I’ve configured a condition for account correlation in the Azure AD connector. During account aggregation, we enabled the corresponding checkbox (Only create links if they can be correlated to an existing identity). But the system is still aggregating accounts that do not meet this condition and seem completely irrelevant.
If any of the rule-based or attribute-based correlation fails, then IdentityIQ will attempt the default correlation, which typically matches the application account’s display name to the identity’s name.
The checkbox “Only create links if they can be correlated to an existing identity” makes sure not to create a new account if the correlation fails.
We are not using a correlation rule, instead, we have configured account correlation in the UI by mapping the basic Identity attribute with the account attribute. However, during aggregation, accounts that do not meet this correlation condition are still being aggregated.
Hi @Ranjith25, I think the default correlation is taking place. If the correlation is not happening with the UI mapping, then IdentityIQ will attempt the default correlation: as I mentioned in the earlier post, it checks the account display name against the identity name.
If they are the same, then correlation happens; otherwise it won’t create an identity, based on the option you checked in the aggregation.
Can you confirm the account display name and identity name are the same for the account that did not match the UI mapping condition?
Thanks for the clarification. I have checked, and for the accounts that did not match the UI mapping condition, the account display name and identity name are the same. Since this is the default/basic correlation we’ve configured, I’m a bit unsure why the correlation didn’t happen as expected.
Could you please help me understand what might be causing this issue and how to fix it?
@Akhila_2001
Thanks for highlighting how the correlation works internally and the order of the components involved. Small doubt: for the default correlation, I believe it uses the account’s native identity instead of the display name.
If those accounts are already correlated and present in IIQ, it’s expected. For your use case, you have to run the aggregation with the options below in order to re-correlate those accounts.
- Only create links if they can be correlated to an existing identity
- Detect deleted accounts
- Disable optimization of unchanged accounts

In this configuration (“Only create links if they can be correlated to an existing identity”), account aggregation will still run, but it will only create or update links for existing identities; it will not create new identity cubes.
Please check your correlation rule and the default correlation logic (which is based on the name).