Synchronization Overview
Synchronization is the core function of IdentityCenter. It imports identity data from your connected sources, processes it through configurable workflows, and maintains a unified view of all identities in your organization.
What is Synchronization?
Synchronization in IdentityCenter:
- Queries external directory sources for objects (users, groups, computers)
- Transforms the data through configurable attribute mappings
- Matches objects to existing identities or creates new ones
- Updates the IdentityCenter database with current information
- Tracks changes over time for audit and compliance
Key Concepts
Sync Projects
A sync project is a reusable configuration that defines:
- Which connection to use
- What objects to synchronize
- How to process the data
- When to run (schedule)
Workflows
Workflows are the processing pipeline for synchronized data. Each workflow consists of steps that:
- Query the source
- Filter and transform data
- Match to identities
- Commit changes
Identity Objects
When you synchronize an object (like a user from AD), it becomes an Identity Object in IdentityCenter. Multiple identity objects from different sources can be linked to a single Identity (person).
Identity: John Smith
├── Identity Object: AD account (jsmith@corp.local)
├── Identity Object: Entra ID account (john.smith@corp.com)
└── Identity Object: HR System (EMP001)
Attribute Mapping
Attribute mapping defines how source attributes become IdentityCenter fields:
| Source (AD) | IdentityCenter |
|---|---|
| sAMAccountName | Username |
| displayName | Display Name |
| department | Department |
| title | Job Title |
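The map and match steps, sketched as an added illustration (this is not IdentityCenter code). `AD_MAPPING` is the table above; `HR_MAPPING`, the employee-ID correlation key, the review policy and every sample record are assumptions made for the example.

```python
# Added illustration, not IdentityCenter code. AD_MAPPING is the page's table;
# HR_MAPPING, the employee-ID correlation key and all records are assumptions.
AD_MAPPING = {
    "sAMAccountName": "Username",
    "displayName": "Display Name",
    "department": "Department",
    "title": "Job Title",
}
HR_MAPPING = {"fullName": "Display Name", "dept": "Department"}  # hypothetical

def map_attributes(obj, mapping):
    """Rename mapped source attributes; unmapped or empty ones are dropped."""
    return {dst: obj[src] for src, dst in mapping.items() if obj.get(src)}

def link(identities, source, obj, mapping, key_attr):
    """Match one source object to an identity by correlation key."""
    key = (obj.get(key_attr) or "").strip().upper()
    if not key:
        return "review"  # no key: do not guess which person owns the object
    identity = identities.setdefault(key, {})
    mapped = map_attributes(obj, mapping)
    existing = identity.get(source)
    if existing and existing.get("Username") != mapped.get("Username"):
        return "review"  # a second account from this source claims the same key
    outcome = "linked" if identity else "created"
    identity[source] = mapped
    return outcome

def demo():
    """Run four constructed records through map and match."""
    identities = {}
    hr = {"fullName": "John Smith", "dept": "Sales", "empNo": "emp001 "}
    ad = {"sAMAccountName": "jsmith", "displayName": "John Smith",
          "department": "Sales", "title": "Account Manager",
          "employeeID": "EMP001", "pwdLastSet": "133000000000000000"}
    dup = {"sAMAccountName": "jsmith2", "employeeID": "EMP001"}
    svc = {"sAMAccountName": "svc-backup", "displayName": "Backup Service"}
    outcomes = [
        link(identities, "HR", hr, HR_MAPPING, "empNo"),
        link(identities, "AD", ad, AD_MAPPING, "employeeID"),
        link(identities, "AD", dup, AD_MAPPING, "employeeID"),
        link(identities, "AD", svc, AD_MAPPING, "employeeID"),
    ]
    return outcomes, identities
```

Objects without a usable key, or that collide with an account already linked from the same source, are held for review instead of being attached to a person automatically.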
Sync Architecture
┌─────────────────────────────────────────────────────────────┐
│                         Sync Engine                         │
├─────────────────────────────────────────────────────────────┤
│  ┌─────────────┐      ┌─────────────┐      ┌─────────────┐  │
│  │  Scheduler  │      │  Executor   │      │   Monitor   │  │
│  └─────────────┘      └─────────────┘      └─────────────┘  │
├─────────────────────────────────────────────────────────────┤
│                       Workflow Engine                       │
│  ┌──────┐  ┌──────┐  ┌──────┐  ┌──────┐  ┌──────┐           │
│  │Query │→ │Filter│→ │Map   │→ │Match │→ │Commit│           │
│  └──────┘  └──────┘  └──────┘  └──────┘  └──────┘           │
├─────────────────────────────────────────────────────────────┤
│                         Data Layer                          │
│  ┌───────────────────────────────────────────────────────┐  │
│  │  Identities   │  Identity Objects   │  Sync History   │  │
│  └───────────────────────────────────────────────────────┘  │
└─────────────────────────────────────────────────────────────┘
Sync Modes
Full Sync
Queries all objects from the source and reconciles with IdentityCenter.
| Aspect | Description |
|---|---|
| When to use | Initial sync, recovery, periodic reconciliation |
| Duration | Longer (depends on object count) |
| Impact | Higher load on source system |
| Detects | All changes including deletions |
Delta Sync
Queries only objects changed since the last sync.
| Aspect | Description |
|---|---|
| When to use | Regular scheduled syncs |
| Duration | Quick (only changes) |
| Impact | Minimal load on source system |
| Detects | New and modified objects |
Preview Sync
Shows what would change without making actual modifications.
| Aspect | Description |
|---|---|
| When to use | Testing, validation, impact analysis |
| Duration | Same as actual sync |
| Impact | Read-only, no database changes |
| Output | Detailed change report |
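The difference between the three modes, as an added illustration (not IdentityCenter code): a delta run sees only changed objects, so an account deleted at the source stays in the store until a full run, and a preview run reports that deletion without applying it. The record layout and the integer `changed` stamp are constructed for the example.

```python
# Added illustration, not IdentityCenter code. Records and the integer
# "changed" stamp are constructed sample data.
import copy

def query(source, since=None):
    """Full query returns everything; delta returns objects changed after `since`."""
    return {oid: o for oid, o in source.items()
            if since is None or o["changed"] > since}

def sync(store, source, mode="full", since=None, preview=False):
    """Reconcile `store` with `source` and return a change report."""
    if mode == "delta" and since is None:
        raise ValueError("delta sync needs the stamp of the last run")
    seen = query(source, None if mode == "full" else since)
    report = {"created": [], "updated": [], "unchanged": [], "deleted": []}
    for oid, obj in seen.items():
        if oid not in store:
            report["created"].append(oid)
        elif store[oid] != obj:
            report["updated"].append(oid)
        else:
            report["unchanged"].append(oid)
    if mode == "full":
        # Only a complete result set makes absence from it meaningful.
        report["deleted"] = sorted(set(store) - set(seen))
    if not preview:
        store.update(copy.deepcopy(seen))
        for oid in report["deleted"]:
            del store[oid]
    return report

def demo():
    """Delta, preview and full runs over the same constructed source."""
    store = {
        "jsmith": {"department": "Sales", "changed": 1},
        "adoe": {"department": "IT", "changed": 1},
    }
    # Source since the last run (stamp 1): jsmith moved, adoe deleted, bnew added.
    source = {
        "jsmith": {"department": "Finance", "changed": 2},
        "bnew": {"department": "IT", "changed": 3},
    }
    delta = sync(store, source, mode="delta", since=1)
    preview = sync(store, source, mode="full", preview=True)
    after_preview = sorted(store)
    full = sync(store, source, mode="full")
    return delta, preview, after_preview, full, sorted(store)
```

After the delta run the deleted account `adoe` is still present in the store; only the full run removes it, which is why periodic full reconciliation matters for catching departed accounts.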
Sync Scheduling
Schedule Types
| Type | Description | Example |
|---|---|---|
| Manual | Run on demand only | Ad-hoc syncs |
| Interval | Run every X minutes/hours | Every 15 minutes |
| Daily | Run once per day at a specific time | 2:00 AM daily |
| Weekly | Run on specific days | Sundays at midnight |
| Cron | Advanced scheduling with cron expressions | 0 */4 * * * |
Recommended Schedules
| Scenario | Recommendation |
|---|---|
| Small environment (<1,000 users) | Full sync daily, delta every 15 min |
| Medium environment (1,000-10,000) | Full sync weekly, delta every 30 min |
| Large environment (10,000+) | Full sync monthly, delta hourly |
Sync Results
After each sync run, you'll see:
| Metric | Description |
|---|---|
| Objects Queried | Total objects retrieved from source |
| Objects Processed | Objects that matched your filters |
| Created | New identity objects added |
| Updated | Existing objects modified |
| Unchanged | Objects with no changes |
| Errors | Objects that failed processing |
| Duration | Total sync time |
Best Practices
Start Small
Begin with a limited scope (one OU, specific filter) before expanding.
Use Preview Mode
Always run a preview sync before production changes.
Monitor Performance
Track sync duration over time to identify degradation.
Handle Errors
Review and address sync errors promptly.
Document Mappings
Keep documentation of your attribute mappings current.
Schedule Wisely
Avoid running syncs during business hours if possible.
Common Sync Patterns
User Lifecycle Sync
Import new users, update existing, detect departures.
Group Membership Sync
Keep group memberships current across all sources.
Organizational Hierarchy Sync
Maintain manager relationships and department structure.
Multi-Source Correlation
Match the same person across AD, Entra ID, and HR systems.