This guide outlines how to synchronise users between two (or more) instances of OpenIDM, including all of their user data such as passwords and KBA questions and answers. This is achieved with the Scripted CREST connector.
- Two instances of OpenIDM up and running with the managed user object configured according to your requirements.
- KBA should be configured on both instances.
1. Configuring the Scripted CREST Connector
- Examine the provisioner file below. This will be used as the basis for our integration.
Copy the contents of the provisioner file into a new provisioner e.g. /openidm/conf/provisioner.openicf-openidm.json
Ensure the following configuration properties are set according to your environment:
- Ensure the directory specified above has been created: mkdir /usr/local/env/box/openidm_a/tools/scriptedcrest
- Copy the Scripted CREST connector scripts from the samples dir: cp -r /usr/local/env/box/openidm_a/samples/scriptedcrest2dj/tools/ /usr/local/env/box/openidm_a/tools/scriptedcrest
Open the following file in an editor: /usr/local/env/box/openidm_a/tools/scriptedcrest/SchemaScript.groovy and edit the following to ensure it matches the name of your provisioner file (provisioner.openicf-openidm.json or whatever you called it above):
2. Create new mapping
- Navigate to Configure -> Mappings
- Create a new mapping from the Managed User object to the new OpenIDM connector configured above in section 1.
- The mapping should look like this:
- Add a transformation script to decrypt the password (note that the password is decrypted for transmission, so the transport used must be secured with TLS or equivalent):
- Change Behaviours -> Policy to "Default Action" so that new users are actually created in the target.
The sync.json extract for this mapping is below if you just want to copy it:
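As an added illustration (not the page's own extract), the following sync.json mapping fragment shows the shape this mapping takes, with the password transform and the create-on-absent policy in place. It assumes the provisioner is named provisioner.openicf-openidm.json (so the target system is system/openidm), that the connector's SchemaScript exposes an object type called account, and that users correlate on userName; adjust these to your own environment.

```json
{
  "mappings": [
    {
      "name": "managedUser_systemOpenidmAccount",
      "source": "managed/user",
      "target": "system/openidm/account",
      "correlationQuery": {
        "type": "text/javascript",
        "source": "var qry = {'_queryFilter': 'userName eq \"' + source.userName + '\"'}; qry;"
      },
      "properties": [
        { "source": "userName", "target": "userName" },
        { "source": "givenName", "target": "givenName" },
        { "source": "sn", "target": "sn" },
        { "source": "mail", "target": "mail" },
        { "source": "kbaInfo", "target": "kbaInfo" },
        {
          "source": "password",
          "target": "password",
          "transform": {
            "type": "text/javascript",
            "source": "openidm.isEncrypted(source) ? openidm.decrypt(source) : source"
          }
        }
      ],
      "policies": [
        { "situation": "ABSENT", "action": "CREATE" },
        { "situation": "CONFIRMED", "action": "UPDATE" },
        { "situation": "FOUND", "action": "UPDATE" }
      ]
    }
  ]
}
```

Only the password carries the decrypt transform; kbaInfo is mapped straight through, and the ABSENT/CREATE policy is what "Default Action" provides so that new users are created in the target.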
3. Test synchronization
- Try reconciling users.
- Users that exist in the first IDM instance should be created in the second, with KBA and passwords intact: