Error on Active Directory Attribute Sync, doubled value on the request

Caio_Nakayama · August 14, 2025, 10:36pm

Hey guys.

I am currently working on a before modify rule for Active Directory.
I have Department mapped on Attribute Sync:

When I update the Department for the identity, I get this error:

<AccountRequest application="Active Directory [source]" op="Modify" nativeIdentity="<dn>">
  <AttributeRequest op="Add" name="department">
    <Value>
      <List>
        <String>Nucleo Digital</String>
        <String>Farma</String>
      </List>
    </Value>
  </AttributeRequest>
  <AttributeRequest op="Add" name="AC_NewParent" value="<ou>" />
  <AttributeRequest op="Add" name="AC_NewName" value="<cn>" />

Where “Nucleo Digital“ is the original value, and “Farma“ the new one.

This is the Update Provisioning Policy:

{
    "name": "Update Account",
    "description": null,
    "usageType": "UPDATE",
    "fields": [
        {
            "name": "manager",
            "transform": {
                "type": "rule",
                "attributes": {
                    "name": "Get Manager LDAP DN"
                }
            },
            "attributes": {
                "cloudRequired": "true"
            },
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "AC_NewParent",
            "transform": {
                "type": "identityAttribute",
                "attributes": {
                    "name": "ou"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "AC_NewName",
            "transform": {
                "type": "identityAttribute",
                "attributes": {
                    "name": "cn"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        }
    ]
}

Have you guys ever seen an error like this?
Thanks in advance!

j_place · August 15, 2025, 7:54am

Ho @Caio_Nakayama Could you share the account schema for Department?

phil_awlings · August 15, 2025, 8:07am

Just as a heads up, EVERY time there is ANY change on the account, it will try to run the OU move. You might want to put a check in there so its only tries to move when there is a difference between where it is and where it should be

Caio_Nakayama · August 15, 2025, 12:02pm

Hey, Jeremy. We are using the default schema:

        {
            "name": "department",
            "transform": {
                "type": "identityAttribute",
                "attributes": {
                    "name": "department"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        }

Caio_Nakayama · August 15, 2025, 12:15pm

Hey, Phil.

Do you know if there is a way of doing this only using transforms and the provisioning policy? We can’t develop a cloud rule for that now

phil_awlings · August 15, 2025, 1:05pm

Hi,
Check out this thread that has my code in:
Substring Transform within Workflow - Identity Security Cloud (ISC) / ISC Discussion and Questions - SailPoint Developer Community

j_place · August 15, 2025, 1:08pm

Hi @Caio_Nakayama What is the actual error message and/or what is the outcome in AD? Also, have you had any failed attribute syncs which it may be attempting to retry?

WhiteBat · August 15, 2025, 3:27pm

Hello @Caio_Nakayama,

I’m not sure there’s an error in your initial post. What you shared is the Provisioning Plan

I believe the fact that the data is multivalued is because it’s multivalued on the identity level (thus it is so on the authoritative source(s) level). If that’s the case, you might need to recheck how you’re aggregating your data and your data quality.

I’m also aligned with @phil_awlings’s perspective about the new parent and new name, the solution he shared is interesting. But if you can deploy a Service Standard Before Provisioning Rule that will be better as it can be reused for any other source.

Good luck ,

j_place · August 15, 2025, 4:27pm

Hi @WhiteBat Sidebar: not sure you can have multi valued attributes on the identity?

Caio_Nakayama · August 15, 2025, 5:05pm

This is the result:

<ServiceResult>
<Errors>
<List>
<String>Failed to update attributes for identity <dn>. The specified directory service attribute or value already exists.
</String>
</List>
</Errors>
<Attributes>
<Map>
<entry key="requestProcessedOn" value="8/15/2025 4:34:00 PM" />
<entry key="returnRequest">
<value>
<AccountRequest application="Active Directory [source]" op="Modify" nativeIdentity="<dn>">
<AttributeRequest op="Add" name="department">
<Value>
<List>
<String>Nucleo Digital</String>
<String>Farma</String>
</List>
</Value>
<ProvisioningResult status="failed">
<Errors>
<Message type="Error" key="Failed to update attribute department Error - The specified directory service attribute or value already exists.&#xD;&#xA;" />
</Errors>
</ProvisioningResult>
</AttributeRequest>
<AttributeRequest op="Add" name="AC_NewParent" value="<ou>">
<ProvisioningResult status="committed" />
</AttributeRequest>
<AttributeRequest op="Add" name="AC_NewName" value="<cn>">
<ProvisioningResult status="committed" />
</AttributeRequest>
</AccountRequest>
</value>
</entry>
<entry key="atleastOneAttrReqFulfilled">
<value>
<Boolean>true</Boolean>
</value>
</entry>
<entry key="distinguishedName" value="<dn>" />
<entry key="createdOnServer" value="" />
</Map>
</Attributes>
</ServiceResult>

The problem is, the department is not a multi-valued attribute:

I’m using this api to update the account on the auth source:

  {
    "op": "replace",
    "path": "/attributes/Departamento",
    "value": ""
  }

I don’t why it is trying to sync it as multi value.

WhiteBat · August 15, 2025, 5:32pm

Sounds odd right ?
I had some cases where the attribute has comma separated values on the identity level (type String not List) and when pushed to the target application, it was parsed as a List.

Had a big issue for a client that was pushing a Json object inside a String but SailPoint kept parsing it as an Object so instead of :

{“data”: “{1:2, 3:4}”}
it was :
{“data” : { 1:2 , 3:4} }

WhiteBat · August 15, 2025, 5:35pm

Seems clearer now @Caio_Nakayama ,

Can you now go to the search and write this query : sources:"Active Directory" and find the result of type Account Activity corresponding to that request then click on the source on the left side of the result: Active Directory and share with us the result (it should be the provisioning plan sent to your AD)

j_place · August 15, 2025, 5:47pm

Hi @Caio_Nakayama Try removing the update policy to isolate the issue. Get it to a point where it is just doing attribute sync

Caio_Nakayama · August 15, 2025, 6:13pm

I removed everything from the update policy and this is the result from the query that @WhiteBat passed:

Caio_Nakayama · August 15, 2025, 7:16pm

Is this supposed to happen?
I deleted the update policy and unmarked the attributes from attribute sync, but it still tries to update as multi valued:

Topic		Replies	Views
Provision Multi Valued attribute in OpenLDAP from Identity Attribute ISC Discussion and Questions identity-security-cloud	9	199	May 24, 2025
Multivalued Attribute Sync ISC Community Knowledge Base identity-security-cloud	4	3128	October 31, 2024
Multivalued attribute sync ISC Discussion and Questions identity-security-cloud	2	902	July 19, 2023
During attribute sync i am getting error and sync isnt happening of the attribute ISC Discussion and Questions identity-security-cloud	7	273	December 1, 2024
Update Provisioning Policy behavior ISC Discussion and Questions identity-security-cloud , provisioning , connectors	4	148	December 26, 2025

Error on Active Directory Attribute Sync, doubled value on the request

Related topics