How to uncorrelate an auth source account (so a new identity is created)

Earlier in the year I documented some operating procedures for my client related to correlation use cases; these captured how to use the UI and APIs to manually correlate, uncorrelate, etc.

One use case was how to uncorrelate an authoritative account, so that it becomes the basis for its own (new) identity. For example, we’ve seen a new authoritative source account correlate to an existing identity which already has its own authoritative source account. The new account actually represents a new identity, but because of matching correlation data it gets automatically correlated to the existing identity.

I had to experiment a bit but found that making the following PATCH request to /v3/accounts/:id did in fact achieve this:

[
  {
    "op": "replace",
    "path": "/identityId",
    "value": null
  },
  {
    "op": "replace",
    "path": "/manuallyCorrelated",
    "value": "true"
  }
]

This worked when I documented it. Recently, we needed to use it, and it looks like the API has been updated to no longer allow a “null” identityId. How can we now achieve this result without changing data in the authoritative source?

Thank you!

1 Like

Hi @AlexFKing,

Made some tests and it seems that the API does not support a null value or even changing the op to remove.

Maybe a workaround is to create an identity that doesn’t belong to any real user and correlate all these accounts to that identity?

Hi @AlexFKing,

Is your use case simply to remove the account linking?
If yes, why not use the snippet below to do so?

[
  {
    "op": "remove",
    "path": "/identityId"
  }
]

If there is some specific part of the use case I am not understanding, then let me know.

Thanks

Hi @ashutosh08

When my original method failed, I reviewed the API specifications and saw they had an example like you mentioned. However, as @fmunerato mentions above, that fails for me with the following error:

Correlation of account [accountId] with Non Human Identity is not supported

So at the very least, there is an issue with that vendor-documented API call, unless I am missing something.

Thank you both for your responses!

Hi @AlexFKing

Is this a manual workaround you are following for some incidents like this, or do you have a lot of users like this who need to be created as new identities?

Thanks
Krish

@MVKR7T – It is a manual workaround we need, this occurs very rarely as we have a lot of consideration around our correlation logic. For example, we have a process that flags new identities which are “possible duplicates” for the operational team to review and decide whether or not to merge to an existing identity. Just in the case that that doesn’t work, and a new account is automatically and erroneously merged, we need a way to tell the system that that new account should form the basis of a new identity.

Looks like the docs need to be updated here: update-account | SailPoint Developer Community

I have created a ticket to update the API specs to reflect the current functionality.

2 Likes

Hi @christina_gagnon , excuse me, what would be the correct way to uncorrelate an account through the API? Currently, I am using the following request:

{
    "op": "remove",
    "path": "/identityId"
}

But it is returning the following error:

Correlation of account [accountId] with Non Human Identity is not supported.

1 Like

@JJalvarado, yes I will be removing that schema example from the API specs.

Since it appears that this API’s functionality has recently changed, I am checking with the engineering team to verify the correct way to uncorrelate an account.

1 Like

@christina_gagnon, thank you for your support with this. I appreciate it!

I am checking in to see if there are any updates regarding the correct way to uncorrelate an account, given the recent changes to the API’s functionality.

@christina_gagnon & @JJalvarado Thank you for following up about this! Looking forward to the eventual solution.

Hi @AlexFKing

I tried again today with the same request, and it worked without any issues. I’m not sure what changed, but the request is now successfully uncorrelating the account.

I hope this information helps if you face a similar issue.

I have been communicating with engineering about this functionality.

There was an issue that temporarily broke the de-correlation process using PATCH v3/accounts/:id with this request body:

[
  {
    "op": "remove",
    "path": "/identityId"
  }
]

That issue has been resolved, and this is the correct process to de-correlate an account moving forward.

I confirmed that this request body no longer works:

[
    {
        "op": "replace",
        "path": "/identityId",
        "value": null
    },
    {
        "op": "replace",
        "path": "/manuallyCorrelated",
        "value": true
    }
]
6 Likes
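
The de-correlation request confirmed in the reply above, wrapped in a small Python helper; this is an added example, not code from the thread or from SailPoint. The tenant URL, account ID, token, the `application/json-patch+json` content type and the function names are assumptions.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Request body the thread confirms as the correct way to de-correlate an account.
UNCORRELATE_PATCH = [{"op": "remove", "path": "/identityId"}]


def build_uncorrelate_request(base_url, account_id, token):
    """Build the PATCH /v3/accounts/:id request without sending it."""
    # Percent-encode the ID so it cannot alter the request path.
    safe_id = urllib.parse.quote(account_id, safe="")
    return urllib.request.Request(
        url=f"{base_url.rstrip('/')}/v3/accounts/{safe_id}",
        data=json.dumps(UNCORRELATE_PATCH).encode("utf-8"),
        method="PATCH",
        headers={
            "Authorization": f"Bearer {token}",
            # Assumption: JSON Patch media type (RFC 6902) for the body.
            "Content-Type": "application/json-patch+json",
        },
    )


def uncorrelate_account(base_url, account_id, token,
                        opener=urllib.request.urlopen):
    """Send the request; return (ok, detail). `opener` is injectable for tests."""
    req = build_uncorrelate_request(base_url, account_id, token)
    try:
        with opener(req) as resp:
            return 200 <= resp.status < 300, f"HTTP {resp.status}"
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", errors="replace")
        # Error text reported in the thread while the API was temporarily broken.
        if "Non Human Identity is not supported" in body:
            return False, "rejected: same error as reported in the thread"
        return False, f"HTTP {err.code}: {body[:200]}"


if __name__ == "__main__":
    # Placeholder values only: the request is built and printed, not sent.
    req = build_uncorrelate_request(
        "https://tenant.example.invalid", "ACCOUNT_ID", "TOKEN")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

Because the change alters which identity owns an authoritative account, record the account ID and the returned detail in the operations log each time the helper is used.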

Awesome, I tested this and can confirm it’s working as expected now! Thank you so much for so quickly fixing this.

2 Likes
