Reconcile the Active Directory accounts
Reconcile the Active Directory accounts with the data midPoint has imported from HRIS to align AD accounts with their HRIS counterparts. Use marks to label accounts that cannot be processed automatically, and resolve the correlation cases created where midPoint could not determine the account owners reliably.
What awaits you in this module
You will bring your AD as close to the HRIS as possible. You will first simulate reconciliation to test your configuration and see how close your Active Directory data is to what your HRIS claims to be true.
When you analyze the simulation results, you will use account marks to prevent midPoint from deleting some accounts, such as service accounts that have no counterpart in HRIS.
Once all valid accounts are either marked or correlated, you will reconcile AD on production and resolve the correlation cases that arise when midPoint cannot match some HRIS and AD accounts with 100% certainty.
The production reconciliation will not delete any orphaned or malicious accounts, because you have not yet activated the synchronization rule for that.
1. Simulate AD reconciliation
To test your configuration, run a simulated reconciliation task on the development environment.
Follow this guide: Create and Run Tasks in GUI
- In your AD resource, create a Reconciliation Task.
- Switch on the simulation toggle.
- Name the task, e.g., Reconcile AD - development simulation.
- On the Execution screen, select the preview mode with the development configuration.
After you create the simulated reconciliation task, run it and inspect the simulation results to see how your data handling rules work.
When reviewing the simulation results in Operational statistics, you will see a result similar to the example below.
| Original state | Synchronization start | Synchronization end | Exclusion reason | Succeeded | Failed | Skipped | Total |
|---|---|---|---|---|---|---|---|
| No record | Unlinked | Linked | | 47 | 0 | 0 | 47 |
| No record | Disputed | Disputed | | 3 | 0 | 0 | 5 |
| No record | Unmatched | Unmatched | | 5 | 0 | 0 | 7 |
The numbers above say the following:
- 47 accounts that were found on the resource are unlinked and would be linked, i.e., the account shadows would be linked to their respective focal objects (users in midPoint).
- 3 accounts cannot be correlated reliably (the empnum did not match, but the first name, surname, and locality did), so they are disputed and a correlation case would be created.
- 5 accounts would stay unmatched because no focus object was found for them. After you activate the delete-unmatched-resource-object synchronization rule, these accounts would be deleted from the AD resource.
This was a simulation, so none of the reactions actually happened.
The original state of accounts that midPoint has not yet seen is always No record. Should you run the task again without changing anything, the original state will match the synchronization start from the previous reconciliation. This only means that midPoint already knows about the accounts, so their original state is no longer No record. The numbers stay the same.
2. Mark unmatched accounts to prevent deletion
Now pay closer attention to the unmatched accounts. They are safe for now because you have not yet activated the synchronization rule that would delete them, but you will eventually, because that is the desired course of action for such accounts.
The unmatched accounts can be service accounts with no HRIS counterpart, legitimate normal accounts that contain multiple errors (e.g., wrong employee number and one of the names or the locality), or they can be malicious or orphaned accounts that you actually want deleted. You need to decide what to do with them individually, and that is what marking is for.
Refer to Object Marks for more details on the topic.
Here is a possible marking strategy to take:
- No mark means the account will be deleted.
- Correlate later mark is for valid accounts that cannot be correlated now due to erroneous data and that you want to handle later.
- Do not touch mark is for accounts of unknown purpose or origin that you need to investigate.
- Protected mark is for legitimate service accounts with no HRIS counterpart that you need to keep.
The point here is to mark the accounts you want to keep and move on with your deployment even if there are inconsistencies and unknowns in your data. This way you get tangible results soon without having to wait for a solution to every obstacle.
Follow this guide: Mark accounts after simulation
Here are the marks to use on accounts in the MID-301 training data:
| Account | Mark | Note |
|---|---|---|
| | Protected | Service account |
| | none | Malicious account to be deleted |
| | Protected | Service account |
| | Do not touch | Account of unknown purpose or origin; resolve later |
Be careful if your HR system does not contain or export former employees' data that your target Active Directory system has data on. In such a situation, you would not have the former employees in midPoint, and their AD accounts would appear as orphaned. To keep such accounts, mark them.
Now, if you run the simulated reconciliation task again, you would see a new entry in the Operational statistics table telling you how many unmatched accounts are excluded and for what reason (you marked them).
| Original state | Synchronization start | Synchronization end | Exclusion reason | Succeeded | Failed | Skipped | Total |
|---|---|---|---|---|---|---|---|
| Unlinked | Unlinked | Linked | | 47 | 0 | 0 | 47 |
| Disputed | Disputed | Disputed | | 3 | 0 | 0 | 3 |
| Unmatched | No record | No record | Protected | 0 | 0 | 4 | 4 |
| Unmatched | Unmatched | Unmatched | | 1 | 0 | 0 | 1 |
2.1. Use filters to check account status and marks
Aside from viewing the task simulation results, you can use the resource account list to confirm your setup behaves as expected. Even when you simulate reconciliation, the situations of the accounts in the list reflect the results of the simulation.
- Under the AD resource, go to Accounts.
- Use the Situation menu above the account list to select the account state you wish to filter by.
- Click Basic to confirm the selected search criterion.
The list also shows the marks on the accounts. Using the menu at the far right of the account row, you can modify the marks.
Use the × button next to the Situation menu to clear the filter.
3. Reconcile your AD accounts
Once you confirm that your AD configuration works as expected and you mark accounts as needed, run the real AD reconciliation.
- Switch the lifecycle state of the AD resource to Active.
- Ensure all the configurations are active as well:
  - Mapping rules
  - Synchronization rules
    - Keep the delete-unmatched-resource-object rule in Draft until later.
  - Correlation rules
  - Object types
- Create a new reconciliation task, same as you did before.
  - Switch on the simulation toggle.
  - Name the task, e.g., Reconcile AD - production simulation.
  - On the Execution screen, select the preview mode with the production configuration.
    - This production simulation is the last check, as close to production as possible, before you deploy.
  - Run the task and inspect the results.
- Lastly, create a new reconciliation task; this time, for production.
  - Keep the simulation toggle off.
  - Name the task, e.g., Reconcile AD - real production.
  - Run the production reconciliation task.
The expected result of running the production reconciliation task is that:
- All accounts that match "cleanly" between HRIS and AD are linked, and their focal objects (users) now have two projections.
- MidPoint creates correlation cases for accounts it cannot reconcile with 100% certainty (e.g., when empnum differs between HRIS and AD).
- The accounts you need to get rid of (e.g., the hacker account in our data) are not yet deleted from the AD server.
4. Resolve correlation cases
As per your synchronization rules, if midPoint cannot reliably determine an AD account owner (focus), it sets the account as disputed and creates a correlation case.
In the case of this guide, when the employeeNumber AD attribute does not match the empnum HRIS attribute for an account, midPoint uses the last-resort-correlation rule you set up earlier and correlates the two with a lower certainty.
Accounts correlated like this are not linked automatically but are, according to the create-correlation-case-for-disputed synchronization rule, rather presented in a correlation case to a human operator for a manual resolution.
A correlation case is the way for you to efficiently find an owner for disputed accounts, particularly thanks to the suggestions from which you can select.
Follow this guide: Resolve Correlation Cases
Resolving a correlation case does not correct the wrong data
In our training data, it is the CFO Anna Lopez with the employee number
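To make the correlation and marking behaviour described in sections 2 and 4 concrete, here is an added Python model; it is not midPoint code and not part of the training material. It classifies constructed AD accounts against constructed HRIS records using the primary employeeNumber/empnum rule and a names-plus-locality last-resort rule, and shows how a mark keeps an unmatched account out of the delete reaction whether that rule is in Draft or Active; the account and HRIS values, the mark names used as exclusion reasons, and the function names are assumptions.

```python
from collections import Counter
from typing import NamedTuple
# Constructed sample data, not the MID-301 training set: empnum -> (first name, surname, locality)
HRIS = {"1001": ("Anna", "Lopez", "Prague"), "1002": ("John", "Smith", "Brno")}

class AdAccount(NamedTuple):
    name: str
    employee_number: str
    first: str
    surname: str
    locality: str
    mark: str = ""  # "Protected", "Do not touch", "Correlate later" or "" for no mark
EXCLUDING_MARKS = {"Protected", "Do not touch", "Correlate later"}

def correlate(acct):
    """Primary rule: employeeNumber == empnum. Last resort: names and locality agree."""
    if acct.employee_number in HRIS:
        return "linked", acct.employee_number
    hits = [e for e, who in HRIS.items() if who == (acct.first, acct.surname, acct.locality)]
    if hits:
        return "disputed", hits[0]   # lower certainty: a human resolves the correlation case
    return "unmatched", None

def reconcile(accounts, delete_unmatched_active=False):
    """Apply the synchronization reactions; return per-account action and statistics."""
    actions, stats = {}, Counter()
    for a in accounts:
        situation, owner = correlate(a)
        if situation == "linked":
            actions[a.name] = f"link to user {owner}"
        elif situation == "disputed":
            actions[a.name] = f"correlation case (candidate {owner})"
        elif a.mark in EXCLUDING_MARKS:   # marked accounts are excluded from deletion
            actions[a.name] = f"skipped ({a.mark})"
            stats[(situation, "skipped", a.mark)] += 1
            continue
        elif delete_unmatched_active:
            actions[a.name] = "delete from AD"
        else:
            actions[a.name] = "keep (delete rule still in Draft)"
        stats[(situation, "succeeded", "")] += 1
    return actions, stats

SAMPLE = [
    AdAccount("1001", "1001", "Anna", "Lopez", "Prague"),          # clean match
    AdAccount("1002", "9999", "John", "Smith", "Brno"),            # wrong empnum
    AdAccount("svc-backup", "", "", "", "", mark="Protected"),     # service account
    AdAccount("hacker", "", "Mal", "Ware", "Nowhere"),             # orphan, no mark
]
```

Running `reconcile(SAMPLE)` and then `reconcile(SAMPLE, delete_unmatched_active=True)` shows the only account whose fate changes when the delete rule goes Active is the unmarked orphan.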
Next steps
You have reached another important milestone in your IGA journey and, should this be a real-world project for you in your organization, you have the next batch of tangible results to present to your peers.
The next step is to move away from using employee numbers as usernames and introduce something more human-friendly.