ISC Experts - How do you generally approach Attribute Sync for AD accountExpires?

Syncing the accountExpires attribute can be tricky, where if not done correctly and attribute sync is enabled, you might run into endless sync events triggering.

How do you generally approach this with date format considerations for identity and account attributes, best practices discovered over time and cautions/prerequisites that you keep a tab on?

Hi @sushant1,

We had challenges with accountExpires attribute sync as described here

The fix was to add the timezone attribute in the AD source with value as epoch. This converted the AD time format to epoch and we also transformed the Identity attribute to epoch format and that worked.

The field below was added to the source JSON:

"timeZone": "epoch"


Just to confirm, this is under source’s /connectorAttributes?

It’s under the source’s /connectorAttributes


Hi @sushant1, I am not sure why SailPoint hasn’t expanded on the AD integration documentation to make it clear what issues you may encounter with the default configuration.

As Jesvin wrote, set {sourceId}/connectorAttributes/timeZone to epoch so that ISC syncs the time as an epoch number (e.g. 133560149780000000) instead of (05/11/2019 12:00:00 AM IST).

SailPoint’s KB article: [IdentityNow] accountExpires attribute is continuously syncing to Active Directory - Customer Support

One thing that I’ve noticed while investigating this problem and which can be confusing was that the values shown in the event’s search UI were not the actual values that were sent to AD (same “time” value, but in UI the format was different).


Thanks @adamian, this context is super useful.
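Added example, not part of any post in this thread and not SailPoint code: a Python sketch of why the numeric form compares stably. It assumes the value produced with timeZone set to epoch is the raw AD accountExpires tick count (100-nanosecond intervals since 1601-01-01 UTC), as the 18-digit sample in the thread suggests; the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# AD stores accountExpires as 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Both values mean "never expires" in AD and must not be turned into a date.
NEVER = {0, 0x7FFFFFFFFFFFFFFF}


def filetime_to_utc(ticks):
    """Return the expiry as an aware UTC datetime, or None for 'never expires'."""
    ticks = int(ticks)  # accepts the number or its string form
    if ticks in NEVER:
        return None
    return AD_EPOCH + timedelta(microseconds=ticks // 10)


def utc_to_filetime(dt):
    """Inverse conversion; naive datetimes are rejected to avoid silent offsets."""
    if dt.tzinfo is None:
        raise ValueError("timezone-aware datetime required")
    delta = dt.astimezone(timezone.utc) - AD_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def needs_sync(identity_value, account_value):
    """Compare by instant, so a formatting difference alone never causes a write."""
    return filetime_to_utc(identity_value) != filetime_to_utc(account_value)


if __name__ == "__main__":
    sample = 133560149780000000  # the value quoted in the thread
    print(filetime_to_utc(sample))                 # the instant it encodes, in UTC
    print(needs_sync(str(sample), sample))         # same instant, different types
    print(needs_sync(0, 0x7FFFFFFFFFFFFFFF))       # both mean "never expires"
```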

