In this blog, we will walk through the steps to get your People Information synced on a daily basis with AWS Lambda and CloudWatch.
I will be assuming that you already utilise Workspace ONE Access and you have already an Active Directory associated with Workspace ONE Access and it syncs frequently.
Prerequisites:
1. Log in to your Workspace ONE Access tenant as an Administrator at https://<your_Workspace_ONE_Access_tenant_URL>/SAAS/auth/login
2. Switch to the Administration console.
3. Navigate to the Identity & Access Management tab.
4. Open your directory information.
5. Go to Sync settings.
6. Confirm the sync frequency and check whether scheduled syncs are successful.
7. Make yourself familiar with the API calls in Workspace ONE Access.
8. Create a Service Client Token to be able to run API calls (Create Remote App Access Client).
9. Get your directory ID: open Inspect Element in Chrome, choose Network, then XHR, and navigate to the Identity & Access Management tab. One of the requests loaded contains your directory ID.
Step 1: Configure PeopleSearch
This initial configuration enables People Search and results in a once-per-week sync.
1. Click on the drop-down arrow on the Catalog tab button.
2. Choose Settings.
3. Navigate to People Search.
4. Check Enable and click Next.
5. Select your directory.
(Note: if you have multiple directories added, you can configure People Search for only one of them!)
6. Check all the attributes that you want People Search to sync and display in the People tab of the end-user catalog portal. Click Next.
7. Map the VMware Workspace ONE Access attribute names to the Active Directory attribute names. Click Next.
8. Specify the users that you want to sync. Click on Save & Sync.
9. Verify that the People tab appears in the End User Portal.
Step 2: Import pictures into your Active Directory
1. Log in to a domain controller.
2. Run PowerShell as an Administrator and enter the following commands:
# Read the picture as raw bytes and write it into the user's thumbnailPhoto attribute.
# -Encoding byte is Windows PowerShell 5.1 syntax; PowerShell 7 uses -AsByteStream instead.
$photo = [byte[]](Get-Content "<path_to_picture>" -Encoding byte)
Set-ADUser <username> -Replace @{thumbnailPhoto=$photo}
Example:
$photo = [byte[]](Get-Content "C:\Users\Public\Pictures\Sample Pictures\cuser1_picture.jpg" -Encoding byte)
Set-ADUser cuser1 -Replace @{thumbnailPhoto=$photo}
Step 3: Run a manual sync
There is no tab where you can check the sync schedule or status of the PeopleSearch sync. This can be done only with an API call, executed here in Postman.
1. Run the following API call (the URL is the self link returned in the response body):
GET : https://<your_Workspace_ONE_Access_tenant_URL>/SAAS/jersey/manager/api/connectormanagement/directoryconfigs/<directory_Config_Id>/syncprofile/photosyncprofile
Headers :
Content-Type : application/vnd.vmware.horizon.manager.connector.management.directory.sync.profile.photosync.schedule+json
Accept : application/vnd.vmware.horizon.manager.connector.management.directory.sync.profile.photosync.schedule+json
Authorization : HZN eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJqdG
You will get Response 200 OK with the following body:
{
  "syncSchedule": {
    "frequency": "weekly",
    "dayOfWeek": "sunday",
    "hours": 21,
    "minutes": 55,
    "seconds": 0
  },
  "photoAttribute": "thumbnailPhoto",
  "_links": {
    "self": {
      "href": "/SAAS/jersey/manager/api/connectormanagement/directoryconfigs/<directory_Config_Id>/syncprofile/photosyncprofile"
    },
    "hw-photo-sync": {
      "href": "/SAAS/jersey/manager/api/connectormanagement/directoryconfigs/<directory_Config_Id>/syncprofile/photosyncprofile/sync"
    }
  }
}
Currently, the only accepted value for frequency is "weekly". If you want pictures or any other PeopleSearch information synced sooner than Sunday evening, you can run the following API call:
POST : https://<your_Workspace_ONE_Access_tenant_URL>/SAAS/jersey/manager/api/connectormanagement/directoryconfigs/<directory_Config_Id>/syncprofile/photosyncprofile/sync
Headers :
Content-Type : application/vnd.vmware.horizon.manager.connector.management.directory.sync.profile.photosync.schedule+json
Accept : application/vnd.vmware.horizon.manager.connector.management.directory.sync.profile.photosync.schedule+json
Authorization : HZN eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJqdG
Request Body : {"ignoreSafeguards" : true}
Response : 200 OK
Step 4: Schedule a daily sync with AWS Lambda and CloudWatch
In modern, dynamic companies a weekly sync does not satisfy your users. People change their pictures and want the change reflected as soon as possible, and you want to find a colleague's phone number the moment you need it, not a week later. The best option is to automate the manual sync with a simple and efficient Python script and, so that its execution does not depend on your availability, schedule it to run daily. A very good and simple tool for this is AWS Lambda.
1. Write your Python script.
import json
import requests

# Service client credentials. Keep them out of source control; in Lambda, read them
# from (encrypted) environment variables instead of hard-coding them.
user = "<your_service_client_token_id>"
shared_secret = "<the_shared_secret_of_your_service_client_token>"

def get_access_token():
    # OAuth2 client_credentials grant: the grant type is sent as a form-encoded body
    # (data=, not params=), matching the Content-Type header.
    header = {'Content-Type': "application/x-www-form-urlencoded"}
    data = {'grant_type': 'client_credentials'}
    request = requests.post('https://<your_Workspace_ONE_Access_tenant_URL>/SAAS/auth/oauthtoken',
                            headers=header, data=data, auth=(user, shared_secret))
    token = request.json()['access_token']
    return token

def manual_sync():
    token = get_access_token()
    header = {}
    header['Authorization'] = "HZN %s" % token
    header['Content-Type'] = "application/vnd.vmware.horizon.manager.connector.management.directory.sync.profile.photosync.sync+json"
    header['Accept'] = "application/vnd.vmware.horizon.manager.connector.management.directory.sync.profile.photosync.sync+json"
    body = {'ignoreSafeguards': True}
    body = json.dumps(body)
    url = "https://<your_Workspace_ONE_Access_tenant_URL>/SAAS/jersey/manager/api/connectormanagement/directoryconfigs/<directory_Config_Id>/syncprofile/photosyncprofile/sync"
    response = requests.request('POST', url, headers=header, data=body)
    print(response)
    print(response.text)

manual_sync()
2. Log into your AWS Console and navigate to Lambda.
3. Click on Create Function.
4. Choose Author from scratch, give your function an applicable name and choose Python 3.7 as Runtime. Click again on Create function to proceed.
5. In the next screen, choose Edit code inline; you can write your code the same way you would in your preferred IDE. Please note that your main function has to be modified in order to work properly in Lambda.
(Note: You need to add "event" and "context" as parameters of your function. The function does not have to be called; it has to be specified in the Handler field.)
# The Lambda Python runtime does not bundle the requests library; ship it in the
# deployment package or a layer. Imports, credentials and get_access_token() are
# the same as in the script above.
def manual_sync(event, context):
    token = get_access_token()
    header = {}
    header['Authorization'] = "HZN %s" % token
    header['Content-Type'] = "application/vnd.vmware.horizon.manager.connector.management.directory.sync.profile.photosync.sync+json"
    header['Accept'] = "application/vnd.vmware.horizon.manager.connector.management.directory.sync.profile.photosync.sync+json"
    header['cache-control'] = "no-cache"
    body = {'ignoreSafeguards': True}
    body = json.dumps(body)
    url = "https://<your_Workspace_ONE_Access_tenant_URL>/SAAS/jersey/manager/api/connectormanagement/directoryconfigs/<directory_Config_Id>/syncprofile/photosyncprofile/sync"
    response = requests.request('POST', url, headers=header, data=body)
    print(response)
    print(response.text)
6. Click on Add trigger and choose CloudWatch Events/EventBridge.
7. From the list with rules, opt for Create a new rule.
8. Give your rule an applicable name, description and add a cron expression to set the time when you want your function to be executed.
(Note: Cron expressions are by default in UTC. This cannot be changed. The example is for a rule that is triggered every day at 10:00am UTC, i.e. cron(0 10 * * ? *).)
9. Click on Add.
10. Test your function and save it.
Enjoy your up-to-date information every day.
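A Lambda-ready variant of the Step 3/Step 4 sync call, added here as an example and not the author's script: credentials come from the function's environment instead of the source file, the standard library replaces requests (which the Lambda Python runtime does not ship), the token request sends a form body, and any non-200 answer raises so the invocation is recorded as failed. The environment variable names and the injectable post() transport are my own additions; the tenant and directory values in the comments are placeholders.

```python
import base64
import json
import os
import urllib.error
import urllib.request

SYNC_TYPE = ("application/vnd.vmware.horizon.manager.connector.management"
             ".directory.sync.profile.photosync.sync+json")

def http_post(url, headers, body):
    """Default transport: POST raw bytes, return (status, response text)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def get_access_token(tenant, client_id, secret, post=http_post):
    """OAuth2 client_credentials grant; the grant type goes in a form-encoded body."""
    basic = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    status, text = post(f"https://{tenant}/SAAS/auth/oauthtoken",
                        {"Authorization": f"Basic {basic}",
                         "Content-Type": "application/x-www-form-urlencoded"},
                        b"grant_type=client_credentials")
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status}")
    return json.loads(text)["access_token"]

def trigger_photo_sync(tenant, directory_id, token, post=http_post):
    """Start the PeopleSearch photo sync now; returns 200 or raises."""
    url = (f"https://{tenant}/SAAS/jersey/manager/api/connectormanagement/"
           f"directoryconfigs/{directory_id}/syncprofile/photosyncprofile/sync")
    headers = {"Authorization": f"HZN {token}",
               "Content-Type": SYNC_TYPE, "Accept": SYNC_TYPE}
    status, text = post(url, headers, json.dumps({"ignoreSafeguards": True}).encode())
    if status != 200:
        # Raising marks the invocation as failed, so a CloudWatch alarm on the
        # Lambda Errors metric catches a broken sync; the token is never logged.
        raise RuntimeError(f"photo sync failed: HTTP {status}: {text[:200]}")
    return status

def lambda_handler(event, context, post=http_post, env=os.environ):
    """Lambda entry point. WS1_* names are my own; set them on the function."""
    tenant, directory_id = env["WS1_TENANT"], env["WS1_DIRECTORY_ID"]
    token = get_access_token(tenant, env["WS1_CLIENT_ID"], env["WS1_CLIENT_SECRET"], post)
    return {"status": trigger_photo_sync(tenant, directory_id, token, post)}
```

Set the handler field to the module name followed by .lambda_handler and keep the same daily EventBridge rule; a failed run then shows up in the function's Errors metric rather than only in its log output.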