Multi values syntax for account attributes

Identity Security Cloud (ISC) ISC Discussion and Questions
,
1

We are setting the proxyaddresses in AD. The JSON has been updated to allow multiple values. However, when setting static values I’m not sure of the syntax to use.

If I have the static value set to: SMTP:[email protected],smtp:[email protected]
It only stores the first value.

If I have the static value set to: {SMTP:[email protected],smtp:[email protected]} to generates multipe values, but retains the curly braces. I have tried quotation marks, which keeps only one value with the full string, ignoring the comma delimited value setting.

        {
            "name": "proxyAddresses",
            "transform": {
                "type": "static",
                "attributes": {
                    "value": "smtp:[email protected],SMTP:[email protected]"
                }
            },
            "attributes": {
                "cloudDelimiter": ","
            },
            "isRequired": false,
            "type": "string",
            "isMultiValued": true
        },

Above is the current configuration which stores only one value.

2

This line should be like:

“multi”: true

3

changing it to multi provisions the account with a single string attribute with both values and the comma as one attribute.

The multi value looks to be deprecated based on other attributes showing “isMultiValued” as being present.

If I use isMultiValued with the value in curly braces, it separates it. The delimiter works, but the curly braces remain on the value.

4

Setting multi to true and specifying cloudDelimiter as , has always worked, maybe something has changed recently.

https://community.sailpoint.com/t5/IdentityNow-Articles/Best-Practices-Provisioning-Multi-Valued-Attributes/ta-p/153748

5

When you set it to multi, it converts back to isMultiValued. I tried it again using multi and running it through, and when I went back to set it to isMultiValued, it was already set. My assumption is that SailPoint is updating all with multi to the new value. Although it is also defaulting it to false.

I tried using a different delimiter with no success. The symptoms are the same where the delimiter is removed but only the first value is populated.

If I set the static value enclosed in curly braces, it populates both values as independent values in AD however the curly braces remain. The opening curly brace on the first value, the closing brace on the second value and the delimiter not showing on either value.

My assumption at this point is that we need a specific syntax when setting the static value on the account creation, or this is a bug that needs to be fixed.

6

Hi Fred,

Is the attribute set to multivalued in the application schema, not just in the provisioning policy?

Also, aren’t both values the same? “[email protected]

Unless you then add a curly brace to the beginning of one and a curly brace to the end of another, thereby making them different values?

7

This is for proxyAddresses. Two different values as one has an upper case smtp and the other is lower case. proxyAddresses is multi valued in AD.

I double checked the AD connector schema and validated that proxyAddresses is present and multi-valued.

8

Try this syntax,


"value": "\"smtp:[email protected]\",\"SMTP:[email protected]\""

Blockquote

9

Same issue as before, no progress.

10

It does appear that this behavior is an issue with the values being the same, even though the case is different on the “SMTP” vs “smtp”.

The provisioning plan does correctly contain both values:

Screenshot 2023-09-07 at 4.31.15 PM

But the result is as you said, only one get’s added. There appears to be a check if you try to do the same using Active Directory Users and Computers, you get this prompt to confirm you want to add the same value twice.

Screenshot 2023-09-07 at 4.35.48 PM

This makes sense to me since, as I understand it, the upper case is just signifying the main email address. What is the requirement to add it again?

When using different values in the provisioning plan, either of these syntaxes worked:

`"value": "\"smtp:[email protected]\",\"SMTP:[email protected]\""`

Or

"value": "smtp:[email protected],SMTP:[email protected]

Both were successful:

Screenshot 2023-09-07 at 5.01.51 PM

So it seems that somewhere either the IQ service eliminates case insensitive duplicates for this attribute or a windows policy is not allowing the same case-insensitive value. the iqservice logs have no error of any kind. I’m not aware of any setting in the iqservice to change this.

If you do have a requirement for the email to be added in both “SMTP” and “smtp” form, you could possibly do this using an after create script, assuming there are no restrictions to do this using powershell.

note: I did find this bullet point below in the AD documentation. It doesn’t mention the proxyAddresses attribute but I thought it was relevant to mention it here.

  • For the Active Directory source, the mailNickname, homeMBD, and msExchHideFromAddressLists attributes are case insensitive when processed by the IQService.
3 Likes
11

Hello @ruben_elizondo ,

Im trying to send to a AD - proxyaddresses attribute as multivalued, based on your post, we tried:

{
“name”: “proxyAddresses”,
“transform”: {
“type”: “static”,
“attributes”: {
“o365”: {
“attributes”: {
“values”: [
{
“attributes”: {
“name”: “emailLicenseType”
},
“type”: “identityAttribute”
},
“null”
]
},
“type”: “firstValid”
},
“value”: “#if($o365!="null" && $o365!=" ")"sip:$mail","SMTP:$mail","smtp:[email protected]"#{else}#end
}
},
“attributes”: {},
“isRequired”: false,
“type”: “string”,
“isMultiValued”: true
}

We tried as well:

{

        "name": "proxyAddresses",

        "transform": {

            "type": "static",

            "attributes": {

                "o365": {

                    "attributes": {

                        "values": [

                            {

                                "attributes": {

                                    "name": "emailLicenseType"

                                },

                                "type": "identityAttribute"

                            },

                            "null"

                        ]

                    },

                    "type": "firstValid"

                },

                "value": "\"sip:$mail\",\"SMTP:$mail\",\"smtp:[email protected]\""

            }

        },

        "attributes": {},

        "isRequired": false,

        "type": "string",

        "isMultiValued": true

    }

The provisioning is executed as expected but its not working, any idea of what’s the error?

thanks in advance.
Bea.

12

This is an example of my code that is working:

{
            "name": "proxyAddresses",
            "transform": {
                "type": "static",
                "attributes": {
                    "value": "smtp:[email protected],SMTP:[email protected]"
                }
            },
            "attributes": {
                "cloudDelimiter": ","
            },
            "isRequired": false,
            "type": "string",
            "isMultiValued": true
        },
13 
"attributes": {
   "cloudDelimiter": ","
},

Your code is missing this configuration.

1 Like
14

Thank you so much Fred!!! Now is working!

2 Likes
15

Thank you so much Sharvari!!! Now is working!

2 Likes
16

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.