Centrify Identity Service
Question:
When a web app with a custom script needs to reference an attribute from an AD user, it uses the LoginUser object. For example, to read a user's employeeID attribute, a script may contain the following line:
var userID = LoginUser.Get('employeeID');
It has been noticed that for newly added or modified users in Active Directory, the target attribute may take up to twelve hours before it is detected in the cloud.
Some attributes appear to be immediately updated when modified (such as the userPrincipalName), while other attributes take much longer.
Why does this happen and is there a way to ensure desired attribute changes are immediately detected?
Answer:
The Centrify Cloud Connector is optimised to constantly monitor a default set of attributes for immediate syncing into the Cloud - when attributes inside this "watch list" are created or modified, the change is immediately picked up and pushed into the cloud.
Attributes outside of this default set are monitored on a more periodic basis and changes are pushed approximately every twelve hours.
There are two methods to enable the cloud to immediately see any new or updated attribute changes:
(A) To do an immediate sync of all AD attributes for a specific user:
- Log into the Cloud Manager > Users
- Search out the newly added/modified users
- Right-click on their name and select "Reload"
(B) To configure the Cloud Connector to constantly monitor additional attributes outside of the default list:
- Log into the Cloud Connector host machine(s) and open regedit.exe
- Navigate to the following key:
- In this folder, right-click and add a new "Multi-String Value" name:
- Edit the newly added string and enter the desired attribute(s) to be monitored.
- If adding more than one attribute, make sure to place each attribute name on a new line in the Value Data box.
- Save the changes
- Restart the Connector service(s)
Once the services are started back up, the additional attributes will be monitored and updated along with the default set.
Note:
- To see the default list of monitored attributes, view the userMonitorAttributeFromCloud key.
- This key is dynamically configured from the Cloud side; manually modifying the userMonitorAttributeFromCloud key will have no effect, as any manual changes will be periodically overwritten.
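
Method (B) scripted in PowerShell for repeatable use across Connector hosts, as an added example that is not part of the original article or Centrify's own tooling. The registry key, value name and service name are not given on this page, so they appear as placeholders to fill in; the script also assumes userMonitorAttributeFromCloud is a multi-string value in the same key.

```powershell
# Added example. The three placeholder defaults are NOT from the article;
# supply the real key, value name and service name from your Connector host.
param(
    [string]   $KeyPath     = 'HKLM:\<CONNECTOR-KEY-PLACEHOLDER>',
    [string]   $ValueName   = '<VALUE-NAME-PLACEHOLDER>',
    [string]   $ServiceName = '<CONNECTOR-SERVICE-PLACEHOLDER>',
    [string[]] $Attributes  = @('employeeID')
)
$ErrorActionPreference = 'Stop'

# Read a multi-string registry value; returns nothing if the value is absent.
function Get-MultiString([string]$Path, [string]$Name) {
    $p = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $p) { $p.$Name | Where-Object { $_ } }
}

if (-not (Test-Path -LiteralPath $KeyPath)) { throw "Registry key not found: $KeyPath" }

# Assumption: the cloud-managed default list lives in the same key.
$default = @(Get-MultiString $KeyPath 'userMonitorAttributeFromCloud')
$current = @(Get-MultiString $KeyPath $ValueName)

# Merge existing and requested names, one attribute per entry, skipping
# duplicates and anything already on the default watch list.
$merged = [System.Collections.Generic.List[string]]::new()
foreach ($a in @($current + $Attributes)) {
    $name = "$a".Trim()
    if (-not $name) { continue }
    # Reject pasted lists such as "a,b": each attribute must be its own line.
    if ($name -notmatch '^[A-Za-z][A-Za-z0-9-]*$') { throw "Not a single attribute name: '$name'" }
    if ($default -notcontains $name -and $merged -notcontains $name) { $merged.Add($name) }
}

# Avoid an unnecessary service restart when nothing would change.
if (($merged -join "`n") -ieq ($current -join "`n")) {
    Write-Output 'Watch list already up to date; nothing written.'
    return
}

Set-ItemProperty -LiteralPath $KeyPath -Name $ValueName -Value ([string[]]$merged) -Type MultiString
Restart-Service -Name $ServiceName
Write-Output ("Now monitoring in addition to the default set: " + ($merged -join ', '))
```

The script never writes to userMonitorAttributeFromCloud, since manual changes there are overwritten from the Cloud side.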