Creating a Sync Project
This guide walks you through creating a sync project to import identity data from your directory services into IdentityCenter.
Prerequisites
Before creating a sync project, ensure you have:
- At least one active connection configured
- Administrator access to IdentityCenter
- Understanding of what objects you want to synchronize
Step 1: Navigate to Sync Projects
- Log in to IdentityCenter as an administrator
- Navigate to Synchronization > Projects
- Click New Sync Project
Step 2: Configure Basic Settings
| Field | Description | Example |
|---|---|---|
| Name | Descriptive name for this project | Corporate AD - Users |
| Description | Purpose of this sync | Imports all users from corporate AD |
| Connection | Which connection to use | Corporate AD |
| Object Type | What type of objects to sync | Users |
| Enabled | Whether the project is active | Yes |
Step 3: Define the Source Query
The source query determines which objects are retrieved from the directory.
For Active Directory Users
Basic user query:
(&(objectClass=user)(objectCategory=person))
Exclude disabled accounts:
(&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Specific OU only:
(&(objectClass=user)(objectCategory=person))
With Search Base: OU=Employees,DC=corp,DC=local
Specific department:
(&(objectClass=user)(objectCategory=person)(department=Engineering))
For Active Directory Groups
All groups:
(objectClass=group)
Security groups only:
(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=2147483648))
Distribution groups only:
(&(objectClass=group)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))
For Computers
All computers:
(objectClass=computer)
Servers only:
(&(objectClass=computer)(operatingSystem=*Server*))
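The following Python example is added here and is not part of IdentityCenter or this guide. It composes the Step 3 filters from small helpers that escape values per RFC 4515, so a department name or group DN pasted from a form cannot alter the filter's structure, and it shows the nested-membership variant (matching rule 1.2.840.113556.1.4.1941) that a plain memberOf test, such as the one in the Privileged Accounts Sync example later on this page, does not cover. Helper names are the example's own.

```python
# Added example (not IdentityCenter code): build the Step 3 LDAP filters from
# helpers that escape attribute values per RFC 4515.

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_value(value: str) -> str:
    """Escape the five characters RFC 4515 treats as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def eq(attr: str, value: str) -> str:
    return f"({attr}={escape_value(value)})"

def bit_and(attr: str, mask: int) -> str:
    """LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803): true when every
    bit in mask is set, used for userAccountControl and groupType flags."""
    return f"({attr}:1.2.840.113556.1.4.803:={mask})"

def member_of(group_dn: str, nested: bool = False) -> str:
    """Plain memberOf matches direct members only; LDAP_MATCHING_RULE_IN_CHAIN
    (1.2.840.113556.1.4.1941) also walks nested group membership."""
    rule = ":1.2.840.113556.1.4.1941:" if nested else ""
    return f"(memberOf{rule}={escape_value(group_dn)})"

def and_(*terms: str) -> str:
    return "(&" + "".join(terms) + ")"

def not_(term: str) -> str:
    return f"(!{term})"

ACCOUNTDISABLE = 0x2                  # userAccountControl flag
GROUP_SECURITY_ENABLED = 0x80000000   # groupType flag

def user_filter(*extra: str) -> str:
    """The guide's basic person query, narrowed by any extra terms."""
    return and_(eq("objectClass", "user"), eq("objectCategory", "person"), *extra)

def group_filter(security_only: bool) -> str:
    term = bit_and("groupType", GROUP_SECURITY_ENABLED)
    return and_(eq("objectClass", "group"), term if security_only else not_(term))

if __name__ == "__main__":
    print(user_filter(not_(bit_and("userAccountControl", ACCOUNTDISABLE))))
    print(user_filter(eq("department", "Engineering")))
    # Constructed input containing filter metacharacters: escaping keeps it a
    # literal department value instead of extra filter terms.
    print(user_filter(eq("department", "Eng*)(objectClass=*")))
    print(member_of("CN=Domain Admins,CN=Users,DC=corp,DC=local", nested=True))
```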
Step 4: Select Attributes
Choose which attributes to synchronize. Common selections:
User Attributes
| Attribute | Description | Include? |
|---|---|---|
| sAMAccountName | Login name | Required |
| userPrincipalName | UPN (email format login) | Recommended |
| displayName | Full display name | Required |
| givenName | First name | Recommended |
| sn | Last name | Recommended |
| mail | Email address | Required |
| department | Department | Recommended |
| title | Job title | Recommended |
| manager | Manager reference | Recommended |
| memberOf | Group memberships | Optional |
| whenCreated | Account creation date | Optional |
| lastLogonTimestamp | Last login time | Optional |
| userAccountControl | Account status flags | Recommended |
Group Attributes
| Attribute | Description | Include? |
|---|---|---|
| sAMAccountName | Group name | Required |
| displayName | Display name | Recommended |
| description | Group description | Recommended |
| member | Group members | Required |
| managedBy | Group owner | Optional |
| groupType | Group type flags | Recommended |
Step 5: Configure Attribute Mappings
Map source attributes to IdentityCenter fields.
Default User Mappings
| Source Attribute | Target Field | Transform |
|---|---|---|
| sAMAccountName | Username | None |
| displayName | DisplayName | None |
| mail | Email | Lowercase |
| givenName | FirstName | None |
| sn | LastName | None |
| department | Department | None |
| title | JobTitle | None |
| manager | ManagerDN | None |
| userAccountControl | Status | UAC to Status |
Custom Transforms
You can apply transforms to attribute values:
| Transform | Description | Example |
|---|---|---|
| Lowercase | Convert to lowercase | JSMITH → jsmith |
| Uppercase | Convert to uppercase | jsmith → JSMITH |
| Trim | Remove whitespace | " John " → "John" |
| Substring | Extract portion | CN=John,OU=... → John |
| Replace | Replace characters | john.smith → john_smith |
| Regex | Pattern extraction | Extract domain from email |
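The Python example below is added here and is not IdentityCenter code: it implements the default user mappings from Step 5 and the custom transforms above, then applies them to a constructed AD record. The target field name Email, the Status values Active and Disabled, and the handling of escaped commas in the Substring transform are this example's assumptions.

```python
import re

# Added example (not IdentityCenter code): Step 5 mappings and transforms.
# "Email" and the Status values are assumed names, not the product's own.

ACCOUNTDISABLE = 0x2  # userAccountControl flag, as in the Step 3 filter

def lowercase(v: str) -> str: return v.lower()
def uppercase(v: str) -> str: return v.upper()
def trim(v: str) -> str: return v.strip()

def substring_cn(dn: str) -> str:
    """Extract the leading CN from a DN, honouring escaped commas
    ("CN=Doe\\, Jane,OU=Staff,..." -> "Doe, Jane")."""
    m = re.match(r"CN=((?:\\.|[^,\\])*)", dn)
    return m.group(1).replace("\\,", ",") if m else dn

def replace(old: str, new: str):
    return lambda v: v.replace(old, new)

def regex(pattern: str):
    """Return group 1 of the first match, or "" when nothing matches."""
    def extract(v: str) -> str:
        m = re.search(pattern, v)
        return m.group(1) if m else ""
    return extract

email_domain = regex(r"@([^@]+)$")  # the "extract domain from email" example

def uac_to_status(v: str) -> str:
    return "Disabled" if int(v) & ACCOUNTDISABLE else "Active"

USER_MAPPINGS = [  # (source attribute, target field, transform)
    ("sAMAccountName", "Username", None),
    ("displayName", "DisplayName", None),
    ("mail", "Email", lowercase),
    ("givenName", "FirstName", None),
    ("sn", "LastName", None),
    ("department", "Department", None),
    ("title", "JobTitle", None),
    ("manager", "ManagerDN", None),
    ("userAccountControl", "Status", uac_to_status),
]

def apply_mappings(record: dict, mappings=USER_MAPPINGS) -> dict:
    """Build the target record; source attributes absent from the record are skipped."""
    out = {}
    for src, dst, transform in mappings:
        if src in record:
            out[dst] = transform(record[src]) if transform else record[src]
    return out

SAMPLE = {  # constructed AD record: 514 = NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2)
    "sAMAccountName": "jsmith", "displayName": "John Smith", "mail": "JSmith@Corp.Local",
    "manager": "CN=Doe\\, Jane,OU=Staff,DC=corp,DC=local", "userAccountControl": "514",
}
```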
Step 6: Configure Identity Matching
Identity matching determines how synced objects are linked to identities.
Matching Rules
| Rule | Description | Priority |
|---|---|---|
| Email Match | Match by email address | 1 |
| Employee ID | Match by employee number | 2 |
| Username | Match by username | 3 |
| Name Match | Match by name (less reliable) | 4 |
Matching Behavior
| Setting | Description |
|---|---|
| Create New | Create new identity if no match found |
| Link Existing | Only link to existing identities |
| Manual Review | Queue unmatched for manual review |
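As an added example (not IdentityCenter code), the Python below tries the four matching rules in the priority order of the table above and then applies the selected matching behaviour. Two points beyond the tables are this example's assumptions: a record field named EmployeeID, and treating a rule that hits more than one identity as ambiguous and queuing it for review rather than auto-linking. Empty values never match, which is the data-quality case behind the "Duplicate Identities Created" troubleshooting entry.

```python
from dataclasses import dataclass

# Added example (not IdentityCenter code): Step 6 matching rules and behaviours.
# "EmployeeID" and the ambiguous-hit handling are assumptions.

@dataclass
class Identity:
    id: str
    email: str = ""
    employee_id: str = ""
    username: str = ""
    display_name: str = ""

def _same(a: str, b: str) -> bool:
    # Empty values never match: two records with a missing email must not be
    # linked to each other on the strength of "" == "".
    return bool(a) and bool(b) and a.casefold() == b.casefold()

MATCHING_RULES = [  # priority order from the Matching Rules table
    ("Email Match", lambda r, i: _same(r.get("Email", ""), i.email)),
    ("Employee ID", lambda r, i: _same(r.get("EmployeeID", ""), i.employee_id)),
    ("Username",    lambda r, i: _same(r.get("Username", ""), i.username)),
    ("Name Match",  lambda r, i: _same(r.get("DisplayName", ""), i.display_name)),
]

def match(record: dict, identities: list, behavior: str = "Create New") -> tuple:
    """Return (outcome, rule, identity id or ids); outcome is one of
    linked, created, review, unmatched."""
    for rule, test in MATCHING_RULES:
        hits = [i for i in identities if test(record, i)]
        if len(hits) == 1:
            return ("linked", rule, hits[0].id)
        if hits:  # ambiguous: never auto-link, hand it to a reviewer
            return ("review", rule, [i.id for i in hits])
    if behavior == "Create New":
        new = Identity(id=f"id-{len(identities) + 1}", email=record.get("Email", ""),
                       username=record.get("Username", ""),
                       display_name=record.get("DisplayName", ""))
        identities.append(new)
        return ("created", None, new.id)
    if behavior == "Manual Review":
        return ("review", None, None)
    return ("unmatched", None, None)  # Link Existing

IDENTITIES = [  # constructed set of existing identities
    Identity("id-1", email="alice@corp.local", employee_id="1001", username="alice"),
    Identity("id-2", username="bsmith", display_name="Bob Smith"),
]
```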
Step 7: Set Up the Workflow
The workflow defines processing steps for your sync.
Basic Workflow
┌─────────────┐
│ Source Query│
└──────┬──────┘
       ▼
┌─────────────┐
│   Filter    │ (Optional)
└──────┬──────┘
       ▼
┌─────────────┐
│  Transform  │
└──────┬──────┘
       ▼
┌─────────────┐
│    Match    │
└──────┬──────┘
       ▼
┌─────────────┐
│   Commit    │
└─────────────┘
Workflow Steps
- Source Query - Retrieve objects from directory
- Filter - Exclude objects based on rules
- Transform - Apply attribute mappings
- Match - Link to existing identities
- Commit - Save changes to database
Step 8: Configure Scheduling
Manual Only
Run sync manually when needed.
Interval Schedule
Run every: 15 minutes
Daily Schedule
Run at: 02:00 AM
Time zone: Eastern Time
Cron Expression
0 */4 * * * (Every 4 hours)
0 2 * * 0 (Sundays at 2 AM)
0 0 1 * * (First of each month)
Step 9: Save and Test
- Click Save to create the sync project
- Click Preview to see what would be synchronized
- Review the preview results
- If satisfied, click Run Now to execute the sync
Example Configurations
Standard User Sync
Name: Corporate AD Users
Connection: Corporate AD
Object Type: Users
LDAP Filter: (&(objectClass=user)(objectCategory=person))
Search Base: DC=corp,DC=local
Scope: Subtree
Attributes:
- sAMAccountName
- displayName
- mail
- department
- title
- manager
Schedule: Every 30 minutes
Privileged Accounts Sync
Name: Admin Account Sync
Connection: Corporate AD
Object Type: Users
LDAP Filter: (&(objectClass=user)(memberOf=CN=Domain Admins,CN=Users,DC=corp,DC=local))
Search Base: DC=corp,DC=local
Schedule: Every 15 minutes
Tags: privileged, admin
Department-Specific Sync
Name: Engineering Team Sync
Connection: Corporate AD
Object Type: Users
LDAP Filter: (&(objectClass=user)(department=Engineering))
Search Base: OU=Engineering,DC=corp,DC=local
Schedule: Hourly
Monitoring Your Sync
After creating your sync project:
- Dashboard - View sync status on the main dashboard
- History - Check sync run history and results
- Errors - Review any sync errors or warnings
- Metrics - Track sync performance over time
Troubleshooting
No Objects Found
- Verify LDAP filter syntax
- Check search base DN
- Ensure connection has read permissions
Too Many Objects
- Add more specific filter conditions
- Limit search scope to specific OUs
Sync Timing Out
- Reduce page size
- Limit attributes selected
- Narrow LDAP filter
Duplicate Identities Created
- Review matching rules
- Check for data quality issues (missing email, etc.)