Identity gets splitted into 2 identities

Which IIQ version are you inquiring about?

8.4p1

Hello Everyone,

I have this weird scenario that is happening, and I don’t know if this is expected or not.

I have the authoritative source is SuccessFactors, So when the HR creates a new employee SAP Creates a dummy account using the Person ID External.

In the Application configuration i have the following:
Identity Attribute: PersonID
Display Attribute: Username

In the first sync both are numbers for example:
PersonID: 1021
Username: 00007124

So after Sailpoint create the AD account and exchange and everything, Sailpoint have to go back and update the username from the authoritative source and be same as the AD which could be Ahmed.waleed for example but the personid is the same.

When i run the sync again, this SF Account gets uncorrelated and creates a new identity with this account again and the Active Directory Account becomes in a seperate identity. Even if I ran the AD sync it says as “CorrelateManual”.

Should it be like this, My understanding that the identity Attribute is the attribute is where it checks if the account is deleted or not, not the display attribute.

What happens is that, I need to go manually and assign the created AD account to the new identity.

Hi @AhmedWaleed ,

Here is the process it is following if I understood your use case properly.

When you run the SF account aggregation, the account will be aggregated and the identity created with 00007124 (if you check the name attribute of the identity from debug, you will see name=“00007124,” which is important for correlation).

After an AD account has been created, you are updating the username in the SF application. And I believe you are not updating the identity attribute name. I think you are updating only the username attribute in the SF account, which is authoritative. That is the reason the correlation is not working out here. So for that, you have to update the native identity (name) of the identity ( the value will be changed. name=“Ahmed.waleed”). So, in the next AD account aggregation correlation works with the updated name value (it is important which attribute you are using for correlation in the AD application). Make sure you are using a username only for correlation.

So once correlation works and is correlated, then it won’t create an account separately. The identity attribute will work as the picking up of unique value, and the display attribute will work for creating with the name.

If you need more information related to the display attribute, the identity attribute and how correlation works, I have prepared a nice document, you can go through it. You will get more clarity.

1 Like

Hello @bhanuprakashkuruva,

So i just need to do identity.setDisplayName to the new value?

I think setNativeIdentity​(java.lang.String s) of ProvisioningPlan or setName(java.lang.String name) of Identity. But I did not test it. Maybe, you can give a try once.

2 Likes