Using the Metacoda Identity Sync Plug-in with a new SAS installation is easy. All of the defaults are based on common practices for synchronizing Active Directory users and groups with a SAS metadata server. Using the plug-in with an existing installation, where users and groups have already been synchronized using custom code, takes a little more planning. One of the ‘key’ things to do is to configure the plug-in to use the same external identity key id attribute that was used in the custom code. If you have the custom code, you can find the prior key choice in that code. This post is about helping you find and recognize those external identity keys without necessarily having to study the code.
An external identity key is a unique identifier for a user or group in an external identity source (e.g. Active Directory). It connects users within SAS metadata to the equivalent external user, so changes to the external user (including name changes) can be applied to the SAS user at some later date/time. In choosing a key from the external source, it is best to choose one that will stay constant over time, even after user name changes, directory reorganisation etc. There are a few different key choices available, and some are more likely to remain constant over time than others. Later in this post I will show examples of some common external identity key id attributes. The key that is chosen for groups doesn’t have to be the same as the one chosen for users either. I often see sAMAccountName being used for users and distinguishedName being used for groups. At Metacoda we recommend using objectGUID for both users and groups (as explained below). Once a Key Id Attribute has been chosen it is important to continue to use the same one over time. Switching the key choice after it has already been used for a synchronization is not an easy thing to do, so it is good to carefully consider the initial choice before deciding to synchronize users and groups. Of course, sometimes you inherit the process and have no choice in the matter.
When switching from one synchronization process to another, such as custom code to the Metacoda Identity Sync plug-in, it is important to continue to use the same key choice as before. If the key choices are different you might see something like this in the Identity Sync Plug-in, where every user or group looks like it will be (tag) deleted and re-added, and there are associated validation errors that prevent the sync from proceeding.
In the screenshot above, I have sorted by the Name column and also used the table column selection menu to make sure the normally hidden Key Id column is visible. As you can see, there are clear differences between the Key Id column values for the existing SAS users to be deleted and the ‘new’ Active Directory users to be added. To resolve this we need to use the Metacoda Identity Sync Profile Wizard to modify the profile and choose an appropriate KeyId Attribute to get the external identity keys aligned so the differing users are correctly seen as the same users.
Another way to examine existing external identity key values for synchronized SAS users is to use the standard SAS Management Console User Manager plug-in. Open the Properties dialog for a user or group, then click on the External Identities button. As shown below, this will show you the external key Identifier value for a previously synchronised user or group.
When you use the Identity Sync Profile Wizard to configure synchronization for groups you need to specify the KeyId Attribute. There is a selection list of some common choices:
You will see this KeyId Attribute list again when configuring synchronization for users:
Here’s a list of the KeyId Attribute choices offered, together with some example values to help you recognise them when you see them.
- objectGUID: e.g. 289b7b5d-1074-40cb-8008-15b5c82b05c1
  A Globally Unique Id for an Active Directory user or group object. This is a good choice for the key. It will not change over the life of the user or group. We use this as the default key in the Metacoda Identity Sync Plug-in.
- objectSID: e.g. S-1-5-21-180007768-2294537901-3500589931-1145
  The Active Directory SID value for a user or group object. SID values can sometimes change, e.g. when a user object moves from one domain to another.
- distinguishedName: e.g. CN=Aaron Atkins,CN=Users,DC=corpd,DC=metacoda,DC=com
  An identifier (DN) for an LDAP object based on its location in the tree. The DN will change if the tree is reorganised, or if any of the objects that make up the DN are renamed.
- sAMAccountName: e.g. demoaaron
  The Active Directory logon name for a user. There is the possibility this may change if a user has their login changed following a name change (e.g. as can happen after marriage).
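If you have a list of the existing external identity key values (for example, copied from the External Identities dialog in User Manager, or from the Key Id column in the plug-in) you can recognise the attribute mechanically rather than by eye. The following is an added example written for this post; it is not Metacoda code and does not talk to SAS metadata or Active Directory. It classifies a key value as one of the four attribute formats listed above using pattern matching, reports anything else as unknown (which would be the case for a custom attribute not in the selection list), and then compares the dominant format of the existing SAS keys with that of the incoming directory keys to flag the mismatch that produces the delete-and-re-add symptom described earlier. The sample key values are constructed for the example; the sAMAccountName check is a heuristic (a short token without the characters Active Directory forbids in logon names), and the DN check does not handle escaped commas.

```python
import re
from collections import Counter

# Patterns for the four Key Id Attribute formats in the selection list.
OBJECTGUID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)
# A SID is "S-1-<authority>-<one or more sub-authorities>".
OBJECTSID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
# A DN is a comma separated chain of attr=value pairs (escaped commas not handled).
DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]*=[^,]+(?:,[A-Za-z][A-Za-z0-9]*=[^,]+)+$")
# Heuristic for sAMAccountName: up to 20 characters, none of the characters
# Active Directory disallows in logon names ("/ \ [ ] : ; | = , + * ? < > @) and no whitespace.
SAM_RE = re.compile(r'^[^"/\\\[\]:;|=,+*?<>@\s]{1,20}$')


def classify_key(value: str) -> str:
    """Return the Key Id Attribute name that a key value most likely came from."""
    v = value.strip()
    if OBJECTGUID_RE.match(v):
        return "objectGUID"
    if OBJECTSID_RE.match(v):
        return "objectSID"
    if DN_RE.match(v):
        return "distinguishedName"
    if SAM_RE.match(v):
        return "sAMAccountName"
    return "unknown"


def key_attribute_profile(values) -> Counter:
    """Count how many values fall into each recognised key format."""
    return Counter(classify_key(v) for v in values)


def dominant_format(values) -> str:
    """The most common key format in a list of values, or 'unknown' if the list is empty."""
    profile = key_attribute_profile(values)
    if not profile:
        return "unknown"
    return profile.most_common(1)[0][0]


def detect_key_mismatch(existing_sas_keys, incoming_directory_keys) -> dict:
    """Compare the key format already stored in SAS metadata with the one the
    new sync profile would produce. A mismatch means every identity will look
    like a delete plus an add until the profile's Key Id Attribute is aligned."""
    existing = dominant_format(existing_sas_keys)
    incoming = dominant_format(incoming_directory_keys)
    return {"existing": existing, "incoming": incoming, "mismatch": existing != incoming}


# Constructed sample data: keys written by hypothetical custom code (sAMAccountName)
# versus keys a new profile using the objectGUID default would generate.
EXISTING_SAS_KEYS = ["demoaaron", "demobetty", "democarl"]
INCOMING_AD_KEYS = [
    "289b7b5d-1074-40cb-8008-15b5c82b05c1",
    "7f1c2a9e-0b3d-4e5f-9a6b-1c2d3e4f5a6b",
    "0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d",
]

if __name__ == "__main__":
    for key in EXISTING_SAS_KEYS + INCOMING_AD_KEYS:
        print(f"{key!r:60} -> {classify_key(key)}")
    print(detect_key_mismatch(EXISTING_SAS_KEYS, INCOMING_AD_KEYS))
```

Running the block prints the format of each sample key and then a mismatch report showing existing sAMAccountName keys against incoming objectGUID keys. Paste your real key values into the two lists to see which attribute the old code used and whether the profile you are about to save agrees with it.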
If your custom code used an Active Directory attribute that is not shown in the Key Id Attribute selection list, you can just type the attribute name into the field (you are not restricted to the choices present in the list). Just make sure it is a valid Active Directory attribute name.
Once you have configured the Identity Sync Plug-in to use the appropriate key id attribute, for the values you currently have for users and groups in SAS metadata, the sync process should then proceed normally.
If you are using the Metacoda Identity Sync Plug-in to replace existing custom synchronization code, I hope you’ve found this post useful. Please leave a comment and let me know if you have any questions or feedback based on your experiences. If you’d like to find out more about the Metacoda Identity Sync Plug-in you can contact me or visit the Metacoda web site (where you can also request a free evaluation).