Identity Sync

Identity Sync is an authentication option for environments using an LDAP domain. With Identity Sync configured, users can authenticate to the Control Panel Application (CPA) using their LDAP username and password, badge, or PIN.

The Identity Sync service requires an LDAP connection and a Service Client, a designated device within your network running the service. This keeps identity queries behind your firewall. It is important to note that users' passwords are not stored or synced with your instance.

Identity Sync uses a "lazy load" function to help reduce the time it takes to sync users within groups. All users sync to the instance first, then groups, but not all group associations sync initially.

The "lazy-load" of group associations means that if the group has an assignment, such as printer deployment, Portal Security, or something explicitly assigned, then group associations sync with users. If the group does NOT have an assignment, the users and group object sync over, but the users are NOT associated with the group.

Once you create a group assignment, such as a printer deployment, the next time the Identity Sync service checks in (done in 5-minute intervals), the service applies the group association to the users.

Prerequisites

Enable Identity Sync

  1. In the Admin Console tree structure, navigate to the Service Client object the Identity Sync service will run on.

  2. Select the Service Client's Identity Sync tab.
  3. Check the box for Enable LDAP Identity Sync.

    Identity Sync tab with an arrow pointing to the selected Enable LDAP Identity Sync option.

  4. Select Save. Additional fields display after the page has refreshed.
  5. The LDAP Attribute to be used for Identity Linking defaults to sAMAccountName, which is recommended. If this is not the linking attribute you wish to use, adjust the entry in the text field.
  6. Select Save.

After saving, the Identity Sync service begins adding users to the Tools then Identities tab (or the Tools then Identity Management tab; the tab name differs depending on the bundle purchased).

If users aren't showing shortly after enabling the service:

  1. Confirm the PrinterLogicServiceIdentitySync.exe service is running on the Service Client.
  2. Navigate back to the Service Client's Identity Sync tab and select the Force Full Sync button.

    Identity tab showing the LDAP linking attribute field, and an arrow pointing to the Force Full Sync button below, and displaying a message about the LDAP Connection Status below the button.

Delete Users / Groups

Sometimes, it becomes necessary to delete provisioned users or groups. The self-service delete function enables IT Admins to remove all provisioned users and groups. For legal reasons, Vasion Support cannot remove these for customers, which leaves this action at the discretion of the IT Admin. The steps below walk admins through the deletion confirmation process.

  1. In the Admin Console, navigate to Tools then Settings then General.
  2. In the Identity Provider Settings section, select the LDAP option.
  3. In the LDAP Sync section, select the Delete Provisioned LDAP Data button.

    LDAP Sync section showing a note about the button, and an arrow pointing to the Delete Provisioned LDAP Data button.

  4. In the Delete LDAP Provisioning Data pop-up, type DELETE.
  5. Select the Delete button which becomes visible after entering the text.

    Delete LDAP Provisioning Data pop-up showing a message about the actions, the field to type DELETE, and an arrow pointing to the Delete button in the lower right.

    This action will delete all LDAP users and groups from the database for all configured AD domains and will require you to provision them again. The RBAC, Portal Security, and Printer Deployment rules associated with these users and groups will continue to function unless they are manually deleted by the admin. This action cannot be undone. Are you sure you want to continue?

Allow a few minutes for large LDAP environments to be cleared.
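The lazy-load behaviour described above (users first, then group objects, member links only for groups that carry an assignment, applied on the next check-in) and the effect of Delete Provisioned LDAP Data (data removed, rules kept) can be modelled as follows. This is an added illustration, not PrinterLogic code; the user and group names, the `Instance` model and its functions are constructed for the example.

```python
"""Model of Identity Sync's lazy-load of group associations and of the
Delete Provisioned LDAP Data action. Constructed example, not PrinterLogic code."""
from dataclasses import dataclass, field

# Constructed sample LDAP data: linking attribute values (sAMAccountName) and
# group membership as the directory holds it.
LDAP_USERS = {"alice", "bob", "carol"}
LDAP_GROUPS = {"Finance": {"alice", "bob"}, "Engineering": {"carol"}}


@dataclass
class Instance:
    """Provisioned state held by the instance (hypothetical model)."""
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    memberships: dict = field(default_factory=dict)  # group -> users linked to it
    assignments: set = field(default_factory=set)    # groups carrying a deployment/rule


def sync_tick(inst: Instance) -> Instance:
    """One 5-minute check-in: users first, then group objects, then the
    member links of groups that carry an assignment (lazy load)."""
    inst.users |= LDAP_USERS
    inst.groups |= set(LDAP_GROUPS)
    for group, members in LDAP_GROUPS.items():
        if group in inst.assignments:
            inst.memberships[group] = set(members) & inst.users
        else:
            inst.memberships.setdefault(group, set())  # object only, no links
    return inst


def assign_printer_deployment(inst: Instance, group: str) -> None:
    """Admin creates an assignment; links arrive on the next sync_tick."""
    inst.assignments.add(group)


def members_on_instance(inst: Instance, group: str) -> set:
    """Users currently linked to the group on the instance."""
    return inst.memberships.get(group, set())


def delete_provisioned_data(inst: Instance) -> Instance:
    """Delete Provisioned LDAP Data: users, groups and links are removed,
    but RBAC / Portal Security / deployment rules stay in place."""
    inst.users.clear()
    inst.groups.clear()
    inst.memberships.clear()
    return inst
```

A group with no assignment therefore shows no members on the instance even though its users and the group object have synced; this is expected, not a sync failure.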