Problem
Provisioning from SailPoint ISC to Active Directory using the OOTB Active Directory connector was partially failing, with only a few attributes getting populated.
Diagnosis
During troubleshooting, we used an elimination technique on the attributes that the Create Account configuration sends in the account creation request. We found that the accountExpires attribute was the culprit: we were passing it in MM/dd/yyyy format, the way it came from the Authz source.
Solution
We used the following approach.
- Created a new identity attribute in the Identity Profile named “AD AccountExpire”.
- Created the transform below and mapped it to the newly created identity attribute “AD AccountExpire”. The transform details are:
{
  "name": "DateFormat - AccountExpires",
  "type": "dateFormat",
  "attributes": {
    "input": {
      "attributes": {
        "input": {
          "type": "dateFormat",
          "attributes": {
            "input": {
              "type": "accountAttribute",
              "attributes": {
                "sourceName": "TestSource1",
                "attributeName": "end_date"
              }
            },
            "inputFormat": "MM/dd/yyyy",
            "outputFormat": "MM/dd/yyyy"
          }
        },
        "inputFormat": "MM/dd/yyyy",
        "outputFormat": "ISO8601"
      },
      "type": "dateFormat"
    },
    "inputFormat": "yyyy-MM-dd'T'HH:mm",
    "outputFormat": "EPOCH_TIME_WIN32"
  },
  "internal": false
}
- The above transform converts the incoming date from the Authz source into EPOCH_TIME_WIN32 format, which is the format the accountExpires attribute in AD accepts.
- Go to Admin → Connections → Source
- Open AD source.
- Go to Create Account section
- Change the mapping of the accountExpires attribute to the new identity attribute named “AD AccountExpire” and save the configuration.
- Go to the attribute sync page and enable attribute sync for the accountExpires attribute.
- Validate all the configurations
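
To support the validation step, the value that should land in accountExpires can be reproduced offline and compared with what AD stores. The following Python is an added example, not SailPoint's code or part of the original article; it assumes the end date is interpreted as midnight UTC, and the function names and sample date are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: 1601-01-01 00:00:00 UTC, counted in 100-nanosecond ticks.
WIN32_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
# AD treats both of these accountExpires values as "never expires".
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)


def to_account_expires(date_text, input_format="%m/%d/%Y"):
    """MM/dd/yyyy string -> integer tick count for accountExpires.

    Assumption: the date means midnight UTC; a tenant may apply another zone.
    """
    parsed = datetime.strptime(date_text.strip(), input_format)
    delta = parsed.replace(tzinfo=timezone.utc) - WIN32_EPOCH
    if delta < timedelta(0):
        raise ValueError("date precedes the 1601-01-01 FILETIME epoch")
    return (delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND


def from_account_expires(raw):
    """Tick count read back from AD -> aware datetime, or None for never-expires.

    Raises ValueError for a non-integer such as the raw "12/31/2025" string,
    the kind of value the article found being sent before the fix.
    """
    ticks = int(raw)
    if ticks in NEVER_EXPIRES:
        return None
    return WIN32_EPOCH + timedelta(microseconds=ticks // 10)


def expiry_drift(source_date, ad_value):
    """Difference between the AD value and the source end date (None if never expires)."""
    actual = from_account_expires(ad_value)
    if actual is None:
        return None
    expected = from_account_expires(to_account_expires(source_date))
    return actual - expected


if __name__ == "__main__":
    sample = "12/31/2025"  # constructed sample end_date
    ticks = to_account_expires(sample)
    print(sample, "->", ticks, "->", from_account_expires(ticks).isoformat())
```

A non-zero drift of a whole number of hours usually points at a time zone difference rather than a broken transform.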