Goal

Run a full sync via the User Sync connector that only updates users who already exist (i.e. were synced previously) in the User Sync directory. New or changed users on the IdP should not be created by the full sync operation.

Manual Single User Update or logging in via SAML SSO (using the User Sync connector for provisioning) should not be impacted and should still work.

Implementation

In this tutorial, we are using the Azure AD connector and its data, but the implementation should be similar with other types of connectors as well.

  1. In the connector settings, under the Provisioning Settings tab, scroll down to the Attribute Mapping section, and click on Edit beside the Username attribute.
  2. Change the template to Custom, and choose Groovy Code for the Source Type.
  3. Use the following Groovy code:

    In this example, we are using the default username attribute mapping for Azure AD (i.e. userPrincipalName). If you have a different mapping for the username attribute in Azure AD, or are using a different IdP, make sure to change userPrincipalName in the following code to the corresponding attribute mapping.

    // saml holds the SAML attributes of the current login; it is empty (or absent)
    // when the script runs from a full sync or a Single User Update.
    if (saml == null || saml.isEmpty()) {
        // Non-SAML context: only map users that already exist in the User Sync directory.
        if (existing == null || existing.isEmpty()) {
            return DROP_ALL    // unknown user during full sync: do not create it
        } else {
            return con.userPrincipalName
        }
    } else {
        // SAML login: always map the username so new users are provisioned on login.
        return con.userPrincipalName
    }
  4. Click on Apply.
  5. Finally, save the connector settings by clicking on the Save and Return button.
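
The following stand-alone Groovy script is an added example and not part of the original article or the User Sync product: it reproduces the decision logic of the mapping above as a closure and evaluates it against three constructed contexts (full sync with a known user, full sync with a new IdP user, SAML login with a new IdP user), so you can see which paths are allowed before applying the mapping in the connector. The bindings `saml`, `existing`, `con` and the sentinel `DROP_ALL` are assumed to be what the connector exposes to the script; here they are simulated locally with constructed sample data.

```groovy
// Placeholder standing in for the connector's real DROP_ALL sentinel (assumption).
def DROP_ALL = 'DROP_ALL'

// Same decision logic as the mapping script, written as a closure over its inputs.
def mapUsername = { Map saml, Map existing, Map con ->
    if (saml == null || saml.isEmpty()) {             // no SAML attributes: full sync or Single User Update
        if (existing == null || existing.isEmpty()) {
            return DROP_ALL                           // user unknown to the directory: skip it
        }
        return con.userPrincipalName
    }
    return con.userPrincipalName                      // SAML login: provision regardless of existence
}

// Constructed sample data standing in for an Azure AD user and a User Sync directory entry.
def idpUser   = [userPrincipalName: 'alice@example.com']
def knownUser = [username: 'alice@example.com']

def scenarios = [
    'Full sync, user already in directory': mapUsername([:], knownUser, idpUser),
    'Full sync, user new on the IdP'      : mapUsername([:], [:], idpUser),
    'SAML login, user new on the IdP'     : mapUsername([NameID: 'alice@example.com'], null, idpUser),
]
scenarios.each { name, result -> println "${name.padRight(40)} -> ${result}" }

// Expected outcomes: the full sync creates nothing, while existing users and SAML logins keep working.
assert scenarios['Full sync, user already in directory'] == 'alice@example.com'
assert scenarios['Full sync, user new on the IdP']       == DROP_ALL
assert scenarios['SAML login, user new on the IdP']      == 'alice@example.com'
```

Run it with `groovy` on any machine; the asserts fail loudly if the decision table does not match the behaviour described in the goal, which makes the script a quick regression check when you later adjust the mapping for a different username attribute.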

After completing the above steps, when you run a full sync, only the users that already exist in the User Sync directory will be synced/updated. You can still execute a Single User Update via the connector, and if you are using our SAML SSO with User Sync as the provisioning method, new users can still log in and get synced via the connector when they log on via SAML.