Hi all,
We have a cloud rule where we need to check if an Identity has an account on a specific source.
For that, we are trying to use IdnRuleUtil.accountExistsByNativeIdentity like this:
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.commons.lang.StringUtils;
import sailpoint.object.Identity;

// Find identities whose searchable attribute equals 'value' and keep those that
// have an account on 'appName'. 'idn', 'log', 'ruleName' and 'appName' are bound
// by the rule context.
List fetchReport(String attribute, String value, String logPrefix) {
    List resultList = new ArrayList();
    if (StringUtils.isNotEmpty(value)) {
        List identities = idn.findIdentitiesBySearchableIdentityAttribute(attribute, "Equals", value, attribute);
        // a null check is enough here; 'instanceof' is always false for null anyway
        if (identities != null && !identities.isEmpty()) {
            log.debug(ruleName + ": Found " + identities.size() + " " + logPrefix);
            for (Identity reportee : identities) {
                Map reporteeMap = new HashMap();
                // userId is an identity attribute, used here as the nativeIdentity to look up
                String userId = (String) reportee.getAttributes().get("userId");
                if (idn.accountExistsByNativeIdentity(appName, userId)) {
                    reporteeMap.put("displayName", userId);
                    resultList.add(reporteeMap);
                }
            }
        }
    } else {
        log.debug(ruleName + ": " + logPrefix + " is missing or empty.");
    }
    return resultList;
}
appName = [SOURCE_NAME] [source].
The userId does match the nativeIdentity of the account. Somewhere in the forum here I got the information that the appName needs to be a combination of Source_Name + [source].
I also tried the application name without the “[source]” at the end; same result, it is not finding the account.
Does anyone have experience with using this method?
The above function works as expected if the respective Identity attribute is marked as Searchable attribute.
Kindly check whether that's the case; if it is not, then mark the attribute as searchable.
If it's searchable, can you check whether the identity attribute's technical name is correct?
Also, can you please provide the example of the appName value which you have provided in your code? It should be in the format of “appName [source]”. If your original application name (without it ever getting changed) is “Active Directory”, then you should have appName = “Active Directory [source]”. If the name of the source has changed many times, then find the initial source name through the ISC Search functionality.
I have observed that most of the time appName is the issue for the mentioned API accountExistsByNativeIdentity.
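An added diagnostic, not code from this thread or from SailPoint, that probes the name forms described in the reply above (current name, creation-time name, each with and without the “ [source]” suffix) for every link of one identity and logs which form accountExistsByNativeIdentity accepts. It assumes the same rule bindings as the code in the question (idn, log, ruleName); ORIGINAL_SOURCE_NAME is a placeholder for the creation-time source name and must be filled in. Raw types are used so it runs as Beanshell inside a cloud rule.

```java
import java.util.ArrayList;
import java.util.List;
import org.apache.commons.lang.StringUtils;
import sailpoint.object.Identity;
import sailpoint.object.Link;

// Placeholder: the name the source had when it was created (find it via ISC Search).
String ORIGINAL_SOURCE_NAME = "ORIGINAL_SOURCE_NAME";

// Add 'base' and its " [source]"-suffixed form to the candidate list (no duplicates).
void addForms(List candidates, String base) {
    if (StringUtils.isBlank(base)) return;
    String suffixed = base.endsWith(" [source]") ? base : base + " [source]";
    if (!candidates.contains(base)) candidates.add(base);
    if (!candidates.contains(suffixed)) candidates.add(suffixed);
}

// Name forms to try: the name shown on the link today and the creation-time name.
List candidateAppNames(String currentName) {
    List candidates = new ArrayList();
    addForms(candidates, currentName);
    addForms(candidates, ORIGINAL_SOURCE_NAME);
    return candidates;
}

// Probe one link with the link's own nativeIdentity; return the first application
// name form for which the account is found, or null. Every probe is logged so the
// failing form is visible in the rule log.
String probeLink(Link link) {
    String nativeId = link.getNativeIdentity();
    for (Object o : candidateAppNames(link.getApplicationName())) {
        String candidate = (String) o;
        boolean found = idn.accountExistsByNativeIdentity(candidate, nativeId);
        log.debug(ruleName + ": appName=\"" + candidate + "\" nativeIdentity=\""
            + nativeId + "\" -> " + found);
        if (found) return candidate;
    }
    return null;
}

// Run the probe over all links of one identity and log the usable name per source.
void diagnoseIdentity(Identity identity) {
    if (identity == null || identity.getLinks() == null) return;
    for (Link link : identity.getLinks()) {
        String working = probeLink(link);
        log.debug(ruleName + ": link " + link.getApplicationName() + " -> "
            + (working == null ? "no name form matched" : "use \"" + working + "\""));
    }
}
```

Call diagnoseIdentity on one of the identities returned by findIdentitiesBySearchableIdentityAttribute and read the debug log to see which appName form the util actually resolves.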
You’re super close—the issue is usually what you pass as nativeIdentity and how you identify the source. A few gotchas and a drop-in fix:
Why accountExistsByNativeIdentity is returning false
nativeIdentity must be the account’s link nativeIdentity for that specific source, not an identity attribute like userId or username. For AD, for example, it’s often DN or objectGUID—not sAMAccountName. (IdnRuleUtil)
The applicationName must be the exact Source name (the same string shown as the source name in ISC). Don’t invent or trim the "[source]" suffix; use the canonical name. If in doubt, read it from the user’s Link (see code below).
The account must already exist in the catalog (aggregated) and be correlated. Otherwise it won’t be found.
Minimal code change (reliably fetch the correct nativeIdentity)
Instead of using userId, pull the native identity from the user’s Link for that source, then call the util:
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.commons.lang.StringUtils;
import sailpoint.object.Identity;
import sailpoint.object.Link;

// Same lookup as before, but the nativeIdentity and the exact source name are read
// from the identity's Link for 'appName' instead of from an identity attribute.
List fetchReport(String attribute, String value, String logPrefix) {
    List resultList = new ArrayList();
    if (StringUtils.isNotEmpty(value)) {
        List identities = idn.findIdentitiesBySearchableIdentityAttribute(attribute, "Equals", value, attribute);
        if (identities != null && !identities.isEmpty()) {
            log.debug(ruleName + ": Found " + identities.size() + " " + logPrefix);
            for (Identity reportee : identities) {
                // Find the Link for the intended source and get its nativeIdentity
                String nativeId = null;
                String canonicalAppName = null;
                for (Link link : reportee.getLinks()) {
                    if (link != null && link.getApplicationName() != null
                            && link.getApplicationName().equals(appName)) {
                        canonicalAppName = link.getApplicationName(); // exact source name
                        nativeId = link.getNativeIdentity();          // correct nativeIdentity
                        break;
                    }
                }
                if (StringUtils.isNotBlank(canonicalAppName) && StringUtils.isNotBlank(nativeId)) {
                    if (idn.accountExistsByNativeIdentity(canonicalAppName, nativeId)) {
                        Map reporteeMap = new HashMap();
                        reporteeMap.put("displayName", nativeId);
                        resultList.add(reporteeMap);
                    }
                } else {
                    log.debug(ruleName + ": No matching link/nativeIdentity on source " + appName
                        + " for identity " + reportee.getName());
                }
            }
        }
    } else {
        log.debug(ruleName + ": " + logPrefix + " is missing or empty.");
    }
    return resultList;
}
Quick checklist
Verify the exact source name you’re passing (grab it from link.getApplicationName() to be safe).
Ensure the account exists & is aggregated on that source.
Don’t pass identity attributes like userId as nativeIdentity—use the Link’s getNativeIdentity(). (how-to-use-idnruleutil)
Okay, thanks Rohit. Is there an official explanation from SailPoint why the name change is not populated across the system? That is very strange and unstable behavior.
I know, but that is the issue, because I have faced it in the past. Some of my customers have changed the NAMES of sources 10-15 times. As of now that is how it behaves.
Let me know once you find the original name of the source and your code works with that name.
Also, changing the names of sources is not good practice. If required, change the description of applications but not sourceNames.
Hi Rohit,
You were right. SailPoint confirmed that the original ApplicationName from the creation of the source is used internally as the reference and identifier.
I raised an idea ticket to not use the name as identifier and also to not expect the “ [source]” extension to the name when you want to use IDNRuleUtil for methods where we need the application name.