We have an application in SailPoint ISC (Novell eDirectory), which is directly connected to the target system, and accounts and groups are aggregated properly. The problem is with the correlation. I have added a couple of correlations
Identity Attribute Application Attribute
------------------ ---------------------
1) User Principal Name mail
2) User Principal Name cn
The application attributes “mail” and “cn” have the same values, and the Identity Profile attribute “User Principal Name” has the same email value. But I see only 5 accounts got correlated out of 1.5k accounts. Manually verified a few accounts and the emails are matching.
I have even modified the correlation config to ignore the case and run unoptimized aggregation multiple times, but no luck. I even reset the source and re-aggregated, but still the result is the same.
Has anyone come across this kind of issue, and do you have any suggestions on how to resolve it?
Note: I haven’t used the Identity Profile attribute “Work Email”, because we have email masking applied.
If you navigate to one of your accounts that should have been correlated and aggregate just that account, does it process the correlation then? I would expect it to, but then I would also expect the unoptimized aggregation to do the same.
That’s usually my first troubleshooting step with correlation - aggregate a single account that I think should get correlated. Then if it still does not, I will use Postman to pull down the identity and account attributes. Sometimes there are spaces that the UI hides, especially if you have static transforms with VTL.
If that doesn’t get you anywhere then I would start to suspect the connector itself. I haven’t worked with eDirectory but I have seen instances where a specific connector does not behave as expected. It takes a support case at that point to get anywhere.
I have tried with single account aggregation, and compared account and identity attribute values, both are identical, but still no luck in the correlation.
I’m going to assume you don’t want to share actual data, so it’s hard for us to diagnose, but maybe concentrate on why the 5 actually correlate, see what’s special about them, rather than the 1.5K that don’t. It could help you diagnose
Finally, fixed the problem by adding trim to the identity attribute. However, I am still wondering how that worked, though there is no space in the existing value, suspecting the value coming from AD (userPrincipalName) might have special characters.