platformadmin.com

Paul Homes blogging on SAS® platform administration topics


Identity Sync: Finding Your Keys

Using the Metacoda Identity Sync Plug-in with a new SAS installation is easy. All of the defaults are based on common practices for synchronizing Active Directory users and groups with a SAS metadata server. Using the plug-in with an existing installation, where users and groups have already been synchronized using custom code, takes a little more planning. One of the ‘key’ things to do is to configure the plug-in to use the same external identity key id attribute that was used in the custom code. If you have the custom code, you can find the prior key choice in that code. This post is about helping you find and recognize those external identity keys without necessarily having to study the code.

An external identity key is a unique identifier for a user or group in an external identity source (e.g. Active Directory). It connects users within SAS metadata to the equivalent external user, so changes to the external user (including name changes) can be applied to the SAS user at some later date/time. In choosing a key from the external source, it is best to choose one that will stay constant over time, even after user name changes, directory reorganisation, etc. There are a few different key choices available, and some are more likely to remain constant over time than others. Later in this post I will show examples of some common external identity key id attributes.

The key that is chosen for groups doesn’t have to be the same as the one chosen for users either. I often see sAMAccountName being used for users and distinguishedName being used for groups. At Metacoda we recommend using objectGUID for both users and groups (as explained below). Once a Key Id Attribute has been chosen, it is important to continue to use the same one over time. Switching the key choice after it has already been used for a synchronization is not an easy thing to do, so it is good to carefully consider the initial choice before deciding to synchronize users and groups. Of course, sometimes you inherit the process and have no choice in the matter.

When switching from one synchronization process to another, such as custom code to the Metacoda Identity Sync plug-in, it is important to continue to use the same key choice as before. If the key choices are different you might see something like this in the Identity Sync Plug-in, where every user or group looks like it will be (tag) deleted and re-added, and there are associated validation errors that prevent the sync from proceeding.

Metacoda Identity Sync: Users with mismatched keys being added and deleted

In the screenshot above, I have sorted by the Name column and also used the table column selection menu to make sure the normally hidden Key Id column is visible. As you can see, there are clear differences between the Key Id column values for the existing SAS users to be deleted and the ‘new’ Active Directory users to be added. To resolve this we need to use the Metacoda Identity Sync Profile Wizard to modify the profile and choose an appropriate KeyId Attribute to get the external identity keys aligned so the differing users are correctly seen as the same users.

Another way to examine existing external identity key values for synchronized SAS users is to use the standard SAS Management Console User Manager plug-in. Open the Properties dialog for a user or group, then click on the External Identities button. As shown below, this will show you the external key Identifier value for a previously synchronised user or group.

External Identity metadata seen in the SAS Management Console User Management Plug-in

When you use the Identity Sync Profile Wizard to configure synchronization for groups you need to specify the KeyId Attribute. There is a selection list of some common choices:

Metacoda Identity Sync Plug-in: Group Key Id Attribute

You will see this KeyId Attribute list again when configuring synchronization for users:

Metacoda Identity Sync Plug-in: User Key Id Attribute

Here’s a list of the KeyId Attribute choices offered, together with some example values to help you recognise them when you see them.

  • objectGUID: e.g. 289b7b5d-1074-40cb-8008-15b5c82b05c1

    A Globally Unique Id for an Active Directory user or group object. This is a good choice for the key. It will not change over the life of the user or group. We use this as the default key in the Metacoda Identity Sync Plug-in.

  • objectSID: e.g. S-1-5-21-180007768-2294537901-3500589931-1145

    The Active Directory SID value for a user or group object. SID values can sometimes change, e.g. when a user object moves from one domain to another.

  • distinguishedName: e.g. CN=Aaron Atkins,CN=Users,DC=corpd,DC=metacoda,DC=com

    An identifier (DN) for an LDAP object based on its location in the tree. The DN will change if the tree is reorganised, or any of the objects that make up the DN are renamed.

  • sAMAccountName: e.g. demoaaron

    The Active Directory logon name for a user. There is the possibility this may change if a user has their login changed following a name change (e.g. as can happen after marriage).

If your custom code used an Active Directory attribute that is not shown in the Key Id Attribute selection list, you can just type the attribute name into the field (you are not restricted to the choices present in the list). Just make sure it is a valid Active Directory attribute name.
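To recognise the key type across many identities at once, the value shapes listed above can be turned into a small classifier. This is an added example, not code from the post or from Metacoda; the function names, the sAMAccountName fallback rule and the sample identities are assumptions made for illustration.

```python
import re
from collections import Counter

# Shapes follow the example values in the post; sAMAccountName is a heuristic
# fallback that only rejects characters AD disallows in logon names.
PATTERNS = [
    ("objectGUID", re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)),
    ("objectSID", re.compile(r"^S-1-\d+(?:-\d+)+$")),
    ("distinguishedName", re.compile(
        r"^[A-Za-z]+=(?:\\.|[^,\\])+(?:,\s*[A-Za-z]+=(?:\\.|[^,\\])+)+$")),
    ("sAMAccountName", re.compile(r'^[^"/\\\[\]:;|=,+*?<>]+$')),
]


def classify_key(value):
    """Return the Key Id Attribute a stored key value most resembles."""
    for attribute, pattern in PATTERNS:
        if pattern.match(value.strip()):
            return attribute
    return "unknown"  # empty or malformed value


def infer_key_attribute(keys):
    """Map of identity name -> key value in; (dominant attribute, outliers) out.

    Outliers are identities whose key does not fit the dominant attribute, so
    they would still appear as an add/delete pair after the profile is changed.
    """
    if not keys:
        return "unknown", []
    kinds = {name: classify_key(value) for name, value in keys.items()}
    dominant = Counter(kinds.values()).most_common(1)[0][0]
    return dominant, sorted(n for n, k in kinds.items() if k != dominant)


# Constructed sample, as if copied from the External Identities dialog.
# "demoaaron" and the SID are the post's example values; the rest is made up.
USER_KEYS = {
    "Aaron Atkins": "demoaaron",
    "Beth Brown": "demobeth",
    "Carl Chen": "S-1-5-21-180007768-2294537901-3500589931-1145",
}
GROUP_KEYS = {
    "Analysts": "CN=Analysts,OU=SAS Groups,DC=corpd,DC=metacoda,DC=com",
    "Report Users": "CN=Report Users,OU=SAS Groups,DC=corpd,DC=metacoda,DC=com",
}

if __name__ == "__main__":
    for label, keys in (("users", USER_KEYS), ("groups", GROUP_KEYS)):
        print(label, *infer_key_attribute(keys))
```

Because the sAMAccountName match is only a fallback, a value from a custom attribute that is not in the wizard's list will usually land in that bucket too, so confirm the result against a few users in the directory.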

Once you have configured the Identity Sync Plug-in to use the key id attribute that matches the values you currently have for users and groups in SAS metadata, the sync process should then proceed normally.

If you are using the Metacoda Identity Sync Plug-in to replace existing custom synchronization code, I hope you’ve found this post useful. Please leave a comment and let me know if you have any questions or feedback based on your experiences. If you’d like to find out more about the Metacoda Identity Sync Plug-in you can contact me or visit the Metacoda web site (where you can also request a free evaluation).

Author: Paul Homes | Posted on: 3 March 2016 / 29 December 2024 | Categories: Metacoda Security Plug-ins | Tags: Accounts/Logins, Active Directory, Identity Sync, Metacoda Security Plug-ins, SAS, SAS 9.2, SAS 9.3, SAS 9.4, SAS Management Console, SAS Metadata, SAS Metadata Security

Copyright © 2010-2025 Paul Homes. All rights reserved.