The User Sync Tool can use the Admin Console as an identity connector. This can be used to manage users for a trustee directory when the parent directory uses Azure AD sync or Google Sync, or to manage Sign Enterprise Users.
The connector can be enabled by adding
A template config file can be obtained here.
To invoke the sync tool with the adobe_console connector, do one of the following.
invocation_options:
  connector: adobe_console
Run the Sync Tool with the option
$ ./user-sync --connector adobe_console
All UMAPI sync setups require at least one UMAPI connector configuration. This primary connection config should be called
Like the UMAPI connector, the Admin Console Connector requires a UMAPI integration on the Adobe Developer Console.
Note: This guide covers OAuth Server-to-Server authentication. JWT-based authentication is deprecated. If you need to migrate your integration, please refer to this guide. It is geared to the UMAPI connector, but the procedure for migrating Admin Console connector config is very similar.
connector-adobe-console.yml defines the following top-level config keys.
- server - Override default identity and UMAPI endpoints (generally not needed) and customize connection timeout and retry settings
- integration - Define UMAPI credentials (either in-line plaintext or references to OS keyring objects)
- identity_type_filter - Tells the connector to only include the identity type specified (
- authentication_method - Governs authentication method. Supports oauth for Server-to-Server connections and jwt for deprecated JWT connections. Default for compatibility reasons is
server settings do not generally need to be customized.
retry settings can be customized if the Sync Tool is running on a high-latency network connection.
Note: The options
ims_endpoint_jwt are deprecated in favor of the options
auth_endpoint. These options serve the same purpose as their deprecated counterparts.
integration key defines credentials used to authenticate with the User Management API. The following information is required:
- Organization ID
- Client ID (API Key)
- Client Secret
These can be stored in plaintext inside the config file:
org_id: "Organization ID goes here"
client_id: "Client ID goes here"
client_secret: "Client Secret goes here"
Replace each “goes here” string (including the double quotes) with the item copied from the console.
client_secret are considered sensitive and should be secured accordingly. If you intend to keep these items in plaintext, it is your responsibility to restrict access to connector-umapi.yml using any necessary practices (ACLs, file permissions, etc).
Any sensitive credential can be stored in a secure OS keychain (such as Windows Credential Manager). Each credential is identified by key name and account ID (which is the org_id for UMAPI credentials). In connector-umapi.yml, the key name is stored in the respective config option.
- secure_client_id_key - Key name of
- secure_client_secret_key - Key name of
We strongly recommend securing your credentials in this manner. See Security Recommendations for more information.
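One way to check a connector config against the guidance above, as an added example that is not part of the User Sync Tool or its documentation: it flags client_id and client_secret values left in plaintext and, when they are, file modes that grant access beyond the owner. The function names, the line-based scan (used in place of a YAML parser), the POSIX permission check and all sample values are assumptions made for this example.

```python
import os
import re
import stat
import tempfile

# Plaintext option -> keychain-backed option named on the page.
SENSITIVE = {"client_id": "secure_client_id_key",
             "client_secret": "secure_client_secret_key"}
KEY_LINE = re.compile(r"^\s*([A-Za-z_]+)\s*:\s*(.*?)\s*$")

def audit_connector_config(path):
    """Return findings for one connector config file (POSIX modes assumed)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    present = {}
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            m = KEY_LINE.match(raw.split("#", 1)[0])  # ignore YAML comments
            if m and m.group(2):
                present[m.group(1)] = m.group(2)
    findings = []
    for plain, secure in SENSITIVE.items():
        if plain in present and secure in present:
            findings.append(f"{plain}: both plaintext and {secure} set")
        elif plain in present:
            findings.append(f"{plain}: stored in plaintext")
    # Plaintext is only tolerable when nobody but the owner can open the file.
    if findings and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {mode:o} grants access beyond owner")
    return findings

# Constructed sample configs; none of these values are real credentials.
WEAK = ('integration:\n  org_id: "EXAMPLE@AdobeOrg"\n'
        '  client_id: "constructed-id"\n  client_secret: "constructed-secret"\n')
HARDENED = ('integration:\n  org_id: "EXAMPLE@AdobeOrg"\n'
            '  secure_client_id_key: ust_client_id\n'
            '  secure_client_secret_key: ust_client_secret\n')

def audit_text(text, mode):
    """Write text to a temp file with the given mode and audit it."""
    fd, path = tempfile.mkstemp(suffix=".yml")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(path, mode)
        return audit_connector_config(path)
    finally:
        os.remove(path)

if __name__ == "__main__":
    print("weak:", audit_text(WEAK, 0o644))
    print("hardened:", audit_text(HARDENED, 0o600))
```

On Windows the mode bits carry no meaning, so the permission finding applies only on POSIX hosts; ACLs there need a separate check.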