How to Identify the Tenant or Environment in SailPoint Transforms

Several discussions on the SailPoint Developer Community have raised questions about how to identify the environment (tenant) within a transform:

I needed to conditionally set the Active Directory DN for production and development, but IdentityNow does not provide a built-in way to obtain environment-specific information directly.

The Solution

I was able to solve this by leveraging an attribute from an authoritative source (in my case, SuccessFactors) to distinguish between environments. Here's an example transform that checks if the environment is "Development":

{
    "id": "0db1d640-eb8f-455d-b026-e1caa4e85e20",
    "name": "isDevEnvironment",
    "type": "static",
    "attributes": {
        "value": "#if($identity.getLinksByAppIdOrName(null, \"SuccessFactors [source]\")[0].getApplication().getStringAttributeValue(\"companyId\") == \"<My Dev Proxy Value>\")true#{else}false#end"
    },
    "internal": false
}

Explanation

  1. Source Selection:

    • The transform retrieves links to the SuccessFactors [source] application.
    • The first link's application object is accessed.
  2. Attribute Extraction:

    • The transform checks the companyId attribute value from the source's JSON.
    • If the value matches the expected development environment identifier (<My Dev Proxy Value>), the transform returns true; otherwise, it returns false.

Important Considerations

  • Guaranteed Link Presence:

    • This approach works because SuccessFactors is the authoritative source for the identity profile using this transform, ensuring at least one link always exists.
  • Flexible Attributes:

    • Any value within the connectorAttributes object from the source's JSON can be used instead of companyId.
    • You can even modify the source and add a unique identifier attribute for each environment if needed, e.g. "<companyName>_ISC_Environment": "Dev".

Hope this helps others

2 Likes

Thanks for the info @marcchasse, I too have the same case, but instead of this we have gone with another approach. Anyway, thanks for the input, it helps me as well as others.

Just curious, but what scenarios do you have that you need to know whether you are running PROD or DEV environments?

In Active Directory, when we create or move accounts we need to set the distinguished name. That name looks like this:
CN=mySAM,OU=Clients,OU=Company Users,DC=companyName,DC=com

For our dev and production AD tenants the "paths" are different, so knowing the environment helps with picking the correct value to use.

In this scenario I could have alternatively added a custom property to the AD source and had the transform pull from that.
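
Added example (not part of the thread and not the poster's own code): one way the isDevEnvironment transform from the first post could drive the DN choice described above, using SailPoint's reference and static transform types. The transform name adDistinguishedName, the uid identity attribute and the `<dev OU path>` placeholder are assumptions; the production path is the DN quoted above.

```json
{
    "name": "adDistinguishedName",
    "type": "static",
    "attributes": {
        "isDev": {
            "type": "reference",
            "attributes": {
                "id": "isDevEnvironment"
            }
        },
        "sam": {
            "type": "identityAttribute",
            "attributes": {
                "name": "uid"
            }
        },
        "value": "#if($isDev == \"true\")CN=${sam},<dev OU path>#{else}CN=${sam},OU=Clients,OU=Company Users,DC=companyName,DC=com#end"
    },
    "internal": false
}
```

Any result other than "true" from isDevEnvironment falls through to the production path, which mirrors the true/false behaviour of the original transform.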

Ok. So using the same transform for both environments rather than two different transforms. I understand the logic.
However, in my opinion, you are adding 'dead' logic to both environments, needlessly complicating your code.

1 Like

This is awesome! Thanks for sharing this, @marcchasse :smile:

1 Like

I agree it's adding dead code to both environments and increases complexity, but not needlessly. :slightly_smiling_face:

It's a trade-off, and I'm prioritizing easier deployments. By using the same transform across both environments, we eliminate the need to think about it again when pushing to production.

Since the transform logic is unlikely to change, the added complexity isn't much of a concern compared to the effort required to remember that dev and prod have different versions and to ensure the dev transform is never moved to production.

3 Likes