Version Warning

The content below is for Apache Syncope <= 1.2 - for later versions the Reference Guide is available.

Introduction

The propagation is the mechanism to extend provisioning operations on external resources.

The propagation layer implements remote creation, maintenance, activation and deactivation of user and role objects and their attributes.

A propagation towards a specific external resource occurs if and only if the external resource's connector instance capabilities permit.

Propagation will be tried on an external resource for each provisioning operation involving users or roles assigned to that resource.

Syncope makes distinction between ONE_PHASE and TWO_PHASES propagation modes.

Basically, ONE_PHASE means that propagation is an atomic operation: Syncope calls the external resource and expects an immediate result.

Conversely, TWO_PHASES means that Syncope calls the external resource and returns immediately. Later, when the propagation has completed, the external resource will notify the actual propagation result to Syncope.

Configuration

Connectors

Connector instances can be configured to support ONE_PHASE and/or TWO_PHASES, for create, update and delete operations.

External resources

External resources can be configured to use either ONE_PHASE or TWO_PHASES, not both.

Propagation tasks

When propagation tasks are created, their propagation mode will be set according to the mode of the external resource.

Operation

When tasks are executed in ONE_PHASE mode, the execution status will be set to SUCCESS or FAILURE, based on the actual propagation result.

When tasks are executed in TWO_PHASES mode instead, the status is first set to SUBMITTED or UNSUBMITTED, based on the communication result with external resource. When status is SUBMITTED, external resource is allowed to report the propagation status through a REST call to Syncope core: at this point the status will be SUCCESS/FAILURE.

Operational side-effects of configuration inconsistencies

  • If a TWO_PHASES operation is performed on a resource/connector that does not support TWO_PHASES, propagation WILL take place, only the propagation task will remain in SUBMITTED status.

  • If a resource is configured to use TWO_PHASES propagation, but the connector instance only supports ONE_PHASE (or the other way around), no propagation will take place. Instead, a log line like the following will appear in the persistence log:

    15:18:53.603 INFO o.a.s.c.p.p.ConnectorFacadeProxy - \
    Create was attempted, although the connector only has these capabilities: \
    ONE_PHASE_CREATE, ONE_PHASE_UPDATE, ONE_PHASE_DELETE, SEARCH, RESOLVE, SYNC. No action.

Questions? Just send an e-mail to user@syncope.apache.org