

    This is an optional rule that can calculate the name of the directory user from attributes of the Identity Manager user. The Identity rule can calculate a simple name (typically a UID), which is then processed through the identity template of the resource to form the directory server distinguished name (DN). The rule can also return a fully specified DN, which bypasses the identity template.

  8. Click Launch to start the background migration task.
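The Identity Attribute, Identity Rule and identity template logic of steps 6 and 7, as an added example in Python. This is not code from Identity Manager (whose rules are written in its own XML rule language) and not the SPE Migration task itself: the `$uid$` template syntax, the attribute names, the sample users and the behaviour of the hypothetical rule are all assumptions made for the illustration. It also shows two checks a practitioner would want before clicking Launch: attribute values are escaped per RFC 4514 before they are placed in a DN (an unescaped comma or plus sign in a user attribute would otherwise change the DN's structure), and users whose computed DNs collide are reported rather than silently mapped onto the same directory entry.

```python
import re

# Constructed stand-in for the "identity template of the Resource" (step 7).
# The real template lives in the resource definition; this syntax is assumed.
IDENTITY_TEMPLATE = "uid=$uid$,ou=people,dc=example,dc=com"


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514, section 2.4).

    Special characters are backslash-escaped, as are a leading '#' and a
    leading or trailing space. Without this, 'Doe, Jane' would be read as two
    RDN components instead of one uid value.
    """
    escaped = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;=' \
           or (ch == '#' and i == 0) \
           or (ch == ' ' and (i == 0 or i == last)):
            escaped.append('\\' + ch)
        else:
            escaped.append(ch)
    return ''.join(escaped)


def looks_like_dn(name):
    """Assumption for this example: a result of the form 'attr=value...' is
    treated as a fully specified DN and bypasses the identity template."""
    return re.match(r'^[A-Za-z][A-Za-z0-9-]*=', name) is not None


def identity_rule(user):
    """Hypothetical Identity Rule (step 7).

    Returns a short name (expanded through IDENTITY_TEMPLATE), a full DN
    (used as-is), or None (fall back to the Identity Attribute of step 6).
    A rule that builds a full DN itself is responsible for its own escaping.
    """
    if user.get('objectType') == 'admin':
        return 'uid=%s,ou=admins,dc=example,dc=com' % escape_dn_value(user['accountId'])
    if user.get('email'):
        return user['email'].split('@')[0].lower()
    return None


def migrate_dn(user, identity_attribute='accountId', rule=identity_rule):
    """Compute the directory DN for one Identity Manager user."""
    name = rule(user) if rule is not None else None
    if name is None:
        name = user[identity_attribute]          # step 6: Identity Attribute
    if looks_like_dn(name):
        return name                              # full DN bypasses the template
    return IDENTITY_TEMPLATE.replace('$uid$', escape_dn_value(name))


def migrate_users(users, identity_attribute='accountId', rule=identity_rule):
    """Map every user to a DN and report DNs that more than one user maps to.

    Returns (dns, collisions): dns maps accountId -> DN; collisions maps a
    DN -> list of accountIds that would land on the same directory entry.
    """
    dns = {}
    by_dn = {}
    for user in users:
        dn = migrate_dn(user, identity_attribute, rule)
        dns[user['accountId']] = dn
        by_dn.setdefault(dn, []).append(user['accountId'])
    collisions = {dn: ids for dn, ids in by_dn.items() if len(ids) > 1}
    return dns, collisions


# Constructed sample users, not data from any real deployment.
SAMPLE_USERS = [
    {'accountId': 'jdoe', 'email': 'Jane.Doe@example.com', 'objectType': 'user'},
    {'accountId': 'Doe, Jane', 'email': '', 'objectType': 'user'},
    {'accountId': 'root', 'email': 'root@example.com', 'objectType': 'admin'},
    {'accountId': 'jane.doe', 'email': 'jane.doe@example.com', 'objectType': 'user'},
]


if __name__ == '__main__':
    dns, collisions = migrate_users(SAMPLE_USERS)
    for account_id, dn in dns.items():
        print('%-10s -> %s' % (account_id, dn))
    for dn, ids in collisions.items():
        print('COLLISION %s <- %s' % (dn, ', '.join(ids)))
```

Run the collision report against a copy of the user population before launching the migration task; the second user above shows the escaping case, and the first and fourth users show two accounts that an email-derived rule would map onto one directory entry.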