Correlation Queries for Active Directory

Hi, we encounter issues with correlation and would like to seek advice on this matter.

We use the sAMAccountName as the correlation attribute for Active Directory. For new users, we will be using an Attribute Generator cloud rule to generate the sAMAccountName; however, for existing users, the authoritative source is passing us the sAMAccountName and we are expecting IDN to correlate the previously uncorrelated account in AD with this existing user.

We are using role-based provisioning and in our role configuration, one of the conditions is lifecycle state != offboarding.

The following is our observation when we aggregate from the authoritative source for existing users.

  1. Active/normal user → creates a new sAMAccountName via the rule and provisions a new account
  2. User to be deprovisioned (disabled) → no account provisioned due to the role config (lcs != offboarding)

After aggregating from Active Directory (not the authoritative source),

  1. #1 above: no change
  2. #2 above: correlates to the sAMAccountName passed by the authoritative source but does not disable it

If it is a to-be-offboarded user (e.g. status inactive), it will not disable it, although the expected output is disabling the user and entering the actions for the disable operation. - not expected

If it is a normal user (e.g. status active), it will just provision a new AD account with a new sAMAccountName. - not expected

We would like to seek input on how we should correlate the identity to the uncorrelated AD account in these scenarios. Thank you.

Hi Jo,
I am not sure if we are understanding your issue correctly, but I guess you are facing an issue disabling the AD account while the user is getting offboarded?

Can you please add your AD source in the Identity Profile → Provisioning → Inactive state → Disable the source, then try to set your lifecycle state to Inactive and see if it gets disabled.

Also, when IDN does the aggregation it is an optimized one, which means that the Correlation Logic is not evaluated. If you want to evaluate the Correlation Logic every time the AD aggregation runs, then try to use a Workflow: schedule it and hit the API for un-optimized aggregation. But please be mindful that running an unoptimized aggregation every time is not recommended, as it will put a lot of load on the system.

Hi Rakesh,

Thank you for the input. It is more like I am trying to disable an uncorrelated AD account and I am expecting newly aggregated identity from authoritative source to correlate to this uncorrelated account via the attribute sAMAccountName.

However, the issue here is, when I aggregate this user, it will be in an offboarding lifecycle state. Then, when I aggregate the AD (with optimization disabled), it will correlate the identity but no longer enter the disable operation again. So the result will be: identity correlated, lifecycle state offboarding, but the AD account is not disabled. (In the usual case it will get disabled, as it is configured in the LCS as mentioned.)

Hi Jo,
So the way IdentityNow works is that the user should already have the AD account under his accounts, and when the Lifecycle state changes from Active to Inactive, IdentityNow will trigger a disable which eventually disables the AD account.

Your case is totally different, wherein you are aggregating the account in IdentityNow when the user's life cycle state has already transitioned to the Inactive state. This won't trigger a Disable operation.
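The gap described in this thread (an account that correlates only after its identity has already moved to an inactive lifecycle state, so no disable is ever triggered) is something a post-aggregation audit can catch. The following is an added example, not code from the thread or from SailPoint: it mimics sAMAccountName correlation over constructed identity and AD account records, then reports correlated accounts that are still enabled although their identity is inactive, so the missed disable can be remediated. The `Identity`/`AdAccount` shapes and the `INACTIVE_STATES` set are assumptions for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added example (not from the thread or from SailPoint); data shapes are assumed.
@dataclass(frozen=True)
class Identity:
    name: str
    sam_account_name: str   # sAMAccountName passed by the authoritative source
    lifecycle_state: str    # e.g. "active", "offboarding"

@dataclass(frozen=True)
class AdAccount:
    sam_account_name: str
    enabled: bool
    correlated_identity: Optional[str] = None  # None means uncorrelated

# Lifecycle states in which an AD account should be disabled (assumed names).
INACTIVE_STATES = {"inactive", "offboarding"}

def correlate(identities: List[Identity], accounts: List[AdAccount]) -> List[AdAccount]:
    """Mimic correlation on sAMAccountName: link each uncorrelated AD account to the
    identity whose authoritative sAMAccountName matches (case-insensitive, like AD)."""
    by_sam = {i.sam_account_name.lower(): i for i in identities}
    out = []
    for acct in accounts:
        if acct.correlated_identity is None:
            ident = by_sam.get(acct.sam_account_name.lower())
            if ident is not None:
                acct = AdAccount(acct.sam_account_name, acct.enabled, ident.name)
        out.append(acct)
    return out

def find_missed_disables(identities: List[Identity], accounts: List[AdAccount]) -> List[str]:
    """Return sAMAccountNames of accounts that are enabled in AD although the identity
    they correlate to is inactive: the thread's case, where the lifecycle state changed
    before correlation happened, so no disable operation was triggered."""
    state = {i.name: i.lifecycle_state for i in identities}
    return sorted(a.sam_account_name for a in accounts
                  if a.correlated_identity in state
                  and a.enabled
                  and state[a.correlated_identity] in INACTIVE_STATES)

# Constructed sample: jdoe is being offboarded, asmith is active; all AD accounts start uncorrelated.
IDENTITIES = [Identity("Jo Doe", "jdoe", "offboarding"), Identity("A Smith", "asmith", "active")]
AD_ACCOUNTS = [AdAccount("JDOE", True), AdAccount("asmith", True), AdAccount("svc-backup", True)]

if __name__ == "__main__":
    for sam in find_missed_disables(IDENTITIES, correlate(IDENTITIES, AD_ACCOUNTS)):
        print(f"disable needed: {sam}")  # prints: disable needed: JDOE
```

Running the audit right after each AD aggregation (or feeding real account and identity exports into it) surfaces exactly the accounts that correlated too late to receive the lifecycle-driven disable.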
