Connect source system
With your target systems identified, the next step is to connect the first source system (HRIS in the case here) to midPoint and evaluate the quality and structure of the data it contains. Use the findings to refine your deployment plan based on real, actionable data.
Considerations before you connect the source system
In theory, you should give the data in your source HR system absolute authority and use it to fix any inconsistencies in other target systems, such as an Active Directory or other resources.
Reality is not so straightforward, though.
- Firstly, there are almost certainly errors in the HR data. The data is maintained manually with no automatic validation, and with nothing to compare it against, its quality cannot be assessed.
- Secondly, target systems like Active Directory are managed by different people, and also manually. There may be outdated information, such as old names of people who changed their names (typically through marriage). More serious issues, like orphaned accounts of former employees, are common as well. These issues are fairly easy to fix through synchronization with the HR resource, though.
- Thirdly, not all Active Directory accounts need to exist in the HR system. Your AD admins may have created some service accounts. These are not employees and therefore are not in the HR system. That means an HR-based synchronization without proper planning would delete these potentially business-critical accounts.
However complex these concerns may sound to you now, they are fairly easy to tackle in midPoint and you will learn to address them properly one by one.
Overall, when integrating an IGA solution on top of existing account data, you need to be vigilant:
- You cannot change usernames carelessly. Many systems in your organization may use them as the primary ID of accounts.
- You must not delete any accounts unless you are absolutely sure it is the desired action.
- You have to keep passwords as they are. Otherwise, you would lock people out of the systems across your organization.
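The three data concerns above (HR errors, stale or orphaned AD accounts, service accounts absent from HR) and the three rules (keep usernames, delete nothing, keep passwords) can be turned into a read-only assessment that you run before wiring up any synchronization. The script below is an added example, not part of this guide or of midPoint; the HR records, AD accounts, the `employeeNumber` correlation attribute and the `svc-` naming convention for service accounts are constructed assumptions for illustration.

```python
# Constructed sample HR records (not from the page), keyed by employee number
HR_RECORDS = [
    {"empno": "1001", "given": "Alice", "family": "Novakova", "status": "active"},
    {"empno": "1002", "given": "Bob", "family": "Smith", "status": "terminated"},
    {"empno": "1003", "given": "Carol", "family": "", "status": "active"},  # invalid: no family name
    {"empno": "1004", "given": "Dan", "family": "Lee", "status": "active"},
]

# Constructed AD/LDAP accounts; employeeNumber is the assumed correlation attribute
AD_ACCOUNTS = [
    {"uid": "anovakova", "employeeNumber": "1001", "sn": "Nova"},   # surname changed in HR
    {"uid": "bsmith", "employeeNumber": "1002", "sn": "Smith"},     # employee left: orphan
    {"uid": "svc-backup", "employeeNumber": "", "sn": "Backup"},    # service account, not in HR
    {"uid": "dlee", "employeeNumber": "1004", "sn": "Lee"},         # consistent with HR
    {"uid": "eve", "employeeNumber": "9999", "sn": "Eve"},          # no HR record at all
]

# Assumed naming convention for accounts that HR must never govern
SERVICE_ACCOUNT_PREFIXES = ("svc-", "adm-")


def assess(hr_records, ad_accounts, service_prefixes=SERVICE_ACCOUNT_PREFIXES):
    """Classify HR records and AD accounts before any synchronization runs.

    Nothing is modified, renamed or deleted; the returned dict is input for the
    deployment plan (which accounts to protect, disable, correct, or review).
    """
    hr_by_empno = {r["empno"]: r for r in hr_records}
    report = {"hr_invalid": [], "matched": [], "stale_name": [],
              "orphan": [], "service": [], "unmatched": []}
    for r in hr_records:
        if not r["given"] or not r["family"]:
            report["hr_invalid"].append(r["empno"])    # HR data error: fix at the source
    for acct in ad_accounts:
        uid = acct["uid"]
        if uid.startswith(service_prefixes):
            report["service"].append(uid)              # exclude from HR-driven deletion
            continue
        hr = hr_by_empno.get(acct["employeeNumber"])
        if hr is None:
            report["unmatched"].append(uid)            # review manually, never auto-delete
        elif hr["status"] != "active":
            report["orphan"].append(uid)               # candidate for disabling, username kept
        elif hr["family"] != acct["sn"]:
            report["stale_name"].append(uid)           # safe to correct from HR
        else:
            report["matched"].append(uid)
    return report
```

Run it on an export of your own HR and AD data before building the resource configuration; the `unmatched` and `service` lists tell you which accounts the synchronization must be configured to leave alone.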
Playground data used in this guide
For this guide, we use HRIS and LDAP systems provided as Docker images originally for the MID-301 First steps training.
The training is freely accessible and you may use it to obtain the same playground environment as we use here. Once you enroll, complete the module called Technical prerequisites to set up the environment, then return here.
You may also go through the MID-301 training instead of following this guide should you find it more comfortable, as the content is nearly identical.
In this guide, we use the HRIS as an authoritative source system and Active Directory (simulated by LDAP) as a target system.
You can follow this guide with your own systems. The concepts in this guide are universal; only implementation details such as attribute names and resource configuration will need adjustment for your environment.
Next steps
This has been the last piece of the theory. Now, let us get into action and connect the first system to midPoint: