Important Considerations for AD Provisioning Plan Creation

When creating an Active Directory (AD) Provisioning Plan, map values only to attributes that already exist in the AD schema and do not add attributes that AD does not have. For example, Country and State are not AD attributes; map to the existing attributes c and st instead. If the plan includes an attribute that does not exist in AD, the mapping fails for every attribute except Account ID and Account Name.

Key Points:

  1. UPN (User Principal Name) should be unique – Ensure that it does not conflict with existing users.
  2. Manager attribute must exist in AD – If the specified manager does not exist, the provisioning will fail. Always validate the Distinguished Name (DN) format of the Manager attribute in AD.
  3. If the Manager does not exist in AD, pass a blank value ("") using a FirstValid Transform.

Recommended Transform:

Use the following transform to check whether the Manager exists in AD. If the Manager exists, fetch their Distinguished Name (DN) from AD. If not, set the value to "".

```json
{
    "name": "GetManager-ActiveDirectory",
    "type": "firstValid",
    "attributes": {
        "values": [
            {
                "type": "static",
                "attributes": {
                    "value": "$identity.getManager().getLinksByAppIdOrName(\"123456789\",null)[0].getNativeIdentity()"
                }
            },
            "null"
        ],
        "ignoreErrors": true
    }
}
```

Note: Replace 123456789 with the application ID (or name) of your Active Directory (AD) source, since getLinksByAppIdOrName accepts either.

By following this approach, you can prevent AD provisioning failures and ensure a smooth attribute mapping process.
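As an added illustration (not from the original post or from SailPoint), here is a pre-flight check in Python that applies the rules above to a provisioning plan before it is sent to AD: attribute names that do not exist in AD, a UPN that already exists, and a Manager value that is either not in DN format or not present in the directory. The attribute list, directory lookup and sample plan are constructed stand-ins, and `resolve_manager` mirrors what the firstValid transform returns.

```python
import re

# Constructed subset of real AD lDAPDisplayName attribute names; a live check
# would read the schema of the target domain instead.
AD_ATTRIBUTES = {
    "sAMAccountName", "userPrincipalName", "givenName", "sn", "displayName",
    "mail", "c", "st", "l", "co", "title", "department", "manager",
    "streetAddress", "postalCode", "telephoneNumber", "description",
}
# Friendly names that are often mapped by mistake, with the real AD attribute.
FRIENDLY_TO_LDAP = {"country": "c", "state": "st", "city": "l",
                    "surname": "sn", "firstname": "givenName", "email": "mail"}
# Loose DN shape: at least two "type=value" RDNs separated by commas.
DN_RE = re.compile(r"^(?:[A-Za-z][\w-]*=[^,]+)(?:,[A-Za-z][\w-]*=[^,]+)+$")

def resolve_manager(manager_dn, directory_dns):
    """Mirror the firstValid transform: the DN if the manager exists in AD, else ''."""
    return manager_dn if manager_dn and manager_dn in directory_dns else ""

def validate_plan(plan, directory_dns, existing_upns):
    """Return the problems that would make this AD provisioning plan fail."""
    issues = []
    for attr in plan:  # rule: only map attributes that exist in AD
        if attr not in AD_ATTRIBUTES:
            hint = FRIENDLY_TO_LDAP.get(attr.lower())
            issues.append(f"{attr}: not an AD attribute"
                          + (f", use {hint!r}" if hint else ""))
    upn = plan.get("userPrincipalName")  # rule: UPN must be unique
    if upn and upn.lower() in {u.lower() for u in existing_upns}:
        issues.append(f"userPrincipalName {upn!r} already exists")
    mgr = plan.get("manager")  # rule: manager must be a DN that exists in AD
    if mgr:
        if not DN_RE.match(mgr):
            issues.append(f"manager {mgr!r} is not in DN format")
        elif mgr not in directory_dns:
            issues.append(f"manager {mgr!r} does not exist in AD; send '' instead")
    return issues

# Constructed sample data standing in for a directory lookup.
DIRECTORY_DNS = {"CN=Jane Doe,OU=Users,DC=example,DC=com"}
EXISTING_UPNS = {"jdoe@example.com"}
SAMPLE_PLAN = {
    "sAMAccountName": "asmith",
    "userPrincipalName": "asmith@example.com",
    "Country": "IN",  # wrong: AD has no Country attribute, use "c"
    "manager": "CN=Bob Roe,OU=Users,DC=example,DC=com",  # not in the directory
}

if __name__ == "__main__":
    for issue in validate_plan(SAMPLE_PLAN, DIRECTORY_DNS, EXISTING_UPNS):
        print(issue)
```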
