01 September 2016

Syncope User Synchronisation with a Database

In a previous post I explained how to setup a datasource for an embedded H2 database and how to use it with the Karaf DB JAAS plugin.

In this post I'll explain how to set up Syncope to synchronize users from that database into Syncope. Of course, you can also use any other database for which a matching JDBC driver is available.

Install Syncope

In this post I'll refer to the Syncope installation that ships with the Talend 6.1.1 installer. If you need to set up Syncope manually, take a look at some of Colm's posts.

Setup DB Connection Module

According to feedback from the Syncope community, it is recommended to use the Scripted SQL connector instead of the database table connector used in this blog post.

Syncope uses ConnId to connect to backend systems such as LDAP or a relational database.
You need to download the DB ConnId bundle and follow its installation instructions:
  1. Open webapps/syncope/WEB-INF/classes/connid.properties and define your connid bundle location:
    Windows Style:
    connid.locations=file:/C:/Talend/6.1.1/apache-tomcat/webapps/syncope/WEB-INF/connid/
    Linux Style:
    connid.locations=file:/opt/Talend-6.1.1/apache-tomcat/webapps/syncope/WEB-INF/connid/
  2. Create the folder you defined and copy the downloaded ConnId bundle (jar) into it
  3. Download the JDBC driver for your database and copy it to the tomcat/lib folder
  4. Restart Syncope / Tomcat
  5. Log in to the Syncope console: http://localhost:8080/syncope-console/
    Default username: admin
    Default password: password (change this default before the console is reachable by anyone else)

Setup DB Connector

Next you need to set up a connection to your database before you can define any synchronization.
  1. Switch to Resources -> Connectors and click Create
  2. Enter your connection name and select your ConnId bundle
  3. Configure your connection settings

    Since Syncope expects SHA1 password hashes in uppercase hex, you must tick the checkbox in the connection settings that uppercases the hash read from the database; otherwise your users will not be able to authenticate against Syncope with their synchronized password, because the lowercase digest from the database will never match what Syncope compares against.

    Since Syncope 1.2 it is also possible to avoid synchronizing password hashes altogether and instead use "pass-through authentication", where Syncope delegates the credential check to the external resource. This is especially helpful if your passwords are not just hashed but also salted or encrypted with a scheme Syncope cannot reproduce, since the hashes then never need to leave the source database.

  4. Perform a connection test by clicking the world icon at the top right of the configuration tab

    If you experience connection problems, look at tomcat/logs/core-connid.log for detailed information.

  5. Select all checkboxes on the capabilities tab:
  6. Save your connection
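The uppercase requirement above is easy to get wrong silently: the sync task succeeds, but every imported user is locked out. As an added example (not code from the original post or from Syncope), here is a pre-flight check that scans the password column of the source table before you run the synchronization and reports rows Syncope would not be able to verify. An in-memory SQLite table stands in for the H2 users table of the previous post; the table and column names USERS, USERNAME and PASSWORD are assumptions, and the sample rows are constructed.

```python
"""Pre-flight check of a users table before Syncope synchronises it.

Added example; not part of the original post and not Syncope's own code.
Syncope stores SHA-1 password hashes as upper-case hex digests and compares
them literally, so a lower-case digest copied in by the DB table connector
belongs to a user who can never log in.  The check flags such rows, as well
as salted or otherwise encoded values that are not plain SHA-1 at all.

Assumed schema (stand-in for the H2 table of the previous post):
    USERS(USERNAME, PASSWORD)
"""
import hashlib
import re
import sqlite3
from typing import List, Optional, Tuple

# 40 hex characters in either case: a plain (unsalted) SHA-1 digest.
ANY_SHA1_HEX = re.compile(r"^[0-9a-fA-F]{40}$")


def sha1_upper(password: str) -> str:
    """Digest in the form Syncope expects for SHA1 passwords: upper-case hex."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def classify_hash(stored: Optional[str]) -> Optional[str]:
    """Return None if Syncope could verify a login against ``stored`` after
    synchronisation, otherwise a short reason why that login would fail."""
    if not stored:
        return "empty password column"
    if not ANY_SHA1_HEX.match(stored):
        return ("not a 40-character hex SHA-1 digest (salted or other scheme: "
                "consider pass-through authentication instead of hash sync)")
    if stored != stored.upper():
        return ("SHA-1 digest is not upper-case "
                "(enable the uppercase option on the connector)")
    return None


def find_incompatible_hashes(conn: sqlite3.Connection,
                             table: str = "USERS",
                             user_col: str = "USERNAME",
                             pwd_col: str = "PASSWORD") -> List[Tuple[str, str]]:
    """Return (username, reason) for every row whose hash Syncope would reject.

    The identifiers are trusted configuration, not user input; they are quoted
    only so that names clashing with SQL keywords still work.
    """
    rows = conn.execute(f'SELECT "{user_col}", "{pwd_col}" FROM "{table}"')
    problems: List[Tuple[str, str]] = []
    for username, stored in rows:
        reason = classify_hash(stored)
        if reason is not None:
            problems.append((username, reason))
    return problems


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: one good row, one lower-case digest, one salted value."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "USERS" ("USERNAME" TEXT PRIMARY KEY, "PASSWORD" TEXT)')
    conn.executemany('INSERT INTO "USERS" VALUES (?, ?)', [
        # alice: upper-case SHA-1, exactly what Syncope expects
        ("alice", sha1_upper("alice-secret")),
        # bob: SHA-1 of "password" as most tools emit it, lower-case hex
        ("bob", "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"),
        # carol: LDAP-style salted SHA, not something the connector can fix
        ("carol", "{SSHA}c2FsdGVkLWhhc2gtb2YtY2Fyb2w="),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    for user, why in find_incompatible_hashes(build_sample_db()):
        print(f"{user}: {why}")
```

Run it against the real source table (swap the SQLite connection for a DB-API connection to your database) before executing the synchronization task: an empty result means every imported user will be able to log in; anything in the "salted or other scheme" category is a signal to use pass-through authentication rather than hash synchronization.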

Define DB Resource

Now you can set up a new resource that defines the attribute mapping between the Syncope internal DB and the external DB.
  1. Click on Resources -> Resources -> Create
  2. Switch to the user mapping tab and map the external columns to Syncope attributes
  3. Click Save

Add Synchronization Task

To import users from your database you need to set up a synchronization task.
  1. Click on Task -> Synchronization Tasks -> Create
  2. Click Save
  3. Execute your new synchronization task
If the run was successful you will see alice as a new user under Users.

Create a new User

To test user propagation in the other direction, create a new user and assign it to the H2-users resource.
  1. Click Users -> List -> Create
  2. Select the resource
  3. Save
You will now find Bob in your H2 database.

I was not able to do role synchronization with my DB backend, due to missing support in the UI / connid handler.

9 comments:

  1. WRT

    > In Syncope 2.x and newer it will also be possible to avoid user password synchronization, but instead to do a "pass-through authentication"

    Pass-through authentication is available in Syncope 1.2 as well.

  2. WRT

    > I was not able to do a role synchronization with my DB backend, due to missing support in the UI / connid handler.

    The reason why you could not do that is because you are using the DBTable connector, that does not support it at all. You should be using the Scripted SQL connector, instead: https://cwiki.apache.org/confluence/display/SYNCOPE/Configure+a+Scripted+SQL+resource

    1. Hi Francesco,
      thank you very much for your feedback!
      I added a note at the beginning of my article to rather use a Scripted SQL resource instead of the DB connector.