Configuring selective DSSO synchronization
Use this procedure to specify the DSSO settings to synchronize with the queries. Scenarios include:
- Synchronize all users
- Selective synchronization (based on specific queries)
- Configure the queries and the synchronization process. See Synchronizing users and roles.
- Nominate a valid LDAP for each request.
- Open the Tools dashboard and click System Settings.
- Under Authentication Provider, select either Lawson Single Sign-On or Lawson Single Sign-On 901 SP5+.
- Select Advanced PKI Settings or Advanced SSO Settings, depending on the authentication you selected.
- Specify values for the Selective DSSO Synchronization field.
Note: Click Add More or Remove to add or remove values. You can also delete the text or clear the Advanced PKI Settings or Advanced SSO Settings field to remove the values.
For example, filtering out users based on three requests:
- Users must belong to GroupA, for example,
<![CDATA[({Group}=GroupA)]]>
- Users must belong to GroupB, for example,
<![CDATA[({Group}=GroupB)]]>
- Users must belong to GroupD and must be changed or created on or before 02/28/2020, for example,
<![CDATA[(&({Group}=GroupD)(|({whenChanged}>=20200215000000.0Z)({whenCreated}>=20200215000000.0Z)))]]>
The first two items use the DSSO {Group} syntax to filter by DSSO group. Note that this is not LDAP-specific syntax; DSSO checks for the {Group} variable and applies a separate filter for it. The concept is the same as when you specify the users group on the sysconfig page. The last item shows Active Directory syntax that DSSO passes on to the LDAP provider, used in connection with the DSSO group filter.
Note: When no Selective DSSO Synchronization is saved, the default synchronization is all users.
- Click Save Changes.
- Stop and restart the server for the changes to take effect.
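A pre-save check for the Selective DSSO Synchronization values described above, so that unbalanced parentheses or a malformed whenChanged/whenCreated timestamp are caught before the setting is saved. This is an added example, not part of the product or its documentation; the grammar it accepts (an RFC 4515-style filter with the {Name} placeholder form shown above, optionally wrapped in CDATA) and the names `parse`, `_filter` and `SAMPLES` are assumptions.

```python
import re

# Assumed grammar (not Infor's parser): an RFC 4515-style filter whose
# attribute may be a DSSO placeholder such as {Group}, optionally in CDATA.
CDATA = re.compile(r"^<!\[CDATA\[(.*)\]\]>$", re.S)
ITEM = re.compile(r"^(\{\w+\}|[A-Za-z][\w-]*)(>=|<=|=)([^()]+)$")
GEN_TIME = re.compile(r"^\d{14}\.0Z$")  # e.g. 20200215000000.0Z
TIME_ATTRS = {"whenchanged", "whencreated"}
# Constructed samples: one well-formed value, one with a stray '.' in the time.
SAMPLES = ["<![CDATA[(&({Group}=GroupD)({whenChanged}>=20200215000000.0Z))]]>",
           "<![CDATA[({whenCreated}>=20200215.000000.0Z)]]>"]


def parse(value):
    """Return [(attribute, operator, value), ...] or raise ValueError."""
    m = CDATA.match(value.strip())
    text = m.group(1) if m else value.strip()
    leaves = []
    end = _filter(text, 0, leaves)
    if end != len(text):
        raise ValueError(f"trailing text at offset {end}")
    return leaves


def _filter(s, i, leaves):
    # Parse one parenthesised filter at s[i]; return the offset after it.
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|", "!"):
        op, i, count = s[i], i + 1, 0
        while s[i:i + 1] == "(":
            i, count = _filter(s, i, leaves), count + 1
        if count == 0 or (op == "!" and count != 1):
            raise ValueError(f"wrong number of operands for '{op}'")
    else:
        close = s.find(")", i)
        m = ITEM.match(s[i:close]) if close != -1 else None
        if not m:
            raise ValueError(f"bad comparison near offset {i}")
        attr, oper, val = m.groups()
        if attr.strip("{}").lower() in TIME_ATTRS and not GEN_TIME.match(val):
            raise ValueError(f"bad timestamp {val!r} for {attr}")
        leaves.append((attr, oper, val))
        i = close
    if s[i:i + 1] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1
```

Calling `parse` on each value you intend to enter returns the individual comparisons, which also makes it easy to review which groups and date bounds a request actually contains.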