What Is Reconciliation in Identity Governance?

Understanding Reconciliation

Reconciliation is a two-way comparison process between OpenIAM and connected systems such as Active Directory, Entra ID, or business applications.

Its purpose is to verify that identity and access data are consistent in both systems — confirming that what exists in OpenIAM accurately matches what exists in each target system.

When discrepancies are found, OpenIAM applies policy-driven actions that determine how to correct or handle the mismatch:

  • Update OpenIAM from the target system (accept external changes).
  • Update the target system from OpenIAM (enforce central policy).
  • Reject or flag the difference for manual review.
  • Ignore specific changes when they’re acceptable exceptions.
  • Report discrepancies for later analysis or audit.

Reconciliation ensures both systems are accurate and compliant, automatically aligning data based on governance rules.

Reconciliation vs. Synchronization

While the two processes are related, they serve distinct purposes in identity governance.

Feature | Reconciliation | Synchronization
Direction | Two-way (OpenIAM ↔ target system) | One-way (e.g., AD → OpenIAM)
Purpose | Validate and correct discrepancies between systems. | Pull or update data from an external source into OpenIAM.
Speed | Comprehensive but slower (full comparison). | Faster (single-direction updates).
Action Options | Update OpenIAM, update target, reject, ignore, or report. | Update OpenIAM only.
Use Cases | Continuous validation, compliance, and audit assurance. | Daily imports, attribute refresh, bulk data loads.
Orphan Detection | Detects and remediates orphaned accounts with policy logic. | Detects orphans during imports but does not correct them automatically.

In short: Synchronization keeps OpenIAM up-to-date, while Reconciliation keeps OpenIAM and external systems in agreement.

Both can detect orphaned accounts — but reconciliation decides what to do about them.

Why Reconciliation Matters

Even in automated environments, data drift happens.

Accounts may be created directly in target systems, attributes may change out of band, or access removals may be missed during employee exits.

These inconsistencies lead to:

  • Orphaned accounts – accounts left behind after terminations.
  • Unauthorized entitlements – access added manually, outside policy.
  • Inconsistent data – mismatched records between OpenIAM and external systems.
  • Audit failures – inability to prove compliance or data integrity.

Reconciliation identifies and corrects these discrepancies, ensuring your identity governance system always reflects reality.

How Reconciliation Works

1. Connect to Target Systems

OpenIAM retrieves identity and entitlement data from connected systems (e.g., AD, Entra ID, databases, SaaS apps).

2. Compare Data

OpenIAM compares user and access attributes between its internal identity store and each target system.

3. Identify Discrepancies

Differences such as missing accounts, mismatched attributes, or unauthorized entitlements are flagged.

4. Apply Policy-Based Actions

Based on configuration, OpenIAM updates the target system, updates its own records, rejects the change, or creates an audit report.

5. Log and Report

Every detected and resolved difference is logged for compliance evidence and audit tracking.

Reconciliation transforms data validation into continuous governance assurance.

Types of Reconciliation

Type | Description | Common Use
Full Reconciliation | Compares all records in both systems. | Periodic audits, policy validation.
Incremental Reconciliation | Processes only data changed since the last run. | Frequent operational updates.
Event-Driven Reconciliation | Runs automatically after lifecycle events (e.g., termination). | Real-time enforcement.
Scheduled Reconciliation | Occurs at defined intervals (daily, weekly). | Routine governance assurance.
Ad Hoc / Manual Reconciliation | Triggered on demand by admins or auditors. | Spot checks and investigations.

One practical caveat: an incremental run that keys on a last-modified timestamp cannot see accounts that were deleted from the target, because a deleted record has no timestamp left to read. Pair incremental runs with periodic full reconciliation unless the connector can read the target's own deletion log.

Reconciliation in the Identity Lifecycle

Reconciliation closes the loop in the Joiner–Mover–Leaver (JML) lifecycle by validating that each change actually occurred as intended.

Lifecycle Stage | Reconciliation Purpose
Joiner | Confirm new accounts were provisioned correctly in all target systems.
Mover | Verify role or department changes were reflected everywhere.
Leaver | Identify lingering or orphaned accounts that should have been removed.

It acts as the governance safety net that ensures lifecycle automation stays accurate over time.

Continuous Governance and Risk Mitigation

Reconciliation supports ongoing compliance and risk reduction by enabling OpenIAM to:

  • Detect orphaned or unauthorized accounts across systems.
  • Auto-remediate issues based on policy or workflow.
  • Alert and report exceptions for certification or audit follow-up.
  • Integrate with SoD and access certification to strengthen overall governance.

Continuous reconciliation keeps your environment clean, compliant, and audit-ready.

Using Reconciliation to Enforce Policy Compliance

Reconciliation can also serve as an active enforcement mechanism for governance policies.

Organizations often designate OpenIAM as the authoritative source for identity data and use reconciliation to ensure that no direct or unauthorized changes occur in downstream systems.

For example, if an administrator makes a manual change in Active Directory or Entra ID — such as adding a user to a restricted group — OpenIAM’s reconciliation process can detect that deviation and apply policy logic to respond appropriately:

  • Revert the change in the target system to match OpenIAM.
  • Reject and flag the change for investigation.
  • Allow but report it for later audit review.

By enforcing “no direct changes” policies, reconciliation ensures that all updates flow through controlled identity management workflows — maintaining governance discipline and data integrity across the enterprise.

OpenIAM’s Approach to Reconciliation

Capability | Description
Two-Way Policy Control | Rules define whether OpenIAM updates itself, the target system, or flags discrepancies for review.
Automated Orphan Detection | Identifies and remediates accounts without active source identities.
Synchronization Integration | Works in tandem with OpenIAM's faster one-way synchronization for routine data updates.
Connector Framework | Interfaces with AD, Entra ID, cloud apps, and databases.
ITSM Integration | Creates ServiceNow or Freshservice tickets when manual action is required.
Reconciliation Dashboards | Provide visibility into exceptions, policy violations, and resolution progress.
Audit Trail | Records every discrepancy and outcome for governance evidence.

With OpenIAM, reconciliation is not a periodic cleanup — it’s a continuous, policy-driven compliance mechanism built into identity operations.

Example: Detecting and Resolving Orphan Accounts

A terminated employee’s HR record is removed, but their AD and Salesforce accounts remain active.

During reconciliation:

  1. OpenIAM detects both accounts exist without an active identity.
  2. Policy rules mark them as orphans.
  3. OpenIAM automatically disables those accounts and updates logs.
  4. If automation isn’t possible, a ServiceNow ticket is generated.
  5. The resolution is captured for audit and future certification.

Reconciliation not only detects orphaned accounts — it ensures they’re resolved consistently and documented.
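The Python below is an added example that makes three of the passages above concrete in one place: the five-step process under "How Reconciliation Works" (connect, compare, identify, apply policy, log), the "no direct changes" enforcement against a restricted group, and the orphan scenario just described with its ITSM fallback. It is illustrative code written for this page, not OpenIAM's implementation or API. The Identity and Account records, the Action enum, the reconcile() function, the DEFAULT_POLICY, RESTRICTED_GROUPS and IGNORED_ATTRS tables, and the AD snapshot it runs against are all constructed for the example.

```python
"""Toy reconciliation engine (illustrative only, not OpenIAM code).
Compares a central identity store with a snapshot of one target system,
classifies each discrepancy, applies a policy action and logs an audit entry.
All record types, names and sample data are constructed for this example."""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    UPDATE_TARGET = "update target from identity store"
    UPDATE_STORE = "update identity store from target"
    REJECT = "reject and flag for manual review"
    IGNORE = "ignore as an accepted exception"
    REPORT = "report only"

@dataclass
class Identity:          # record in the central identity store
    login: str
    status: str          # "ACTIVE" or "TERMINATED"
    attrs: dict
    entitlements: set    # groups the identity should hold on the target

@dataclass
class Account:           # account as read from the target system
    login: str
    attrs: dict
    groups: set

# Policy: default action per discrepancy kind, plus two exception lists.
DEFAULT_POLICY = {
    "orphan": Action.UPDATE_TARGET,             # disable the account
    "missing_account": Action.UPDATE_TARGET,    # provision it
    "missing_entitlement": Action.UPDATE_TARGET,
    "attribute_mismatch": Action.UPDATE_STORE,  # accept edits made on the target
    "unauthorized_entitlement": Action.REJECT,  # flag for investigation
}
RESTRICTED_GROUPS = {"Domain Admins"}  # direct membership changes are always reverted
IGNORED_ATTRS = {"lastLogon"}          # target-owned attribute, never a discrepancy


def reconcile(identities, accounts, policy=DEFAULT_POLICY, target="AD", can_disable=True):
    """Return (actions, audit): connector/store operations to execute, and one
    audit entry per discrepancy recording the decision taken."""
    ids = {i.login: i for i in identities}
    accts = {a.login: a for a in accounts}
    actions, audit = [], []

    def decide(kind, login, detail):
        act = policy[kind]
        if kind == "unauthorized_entitlement" and detail in RESTRICTED_GROUPS:
            act = Action.UPDATE_TARGET       # revert, regardless of the default
        audit.append({"target": target, "login": login, "kind": kind,
                      "detail": detail, "action": act.name})
        return act

    for login, acct in accts.items():
        ident = ids.get(login)
        # Orphan: account exists but no ACTIVE identity owns it (e.g. a leaver).
        if ident is None or ident.status != "ACTIVE":
            if decide("orphan", login, "no active identity") is Action.UPDATE_TARGET:
                # Hand off to an ITSM ticket when the connector cannot disable.
                actions.append(("disable" if can_disable else "ticket", target, login))
            continue
        # Attribute drift, skipping attributes the target legitimately owns.
        for key, val in acct.attrs.items():
            if key in IGNORED_ATTRS or ident.attrs.get(key) == val:
                continue
            act = decide("attribute_mismatch", login,
                         f"{key}: store={ident.attrs.get(key)!r} target={val!r}")
            if act is Action.UPDATE_STORE:
                actions.append(("update_store", login, key, val))
            elif act is Action.UPDATE_TARGET:
                actions.append(("set_attr", target, login, key, ident.attrs.get(key)))
        # Groups held on the target that the store never granted.
        for group in sorted(acct.groups - ident.entitlements):
            if decide("unauthorized_entitlement", login, group) is Action.UPDATE_TARGET:
                actions.append(("remove_group", target, login, group))
        # Groups the store granted that the target lacks (failed provisioning).
        for group in sorted(ident.entitlements - acct.groups):
            if decide("missing_entitlement", login, group) is Action.UPDATE_TARGET:
                actions.append(("add_group", target, login, group))

    # Active identities with no account on the target at all (failed joiner).
    for login, ident in ids.items():
        if ident.status == "ACTIVE" and login not in accts:
            if decide("missing_account", login, "no account on target") is Action.UPDATE_TARGET:
                actions.append(("provision", target, login))
    return actions, audit


# Constructed sample data: three identities against one AD snapshot.
IDENTITIES = [
    Identity("jdoe", "ACTIVE", {"department": "Finance", "phone": "555-0100"}, {"Finance-Users"}),
    Identity("asmith", "TERMINATED", {"department": "Sales", "phone": "555-0101"}, set()),
    Identity("bnew", "ACTIVE", {"department": "IT", "phone": "555-0102"}, {"IT-Users"}),
]
AD_ACCOUNTS = [
    Account("jdoe", {"department": "Finance", "phone": "555-0199", "lastLogon": "2025-01-01"},
            {"Finance-Users", "Domain Admins"}),  # out-of-band phone edit; restricted group added directly
    Account("asmith", {"department": "Sales", "phone": "555-0101"}, {"Sales-Users"}),  # leaver still enabled
    Account("svc-backup", {"department": "IT"}, {"Backup-Operators"}),  # no identity in the store
]

if __name__ == "__main__":
    for entry in reconcile(IDENTITIES, AD_ACCOUNTS)[1]:
        print(entry)
```

Running it against the sample snapshot yields five audit entries and five actions: jdoe's phone edit is accepted into the store (UPDATE_STORE), his direct addition to Domain Admins is reverted because the group is restricted, the accounts of asmith (terminated) and svc-backup (no identity at all) are disabled as orphans, and bnew is provisioned. Calling reconcile with can_disable=False swaps the two disable actions for ticket actions, which is the ITSM hand-off described above. The design point worth copying is that the engine only decides and records; it never touches either side itself, so every correction still flows through the connector and the store under the policy table, and the audit list is complete even for decisions that produced no action.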

Benefits of Automated Reconciliation

  • Data Consistency – Keep OpenIAM and connected systems aligned.
  • Security Assurance – Detect and eliminate unauthorized or manual changes.
  • Policy Enforcement – Prevent direct modifications in target systems.
  • Compliance Confidence – Maintain full audit evidence.
  • Operational Efficiency – Automate detection and correction.
  • Continuous Monitoring – Move beyond scheduled audits.
  • Lifecycle Accuracy – Validate provisioning, deprovisioning, and policy enforcement.


Related Concepts

  • Joiner–Mover–Leaver Lifecycle
  • Access Certification
  • Segregation of Duties (SoD)
  • Birthright Access
  • Identity Governance (IGA)
  • Workforce Identity Governance

Copyright © 2025 OpenIAM. All rights reserved.