Deep Dive: Two-Way Identity Synchronization with WebADM and Cloud IAM Providers
In our previous blog, Next-Gen IAM Management for Mixed Cloud Enterprise AD – The RCDevs Approach, we introduced the concept of two-way directory synchronization as a core capability of WebADM’s unified IAM platform. In this follow-up post, we take a closer look at how WebADM enables bi-directional sync between on-premises directories like Active Directory and cloud-based identity providers such as Microsoft Entra ID, Okta, Google Workspace, Duo, and others.
This deep dive explains how WebADM transforms identity and MFA management across hybrid environments—allowing organizations to maintain consistency, improve security, and streamline operations across multiple directory systems.
Native Integration with Leading Identity Providers
WebADM offers native integration with a wide range of cloud-based and on-premise identity platforms, including:
- Microsoft Entra ID (Azure Active Directory)
- Microsoft Active Directory (AD)
- Duo Security
- Google Workspace
- Okta
- Ping Identity
- OneLogin
Whether your organization uses a single provider or operates in a federated, multi-cloud environment, WebADM ensures simple synchronization and control.
Two-Way Identity Synchronization
Unlike many IAM solutions that offer only one-way user imports, WebADM supports full two-way directory sync. This capability enables updates made within WebADM (such as user metadata, MFA assignments, or group memberships) to be written back to upstream identity providers, when supported.
Key Features:
- Real-time or scheduled sync to ensure up-to-date identity data
- LDAP(S) and native API support (Google Directory API, MS Graph API, Okta API, etc.)
- Attribute mapping and transformation for schema compatibility
- Delta sync support to optimize performance
- Unified directory view via directory link abstraction
User and Group Synchronization
WebADM allows for syncing users and groups across directories in both directions:
- Import users and groups from cloud IAMs into WebADM’s LDAP directory (RCDevs Directory or OpenLDAP)
- Mirror changes made in WebADM back to the original cloud directory, where permitted
- Maintain consistent identity states across platforms
- Enable backup and recovery of cloud IAM users via local LDAP snapshots
This bidirectional sync ensures business continuity in the event of a cloud service failure and simplifies user lifecycle management.
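To make the "Key Features" list and the two-way user sync above concrete, here is a small, self-contained sync engine written for this post (not WebADM's own engine or API): it applies an attribute map between an LDAP-style local schema and a cloud-style schema, processes only entries changed since the last run (delta sync), resolves two-sided conflicts with a configured authoritative side, and mirrors changes back only where the target permits write-back. All attribute names, directory names and class names are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Assumed attribute names: local LDAP schema on the left, cloud schema on the right.
ATTR_MAP = {"mail": "primaryEmail", "givenName": "firstName", "sn": "lastName"}
REVERSE_MAP = {v: k for k, v in ATTR_MAP.items()}

@dataclass
class Directory:
    name: str
    writable: bool                               # provider permits write-back
    users: dict = field(default_factory=dict)    # uid -> {attribute: value}
    changes: dict = field(default_factory=dict)  # uid -> change counter (delta source)

    def update(self, uid, attrs):
        """An administrator edit made in this directory; bumps the change counter."""
        self.users.setdefault(uid, {}).update(attrs)
        self.changes[uid] = self.changes.get(uid, 0) + 1

def map_attrs(attrs, mapping):
    """Translate attributes between schemas; unmapped attributes are left alone."""
    return {mapping[k]: v for k, v in attrs.items() if k in mapping}

@dataclass
class SyncEngine:
    local: Directory
    cloud: Directory
    authoritative: str   # "local" or "cloud": wins when both sides changed an entry
    cursors: dict = field(default_factory=lambda: {"local": {}, "cloud": {}})
    skipped: list = field(default_factory=list)   # (uid, target) where write-back is not permitted

    def _delta(self, side):
        """Only entries changed since the last run (delta sync, not a full re-import)."""
        d = self.local if side == "local" else self.cloud
        return {u for u, n in d.changes.items() if n > self.cursors[side].get(u, 0)}

    def run(self):
        dl, dc = self._delta("local"), self._delta("cloud")
        for uid in dl | dc:
            src = self.authoritative if uid in dl and uid in dc else ("local" if uid in dl else "cloud")
            source, target, mapping = ((self.local, self.cloud, ATTR_MAP) if src == "local"
                                       else (self.cloud, self.local, REVERSE_MAP))
            if not target.writable:
                self.skipped.append((uid, target.name))   # reported, not written: mirror only "where permitted"
                continue
            # Write mapped attributes directly (not via update) so the mirrored write is not re-synced.
            target.users.setdefault(uid, {}).update(map_attrs(source.users[uid], mapping))
        for side, d in (("local", self.local), ("cloud", self.cloud)):
            self.cursors[side] = dict(d.changes)   # advance delta cursors
        return len(dl | dc)
```

Create two `Directory` objects, call `update()` on either side to simulate administrator edits, and call `run()` repeatedly; the return value is the number of entries the delta pass touched, and `skipped` lists write-backs refused by a read-only provider.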
Cross-directory Identity Federation
WebADM supports identity federation across multiple directory sources, allowing administrators to copy or provision users from one source to another—for example, migrating a user from Microsoft AD to Google Workspace or vice versa.
With this cross-provisioning capability, you can:
- Propagate accounts across directories
- Preserve group memberships and MFA configurations
- Migrate users easily between platforms
MFA Token Portability
One of the most powerful aspects of WebADM’s architecture is that MFA tokens are decoupled from the underlying identity source. This makes token portability across directories straightforward.
Benefits:
- Tokens such as TOTP, Push, U2F, or WebAuthn remain tied to the user object in WebADM, regardless of the source directory.
- During migrations (e.g., from Active Directory to Entra ID), the same token continues to function without requiring user re-enrollment.
- Reduced friction for end-users during IAM system transitions.
Real-World Use Cases
Consider an organization migrating users from on-premise Active Directory to Microsoft Entra ID:
- A user is enrolled with a WebADM-issued TOTP token while still in AD.
- The user is migrated to Entra ID.
- WebADM updates its internal records to reflect the new directory source.
- The user continues to authenticate using the same token without any action needed on their part.
This eliminates downtime, avoids user frustration, and helps maintain a consistent and secure authentication experience.
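The migration steps above, as an added example that is not part of the original post or WebADM's code: the token seed lives on the (hypothetical) `WebadmUser` object, verification is standard RFC 6238 TOTP (HMAC-SHA1, 30-second step), and `migrate()` changes only the directory link, so a code that verified before the move still verifies after it. Names, the user record layout and the directory labels are assumptions.

```python
import hashlib, hmac, struct
from dataclasses import dataclass

@dataclass
class WebadmUser:
    uid: str
    source: str           # directory the identity currently lives in (assumed label)
    totp_secret: bytes    # token seed held on the WebADM-side user object, not in the directory

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, the algorithm behind standard TOTP tokens."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def verify(user, code, unix_time, window=1):
    """Accept the current step and +/- `window` steps; nothing here consults the directory."""
    return any(hmac.compare_digest(totp(user.totp_secret, unix_time + k * 30), code)
               for k in range(-window, window + 1))

def migrate(user, new_source):
    """The migration step: only the directory link on the user object changes; the token stays."""
    user.source = new_source
    return user

if __name__ == "__main__":
    # Constructed sample: RFC 6238 test seed, time 59 s (expected 6-digit code 287082).
    alice = WebadmUser("alice", "Active Directory", b"12345678901234567890")
    code = totp(alice.totp_secret, 59)
    migrate(alice, "Microsoft Entra ID")
    print(alice.source, code, verify(alice, code, 59))
```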
Authentication During Identity Provider Consolidation
An organization is consolidating multiple identity providers (IdPs) into a single, centralized Microsoft Entra ID tenant:
- A user originally authenticates via a legacy SAML-based IdP integrated with WebADM.
- The organization transitions to Microsoft Entra ID as the sole identity provider.
- WebADM is reconfigured to point to Entra ID for user authentication and directory queries.
- The user’s WebADM-issued U2F/FIDO2 hardware token remains linked to their identity.
- After the switch, the user continues authenticating with their token, with no re-enrollment or user action required.
This approach ensures a frictionless transition, preserves strong authentication, and avoids helpdesk overload during large-scale identity transformations.
Maintaining Mobile MFA Access During Healthcare Workforce Migration
A large healthcare provider transitions clinical and administrative staff from a legacy LDAP directory to Microsoft Entra ID:
- Staff previously authenticated to critical systems using WebADM’s mobile push-based MFA app (such as OpenOTP Token).
- During the transition, user identities are migrated to Entra ID, and WebADM updates its user directory connection accordingly.
- Because the mobile token is securely tied to the user’s identity, no re-enrollment is needed.
- Staff continue logging into electronic health record (EHR) systems and other sensitive platforms using the same mobile push token, without interruption.
This ensures continuity of care, avoids authentication downtime during busy hospital hours, and upholds compliance with healthcare security standards like HIPAA.
Advanced Sync Engine Capabilities
WebADM’s synchronization engine includes:
- Custom sync providers, enabling integration with SQL databases or bespoke cloud services
- Delta sync support to avoid full data re-imports
- Event-driven triggers (e.g., user creation, deletion, or group assignment)
- Unified policy enforcement across logically grouped directories
With WebADM’s two-way directory synchronization, organizations gain full control over identity and authentication across cloud and on-prem environments, without compromising usability or security. This feature not only simplifies complex IAM operations but also empowers IT teams to manage users, groups, and MFA with unmatched flexibility, resilience, and confidence in any infrastructure scenario.