EntraID connector - Standard Service Before Provisioning Rule not working

Hi All,

I have used the Services Standard IdentityNow BeforeProvisioning Rule in an EntraID connector type source to reset a random password for users whose LCS is changed to terminated. For this I’ve used the JSON snippet below.

This EntraID connector type is not executing this provisioning rule. I have a similar setup with the AzureAD connector, where it’s working as expected in the Dev environment. Now I tried to replicate it in the Test environment with this EntraID connector type, and it’s not working as expected.

Am I missing anything, or does this EntraID connector type not support this function? Can anyone guide us further?


{
    "op": "add",
    "path": "/connectorAttributes/cloudServicesIDNSetup",
    "value": {
        "eventConfigurations": [
            {
                "eventActions": [
                    {
                        "Action": "ScramblePassword",
                        "Attribute": "password",
                        "Value": null
                    }
                ],
                "Identity Attribute Triggers": [
                    {
                        "Attribute": "cloudLifecycleState",
                        "Value": "terminated",
                        "Operation": "eq"
                    }
                ],
                "Operation": "Disable"
            }
        ]
    }
}

Regards,
Vasanth

@vasanthrajsp29 Did you add the EntraID source in the provisioning tab for LCS change? If not, please add it there and try this.

HTP.

Hi @Shantha, thanks for the response.
Yes, I’ve added it in the Identity Profile under the provisioning tab to disable the EntraID source when LCS changes to terminated.

Can you remove the Identity trigger from the event config and check the behavior?

Hi @Shantha,

Yes, tried. No luck.

Hi @vasanthrajsp29,

Assuming you are still exploring solutions, maybe it would be easier to troubleshoot if you share the /connectorAttributes path of the affected source.

1 Like

Your configuration aligns to what is documented as far as I can tell. Do you happen to have “password” attribute added to your update account profile/update provisioning policy? Give that a try if you see fit.

1 Like

Hi @TheOneAMSheriff ,

Thanks for checking. I’ve added the password attribute in the Create account profile, but no luck. I’ve raised a support case to investigate this issue.

Regards,
Vasanth

1 Like

Why not write a transform in the UPDATE profile for the password attribute so that when the LCS = terminated, the attribute is updated. Something like this:

{
  "name": "Update Account",
  "description": null,
  "usageType": "UPDATE",
  "fields": [
    {
      "name": "ScramblePassword",
      "transform": {
        "type": "static",
        "attributes": {
          "value": "#if($LCS == 'Terminated')$newPassword#{else}#end",
          "newPassword": {
            "type": "randomNumeric",
            "attributes": {
              "length": 32
            }
          },
          "LCS": {
            "type": "reference",
            "attributes": {
              "id": "LCS"
            },
            "ignoreErrors": false
          }
        }
      },
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    }
  ]
}

No need for a rule then

3 Likes

Hi @phil_awlings,

Thanks, it’s a good option to eliminate the rule. I have one query: will this transform incorporate the password policy?

Regards,
Vasanth

Hi,
You can set the password to whatever your policy requirements are by amending the transform accordingly. The above was just an example.

1 Like

Hi @phil_awlings,

Thanks for the workaround. I raised a vendor case to troubleshoot why the provisioning rule is not working for the Entra ID SaaS connector.

Regards,
Vasanth

Hi @phil_awlings,

This workaround is not working in the SaaS connector, even though it’s working in the on-prem Azure AD connector.

Has anyone tried a disable or modify provisioning policy transform in a SaaS connector?

-Vasanth

I don’t think that Before Provisioning Rules can be used with SaaS connectors. You would need a VA based connector.

SaaS connectors in general support connectivity customizers (There have been some reports that some delivered SaaS connectors do not seem to fire the customizers like custom SaaS connectors based on log files)

Connectivity Customizers | SailPoint Developer Community

Hi @agutschow,

In that case I used a workaround by writing a transform in the disable provisioning policy; even that is not taking effect in the SaaS connector.

I have a doubt in this case: the before provisioning rule not taking effect is fine, but the disable provisioning policy is not working either, which is quite strange behaviour at the connector level.

-Vasanth