How to Prevent Provisioning Form on Entitlement Access Request

I’m working to set up IIQ 8.5p1 and I’m having an issue. I have an Active Directory app config set up and connecting. I have many entitlements in AD that are requestable in IIQ. However, when I submit a request for any one of the entitlements for my users, I’m getting a message about a provisioning form and it looks like it’s looking for additional information on the AD account.

I’m using the default provisioning policy and haven’t made any changes to it. The policy has the dn, samaccountname and password as required and all of those values are set in the user’s Active Directory account. I verified that these items are not marked ‘review required’. Connectivity to AD is working fine. The user has an account in the domain. The user has several other entitlements in the domain. But when I request an entitlement, it pops up that provisioning form. I don’t have any other rules or workflow or coding in place - this is all out-of-the-box configuration.

What do I need to do to disable that? Is there some configuration I’m missing? Or is there something I can do to automatically provide the information that IIQ is looking for? It’s a very simple entitlement request so I don’t understand why it’s looking for more information.

Any help would be appreciated. Thanks!

Hi @karen_delucia - in the form what fields are blank?

Hi @karen_delucia
First, check account correlation. If the account is not properly correlated to the identity, IIQ treats the request as an account creation instead of a modify operation. In that case, it will always trigger the provisioning form to collect required attributes.

Next, check the provisioning policy. Even out-of-the-box, AD policies have multiple attributes marked as Review Required, which forces the provisioning form to appear even if the values already exist on the account.

Best approach: Create separate provisioning policies for Create and Modify

Create a new Modify policy and leave it completely empty - no fields at all. An empty Modify policy tells IIQ there is nothing to collect during entitlement requests on existing accounts, so the provisioning form will be completely suppressed.

Hi @karen_delucia ,

Make sure all the mandatory attributes required to create an account in AD, such as dn, cn, givenName, etc., are populated.

When an AD entitlement is requested for the user, if the user does not have an account on AD, first IIQ will create an account using the provisioning policy and then assign the entitlements to the created account.

So if the fields marked as required or mandatory are not populated, then the provisioning form will be displayed to get the user data to create the account on AD.

Thank you! This fixed it!
