Managing Identity Source
OneAccess synchronizes identity data using the "Upstream – Midstream – Downstream" model. Upstream is the identity source that the enterprise manages, midstream is OneAccess, and downstream is an application system that receives identity data from the upstream through OneAccess. In this model, OneAccess synchronizes identity data from upstream systems to downstream application systems in real time, keeping identity data consistent, accurate, and secure throughout the user lifecycle: onboarding, job transfer, and resignation.
An identity source is similar to the identity management system of an enterprise: it stores the details of enterprise users. OneAccess supports standard identity sources such as WeCom, DingTalk, Active Directory (AD), and Lightweight Directory Access Protocol (LDAP) directories. With simple configuration, you can synchronize organization and user data from these identity sources to OneAccess. Identity source synchronization suits the following scenarios:
- Single identity source
Enterprises that have a single identity source can maintain identity data using its management system.
- Multiple independent identity sources
Enterprises that have multiple independent identity sources can maintain identity data in each identity source using its own management system. For example, a company has subsidiaries A and B, which have separate identity management systems and correspond to different organizations in OneAccess. The two subsidiaries can maintain identity data using their own identity management systems.
- Multiple related identity sources
Enterprises that have multiple related identity sources are advised to create and update identity data through a single source, so that one source does not overwrite another's data during synchronization.
OneAccess can synchronize user and organization information from multiple identity sources. The configuration differs by identity source type:
- To add an AD identity source, see Integrating AD Identity Sources.
- To add an LDAP identity source, see Integrating LDAP Identity Sources.
This section describes how to add an identity source, using an AD identity source as the example.
Procedure
- Add an identity source in OneAccess.
- Log in to the administrator portal.
- On the top navigation bar, choose Users > Identity Sources.
- On the Identity Sources page, click Add Identity Source in the Operation column of the AD row, enter an identity source name, and click OK.
- Configure the import settings.
- In the AD identity source list, click View Details in the row that contains the target identity source.
- Click the Import Settings tab, set import parameters, and click OK.
- Basic Settings: connection parameters of the AD server that OneAccess connects to. Parameters marked with an asterisk (*) are mandatory.
Table 1 Basic settings
* Host: Host name or IP address of the AD server.
* TCP Port: TCP port of the AD server. The default is 389 (plaintext LDAP); LDAP over SSL normally uses 636.
NOTE: OneAccess reaches the AD server only over the public network, so you must provide a publicly reachable address and open the port on it. A directory port that is reachable from the Internet carries the Principal's bind credentials and every synchronized attribute, so do not leave it on plaintext: set SSL or StartTLS to true with Certificate Verification enabled, and restrict inbound access on the server's firewall as narrowly as your deployment allows.
SSL: Whether to connect to the AD server over SSL (LDAPS). Default: true. Cannot be true at the same time as StartTLS.
StartTLS: Whether to upgrade a plaintext connection on the TCP port to TLS using the StartTLS extended operation.
- true: StartTLS is enabled, and SSL must be false.
- false: StartTLS is disabled.
Certificate Verification: Whether to verify the AD server's certificate. Valid only when SSL or StartTLS is true. true: verify the certificate; false: accept any certificate. The certificate must chain to a publicly trusted CA; self-signed certificates cannot be used. Setting this to false removes the protection TLS provides against an attacker who intercepts the connection and presents their own certificate, so keep it at true.
Protocol Version: TLS version used for SSL or StartTLS. Default: TLSv1.2. Recommended: TLSv1.3 or TLSv1.2.
Principal: Account that OneAccess binds to the AD server with. Use an account that has only read permission on the parts of the domain being synchronized (a dedicated service account, not a domain administrator). Include the domain name, for example admin@test.com or TEST\admin.
* Password: Password of the Principal account.
* Base Contexts: One or more root nodes in the AD tree (for example, OU=huaweitest,DC=test,DC=com) from which synchronization of AD users starts.
* UID Attribute: Name of the AD attribute mapped to the UID attribute.
* Account Object Class: One or more object classes that a new user object created in the AD tree will carry. Enter one object class per line; do not separate them with commas (,) or semicolons (;). Some object classes require every object class in their class hierarchy to be listed.
- Optional settings: whether to synchronize passwords, which password attributes to synchronize, account and organization object classes, and similar parameters. Change them if a synchronization error occurs; otherwise the defaults can usually be kept.
Table 2 Optional settings
Domain: Domain names to strip from the returned username. Separate multiple domain names with commas (,). By default the username is returned without the domain name.
Account Username Attribute: One or more attributes that hold an account's username. During authentication, these attributes are searched to find the AD entry of the username being authenticated.
Organization Object Class: One or more object classes that a new organization object created in the AD tree will carry. Enter one object class per line; do not separate them with commas (,) or semicolons (;). Some object classes require every object class in their class hierarchy to be listed.
Organization Name Attribute: One or more attributes that hold the organization name. These attributes are used to locate the AD entry of an organization.
Failover Servers: Servers to fall back to when the preferred server fails; JNDI connects to the next available server in the list. List each server as an LDAP URL such as ldap://ldap.example.com:389/ (the LDAP v3 URL format of RFC 2255, now RFC 4516). Only the host and port parts of the URL are used.
Password Attribute: AD attribute that stores passwords. When a user's password is changed, the new password is written to this attribute.
AD Filter: Optional LDAP filter that limits which accounts are returned from AD. If no filter is specified, all accounts that carry every listed account object class are returned.
Password Hash Algorithm: Algorithm used to hash passwords before they are written. SSHA, SHA, SMD5, and MD5 are supported. An empty value means the password is written unhashed, which results in the password being stored in the clear unless the directory server hashes it itself (Netscape Directory Server and iPlanet Directory Server do). Of the supported algorithms, only the salted ones (SSHA, SMD5) resist precomputed-table attacks; SHA and MD5 are unsalted, so prefer SSHA.
Preferentially process the change of the resource password policy after reset: If this identity source is the pass-through authentication target configured in the login module and its password policy requires a change after reset, users whose account password was reset by an administrator must change it after they authenticate successfully.
Use VLV Controls: Whether to force the use of Virtual List View (VLV) controls instead of the standard LDAP controls. Default: false.
VLV Sort Attribute: Attribute that the VLV index on the server sorts by.
Read Schema: If TRUE, the connector reads the schema from the server. If FALSE, the connector uses a default schema built from the object classes in the configuration. To use extended object classes, set this to TRUE.
Basic Contexts to Synchronize: One or more starting points in the AD tree used to decide whether a change should be synchronized. If unset, Base Contexts is used.
Object Class to Synchronize: Object classes whose changes are synchronized. The change log records changes to all objects; this setting filters them by object class. Do not list a superclass unless you want every object with that superclass synchronized: to synchronize only inetOrgPerson objects, list only inetOrgPerson, not its superclasses person, organizationalPerson, and top. Every object derives from top, so never list top; doing so filters nothing out.
Attribute to Synchronize: Attributes whose changes are synchronized. When set, change log entries that modify none of the listed attributes are ignored. For example, if only department is listed, only changes affecting department are processed. Leave it empty (the default) to process all changes.
AD Filter for Accounts to Synchronize: Optional LDAP filter applied during change synchronization. Because the change log covers all objects, only changes to objects matching this filter are processed; when a filter is set, an object is synchronized only if it matches the filter and carries one of the object classes to synchronize.
Change Log Block Size: Number of change log entries fetched per query.
Change Number Attribute: Name of the attribute that holds a change log entry's change number (typically changeNumber).
Filter with Or Instead of And: By default the change log query uses an AND of range conditions on the change number to fetch a block of changes. If set, the query instead ORs one equality condition per required change number.
Remove Log Entry Object Class from Filter: If set (the default), the filter used to fetch change log entries omits the changeLogEntry object class, because the change log should contain no entries of other object classes anyway.
Password Attribute to Synchronize: Name of the password attribute to synchronize.
Status Management Class: Class used to manage the enabled/disabled status. If none is specified, identity status cannot be managed.
Whether to search for passwords: Whether to retrieve the user password when searching. Default: No.
DN attribute: Name of the attribute that holds an entry's DN. Default: entryDN.
AD Filter: Optional LDAP filter that limits which groups are returned from AD. If no filter is specified, all groups that carry every listed object class are returned.
Read Timeout (ms): Time to wait for a response before the read attempt is aborted. 0 or a negative value means no limit.
Connection Timeout (ms): Time to wait when opening a new connection to the server. 0 uses the TCP network timeout, which can be several minutes; a negative value means no limit.
Account DN Prefix: Attribute used as the DN prefix of account entries. Default: cn. Another attribute name, such as uid, can be used instead.
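Several Table 2 parameters (Account Object Class, AD Filter, Account Username Attribute, Domain, Change Log Block Size, Filter with Or Instead of And, Remove Log Entry Object Class from Filter) only make sense once you see the LDAP filters they produce. The following is an added example, not OneAccess's or the connector's own code: it composes those filters in Python with RFC 4515 escaping so that a username typed into a login form cannot alter the query. The function names, the `changeNumber`/`changeLogEntry` spelling and the exact filter shapes are assumptions about how a connector would implement the settings as described above.

```python
"""Compose the LDAP filters that the import settings above describe.

Added illustration, not OneAccess's own code. Function and parameter names are
assumptions; value escaping follows RFC 4515, and the change log attribute names
(changeLogEntry, changeNumber) follow the LDAP change log draft schema.
"""
from __future__ import annotations

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before embedding it in a filter, so a username such as
    '*' or 'a)(objectClass=*' cannot change the filter's meaning."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def account_filter(object_classes: list[str], extra_filter: str | None = None) -> str:
    """'Account Object Class' + 'AD Filter': return only entries carrying every
    listed object class, AND-ed with the optional administrator-supplied filter."""
    if not object_classes:
        raise ValueError("at least one object class is required")
    terms = [f"(objectClass={escape_filter_value(oc)})" for oc in object_classes]
    if extra_filter:
        # The extra filter is a filter, not a value, so it is not escaped;
        # insist that it is at least a parenthesised expression.
        if not (extra_filter.startswith("(") and extra_filter.endswith(")")):
            raise ValueError("AD Filter must be a parenthesised LDAP filter")
        terms.append(extra_filter)
    return terms[0] if len(terms) == 1 else "(&" + "".join(terms) + ")"


def username_filter(username_attrs: list[str], username: str) -> str:
    """'Account Username Attribute': match the username in any configured
    attribute. The username comes from the login form, so it is escaped."""
    value = escape_filter_value(username)
    terms = [f"({attr}={value})" for attr in username_attrs]
    return terms[0] if len(terms) == 1 else "(|" + "".join(terms) + ")"


def strip_domain(username: str, domains: list[str]) -> str:
    """'Domain': drop a configured domain from user@domain or DOMAIN\\user
    (the two Principal formats shown above). Unknown domains are kept."""
    known = {d.lower() for d in domains}
    if "@" in username:
        user, _, dom = username.rpartition("@")
        if dom.lower() in known:
            return user
    if "\\" in username:
        dom, _, user = username.partition("\\")
        if dom.lower() in known:
            return user
    return username


def changelog_filter(first: int, block_size: int, use_or: bool = False,
                     remove_log_entry_class: bool = True) -> str:
    """'Change Log Block Size', 'Filter with Or Instead of And' and
    'Remove Log Entry Object Class from Filter' for one change log query."""
    if block_size < 1:
        raise ValueError("block size must be positive")
    last = first + block_size - 1
    if use_or:
        rng = "(|" + "".join(f"(changeNumber={n})" for n in range(first, last + 1)) + ")"
    else:
        rng = f"(&(changeNumber>={first})(changeNumber<={last}))"
    if remove_log_entry_class:
        return rng
    return f"(&(objectClass=changeLogEntry){rng})"


if __name__ == "__main__":
    print(account_filter(["user", "person"], "(department=Finance)"))
    print(username_filter(["sAMAccountName", "userPrincipalName"], "alice"))
    # An attacker-controlled username cannot widen the search:
    print(username_filter(["sAMAccountName"], "*)(objectClass=*"))
    print(strip_domain("TEST\\admin", ["test.com", "TEST"]))
    print(changelog_filter(100, 3, use_or=True))
```

The point of `escape_filter_value` is the one the Account Username Attribute setting quietly depends on: the username is attacker-controlled input that ends up inside a search filter, and only escaping (not the object-class AND) stops `*)(objectClass=*` from matching every entry.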
- Advanced Settings: policies for mapping higher-level organizations, organizations, and users, and the deletion safeguards.
Table 3 Advanced settings
Enable timer for recycling: Whether to run scheduled reclamation. If enabled, the reclamation task runs once a day at the configured time.
Timer frequency: Fixed at once a day.
NOTE: Displayed only when scheduled reclamation is enabled.
Select a recycling start time: Start time of the daily reclamation task, selected from the drop-down list.
NOTE: Needs to be set only when scheduled reclamation is enabled.
Organization: Parent organization in OneAccess under which organizations synchronized from AD are placed. If not set, a new top-level organization is created automatically.
Organization Matching: Mapping between an AD organization and a OneAccess organization, used when OneAccess synchronizes organizations from the enterprise AD. For example, if OneAccess has an organization attribute Code and your AD has a similar attribute Organization Code, AD organizations are matched to OneAccess organizations by that attribute and their AD codes become the organization codes in OneAccess.
Create Organization: Enabled by default. OneAccess automatically creates organizations that do not match any existing OneAccess organization. Keep this enabled to ensure data integrity.
Update Organization: Enabled by default. OneAccess organizations that match organizations synchronized from the identity source are updated. Keep this enabled to ensure data accuracy.
Delete Organization: When organizations that were previously synchronized are no longer present in AD, OneAccess checks the deletions against the configured threshold: it divides the number of organizations to delete by the total number of records synchronized in the last run. If that ratio is greater than the threshold, the deletion is refused; if it is less, the deletion proceeds. This keeps an upstream fault (for example an empty or mis-scoped Base Context) from cascading into mass deletion.
User Matching: Mapping between an AD user and a OneAccess user, used when OneAccess synchronizes users from the enterprise AD. For example, if OneAccess has a user attribute User ID and your AD has a similar attribute Employee ID, AD users are matched to OneAccess users by that attribute and their AD employee IDs become the user IDs in OneAccess.
Create User: Enabled by default. OneAccess automatically creates users who do not match any existing OneAccess user. Keep this enabled to ensure data integrity.
Update User: Enabled by default. OneAccess users that match users synchronized from the identity source are updated. Keep this enabled to ensure data accuracy.
Delete User: When users that were previously synchronized are no longer present in AD, OneAccess checks the deletions against the configured threshold: it divides the number of users to delete by the total number of users synchronized in the last run. If that ratio is greater than the threshold, the deletion is refused; if it is less, the deletion proceeds.
Disable User Threshold Adjustment: Default: 20%. A customizable protection mechanism provided by the platform: when the share of records that the upstream identity source disables or deletes exceeds this threshold, OneAccess does not apply the disable or delete operations after receiving them.
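The Create/Update/Delete switches and the deletion threshold in Table 3 together define how a synchronization run behaves when the upstream looks different from the last run. The following is an added example, not OneAccess's own code: a small reconciliation in Python that applies creates and updates per record and gates deletions behind the threshold, then shows a healthy run next to a run where a mis-scoped Base Context makes AD return almost nobody. The data model, function names, the treatment of a ratio exactly equal to the threshold (allowed) and of a run with no previous baseline (all deletions refused) are assumptions; the page does not specify them.

```python
"""Reconcile an upstream (AD) user snapshot against the downstream (OneAccess)
store, applying the Create/Update/Delete switches and the deletion threshold
described in Table 3.

Added illustration, not OneAccess's own code. The data model, function names
and two details the page leaves open are assumptions: a ratio exactly equal to
the threshold is allowed through, and a run without a baseline refuses every
deletion.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class SyncPolicy:
    create: bool = True             # Create User
    update: bool = True             # Update User
    delete: bool = True             # Delete User
    delete_threshold: float = 0.20  # Disable User Threshold Adjustment, default 20%


@dataclass
class SyncResult:
    created: list[str] = field(default_factory=list)
    updated: list[str] = field(default_factory=list)
    deleted: list[str] = field(default_factory=list)
    blocked: list[str] = field(default_factory=list)  # deletions refused by the threshold
    reason: str = ""


def reconcile(upstream: dict[str, dict], downstream: dict[str, dict],
              policy: SyncPolicy, last_sync_total: int) -> SyncResult:
    """Keys of both dicts are the matching attribute (User Matching, e.g. the
    employee ID); values are the mapped attributes. Creates and updates are
    applied per record; deletions are all-or-nothing against the threshold."""
    result = SyncResult()
    for uid, attrs in upstream.items():
        if uid not in downstream:
            if policy.create:
                result.created.append(uid)
        elif downstream[uid] != attrs and policy.update:
            result.updated.append(uid)

    missing = sorted(uid for uid in downstream if uid not in upstream)
    if not policy.delete or not missing:
        return result
    if last_sync_total <= 0:
        result.blocked, result.reason = missing, "no baseline from a previous sync"
        return result
    ratio = len(missing) / last_sync_total
    if ratio > policy.delete_threshold:
        result.blocked = missing
        result.reason = (f"{len(missing)}/{last_sync_total} = {ratio:.0%} exceeds the "
                         f"{policy.delete_threshold:.0%} deletion threshold")
    else:
        result.deleted = missing
    return result


def sample_downstream() -> dict[str, dict]:
    """Constructed sample: ten users OneAccess holds from the previous run."""
    return {f"10{i:02d}": {"name": f"user{i}", "dept": "Finance"} for i in range(10)}


def healthy_run() -> SyncResult:
    """One user left, one changed department, one joined: 1/10 = 10% deletions."""
    upstream = sample_downstream()
    del upstream["1009"]
    upstream["1003"]["dept"] = "Treasury"
    upstream["1010"] = {"name": "user10", "dept": "Finance"}
    return reconcile(upstream, sample_downstream(), SyncPolicy(), last_sync_total=10)


def misscoped_run() -> SyncResult:
    """A Base Context typo makes AD return only two users: 8/10 = 80% deletions,
    refused by the 20% threshold. Creates and updates would still go through."""
    upstream = {k: v for k, v in sample_downstream().items() if k in ("1000", "1001")}
    return reconcile(upstream, sample_downstream(), SyncPolicy(), last_sync_total=10)


if __name__ == "__main__":
    print(healthy_run())
    print(misscoped_run())
```

Note that the threshold is measured against the previous run's total, not the current one: a current snapshot that is nearly empty is exactly the failure the check exists to catch, so it cannot be trusted as the denominator.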
- (Optional) Set the object models.
Click the Object Models tab on the identity source details page. Then add, modify, or delete users and organization attributes and mapping rules.
Table 4 Object model
User
- Attributes: User attributes in the AD identity source.
- Mappings: Data conversion rules for synchronizing user data from AD to OneAccess. Script-based conversion is supported.
Organization Object
- Attributes: Organization attributes in the AD identity source.
- Mappings: Data conversion rules for synchronizing organization data from AD to OneAccess. Script-based conversion is supported.
- Add an attribute.
- On the Attribute tab page, click Add. The Add Attribute dialog box is displayed.
- Select one of the identity source's optional attributes, and enter the display tag and description.
- Select a type. When Type is set to Text, you must also set Format.
- Set whether the attribute is mandatory and click OK. The attribute is added.
- Set the mapping rule.
On the Mapping Definition tab page, click Modify. Set the conversion mode, script expression mode, execution mode, and system user for the mapping rule.