Issue Assigning IT Roles for AD Application Behind Cloud Gateway (memberOf Attribute Not Found)

Which IIQ version are you inquiring about?

Version 8.4p3

Share all details about your problem, including any error messages you may have received.

Hello,

I’m running into an issue while defining IT Roles that automatically assign entitlements. One of the applications involved is an Active Directory instance that is proxied through a Cloud Gateway.

After creating the role, IdentityIQ starts logging the following error repeatedly (around five times per minute):

Unable to process events: For role 'TestIT' profile, unable to find attribute memberOf in 'account' schema for application Active Directory

The strange part is that the application schema does include an AttributeDefinition for memberOf, and access requests for this application work without any problems.

For other AD applications that are not using the Cloud Gateway, I can define IT Roles without any issues. This seems to affect only the Cloud Gateway-proxied AD application.

I’m trying to understand:

  • Is this a known limitation or issue when using the Cloud Gateway with Active Directory applications?

  • Is there any additional configuration required on the Synchronization Task or elsewhere to make role-based entitlement assignment work in this scenario?

  • Has anyone successfully configured IT Roles for entitlements on applications that go through the Cloud Gateway?

Any insights or experiences would be greatly appreciated.

Thanks!

Is ‘memberOf’ marked as an entitlement? If not, try updating that and running the synchronization task.

Please run the synchronization task and select the objects you want to synchronize with the cloud gateway.

Hi @bruno-co, sounds like your gateway is proxying AD as standard LDAP. You should be able to remove memberOf from account aggregation, and the connector would pick up group assignments from group aggregation.

I do not recall the full history, but we had similar issues after an upgrade. We had to include the attribute in the schema of the CGW application. I repeat, the schema of the CGW application.

I guess in your case it would be:




Yes, it is marked as an entitlement. This is the AttributeDefinition:

<Schema displayAttribute="sAMAccountName" identityAttribute="distinguishedName" nativeObjectType="User" objectType="account">
    ...
    <AttributeDefinition entitlement="true" managed="true" multi="true" name="memberOf" schemaObjectType="group" type="string">
        <Description>Group Membership</Description>
    </AttributeDefinition>
    ...
</Schema>

In the Synchronization Task, I have selected the Cloud Gateway application and the Active Directory application, as well as the rules needed for Account Correlation, Creation, Target Mapping, etc.

Which object do you suggest selecting so that I can define an IT Role for an entitlement of this Active Directory application?

Hi @j_place! What do you mean by removing the memberOf from the Account Aggregation?

Is it removing it in the application schema?

Adding the memberOf attribute to the Cloud Gateway schema stopped the error logs from being generated.

I defined it like this:

<Schema nativeObjectType="account" objectType="account">
  <AttributeDefinition name="memberOf" type="string">
    <Description>Group Membership</Description>
  </AttributeDefinition>
</Schema>

Does this attribute require any additional properties, or is defining it as a simple string enough?
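Added example, not part of the original posts and not SailPoint code: a small offline check that compares the 'account' schema of the AD application with the schema of the Cloud Gateway application that proxies it, reports entitlement attributes the gateway schema does not declare (the mismatch behind the "unable to find attribute memberOf in 'account' schema" error quoted above), and shows the minimal AttributeDefinition added in the post above. It assumes both application definitions are available as exported XML; the Application names, the sAMAccountName attribute and the two sample documents are constructed for illustration.

```python
"""Compare an AD application's 'account' schema with the schema of the
Cloud Gateway (CGW) application that proxies it.

Assumption: both definitions are available as exported IdentityIQ XML
(e.g. from an export of the Application objects). The two documents below
are constructed samples modelled on the fragments quoted in this thread,
not exports from a real system.
"""
import xml.etree.ElementTree as ET

AD_APP_XML = """<Application name="Active Directory">
  <Schemas>
    <Schema displayAttribute="sAMAccountName" identityAttribute="distinguishedName" nativeObjectType="User" objectType="account">
      <AttributeDefinition name="sAMAccountName" type="string"/>
      <AttributeDefinition entitlement="true" managed="true" multi="true" name="memberOf" schemaObjectType="group" type="string">
        <Description>Group Membership</Description>
      </AttributeDefinition>
    </Schema>
  </Schemas>
</Application>"""

# The CGW application's account schema before the fix: memberOf is absent.
CGW_APP_XML = """<Application name="Cloud Gateway">
  <Schemas>
    <Schema nativeObjectType="account" objectType="account">
      <AttributeDefinition name="sAMAccountName" type="string"/>
    </Schema>
  </Schemas>
</Application>"""


def schema_attributes(app_xml: str, object_type: str = "account") -> dict:
    """Map attribute name -> XML attributes of every AttributeDefinition in
    the Schema whose objectType matches (e.g. 'account')."""
    root = ET.fromstring(app_xml)
    found = {}
    for schema in root.iter("Schema"):
        if schema.get("objectType") != object_type:
            continue
        for ad in schema.findall("AttributeDefinition"):
            found[ad.get("name")] = dict(ad.attrib)
    return found


def missing_entitlement_attributes(ad_xml: str, cgw_xml: str,
                                   object_type: str = "account") -> list:
    """Names of attributes marked entitlement="true" in the AD application's
    schema that the CGW application's schema of the same objectType lacks."""
    ad_attrs = schema_attributes(ad_xml, object_type)
    cgw_attrs = schema_attributes(cgw_xml, object_type)
    return sorted(name for name, attrs in ad_attrs.items()
                  if attrs.get("entitlement") == "true" and name not in cgw_attrs)


def add_attribute_definition(cgw_xml: str, name: str, description: str = None,
                             attr_type: str = "string",
                             object_type: str = "account") -> str:
    """Return a copy of cgw_xml with a plain <AttributeDefinition name=... type=...>
    (plus optional <Description>) appended to the matching Schema, i.e. the
    shape of the definition that stopped the error in the post above."""
    root = ET.fromstring(cgw_xml)
    for schema in root.iter("Schema"):
        if schema.get("objectType") != object_type:
            continue
        ad = ET.SubElement(schema, "AttributeDefinition",
                           {"name": name, "type": attr_type})
        if description:
            ET.SubElement(ad, "Description").text = description
        return ET.tostring(root, encoding="unicode")
    raise ValueError(f"no Schema with objectType={object_type!r} in application")


if __name__ == "__main__":
    gap = missing_entitlement_attributes(AD_APP_XML, CGW_APP_XML)
    print("entitlement attributes missing from CGW account schema:", gap)
    fixed = CGW_APP_XML
    for attr in gap:
        fixed = add_attribute_definition(fixed, attr, description="Group Membership")
    print("after adding them:", missing_entitlement_attributes(AD_APP_XML, fixed))
    print(fixed)
```

Run against real exports, the first function call is the check to make before defining an IT Role on a gateway-proxied application: every entitlement attribute the role profile will reference must exist in the CGW application's account schema as well, not only in the AD application's.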

You also need to synchronize the managed attributes/entitlements. Only then will it work.

I’m not seeing any option to synchronize managed attributes or entitlements in the IdentityIQ Cloud Gateway Synchronization Task configuration.

Is entitlement synchronization handled through a different task type, or is there a hidden or less obvious setting that enables entitlement synchronization within the Cloud Gateway task?