We have multiple forest / domains that need to be integrated into Saviynt and we are trying to determine if using the ADSI connector is the right approach or if we should use separate AD connectors. Below are a few of my initial questions.
Please refer to the following documentation which may help you in finding answers to your questions:
Thank you for your reply. I have reviewed the available documentation from the Saviynt Docs site. While the articles you provided touch on some of my questions, I don't believe they provide explicit answers. I was directed by our TAM to post these questions in the Forum.
We met with our TAM today and were able to get a few questions answered. Below are the follow-up questions from reviewing the documentation and meeting with the TAM.
Please find the answers to the questions above provided below:
Question: Does the ADSI connector require that all Forests / Domains have two-way trusts?
The trusts between domains in a forest are transitive and two-way. You must create trust between domains of different forests if you want to allow users from one domain to access resources in another domain in a different forest.
Forest-level trust is configured when objects belong to different forests.
Question: The solution requires an IIS server with Saviynt's ADSI agent running on it. Is this one IIS server running in the primary domain that reaches out to all other Forests / Domains?
When IIS is installed on a member server of a primary domain, the trust evaluation performance is better than installing it on a member server of the child domain. Saviynt recommends that you install IIS on a member server of a primary domain for the following reasons:
1. Transitive trusts for all child domains in a forest are evaluated from the primary or root domain of a forest.
2. The forest level trust of all forests in a cross-forest integration is evaluated from the primary or root domain of a forest.
3. If a child domain is down due to a maintenance activity, you cannot connect to other domains to perform your operations.
Question: How does the Saviynt ADSI connector using REST authenticate to the IIS Server?
The Saviynt ADSI connector using REST authenticates to the IIS server using a service account. This service account must be configured with the necessary permissions to run commands through the ADSI agent on the IIS server.
These permissions are required for the service account to be able to run commands through the ADSI agent on the IIS server. Once the service account is configured, the Saviynt ADSI connector will use it to authenticate to the IIS server and perform the necessary operations on Active Directory.
Question: In the Connector, how do I deal with multiple accounts that are joined to the same user for something like a termination, where there is a termination OU in each forest and I have to move that AD object to the termed OU in each forest?
You can use moveObjectToOU to specify the Active Directory container where you want to move the user object.
For reference: https://docs.saviyntcloud.com/bundle/ADSI-v23x/page/Content/Configuring-the-Integration-for-Provisio...
Question: If we have a Forest with a Parent Domain and one Child Domain, can we use the AD Connector to manage both or would we use the ADSI connector to manage both?
AD Connector is to be used with Single Domain whereas ADSI connector is to be used for multiple domains and/or forests.
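As an added example (not part of this thread or of Saviynt's documentation), the following PowerShell check can be run on the member server where the ADSI agent (IIS) is installed to confirm the two assumptions from the trust and IIS-placement answers above: that the host sits in the forest root domain, and that each remote forest the connector must reach has an explicitly created, forest-transitive trust. It assumes the RSAT ActiveDirectory module is installed; the forest names in $RemoteForests are placeholders.

```powershell
# Added example: pre-flight check for an ADSI agent host. Not Saviynt code.
# Requires the RSAT ActiveDirectory module; forest names below are placeholders.
Import-Module ActiveDirectory

# Remote forests the ADSI connector must reach in addition to the local one.
$RemoteForests = @('forest-b.example', 'forest-c.example')   # placeholders

# 1. Is this host a member of the forest root (primary) domain? The answer above
#    notes that transitive and forest-level trusts are evaluated from the root.
$computerDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name
$forest = Get-ADForest
if ($computerDomain -ieq $forest.RootDomain) {
    Write-Host "OK   $env:COMPUTERNAME is a member of the root domain $computerDomain"
} else {
    Write-Warning "$env:COMPUTERNAME is in child domain $computerDomain, not root $($forest.RootDomain); trust evaluation is slower and depends on the child domain being up"
}

# 2. Intra-forest trusts are transitive and two-way by design, so the child
#    domains are reachable through the root without extra trusts. Just list them.
$forest.Domains | Where-Object { $_ -ine $forest.RootDomain } |
    ForEach-Object { Write-Host "INFO child domain reachable via root: $_" }

# 3. Cross-forest trusts must be created explicitly. Read the trusts known to the
#    root domain and report direction and transitivity for each remote forest.
$trusts = Get-ADTrust -Filter * -Server $forest.RootDomain
foreach ($target in $RemoteForests) {
    $t = $trusts | Where-Object { $_.Target -ieq $target } | Select-Object -First 1
    if (-not $t) {
        Write-Warning "no trust from $($forest.RootDomain) to $target; the ADSI connector cannot manage objects there"
        continue
    }
    $findings = @()
    if ($t.Direction -ne 'BiDirectional') { $findings += "direction is $($t.Direction), not two-way" }
    if (-not $t.ForestTransitive)         { $findings += 'trust is not forest-transitive (external trust, not a forest trust)' }
    if ($findings.Count -eq 0) {
        Write-Host "OK   forest trust to $target is two-way and forest-transitive"
    } else {
        Write-Warning ("trust to {0} needs review: {1}" -f $target, ($findings -join '; '))
    }
}
```

Run it under an account that can read trust objects in the root domain; it only reads directory data and changes nothing.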