E-road HR as an Identity Source


# Overview

This section describes how to configure the E-road HR system as an identity source in the IDaaS platform. Organization and user data maintained centrally in the E-road HR system is then synchronized to the IDaaS platform in real time, keeping that data consistent across the application systems within the enterprise.

# Prerequisites

  • Have administrator privileges for the E-road HR Open Platform.
  • Have administrator privileges for the IDaaS Enterprise Center platform.

# Configuration Process

# Steps

# Obtain Parameters from the E-road HR System

  1. Create a custom enterprise application on the E-road HR Open Platform. For detailed steps, please refer to the platform's relevant documentation.
  2. Obtain parameters such as the custom application's ID and application secret.
  3. Grant users access permissions to the newly created application.

# Configure E-road HR as an Identity Source in IDaaS

  1. Log in to the IDaaS Enterprise Center platform. In the top navigation bar, select "Users > Identity Source Management", click "Add Identity Source", and choose the "E-road HR" identity source.

  2. Set a custom name for the identity source. Fill in parameters such as the Application ID, Secret, and Server Address as prompted on the interface. Click "OK" to save after configuration.

  3. Navigate to the details page of the newly added identity source. You can view and update the "Basic Configuration" of the E-road HR identity source, including connection parameters and synchronization mechanisms.

  4. Switch to the "Advanced Configuration" tab. It is recommended to keep the default settings or fill them in according to actual needs.

    | Parameter | Description |
    | --- | --- |
    | Select Root Organization | Select an organizational node in IDaaS to serve as the root node for synchronized E-road HR organizations. |
    | Organization Matching Strategy | By default, associates the organization code in IDaaS with the institution code in E-road HR. |
    | Create Organization | Default is Yes. |
    | Update Organization | Default is Yes. |
    | Delete Organization | Default is to retain the organization (i.e., if an organization is deleted in E-road HR, it is retained in IDaaS). Also supports disabling or deleting the organization. |
    | User Matching Strategy | By default, associates the user's mobile phone number and username in IDaaS with the user's mobile phone number and username in E-road HR. |
    | Create User | Default is Yes. |
    | Update User | Default is Yes. |
    | Delete User | Default is to disable the user (i.e., if a user is deleted in E-road HR, the user is disabled in IDaaS). Also supports retaining or deleting the user. |
    | Security Threshold Adjustment | Sets the maximum threshold percentage for changes such as user deletion, organization deletion, or organizational hierarchy changes in the upstream identity source. Threshold = (data already retrieved by the platform − data retrieved this time) / data already retrieved × 100%. When the upstream identity source disables or deletes more data than the set threshold allows, the platform does not perform the disable/delete operation upon receiving the command. |
  5. After configuration, switch to the "Object Model" tab, select "Mapping Definition", and configure the following mapping definitions.

    The object model supports mapping attributes of users and organizations in the E-road HR identity source to the corresponding attributes of IDaaS users and organizations. Once the mapping is set up, user and organization attributes retrieved from E-road HR are written to the mapped IDaaS attributes.

    • Execution Method: Sets under which circumstances the attribute needs to be mapped.
      • No Mapping: This attribute will not be synchronized to IDaaS.
      • Create: Synchronizes this attribute only during creation.
      • Update: Synchronizes this attribute only during updates.
      • Create and Update: Synchronizes this attribute during both creation and updates.
    • Conversion Method: Sets the method for attribute mapping.
      • Automatic Conversion: Synchronizes the value as-is from the identity source.
      • Script Conversion: Use this method to convert values from the identity source if they do not meet the required format. Please refer to Script Mapping Method.
  6. Configuration Scenarios for E-road HR Data Retrieval:

When E-road HR holds a large volume of existing data, data retrieval may time out and must be performed in batches. Configure one of the following scenarios according to the actual project situation.

Scenario 1: Retrieving Existing Data: When the system has existing data and the number of users exceeds ten thousand, you need to perform retrieval according to the existing data retrieval scenario first. After completing the existing data retrieval, configure it as the incremental data retrieval scenario.

  1. Configure the Application ID, Application Secret, and Server Address parameters.
  2. Set the Full Query Configuration to: false
  3. Set the Query Start Time (configure based on the E-road HR go-live date).
  4. Set the End Time. Based on the data retrieval progress and the query interval, it can be set between 2 months and 1 year.
  5. Set the Timeout to: 500
  6. Set whether to synchronize departed users based on business needs. true for retrieval, false for no retrieval.
  7. Save the import configuration.
  8. Click "Execute Synchronization".
  9. After synchronization is complete, modify the Query Start Time to the previous End Time, and modify the End Time again to a period between 2 months and 1 year.
  10. Repeat the above steps until all existing data retrieval is complete.
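
Steps 3, 4 and 9 of Scenario 1 amount to walking a time window from the go-live date up to the present. The following added example (not part of the product documentation) plans those windows; the dates are constructed, the function names are hypothetical, and the values still have to be entered in whatever date format the configuration form expects.

```python
import calendar
from datetime import date


def add_months(d: date, months: int) -> date:
    """Shift d forward by whole months, clamping the day (Jan 31 + 1 month -> Feb 28/29)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def plan_windows(go_live: date, until: date, window_months: int = 6):
    """Return consecutive (Query Start Time, End Time) pairs covering go_live..until."""
    if not 2 <= window_months <= 12:
        raise ValueError("window must be between 2 months and 1 year")
    if until <= go_live:
        raise ValueError("'until' must be later than the go-live date")
    windows, start = [], go_live
    while start < until:
        # Step 4: End Time is one window later, but never past the cut-off date.
        end = min(add_months(start, window_months), until)
        windows.append((start, end))
        # Step 9: the next Query Start Time is the previous End Time,
        # so the batches are contiguous and no interval is skipped.
        start = end
    return windows


if __name__ == "__main__":
    # Constructed dates: go-live on 2022-01-15, back-fill up to 2023-03-01.
    plan = plan_windows(date(2022, 1, 15), date(2023, 3, 1), window_months=6)
    for n, (start, end) in enumerate(plan, 1):
        print(f"batch {n}: Query Start Time={start}  End Time={end}")
```

If a batch still times out with the Timeout of 500 from step 5, rerun the plan with a smaller `window_months` rather than skipping the interval.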

Scenario 2: Incremental Data Retrieval: When the system has no existing data and the number of users exceeds ten thousand, you need to configure the incremental retrieval scenario.

  1. Configure the Application ID, Application Secret, and Server Address parameters.
  2. Set the Full Query Configuration to: false
  3. Leave the Query Start Time blank.
  4. Leave the Query End Time blank.
  5. Set the Interval Time to: 1
  6. Set the Timeout to: 10. If a timeout occurs during retrieval, appropriately increase the timeout value.
  7. Set whether to synchronize departed users based on business needs. true for retrieval, false for no retrieval.

Scenario 3: Specified Department Data Retrieval: To retrieve only users under specified departments, configure the specified department data retrieval scenario.

  1. Configure the Application ID, Application Secret, and Server Address parameters.
  2. Set the Full Query Configuration to: false
  3. Set the Department ID. After setting, users under the department and its sub-departments will be retrieved.
  4. Set the Interval Time to: 1
  5. Set the Timeout to: 10. If a timeout occurs during retrieval, appropriately increase the timeout value.
  6. Set whether to synchronize departed users based on business needs. true for retrieval, false for no retrieval.
  7. In the Basic Configuration, set the Synchronization Mechanism to Scheduled Synchronization.

Scenario 4: Full Data Retrieval: When the system has fewer than 10,000 users, it is recommended to configure full retrieval. You can also configure it according to Scenario 1.

  1. Configure the Application ID, Application Secret, and Server Address parameters.
  2. Set the Full Query Configuration to: true
  3. Set the Timeout, adjusting it based on the data volume.
  4. Set whether to synchronize departed users based on business needs. true for retrieval, false for no retrieval.
  5. In the Basic Configuration, set the Synchronization Mechanism to Scheduled Synchronization.

If a retrieval event is interrupted, it indicates the timeout setting is too short and needs to be increased.

  7. After configuration is complete, click "Execute Synchronization" to immediately perform the synchronization operation.

If the Synchronization Mechanism in the Basic Configuration is set to Scheduled Synchronization, manual execution of the synchronization task is not required here.

  8. After execution is complete, switch to the "Synchronization Events" page to view all synchronization tasks for this identity source. Click "Details" under the "Operation" column of a synchronization task to view the import results, or go to the "Users > Users and Organizations" page to view the imported data.
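
The Security Threshold Adjustment setting from the Advanced Configuration tab, as an added sketch (not the IDaaS platform's own code): it applies the formula given there to record counts and withholds the disable step when the change exceeds the threshold. The function name, the user IDs and the 10% threshold are constructed for illustration.

```python
def deletion_guard(previously_synced: set, upstream_now: set, threshold_pct: float) -> dict:
    """Decide whether users missing upstream may be disabled in this sync run."""
    if not 0 <= threshold_pct <= 100:
        raise ValueError("threshold must be a percentage between 0 and 100")
    missing = previously_synced - upstream_now
    already = len(previously_synced)
    # Formula from the page:
    # (data already retrieved - data retrieved this time) / data already retrieved * 100
    # A first sync (nothing retrieved yet) or a growing directory counts as 0%.
    shrink = max(already - len(upstream_now), 0)
    change_pct = 100.0 * shrink / already if already else 0.0
    blocked = change_pct > threshold_pct
    return {
        "change_pct": round(change_pct, 2),
        "blocked": blocked,
        # Default "Delete User" behaviour on the page is to disable the user.
        "to_disable": [] if blocked else sorted(missing),
        # Above the threshold nothing is disabled; the list is kept for review.
        "held_for_review": sorted(missing) if blocked else [],
    }


# Constructed sample data: 20 users already synchronized into IDaaS.
PREVIOUS = {f"u{i:03d}" for i in range(1, 21)}
# Run A: one user has left, upstream now returns 19 records.
RUN_A = PREVIOUS - {"u007"}
# Run B: upstream returns only 5 records, e.g. a truncated or mis-scoped query.
RUN_B = {f"u{i:03d}" for i in range(1, 6)}

if __name__ == "__main__":
    for name, upstream in (("A", RUN_A), ("B", RUN_B)):
        result = deletion_guard(PREVIOUS, upstream, threshold_pct=10)
        print(name, result["change_pct"], "blocked" if result["blocked"] else "applied",
              len(result["to_disable"]), "disabled,",
              len(result["held_for_review"]), "held")
```

Run B is the case the threshold exists for: an upstream fault or a wrong query scope that would otherwise disable most accounts in one synchronization.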