Connections Overview
Connections are the foundation of IdentityCenter. They define how the platform communicates with your identity sources to synchronize users, groups, and other objects.
What is a Connection?
A connection is a configured link between IdentityCenter and an external directory service. It stores:
- Server address and port
- Authentication credentials
- TLS settings, including whether the server certificate is validated
- Base search location (Base DN)
- Connection-specific options
Supported Connection Types
Active Directory
The most common connection type for Windows environments.
| Feature | Support |
|---|---|
| Users | Full sync |
| Groups | Full sync |
| Computers | Full sync |
| Nested Groups | Yes |
| LDAPS | Yes |
| Kerberos Auth | Yes |
Best for: On-premises Windows environments, hybrid configurations
Entra ID (Azure AD)
Connect to Microsoft's cloud identity service.
| Feature | Support |
|---|---|
| Users | Full sync |
| Groups | Full sync |
| Service Principals | Read-only |
| App Registrations | Read-only |
| Conditional Access | Read-only |
Best for: Cloud-first organizations, Microsoft 365 environments
Generic LDAP
Connect to any LDAP v3 compliant directory.
| Feature | Support |
|---|---|
| Users | Configurable |
| Groups | Configurable |
| Custom Objects | Yes |
| Schema Discovery | Yes |
Best for: OpenLDAP, eDirectory, custom LDAP implementations
Connection Architecture
┌─────────────────────────────────────────────────────────────┐
│ IdentityCenter                                              │
├─────────────────────────────────────────────────────────────┤
│ Connection Manager                                          │
│ ├── Connection Pool                                         │
│ ├── Credential Store (encrypted)                            │
│ └── Health Monitor                                          │
└─────────────────────────────────────────────────────────────┘
         │                   │                   │
   ┌─────▼─────┐       ┌─────▼─────┐       ┌─────▼─────┐
   │    AD     │       │ Entra ID  │       │   LDAP    │
   │Connection │       │Connection │       │Connection │
   └─────┬─────┘       └─────┬─────┘       └─────┬─────┘
         │                   │                   │
   ┌─────▼─────┐       ┌─────▼─────┐       ┌─────▼─────┐
   │   DC01    │       │   Graph   │       │   LDAP    │
   │   DC02    │       │    API    │       │  Server   │
   └───────────┘       └───────────┘       └───────────┘
Connection States
| State | Description | Action |
|---|---|---|
| Active | Connection is working normally | None required |
| Warning | Minor issues detected | Review warnings |
| Error | Connection failed | Troubleshoot immediately |
| Disabled | Manually disabled | Enable when ready |
| Testing | Connection test in progress | Wait for result |
Security Considerations
Credential Storage
- All credentials are encrypted at rest using AES-256. Encryption at rest protects the credential store on disk and in backups; it does not protect against an attacker who has already compromised the IdentityCenter host, since the service itself must be able to decrypt them. Treat the host as part of each credential's trust boundary.
- Passwords are never logged or displayed
- Credentials can be rotated without downtime; rotate on a schedule and immediately after any suspected exposure
Network Security
- Use LDAPS (port 636) so the bind and all directory traffic are encrypted. A simple bind over plain LDAP (port 389) sends the service-account password in cleartext. Keep certificate validation enabled: disabling it to work around an untrusted domain controller certificate leaves the connection open to an on-path attacker presenting any certificate.
- Consider VPN or ExpressRoute for cloud connections. Entra ID connections call Microsoft Graph over HTTPS, so the practical control there is limiting IdentityCenter's outbound traffic to the Graph endpoints it needs.
- Implement firewall rules in both directions: only the IdentityCenter hosts should be able to reach the domain controllers on the LDAP ports, and IdentityCenter's own egress should be restricted to the directory servers and cloud endpoints it connects to.
Service Account Best Practices
- Create dedicated accounts - One account per connection; never reuse an existing admin account. A shared account makes its activity impossible to attribute to a single connection, and its compromise becomes a domain-wide event.
- Minimum permissions - Grant read access scoped to the OUs being synchronized; grant write rights only to the attributes and containers that write-back needs, and never membership in privileged groups such as Domain Admins.
- Password policies - Use long, randomly generated passwords rather than human-style "complex" ones. If the account has a registered SPN it can be Kerberoasted offline, and password length is then the only thing protecting it.
- Monitor access - Enable auditing on the service account and alert on anything outside its expected pattern: logons from hosts other than the IdentityCenter servers, interactive or RDP logons, and changes to its group membership.
- Document accounts - Track which connections use which accounts, so that rotation and decommissioning are complete
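The network and service-account points above can be checked mechanically before a connection is saved. The following is an added example, not IdentityCenter's own code or configuration schema: the field names (transport, verify_cert, bind_dn, bind_groups and so on) and the password-length threshold are assumptions, and the two sample definitions are constructed to show a weak connection beside its hardened form.

```python
"""Pre-flight security checks for a directory connection definition.

Added illustration only: this page does not show IdentityCenter's real configuration
schema, so every field name below (transport, verify_cert, bind_dn, ...) is an assumption.
The checks encode the points above: encrypted transport with certificate validation,
a dedicated non-privileged bind account, and no more write access than write-back needs.
"""
from dataclasses import dataclass, field

# Built-in AD groups whose members must never double as a sync service account.
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Administrators", "Account Operators",
}
MIN_PASSWORD_LENGTH = 25  # assumed threshold: a long random secret resists offline guessing


@dataclass
class ConnectionConfig:
    name: str
    host: str
    port: int
    transport: str                   # "ldap" (plaintext), "starttls" or "ldaps"
    verify_cert: bool                # validate the server certificate chain and hostname
    bind_dn: str
    bind_password: str
    bind_groups: list = field(default_factory=list)  # group memberships of the bind account
    dedicated_account: bool = True   # created solely for this connection
    account_can_write: bool = False  # bind account holds write rights in the directory
    writeback_enabled: bool = False  # this connection is meant to write to the directory


def check_connection(cfg: ConnectionConfig) -> list:
    """Return the findings for one connection; an empty list means it passes every check."""
    findings = []
    if cfg.transport == "ldap":
        findings.append("plaintext LDAP: a simple bind sends the service-account password in the clear")
    elif cfg.transport in ("starttls", "ldaps"):
        if not cfg.verify_cert:
            findings.append("certificate validation disabled: an on-path attacker can present "
                            "any certificate and capture the bind")
    else:
        findings.append(f"unknown transport {cfg.transport!r}")
    privileged = sorted(set(cfg.bind_groups) & PRIVILEGED_GROUPS)
    if privileged:
        findings.append(f"bind account is in privileged group(s) {privileged}: "
                        "a leak of this credential is a domain compromise")
    if not cfg.dedicated_account:
        findings.append("bind account is shared with other systems or people: "
                        "its activity cannot be attributed to this connection")
    if cfg.account_can_write and not cfg.writeback_enabled:
        findings.append("bind account has write access but write-back is off: drop it to read-only")
    if cfg.writeback_enabled and not cfg.account_can_write:
        findings.append("write-back enabled but the bind account cannot write: the first write will fail")
    if len(cfg.bind_password) < MIN_PASSWORD_LENGTH:
        # Report the length only; the secret itself never goes into a finding or a log.
        findings.append(f"bind password is shorter than {MIN_PASSWORD_LENGTH} characters")
    return findings


# Constructed sample definitions: the weak connection beside its hardened counterpart.
WEAK = ConnectionConfig(
    name="corp-ad", host="dc01.corp.example", port=389, transport="ldap", verify_cert=False,
    bind_dn="CN=Administrator,CN=Users,DC=corp,DC=example", bind_password="Summer2024!",
    bind_groups=["Domain Admins", "Domain Users"], dedicated_account=False, account_can_write=True,
)
HARDENED = ConnectionConfig(
    name="corp-ad", host="dc01.corp.example", port=636, transport="ldaps", verify_cert=True,
    bind_dn="CN=svc-identitycenter-ro,OU=Service Accounts,DC=corp,DC=example",
    bind_password="g7Qx-vP2m-Lk9z-Ht4w-Rn8b-Cs3y-Vd6f",  # placeholder; generate the real one randomly
    bind_groups=["Domain Users"], dedicated_account=True, account_can_write=False,
)

if __name__ == "__main__":
    for cfg in (WEAK, HARDENED):
        print(f"{cfg.name}: {cfg.transport}://{cfg.host}:{cfg.port} as {cfg.bind_dn}")
        for line in check_connection(cfg) or ["no findings"]:
            print("  -", line)
```

Running the block reports five findings for the weak definition (plaintext bind, privileged bind account, shared account, unnecessary write rights, short password) and none for the hardened one. The checks are deliberately independent of each other so that fixing one does not hide another.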
Connection Limits
| Edition | Max Connections |
|---|---|
| Standard | 5 |
| Professional | 25 |
| Enterprise | Unlimited |
Common Connection Patterns
Single Forest
One connection to your primary Active Directory forest.
Multi-Forest
Separate connections for each AD forest, with identity matching across forests.
Hybrid
Active Directory connection plus Entra ID connection, matching users across both.
Multi-Cloud
Connections to multiple cloud providers (Entra ID, Okta, etc.) unified in IdentityCenter.
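The multi-forest and hybrid patterns both rest on identity matching, and the choice of matching attribute is a security decision: linking on an attribute a user can edit themselves (mail, display name) lets an account in one source claim another person's identity in the other. The following is an added example of a conservative matcher, not IdentityCenter's own matching logic; the attribute names (sAMAccountName, employeeID, mail) and the rule order are assumptions, and the two directories are constructed sample data.

```python
"""Cross-forest identity matching: an added illustration, not IdentityCenter's own logic.

Attribute names (sAMAccountName, employeeID, mail) and the rule order are assumptions:
  1. link on employeeID, an HR-assigned anchor that users cannot edit themselves;
  2. fall back to a normalised mail address only when it is unique on both sides;
  3. never auto-link anything ambiguous: a wrong link hands one person another's access.
"""
from collections import defaultdict


def _norm(value):
    """Case-fold and trim so 'E1001' and ' e1001 ' compare equal."""
    return (value or "").strip().lower()


def _index(users, attr):
    """Map normalised attribute value -> list of user records carrying it."""
    idx = defaultdict(list)
    for u in users:
        key = _norm(u.get(attr))
        if key:
            idx[key].append(u)
    return idx


def match_identities(forest_a, forest_b):
    """Return (matches, conflicts).

    matches:   list of (a_account, b_account, basis) links that are safe to apply.
    conflicts: human-readable reasons for every link that was refused.
    """
    b_by_emp = _index(forest_b, "employeeID")
    b_by_mail = _index(forest_b, "mail")
    a_by_mail = _index(forest_a, "mail")
    proposed, conflicts = [], []

    for a in forest_a:
        a_key = a["sAMAccountName"]
        emp, mail = _norm(a.get("employeeID")), _norm(a.get("mail"))
        basis, candidates = None, []
        if emp and emp in b_by_emp:
            basis, candidates = "employeeID", b_by_emp[emp]
        elif mail and mail in b_by_mail:
            if len(a_by_mail[mail]) > 1:
                conflicts.append(f"{a_key}: mail {mail} is shared by "
                                 f"{len(a_by_mail[mail])} accounts in forest A")
                continue
            basis, candidates = "mail", b_by_mail[mail]
        if not candidates:
            continue  # no counterpart: remains a distinct identity
        if len(candidates) > 1:
            conflicts.append(f"{a_key}: {basis} matches {len(candidates)} accounts in forest B")
            continue
        proposed.append((a_key, candidates[0]["sAMAccountName"], basis))

    # One forest-B account must not be claimed by two forest-A accounts (for example a
    # user's standard and admin accounts sharing an employeeID); refuse both rather than pick one.
    claims = defaultdict(list)
    for a_key, b_key, basis in proposed:
        claims[b_key].append((a_key, basis))
    matches = []
    for b_key, claimants in claims.items():
        if len(claimants) == 1:
            a_key, basis = claimants[0]
            matches.append((a_key, b_key, basis))
        else:
            conflicts.append(f"{b_key} in forest B claimed by {sorted(a for a, _ in claimants)}")
    return matches, conflicts


# Constructed sample directories (not real data).
FOREST_A = [
    {"sAMAccountName": "alice", "employeeID": "E1001", "mail": "alice@corp.example"},
    {"sAMAccountName": "bob", "employeeID": "E1002", "mail": "bob@corp.example"},
    {"sAMAccountName": "carol", "employeeID": None, "mail": "carol@corp.example"},
    {"sAMAccountName": "dave", "employeeID": None, "mail": "shared@corp.example"},
    {"sAMAccountName": "erin", "employeeID": None, "mail": "shared@corp.example"},
    {"sAMAccountName": "frank", "employeeID": "E1006", "mail": "frank@corp.example"},
    {"sAMAccountName": "ivan", "employeeID": "E1008", "mail": "ivan@corp.example"},
    {"sAMAccountName": "ivan-adm", "employeeID": "E1008", "mail": None},
]
FOREST_B = [
    {"sAMAccountName": "alice.b", "employeeID": " e1001 ", "mail": "Alice@Corp.example"},
    {"sAMAccountName": "bob.b", "employeeID": "E1002", "mail": "bob@corp.example"},
    {"sAMAccountName": "carol.b", "employeeID": None, "mail": "carol@corp.example"},
    {"sAMAccountName": "carol2.b", "employeeID": None, "mail": "carol@corp.example"},
    {"sAMAccountName": "shared.b", "employeeID": None, "mail": "shared@corp.example"},
    # mail squat: must not win over alice's employeeID link
    {"sAMAccountName": "mallory.b", "employeeID": None, "mail": "alice@corp.example"},
    {"sAMAccountName": "ivan.b", "employeeID": "E1008", "mail": "ivan@corp.example"},
]

if __name__ == "__main__":
    linked, refused = match_identities(FOREST_A, FOREST_B)
    print("linked:", linked)
    print("refused:", *refused, sep="\n  ")
```

With the sample data only alice and bob are linked, both on employeeID. mallory.b, which carries alice's mail address, is never linked to her because the anchor attribute wins over mail; carol is refused because two forest-B accounts share her address; dave and erin are refused because they share one address in forest A; and ivan and ivan-adm are refused because they both claim ivan.b. Every refusal is reported so an operator can resolve it by hand, which is the safe default for a link that grants access.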
Next Steps
- Creating a Connection - Step-by-step guide
- Active Directory Connection - AD-specific settings
- Entra ID Connection - Azure AD setup
- Connection Troubleshooting - Common issues and solutions