Troubleshoot/Configure Workspace ONE AD Sync
Workspace ONE integrates with Active Directory so it can authenticate users and fetch Active Directory attributes for several purposes:
1) Workspace ONE can pass AD attributes in the SAML token, which lets a SAML-enabled application authorize the user.
2) Workspace ONE syncs AD at the interval defined in the directory settings. This ensures that new users get access to the default applications shortly after they are created in AD, and that access to all applications is removed on the Workspace ONE side once the account is disabled in AD.
3) Local smart groups of users can be created based on attributes such as office location, country, employee status, department, manager or joining date.
4) AD attributes can be mapped to the custom attributes an application expects in the SAML token.
5) Workspace ONE syncs only the users and groups that fall under the User DNs and Group DNs defined in the directory settings.
Once an Active Directory is configured, Workspace ONE starts syncing users and groups at the configured sync frequency.
Sometimes the AD sync fails. Below are the options we have to check for problems and fix them.
When we set the sync frequency on the admin portal, an entry is written to the service's database and a matching entry goes into the config-state.json file on the sync connector.
For example, suppose we set the sync frequency to hourly by selecting "Every Hour". Once you hit Save, the value should be updated in both places: the database and the config-state.json file on the connector.
Let's check whether the config-state.json file on the sync connector was actually updated.
On the connector, change to /usr/local/horizon/conf/states/ws1-ui
There you will see a numbered directory. This is a worker; one is created per Active Directory that is added in the sync settings. Inside this worker directory is the config-state.json file.
Open the file with an editor and search for syncSchedule. For example, type vi config-state.json to open the file in the vi editor, then type / followed by syncSchedule and hit Enter to search.
The search jumps to the syncSchedule setting, where you should see the frequency as "hourly".
If this value is not being updated, something is wrong. In most cases this happens because the connector is unable to talk to the service (the user interface service). Check whether a firewall is blocking that communication, and rule out other network or DNS issues between the connector and the service.
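To check this without opening each file by hand, here is a small POSIX shell script, added as an example for this article and not part of Workspace ONE or the original text. It walks the numbered worker directories under the path above, flattens each config-state.json and prints the syncSchedule it finds, failing when a worker has no schedule at all (the symptom described above). The base path is the one named above; the sample config-state.json files it builds for the demo are constructed here, and their JSON layout (a syncSchedule object holding a frequency key) is an assumption, so adjust the extraction if the real file is laid out differently.

```shell
#!/bin/sh
# Added example, not from the article: report the syncSchedule that each
# worker's config-state.json holds on the connector.
# Usage on a connector:  sh schedule_check.sh          (uses the real path)
#                        sh schedule_check.sh --demo   (constructed sample tree)

# Path named in the article. Override with STATES_DIR=... if yours differs.
STATES_DIR="${STATES_DIR:-/usr/local/horizon/conf/states/ws1-ui}"

# Print the compact "syncSchedule" entry from one config-state.json. The file
# is flattened first so a pretty-printed key/value still matches; both a plain
# string value and an object value are accepted.
sync_schedule_of() {
    tr -d '\n\r\t ' < "$1" | grep -oE '"syncSchedule":("[^"]*"|\{[^}]*\})'
}

# Reduce that entry to the frequency keyword the console shows (hourly, daily,
# ...). Exit status 1 means no schedule reached the connector, which is the
# symptom the article describes.
sync_frequency_of() {
    sync_schedule_of "$1" | grep -oiE 'hourly|daily|weekly|monthly|never' | head -n 1 | grep .
}

# Walk every numeric worker directory (one per directory added in the console)
# and report its frequency. Returns 1 if any worker lacks the file or the value.
check_workers() {
    base="${1:-$STATES_DIR}"
    rc=0
    for d in "$base"/[0-9]*/; do
        [ -d "$d" ] || continue
        w=$(basename "$d")
        f="${d}config-state.json"
        if [ ! -f "$f" ]; then
            echo "worker $w: config-state.json missing"; rc=1; continue
        fi
        if freq=$(sync_frequency_of "$f"); then
            echo "worker $w: syncSchedule=$freq"
        else
            echo "worker $w: no syncSchedule found (connector may not reach the service)"; rc=1
        fi
    done
    return $rc
}

# Constructed sample tree (the JSON layout is an assumption for this example;
# the real file carries many more keys). Worker 1 is healthy, worker 2 never
# received the schedule.
make_sample_tree() {
    mkdir -p "$1/1" "$1/2"
    cat > "$1/1/config-state.json" <<'EOF'
{
  "directoryName": "corp.example.com",
  "syncSchedule": {
    "frequency": "hourly"
  }
}
EOF
    printf '{"directoryName":"lab.example.com","syncEnabled":true}\n' > "$1/2/config-state.json"
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d); make_sample_tree "$tmp"
    check_workers "$tmp" || echo "at least one worker is missing its schedule"
    rm -rf "$tmp"
else
    check_workers || echo "at least one worker is missing its schedule"
fi
```

A worker reported as "no syncSchedule found" right after you saved a new frequency is the case to chase: confirm from that connector that the service hostname resolves and that the HTTPS port is reachable before looking anywhere else.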
Types of syncs: Workspace ONE Active Directory syncs are of two types
1) Live Run
2) Dry Run
A Live Run is a sync that runs automatically according to the sync schedule in place (hourly, daily, monthly, etc.).
A Dry Run is a sync that an administrator runs manually, typically to get past an automatic sync failure; it first evaluates the changes and shows them for review before they are applied.
When a sync fails and the administrator runs a sync manually, how do we identify whether the sync that is running is the automatic or the manual one? We can check that in connector.log.
All directory sync and SAML authentication logs are written to the connector.log files in the connector's log directory. To find the sync boundaries, run:
grep -i "BEGIN SYNC" connector.log, or grep -i "BEGIN SYNC" connector.log* to search all rotated logs
grep -i "END SYNC" connector.log, or grep -i "END SYNC" connector.log* to search all rotated logs
In the output we see two BEGIN SYNC events: the first is a DRY RUN, the manual sync initiated by the administrator, and the second is a LIVE RUN, the automatic sync run by the system on schedule. Every BEGIN SYNC should be followed by a matching END SYNC; a BEGIN without an END points to a sync that did not complete.
This is how we check whether syncs are running and start narrowing down the cause. The keywords below also help to locate sync-specific entries in the connector.log files:
grep -i "ScheduleService" connector.log
grep -i "Directory sync" connector.log
Also look for 503, 402 and 403 status responses from the service in the connector logs; a 503 means the service could not handle the request, while a 40x means the service rejected it, so either way the connector did reach the service but the sync could not proceed.
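The following POSIX shell script is an added example for this section; it is not from the article or from VMware. It pulls the BEGIN SYNC and END SYNC markers out of connector.log, tags each run as DRY (manual) or LIVE (scheduled), reports runs that began but never ended, and lists responses from the service with a 503 or 4xx status code. The log lines it builds for its demo are constructed; real connector.log lines carry different surrounding fields, and the script relies only on the BEGIN SYNC, END SYNC, DRY and HTTP status text, so adapt the patterns if your lines differ.

```shell
#!/bin/sh
# Added example, not from the article: classify sync runs in connector.log.
# Usage on a connector:  sh sync_check.sh /path/to/connector.log*
# Only the "BEGIN SYNC", "END SYNC", "DRY" and HTTP status text is matched, so
# the surrounding log fields may differ from the constructed sample below.

# One line per sync event: "<BEGIN|END> <DRY|LIVE> <date> <time>".
# DRY is the manual sync started from the console, LIVE the scheduled one.
sync_events() {
    grep -ihE 'BEGIN SYNC|END SYNC' "$@" | awk '{
        line = toupper($0)
        ev   = (line ~ /BEGIN SYNC/) ? "BEGIN" : "END"
        kind = (line ~ /DRY/) ? "DRY" : "LIVE"
        print ev, kind, $1, $2
    }'
}

# Number of runs of one kind (DRY or LIVE) that were started.
count_runs() {
    kind=$1; shift
    sync_events "$@" | awk -v k="$kind" '$1 == "BEGIN" && $2 == k' | wc -l | tr -d ' '
}

# Runs that have a BEGIN SYNC with no matching END SYNC, per kind.
# A LIVE run that never ends is the usual shape of a failed scheduled sync.
unfinished_runs() {
    sync_events "$@" | awk '
        $1 == "BEGIN" { open[$2]++ }
        $1 == "END"   { open[$2]-- }
        END { for (k in open) if (open[k] > 0) print k, open[k] }'
}

# Lines where the service answered with 503 or a 4xx status (the article's
# 503 / 402 / 403 cases), which point at the connector-to-service hop.
service_errors() {
    grep -ihE '(HTTP|status)[ =:/.0-9]*(503|4[0-9][0-9])' "$@"
}

# Human-readable summary: counts, unfinished runs and service errors.
summarize() {
    echo "dry runs started : $(count_runs DRY "$@")"
    echo "live runs started: $(count_runs LIVE "$@")"
    u=$(unfinished_runs "$@")
    [ -n "$u" ] && echo "unfinished runs  : $u"
    e=$(service_errors "$@")
    [ -n "$e" ] && printf 'service errors   :\n%s\n' "$e"
    return 0
}

# Constructed sample log (not real connector output) for a stand-alone demo:
# a completed manual dry run, then a scheduled live run that dies on a 503.
make_sample_log() {
    cat > "$1" <<'EOF'
2024-03-12 09:00:01,214 INFO  ScheduleService - BEGIN SYNC (DRY RUN) directory=corp.example.com
2024-03-12 09:00:44,902 INFO  ScheduleService - END SYNC (DRY RUN) directory=corp.example.com result=ok
2024-03-12 10:00:00,005 INFO  ScheduleService - BEGIN SYNC (LIVE RUN) directory=corp.example.com
2024-03-12 10:00:03,117 ERROR DirectorySync - sync aborted, service returned HTTP 503 Service Unavailable
EOF
}

if [ $# -gt 0 ]; then
    summarize "$@"          # real log files given on the command line
else
    tmp=$(mktemp); make_sample_log "$tmp"; summarize "$tmp"; rm -f "$tmp"
fi
```

Run it against connector.log* so rotated files are included; the sample output shows one unfinished LIVE run next to a 503 from the service, which is the pattern that says the scheduled sync is starting on the connector but failing on the hop to the service rather than in AD itself.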
Always check the above points when troubleshooting directory sync issues in Workspace ONE.