How do I set up a batch file to run Directory Sync?

Below is an example of the contents of a batch file that runs our Directory Sync application. The following command initiates the Directory Sync process:

DirectorySync -ln={Application Key Identifier} -lp={Application Key} -add=domain.com -adf="(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=cn=2fa_users,ou=groups,ou=myou,dc=domain,dc=com))" -restendpoint={Authentication Server Rest Endpoint} -syncapi=REST -syncsource=AD

(the above is all one line)

Per the Active Directory Sync guide, the value of the restendpoint parameter should look like this:

https://mfa.mydomain.com/AuthServer/REST/OATH/OathServer.aspx

To adapt the command to your own setup, fill in each parameter with your values. Replace "{Application Key Identifier}" with the identifier of your API key and "{Application Key}" with the API key itself. The Application Key you use must have the Directory Sync permission. If you would like to learn more about Application (API) Keys, you can find additional information here.

The {Authentication Server Rest Endpoint} is the REST endpoint of the authentication server. The endpoint URL is specified in the following format:

https://{Authentication Server Rest Endpoint}/api/mfa/v1

Prior to release 23.1, the REST endpoint is:

https://{Authentication Server Rest Endpoint}/AuthServer/REST/OATH/OathServer.aspx

For example, if you were targeting the SurePassID cloud, the endpoint would be:

https://mfa.surepassid.com/AuthServer/REST/OATH/OathServer.aspx

The "adf" parameter holds the LDAP filter that scopes the sync. In the example it selects user accounts that are members of the "2fa_users" group in the "myou" organizational unit (OU) of the Active Directory (AD) domain "domain.com"; only accounts matching this filter are processed by the directory synchronization application.

To keep the directories in sync, we recommend a scheduled task that runs a batch file containing the DirectorySync command. Alternatively, you can run the process continuously, as explained in our documentation. Our latest release also adds an option to store all of the necessary settings in a configuration file, which simplifies running the program.
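A batch file of the kind described above, written here as an added example rather than taken from SurePassID's documentation: it keeps the parameters in variables, logs each run, and passes the tool's exit code back to the scheduled task so a failed sync is recorded. The install and log paths, the service account name, and the assumption that DirectorySync returns a non-zero exit code on failure are mine, not from the article.

```batch
@echo off
REM run-directorysync.cmd -- added example, not SurePassID's own file.
REM Assumptions (not from the KB article): install path, log path, service
REM account name, and that DirectorySync exits non-zero on failure.
setlocal EnableExtensions

set "SYNC_DIR=C:\SurePassID\DirectorySync"
set "LOG_DIR=C:\SurePassID\logs"
set "REST_ENDPOINT=mfa.mydomain.com"

REM Placeholders: replace with the Application Key Identifier / Application Key
REM of an API key that holds the Directory Sync permission.
set "APP_KEY_ID={Application Key Identifier}"
set "APP_KEY={Application Key}"

REM Scope the sync to user objects that are members of the 2fa_users group
REM (matching rule 1.2.840.113556.1.4.1941 also resolves nested membership).
set "AD_DOMAIN=domain.com"
set "AD_FILTER=(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=cn=2fa_users,ou=groups,ou=myou,dc=domain,dc=com))"

if not exist "%LOG_DIR%" mkdir "%LOG_DIR%"
set "LOG=%LOG_DIR%\directorysync.log"

echo [%DATE% %TIME%] DirectorySync start >> "%LOG%"
"%SYNC_DIR%\DirectorySync.exe" -ln=%APP_KEY_ID% -lp=%APP_KEY% -add=%AD_DOMAIN% -adf="%AD_FILTER%" -restendpoint=%REST_ENDPOINT% -syncapi=REST -syncsource=AD >> "%LOG%" 2>&1
set "RC=%ERRORLEVEL%"
echo [%DATE% %TIME%] DirectorySync exit code %RC% >> "%LOG%"
if not "%RC%"=="0" (
    echo DirectorySync failed with exit code %RC%; see "%LOG%" 1>&2
)

REM Propagate the exit code so Task Scheduler shows the run as failed.
endlocal & exit /b %RC%

REM One-time setup, run manually from an elevated prompt (not part of the scheduled run):
REM   The file contains the Application Key, so restrict who can read it, then
REM   register a nightly task that runs it as a dedicated service account.
REM icacls "C:\SurePassID\DirectorySync\run-directorysync.cmd" /inheritance:r /grant:r "SYSTEM:(R)" "BUILTIN\Administrators:(F)" "DOMAIN\svc-dirsync:(RX)"
REM schtasks /Create /F /SC DAILY /ST 02:00 /TN "SurePassID DirectorySync" /TR "\"C:\SurePassID\DirectorySync\run-directorysync.cmd\"" /RU "DOMAIN\svc-dirsync" /RP * /RL LIMITED
```

The service account only needs read access to the directory objects the filter selects; the API key it uses should carry the Directory Sync permission and nothing more.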

This command is a convenient way to synchronize user data from Active Directory (AD) to the MFA server; with the parameters adjusted to your setup it integrates the two systems. Note that passwords are never transferred during synchronization, and the sync only goes from AD to SurePassID.

You can also create your own application to perform AD -> SurePassID user synchronizations using the SurePassID REST API.

SurePassID Directory Sync Live is an upcoming product scheduled for release in Early 2025. This innovative tool will enable you to establish SurePassID policies for real-time Active Directory user actions, including adding, updating, disabling, and deleting users. If you are interested in being among the first customers to experience this exciting new feature, please reach out to our technical support team to be added to the early customer list.