User field synchronization can be configured in the dashboard for a database under "Settings" → "User Auth & Sync Settings".

Example configuration

<UserSyncConfig batchSize="1" syncIntervalInSeconds="86400">

    <!-- List of various sync sources available, e.g. LdapSyncSource -->
    <LdapSyncSource name="primedocs AD" queryKey="OneOffixxIdentifier" isOptional="false">
        <QueryKeyRegex group="0" match="0">([a-z0-9])*</QueryKeyRegex>
        [...]

        <!-- Any sync source has claims -->
        <Claims>	
            <Claim type="http://schema.oneoffixx.com/ws/2011/01/identity/claims/uid" property="uid" />
            <Claim type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenName" property="givenName" />
            <Claim type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/sn" property="sn" /> 
        </Claims>

  </LdapSyncSource>
</UserSyncConfig>

Attributes

batchSize The UserSyncJob synchronizes users in batches. This attribute can be used to adjust the number of users in a batch. The value must be between 1 and 100. – Default: 10
syncIntervalInSeconds Sets the interval in seconds for synchronization. The value must be greater than 60. Default: 86400 (= 1 day)
syncTimeoutInSeconds When synchronization is started, a time stamp is stored with the user. If an error occurs during synchronization or the action is aborted, the user remains in this state. This attribute can be used to set a "timeout" in seconds so that the user is again captured by the synchronization process. The value must be between 10 and 3600. Default: 60
skipLockedFields In the default case, all fields are synchronized – depending on the configuration. If locked user fields should be excluded from synchronization, this value can be set to true. Default: false

SyncSources

The following sources are currently available for synchronization:

All SyncSources have the following attributes and elements in common:

name
queryKey Field name to be used as a parameter for the query. Available are:
- OneOffixxIdentifier
- User.SID
- User.Title
isOptional
QueryKeyRegex (optional) If only part of the value of the QueryKey is to be used, it can be specified here.
Claims see next section

NOTE when using "User.Title"
The User.Title is the name of the user in the OneOffixx database. The source of the name can be determined via the properties of the "Active Directory Connector" or the "Office 365 Connector". An adjustment is possible at any time and is applied during user synchronization.

Claims

<Claim type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/webpage" property="wWWHomePage" />

type describes the claim path. It must have a valid URI format, but does not have to exist – as long as it is only used in OneOffixx. If it is not used only in OneOffixx, it is beneficial to follow Microsoft's claims.
property is the counterpart to the property defined in the SyncSource. The values of the two must be identical.

In addition to direct assignments, claims can also store certain rules:

useValueIfEmpty If set to true: if the property in the SyncSource is empty, the default value inside the Claim element is taken. If there is no value, the field remains empty.

<Claim type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/function" property="description" useValueIfEmpty="true">Fallback-Value</Claim>

If you define a claim for the user synchronization and map it to a field at the end, the corresponding value is applied. However, if you want to avoid, for example, that empty properties are applied from the SyncSource, you can also "ignore" the claim via the following property:

HINWEIS
The LdapSyncSource maps only "existing" attributes by itself, other sources handle this differently.

ignoreClaimIfEmpty If set to true, empty fields in the SyncSource will be ignored. Otherwise, depending on the SyncSources, empty fields are also synchronized to the user and user-defined values are overwritten.

<Claim type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/function" ignoreClaimIfEmpty="true" property="description" useValueIfEmpty="true" />

Claims also support regex so that, for example, parts of values can be accessed.

<!-- Wert für Property 'uid' ist 'bernhard.diener@oneoffixx.com' -->
<Claim type="http://schema.oneoffixx.com/ws/2011/01/identity/claims/uid" property="uid">
    <Regex match="0" group="2">([a-z\\.]*)@([a-z\\.]*)</Regex> <!-- liefert 'oneoffixx.com' -->
</Claim>

match Index of the match, mostly 0
group Index of the group
- Attention! The group number can be increased by 1, because in group 0 may be the fullmatch.
value Valid regex expression

Multilingualism

By default, user synchronization only synchronizes fields in the default document language. If you want to set certain field contents also in other languages, for example, this is possible by setting the lcid attribute:

<Claim type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/function" property="description" />
<Claim type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/function" lcid="1036" property="descriptionFR" />
<Claim type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/function" lcid="1040" property="descriptionIT" />

In this example, the claim http://schemas.xmlsoap.org/ws/2005/05/identity/claims/function is filled in the default document language via the description property. In the example, the same claim is assigned to the respective property from the source for the document language Italian and French (LCID 1040 and 1036). The rules of the normal claims also apply to these "translated" claims.

Offboarding

Users who are not present in the configured “SyncSources” can be automatically removed from the database through an additional configuration.

The system checks the last successful synchronization time for each user and sets the user's status to either “PendingDeletion” or “FlaggedForDeletion” if the corresponding grace periods have been exceeded.

<?xml version="1.0" encoding="utf-8" ?>
    <UserSyncConfig>
        ...
        <AutomaticUserDeletion mode="disabled|enabled|enabledWithoutAutomaticDeletion">
            <StatusChangesAfterUnavailabilityDuration>
                <SetToPendingDeletion days="30" />
                <SetToFlaggedForDeletion days="60" />
            </StatusChangesAfterUnavailabilityDuration>
        </AutomaticUserDeletion>
    </UserSyncConfig>

Mode

Automatic user offboarding is enabled through the appropriate configuration and can be controlled via the “mode” setting.

“disabled”: This is the default value. In this mode, automatic user cleanup is deactivated.
“enabledWithoutAutomaticDeletion”: In this mode, users are already moved to the corresponding status, but no deletion is performed. This mode is useful for testing the system without the risk of actually deleting users.
“enabled”: In this mode, users are moved to the corresponding status, and in the final step, the user is removed from the database.

State System

After a successful user synchronization, the synchronization timestamp is stored on the user record.
However, if a user is deleted from Active Directory, for example, this timestamp will no longer be updated.

The “SetToPendingDeletion” setting defines the number of days after the last successful synchronization after which the user should be moved to the “PendingDeletion” status.

Similarly, the “SetToFlaggedForDeletion” setting specifies the number of days after which the user should be marked with the “FlaggedForDeletion” status.

Default values if not configured:

30 days for “SetToPendingDeletion”
60 days for “SetToFlaggedForDeletion”

Example:

A user in the database was last successfully synchronized on January 1.
On January 2, the user was removed from Active Directory.

With the “SetToPendingDeletion” setting configured to five days, the user would be moved to the “PendingDeletion” status starting on January 6 — five days after the last successful synchronization.

With the “SetToFlaggedForDeletion” setting configured to ten days, the user would be moved to the “FlaggedForDeletion” status starting on January 11.

Depending on the selected mode, all users with the “FlaggedForDeletion” status would then be automatically deleted.

However, if the user (e.g., due to an accidental deletion) is found again in Active Directory on January 4, the process would start over from the beginning.

Deleted users, along with their permissions, private text modules, profiles, etc., are permanently removed and cannot be restored.

It is recommended to initially use longer time periods and to test with the “enabledWithoutAutomaticDeletion” setting.

Exclusions:

If technical users have been set up that are not present in Active Directory, these users must be excluded from synchronization. This can be done via the admin dashboard.