Sun Identity Manager 8.1 Business Administrator's Guide

Active Sync Adapters

The Identity Manager Active Sync feature allows information that is stored in an authoritative external resource (such as an application or database) to synchronize with Identity Manager user data. Configuring synchronization for an Identity Manager resource enables it to listen or poll for changes to the authoritative resource.

You can configure how resource attribute changes are flowed into Identity Manager by specifying the Input Form in the resource’s synchronization policy (for the appropriate target object type).

Note –

The pages in this chapter focus on how to perform Active Sync tasks using the Administrator interface. To learn about Active Sync in depth, see Chapter 4, Data Loading and Synchronization, in Sun Identity Manager Deployment Guide.

Configuring Synchronization

Identity Manager uses a synchronization policy to enable synchronization for resources.

Procedure: To Edit or Configure Synchronization

Each resource has its own synchronization policy. Use the following steps to configure or edit a synchronization policy:

  1. In the Administrator interface, click Resources in the menu.

  2. Select the resource in the Resource List for which you want to configure synchronization.

  3. Find the Resource Actions list and select Edit Synchronization Policy.

    The Edit Synchronization page for the resource opens.

    Specify the following options in the Edit Synchronization Policy page to configure synchronization:

    • Target Object Type. Select the type of users to which the policy applies, either Identity Manager Users or Service Provider Users.

      Note –

      In a Service Provider implementation you must configure a synchronization policy (with Service Provider Users specified as the object type) to enable synchronization of data for those users. For more information about service provider users, see Chapter 17, Service Provider Administration.

    • Scheduling Settings. Use this section to specify the start-up method and polling schedule.

      You can specify the following Startup Types:

      • Automatic or Automatic with failover. Starts the authoritative source when the Identity system is started.

      • Manual. Requires that an administrator start the authoritative source.

      • Disabled. Disables the resource.

        Use the Start Date and Start Time options to specify when polling begins. Specify the polling cycles by selecting an interval and entering a value for the interval (seconds, minutes, hours, days, weeks, months).

        Note –

        If you change the start-up method or polling schedule, you must restart the server for those changes to take effect.

        If you set a polling start date and time that is in the future, polling will begin when specified. If you set a polling start date and time that is in the past, Identity Manager determines when to begin polling based on this information and the polling interval.

        For example:

        • You configure active synchronization for the resource on July 18, 2005 (Tuesday).

        • You set the resource to poll weekly, with a start date of July 4, 2005 (Monday) and time of 9:00 a.m.

      In this case, the resource will begin polling on July 25, 2005 (the following Monday).

      If you do not specify a start date or time, then the resource will poll immediately. If you take this approach, each time the application server is restarted, all resources configured for active synchronization will begin polling immediately. The typical approach is to set a start date and time.

    • Synchronization Servers. In a clustered environment, each server can run synchronization. Select an option to specify which servers will be used to run synchronization for the resource.

      • Select Use any available server if it does not matter where synchronization runs. A server will be chosen from the set of possible servers when synchronization starts.

      • Select Use the settings in to use servers specified there to run synchronization. (This feature is deprecated.)

      • Select Use specified servers, and then select one or more available servers from the Synchronization Servers list, to select specific servers to run synchronization.

    • Resource Specific Settings. Use this section to specify how synchronization will determine the data to be processed for the resource.

    • Common Settings. Specify the general settings for data synchronization activities.

      These settings include:

      • Proxy Administrator. Select the administrator who will process updates. All actions will be authorized through capabilities assigned to this administrator. You should select a proxy administrator with an empty user form.

      • Input Form. Select an input form that will process data updates. This optional configuration item allows attributes to be transformed before they are saved on the accounts.

      • Rules (optional). Select rules to use during the data synchronization process.

        You can specify the following:

        • Process Rule. Select this rule to specify a process rule to run for each incoming account. This selection overrides all other options. If you specify a process rule, the process will be run for every row, regardless of other settings on the resource. It can be either a process name, or a rule evaluating to a process name.

        • Correlation Rule. Select a correlation rule to override the correlation rule specified in the resource’s reconciliation policy. Correlation rules correlate resource accounts to Identity system accounts.

        • Confirmation Rule. Select a confirmation rule to override the confirmation rule specified in the resource’s reconciliation policy.

        • Resolve Process Rule. Select this rule to specify the name of a Task Definition to run in case of multiple matches to a record in the data feed. This should be a process that prompts an administrator for manual action. It can be a process name or a rule evaluating to a process name.

        • Delete Rule. Select a rule, which returns true or false, that will be evaluated for each incoming user update to determine if a delete operation should occur.

      • Create Unmatched Accounts. When this option is enabled (true), the adapter will attempt to create accounts that it does not find in the Identity Manager system. If not enabled, the adapter will run the account through the process returned by the Resolve Process Rule.

      • Logging Settings. Specify a value for the logging options.

        The logging options consist of the following:

        • Maximum Log Archives. If greater than zero, retain the latest N log files. If zero, then a single log file is reused. If -1, then log files are never discarded.

        • Maximum Active Log Age. After this period of time has elapsed, the active log will be archived. If the time is zero, then no time-based archival will occur. If Maximum Log Archives is zero, then the active log will instead be truncated and reused after this time period. This age criterion is evaluated independently of the size criterion specified by Maximum Log File Size.

          Enter a number, and then select the unit of time (Days, Hours, Minutes, Months, Seconds, or Weeks). Days is the default unit.

        • Log File Path. Enter the path to the directory in which to create the active and archived log files. Log file names begin with the resource name.

        • Maximum Log File Size. Enter the maximum size, in bytes, of the active log file. The active log file will be archived when it reaches maximum size. If Maximum Log Archives is zero, then the active log will instead be truncated and reused when it reaches that size. This size criterion is evaluated independently of the age criterion specified by Maximum Active Log Age.

        • Log Level. Specify a logging level.

          The following logging levels are available:

          • 0. No logging

          • 1. Error

          • 2. Information

          • 3. Verbose

          • 4. Debug

  4. Click Save to save the policy settings for the resource.
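The start date and polling interval behavior described under Scheduling Settings, as an added example (not code from Identity Manager). It assumes the first poll is the first schedule point at or after the current time; the function names, the resource names, and the 10:30 a.m. time of day are also assumptions, and only fixed-length interval units are modeled.

```python
from datetime import datetime, timedelta

# Fixed-length units only; "months" is left out because calendar-month
# arithmetic is product-specific and not described on this page.
UNIT_SECONDS = {"seconds": 1, "minutes": 60, "hours": 3600,
                "days": 86400, "weeks": 604800}

def first_poll(now, start=None, every=1, unit="weeks"):
    """Assumed model: the first poll is the first schedule point at or after now."""
    if start is None:
        return now                      # no start date/time: poll immediately
    if start >= now:
        return start                    # start in the future: wait until then
    step = timedelta(seconds=every * UNIT_SECONDS[unit])
    # Floor division on the negative difference gives ceil((now - start) / step).
    elapsed_steps = -((start - now) // step)
    return start + elapsed_steps * step

def immediate_at_restart(policies, restart):
    """Resources that begin polling the moment the application server is up."""
    return sorted(name for name, p in policies.items()
                  if first_poll(restart, **p) == restart)

# Constructed sample policies (resource names are hypothetical).
POLICIES = {
    "hr-db":     {"start": datetime(2005, 7, 4, 9, 0), "every": 1, "unit": "weeks"},
    "ldap-feed": {},   # no start date set
    "badge-sys": {},   # no start date set
}
RESTART = datetime(2005, 7, 18, 10, 30)  # time of day is an assumption

if __name__ == "__main__":
    print(first_poll(RESTART, **POLICIES["hr-db"]))   # weekly schedule from July 4
    print(immediate_at_restart(POLICIES, RESTART))    # resources polling at startup
```

Running the second function against an export of your synchronization policies shows how many resources will hit their authoritative sources at the same moment after a restart.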

Editing Active Sync Adapters

Before editing an Active Sync adapter, stop synchronization.

Procedure: To Stop Synchronization

  1. Open the Edit Synchronization page. (For instructions, see To Edit or Configure Synchronization.)

  2. Under Scheduling Settings, locate Startup Type and select Disabled.

    For Service Provider users, deselect the Enable Synchronization option.

    A warning message will appear to indicate that active synchronization is disabled.

  3. Click Save.

    Disabling synchronization for a resource will result in stopping the synchronization task when the changes are saved.

Tuning Active Sync Adapter Performance

Because synchronization is a background task, Active Sync adapter configuration can affect server performance.

Tuning Active Sync adapter performance involves these tasks:

Manage Active Sync adapters through the resources list. Select an Active Sync adapter, and then access the start, stop, and status refresh actions from the Synchronization section of the Resource Actions list.

Changing Polling Intervals

The polling interval determines when the Active Sync adapter will start processing new information. Polling intervals should be determined based on the type of activity being performed. For example, if the adapter reads in a large list of users from a database and updates all users in Identity Manager each time, consider running this process daily in the early morning hours. Some adapters may have a quick search for new items to process and could be set to run every minute.

Specifying the Host Where the Adapter Will Run

To specify the host where the adapters will run, you must edit the sources.hosts property in the file.

Specify one of the following settings:

Active Sync adapters that require more memory and CPU cycles can be configured to run on dedicated servers to help load balance the systems.

Starting and Stopping

Active Sync adapters can be disabled, manually started, or automatically started. You must have the appropriate administrator capability to change Active Sync resources in order to start or stop Active Sync adapters. For information about administrator capabilities, see Capabilities Categories.

When an adapter is set to automatic, the adapter restarts when the application server does. When you start an adapter, it will run immediately and execute at the specified polling interval. When you stop an adapter, the next time the adapter checks for the stop flag, it will stop.

Adapter Logging

Adapter logs capture information about the adapter currently processing. The amount of detail that the log captures depends on the logging level you have set. Adapter logs are useful for debugging problems and watching the adapter process progress.

Each adapter has its own log file, path, and log level. You specify these values in the Logging section of the Synchronization Policy for the appropriate user type (Identity Manager or Service Provider).

Delete Adapter logs only when the adapter has been stopped. In most cases, it is a good practice to make a copy of an adapter log for archive purposes before you delete the log.
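How the Maximum Log Archives, Maximum Active Log Age, and Maximum Log File Size settings interact determines how much adapter history survives for later review. The following added example (a model of the rules stated in Logging Settings, not Identity Manager code) replays a constructed series of log writes under different policies; the class and function names and the point at which rollover is checked are assumptions.

```python
from dataclasses import dataclass

@dataclass
class LogPolicy:
    max_archives: int   # Maximum Log Archives: N>0 keep latest N, 0 reuse one file, -1 keep all
    max_age_s: int      # Maximum Active Log Age in seconds; 0 = no time-based archival
    max_size: int       # Maximum Log File Size in bytes

def simulate(policy, writes):
    """Replay (timestamp_s, nbytes) writes.

    Returns (active_bytes, archive_sizes, bytes_discarded).
    Assumption: rollover is checked before each write.
    """
    active, opened, archives, discarded = 0, None, [], 0
    for ts, nbytes in writes:
        if opened is None:
            opened = ts
        # Age and size are evaluated independently; either one triggers rollover.
        too_old = policy.max_age_s > 0 and ts - opened >= policy.max_age_s
        too_big = active >= policy.max_size
        if active and (too_old or too_big):
            if policy.max_archives == 0:
                discarded += active                  # single file truncated and reused
            else:
                archives.append(active)              # active log becomes an archive
                while 0 < policy.max_archives < len(archives):
                    discarded += archives.pop(0)     # oldest archive dropped
            active, opened = 0, ts
        active += nbytes
    return active, archives, discarded

# Constructed sample: one 400-byte log write per hour for 12 hours.
WRITES = [(hour * 3600, 400) for hour in range(12)]

if __name__ == "__main__":
    for name, pol in [("keep 2", LogPolicy(2, 0, 1000)),
                      ("reuse one file", LogPolicy(0, 0, 1000)),
                      ("keep all", LogPolicy(-1, 0, 1000)),
                      ("2h age, keep 2", LogPolicy(2, 7200, 10**9))]:
        print(name, simulate(pol, WRITES))
```

With Maximum Log Archives set to zero, every rollover discards the history written so far, so copy the log elsewhere first if it may be needed for an investigation.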