We are using NERM and I am testing out creating multiple users with the same name. This should evaluate to separate identity cubes in ISC as we only correlate on the unique id (correlation attribute). But it is instead correlating on name natively and all (3) accounts are correlated to a single identity…
Is this error persistent when changing the Account Name to id?
If you do a reset on the accounts for the NERM connector, does that help to be able to set the account name, then do another non-optimized aggregation…
You need to appreciate that Correlation from an Authoritative Source has different implications than correlation from a Target Source. An Auth Source has an Identity Profile associated with it to create Identities for un-correlated accounts.
Those Identities (and associated IdentityNow Accounts) take the Name attribute from the Attribute Value marked as Name in the Auth Source and that becomes the default Correlation Rule. This means that the Name Attribute in the Source has a greater requirement for Uniqueness than Target Sources.
If you modify the Name attribute in the Source that will then not match the existing Identity Profile correlation, hence why you can’t just update it.
If this is a Sandbox environment, I recommend creating a new Source Connector having taken this into consideration.
The NERM connector is automatically generated via NERM when enabling sync to ISC. I can’t really therefore recreate the connector, as it will just end up with the same schema again, I’m assuming.
Hi @Swegmann I’m pretty sure you can create a new one, it will pick the default settings from the template. You should then be able to update the account schema before creating the Identity Profile.
If it does (I haven’t experienced that, but NERM does move forward pretty quick; maybe something to do with being marked as an Auth Source) then you should be able to either update the schema before processing the identity profile or delete the identity profile. Potentially, you might just be able to update the schema whenever (I think your connector might have got into a corrupted state) I’m just trying to get you to a clean state, coz your use case should be supported.
It seems the connector had been corrupted by there being 2 Account Attributes with the same name. This caused the internal error to trigger whenever changes were made to the schema.
Together with SailPoint support, and checking logs in the background, we found that specific error and were able to enable a feature flag on the connector that lets you have duplicate account attributes in the schema. This then enabled me to remove the redundant attribute as well as change the account name attribute to my “Correlation Attribute”, and now the Identities are correlating correctly.
It would’ve probably worked to remove the source and identity profile and re-create everything as well, but we’d rather not have to re-do all the mappings etc. The feature flag was the easiest and fastest solution.
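A pre-aggregation check for the two problems discussed in this thread (two account attributes with the same name in the schema, and non-unique Account Name values on an authoritative source), as an added example that is not part of any post and is not SailPoint or NERM code. The schema and account records are constructed sample data, and the keys `displayAttribute`, `identityAttribute` and `attributes` are assumed field names for an exported account schema.

```python
from collections import Counter, defaultdict

# Constructed sample data. Key names are assumptions about an exported schema.
SCHEMA = {
    "identityAttribute": "id",    # attribute marked as Account ID
    "displayAttribute": "name",   # attribute marked as Account Name
    "attributes": [{"name": "id"}, {"name": "name"},
                   {"name": "email"}, {"name": "email"}],  # "email" defined twice
}
ACCOUNTS = [
    {"id": "a1", "name": "Jane Doe", "email": "jane1@example.com"},
    {"id": "a2", "name": "Jane Doe", "email": "jane2@example.com"},
    {"id": "a3", "name": "Jane Doe", "email": "jane3@example.com"},
    {"id": "a4", "name": "John Roe", "email": "john@example.com"},
]

def duplicate_attributes(schema):
    """Attribute names that appear more than once in the account schema."""
    counts = Counter(attr["name"] for attr in schema["attributes"])
    return sorted(name for name, n in counts.items() if n > 1)

def name_collisions(schema, accounts):
    """Account IDs grouped by Account Name value, keeping only shared values.

    On an authoritative source the Account Name becomes the identity name,
    so every group returned here would land on a single identity.
    """
    name_key, id_key = schema["displayAttribute"], schema["identityAttribute"]
    groups = defaultdict(list)
    for account in accounts:
        groups[account[name_key]].append(account[id_key])
    return {name: ids for name, ids in groups.items() if len(ids) > 1}

def audit(schema, accounts):
    """Run both checks and return the findings as one report."""
    return {
        "duplicate_attributes": duplicate_attributes(schema),
        "name_collisions": name_collisions(schema, accounts),
    }

if __name__ == "__main__":
    print("Account Name = name:", audit(SCHEMA, ACCOUNTS))
    # Same accounts with the unique id marked as Account Name instead.
    fixed = dict(SCHEMA, displayAttribute="id")
    print("Account Name = id:  ", audit(fixed, ACCOUNTS))
```
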