Issue with Unique UPN Generation Rule Not Validating Against AD

Hi Team,

We have developed a rule to generate a unique UPN value for AD. However, we mistakenly set the rule type as AttributeGenerator. Now, we are using this rule within IdentityNow via a Transform (type: rule) to generate a unique UPN by validating it against AD.

Current Behavior:

  • The rule successfully generates the required UPN value.
  • However, it does not validate whether the UPN already exists in AD.
  • Even if the same UPN exists in AD, it does not increment and simply returns the same value.

Expected Behavior:

  • If the generated UPN already exists in AD, the rule should increment the extension (e.g., firstname.lastname@abc.com, firstname.lastname1@abc.com, firstname.lastname2@abc.com, etc.).

Below is the current rule implementation:


Rule:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule name="UPNGenerator" type="AttributeGenerator">
    <Description>Generate a unique Email.</Description>
    <Source><![CDATA[
        import sailpoint.tools.GeneralException;
        import sailpoint.object.*;
        import java.util.*;
        import sailpoint.api.*;
        import sailpoint.rule.*;
        import org.apache.commons.lang.StringUtils;
        import java.text.Normalizer;

        log.debug("Starting UPN generation process");

        int maxIteration = 1000;
        int upnCount = 0;
        List SEARCH_IN_SOURCE_IDS = new ArrayList(Arrays.asList(new String[] {"????"}));
        log.debug("Search IDs initialized: " + SEARCH_IN_SOURCE_IDS);

        String SEARCH_OP = "Equals";
        String PROMOTED_ATTR_UPN = "userPrincipalName";
        int extension = 0;

        public int getDuplicateUpnCount(String upnValue) throws GeneralException {
            log.debug("Checking duplicate UPN count for: " + upnValue);
            List upnValueList = new ArrayList(Arrays.asList(new String[] {upnValue}));
            upnCount = idn.attrSearchCountAccounts(SEARCH_IN_SOURCE_IDS, PROMOTED_ATTR_UPN, SEARCH_OP, upnValueList);
            log.debug("Duplicate UPN count: " + upnCount);
            return upnCount;
        }

        public String generateUpn(String firstName, String lastName, int extension) {
            log.debug("Generating UPN...");
            firstName = StringUtils.trimToNull(firstName);
            lastName = StringUtils.trimToNull(lastName);

            String upn = (extension > 0) ? firstName + "." + lastName + extension + "@abc.com" 
                                         : firstName + "." + lastName + "@abc.com";

            upnCount = getDuplicateUpnCount(upn);
            if (upnCount == 0) {
                return upn;
            } else if (upnCount < maxIteration) {
                return generateUpn(firstName, lastName, extension + 1);
            } else {
                log.debug("Max iterations reached for UPN generation.");
                return null;
            }
        }

        return generateUpn(identity.getFirstname(), identity.getLastname(), extension);
    ]]></Source>
</Rule>

Questions for the Community:

Why is the rule not validating against AD properly?

Would appreciate any insights or guidance from the community.

Thanks in advance! :blush:

1 Like

@pallavi @KRM7 @adunker @sharvari can you help with this issue?

Hello @hkhandale

I just have one question.
Why a rule? Is it a case where the UPN follows a set of patterns for uniqueness?
If not, you can just use a transform for the attribute (as I can see in the example you mentioned, firstname.lastname@abc.com).
If there is a set of patterns, and it is simple logic as shown, there is no need for a rule.

Thanks

Hi Sidharth

We attempted to pass a Generator Pattern or a static value for the UPN during AD provisioning, but it resulted in a null value after provisioning.

Therefore, we are now trying to generate it using a Rule.

1 Like

Harsh …

In this case, I believe there is something wrong within the policy. If this is not happening with a static value, there is a problem within the policy.
May I know if there were any errors when the resulting value was null?

We are not getting any error, but still getting a null (–) value in the output. We tried to pass it via a transform in the account creation policy and still get null.
We also tried to use the Generator $(firstname).$(lastname)$(uniqueCounter)@abc.com

and are getting the error:

Unable to generate a unique value for ‘Sanju Test’, action
UniqueAccountIdValidator[nativeIdentity=CN=Test, Sanju,OU=abc
Accounts,DC=dev,DC=corp, app=Active Directory] is not retry-able due to InterruptedException: Timeout waiting for response to message 0 from client xyz after 30 seconds.

1 Like

Declare the variable upnCount inside the getDuplicateUpnCount function again, or use a different variable, and try it. It seems that due to the global definition of this variable, it is not returning the value from the getDuplicateUpnCount function. You can also ask Expert Services to get the logs and check the debug statements to see where it is failing.
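As an added example that is not code from the original post: the same generator written iteratively as the BeanShell source of an IdentityNow cloud rule, with the duplicate count held in a local variable as suggested in the reply above and the suffix loop bounded. The AD source ID and the UPN domain are placeholders, `idn`, `identity` and `log` are assumed to be the rule's implicit variables, and the name cleanup (lowercase, strip non-alphanumerics) is an assumption about the required UPN format, not something the thread specifies.

```java
// Added example (BeanShell source of an IdentityNow cloud rule), not the
// original poster's rule. Assumptions: "idn", "identity" and "log" are the
// rule's implicit variables; the AD source ID and domain are placeholders.
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import org.apache.commons.lang.StringUtils;

// Placeholders: replace with the real AD source ID and UPN domain.
List AD_SOURCE_IDS = new ArrayList(Arrays.asList(new String[] {"<ad-source-id>"}));
String UPN_DOMAIN = "abc.com";
String UPN_ATTR = "userPrincipalName";
int MAX_SUFFIX = 1000;

// Lower-case the name part and drop anything outside [a-z0-9] so the
// candidate is a clean UPN local part (assumed format).
public String normalizePart(String s) {
    s = StringUtils.trimToEmpty(s);
    return s.toLowerCase().replaceAll("[^a-z0-9]", "");
}

// Count accounts on the AD source whose userPrincipalName equals the
// candidate. The result lives in a local, not a rule-level global.
public int countUpnInAd(String candidate) {
    List values = new ArrayList(Arrays.asList(new String[] {candidate}));
    int hits = idn.attrSearchCountAccounts(AD_SOURCE_IDS, UPN_ATTR, "Equals", values);
    log.debug("UPN " + candidate + " found " + hits + " time(s) on AD source");
    return hits;
}

// Try base, base1, base2, ... and return the first candidate not already
// present, or null once MAX_SUFFIX candidates have all been taken.
public String uniqueUpn(String firstName, String lastName) {
    String first = normalizePart(firstName);
    String last = normalizePart(lastName);
    if (first.length() == 0 || last.length() == 0) {
        log.warn("Cannot build UPN: missing first or last name");
        return null;
    }
    String base = first + "." + last;
    for (int suffix = 0; suffix < MAX_SUFFIX; suffix++) {
        String candidate = (suffix == 0) ? base + "@" + UPN_DOMAIN
                                         : base + suffix + "@" + UPN_DOMAIN;
        if (countUpnInAd(candidate) == 0) {
            return candidate;
        }
    }
    log.error("No free UPN for " + base + " after " + MAX_SUFFIX + " attempts");
    return null;
}

return uniqueUpn(identity.getFirstname(), identity.getLastname());
```

Two caveats a practitioner should keep in mind with this approach. attrSearchCountAccounts searches the account data IdentityNow already holds for the source, so a UPN created directly in AD after the last aggregation is invisible to the check; and the check is a lookup, not a reservation, so two provisioning runs executing at the same time can both settle on the same candidate. A rule referenced from a Transform of type rule is normally a Generic cloud rule; AttributeGenerator is the type selected directly in the account create profile, so the rule type should match where it is wired in.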

  • Were you able to see the plan attributes in Account Activity as expected?
  • Is this a problem only with Create? Are all other operations with AD working fine?
  • Check for any errors in the ccg logs on the VA.
  • Increase the timeouts and try again.
  • I suggest you test without the Cloud Rule, as Cloud Rule changes take time.

If everything mentioned above seems fine, reach out to Expert Services. This is unusual; create should work when given a static value at least.

Thanks
