IdnRuleUtil for accountExistsByNativeIdentity does not work

@MIndra -

You’re super close—the issue is usually what you pass as nativeIdentity and how you identify the source. A few gotchas and a drop-in fix:

Why accountExistsByNativeIdentity is returning false

  1. nativeIdentity must be the account’s link nativeIdentity for that specific source, not an identity attribute like userId or username. For AD, for example, it’s often DN or objectGUID—not sAMAccountName. (IdnRuleUtil)

  2. The applicationName must be the exact Source name (the same string shown as the source name in ISC). Don’t invent or trim the "[source]" suffix; use the canonical name. If in doubt, read it from the user’s Link (see code below).

  3. The account must already exist in the catalog (aggregated) and be correlated. Otherwise it won’t be found.

Minimal code change (reliably fetch the correct nativeIdentity)

Instead of using userId, pull the native identity from the user’s Link for that source, then call the util:

// Imports needed when this runs as an IdentityNow (BeanShell) rule.
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.commons.lang.StringUtils;
import sailpoint.object.Identity;
import sailpoint.object.Link;

// idn (IdnRuleUtil), log and ruleName come from the rule context;
// appName is the exact source name and must be set earlier in the rule.
List fetchReport(String attribute, String value, String logPrefix) {
    List resultList = new ArrayList();
    if (StringUtils.isNotEmpty(value)) {
        List identities = idn.findIdentitiesBySearchableIdentityAttribute(attribute, "Equals", value, attribute);

        if (identities != null && !identities.isEmpty()) {
            log.debug(ruleName + ": Found " + identities.size() + " " + logPrefix);

            for (Identity reportee : identities) {
                // Find the Link for the intended source and get its nativeIdentity
                String nativeId = null;
                String canonicalAppName = null;

                List links = reportee.getLinks();
                if (links != null) {
                    for (Link link : links) {
                        if (link != null && link.getApplicationName() != null
                            && link.getApplicationName().equals(appName)) {
                            canonicalAppName = link.getApplicationName(); // exact source name
                            nativeId = link.getNativeIdentity();          // correct nativeIdentity
                            break;
                        }
                    }
                }

                if (StringUtils.isNotBlank(canonicalAppName) && StringUtils.isNotBlank(nativeId)) {
                    // Only now is the lookup meaningful: source name and nativeIdentity both come from the Link
                    if (idn.accountExistsByNativeIdentity(canonicalAppName, nativeId)) {
                        Map reporteeMap = new HashMap();
                        reporteeMap.put("displayName", nativeId);
                        resultList.add(reporteeMap);
                    }
                } else {
                    log.debug(ruleName + ": No matching link/nativeIdentity on source " + appName
                              + " for identity " + reportee.getName());
                }
            }
        }
    } else {
        log.debug(ruleName + ": " + logPrefix + " is missing or empty.");
    }
    return resultList;
}

Quick checklist

  • Verify the exact source name you’re passing (grab it from link.getApplicationName() to be safe).

  • Ensure the account exists & is aggregated on that source.

  • Don’t pass identity attributes like userId as nativeIdentity; use the Link’s getNativeIdentity(). (how-to-use-idnruleutil)

Cheers!!!

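An added diagnostic helper for the checklist above (example code, not from the original reply or from SailPoint): it logs every Link on one identity next to the source name the rule is passing, flags names that differ only by case, surrounding whitespace or a trailing " [source]" suffix, and reports what accountExistsByNativeIdentity returns for the exact match. It assumes the rule-context variables idn (IdnRuleUtil), log and ruleName; the identity and expectedAppName arguments are hypothetical inputs.

```java
import java.util.List;
import org.apache.commons.lang.StringUtils;
import sailpoint.object.Identity;
import sailpoint.object.Link;

// Returns true only when a Link whose applicationName exactly equals
// expectedAppName exists AND the catalog lookup for its nativeIdentity succeeds.
// Everything else is logged so the mismatch is visible in the rule log.
boolean diagnoseLinks(Identity identity, String expectedAppName) {
    // Normalised form used only to detect near-misses, never for the real lookup
    String wanted = StringUtils.removeEnd(StringUtils.strip(expectedAppName), " [source]").toLowerCase();
    List links = identity.getLinks();
    if (links == null || links.isEmpty()) {
        // No Link at all usually means the account is not aggregated or not correlated yet
        log.warn(ruleName + ": identity " + identity.getName() + " has no links");
        return false;
    }
    boolean exists = false;
    for (Link link : links) {
        if (link == null || link.getApplicationName() == null) {
            continue;
        }
        String linkApp = link.getApplicationName();
        String nativeId = link.getNativeIdentity();
        if (linkApp.equals(expectedAppName)) {
            // Exact source name: this is the only pair worth passing to the util
            boolean hit = StringUtils.isNotBlank(nativeId)
                && idn.accountExistsByNativeIdentity(linkApp, nativeId);
            log.info(ruleName + ": source '" + linkApp + "' nativeIdentity '" + nativeId
                     + "' accountExistsByNativeIdentity=" + hit);
            exists = exists || hit;
        } else if (StringUtils.removeEnd(StringUtils.strip(linkApp), " [source]").toLowerCase().equals(wanted)) {
            // Same source, but the string differs by case, whitespace or suffix:
            // use linkApp verbatim instead of the value currently configured
            log.warn(ruleName + ": near-miss, rule passes '" + expectedAppName
                     + "' but the Link is named '" + linkApp + "' (nativeIdentity '" + nativeId + "')");
        } else {
            log.debug(ruleName + ": other source '" + linkApp + "' nativeIdentity '" + nativeId + "'");
        }
    }
    return exists;
}
```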