Native Identity should not be null or empty

l_pulignano · March 6, 2025, 9:29am

Hi,

I’m facing a problem with AD account provisioning, both in automatic and manual mode. When it tries the account creation I recieve this error: Native Identity should not be null or empty.

The process starts with the accounts aggregation from HCM authoritative source, it creates the correspondents accounts and identities and then it should starts the AD account provisioning thanks to the association of a role with some entitlements from AD but it goes in error.

I tried to manually request entitlements from AD source in order to trigger the provisiong phase but it gives me back the same error.

Can you help me with this problem? Thanks in advance

Chaithu9110 · March 6, 2025, 10:30am

identity Mapping Configuration:

Ensure that the identity mapping from your authoritative source (HCM) to SailPoint IdentityNow is correctly set up.
Verify that the mapping rules are correctly associating the relevant identity attributes from HCM to SailPoint and then from SailPoint to AD

Arshad · March 6, 2025, 11:31am

Can you let me know if you’ve configured the distinguishedName field on your Create Account page of Active Directory source correctly?

Can you help me with what value you’re passing in it?

suresh4iam · March 6, 2025, 9:48pm

Can you check whether multiple AD accounts are correlated from same source to an identity? If so, resolve it by correlate only one account and try the provisioning. It could resolve the issue. I know you are saying it gets failed during account creation, but it is worth to verify it.

l_pulignano · March 7, 2025, 8:36am

It gets the value from an Identity Attribute that returns the value of this transform:

{
        "name": "Transform OU Concatenation",
        "type": "concat",
        "attributes": {
            "values": [
                "CN=",
                {
                    "attributes": {
                        "sourceName": "HR Oracle HCM Cloud (Source)",
                        "attributeName": "Person_Last_Name"
                    },
                    "type": "accountAttribute"
                },
                " ",
                {
                    "attributes": {
                        "sourceName": "HR Oracle HCM Cloud (Source)",
                        "attributeName": "Person_First_Name"
                    },
                    "type": "accountAttribute"
                },
                ",OU=",
                {
                    "type": "static",
                    "attributes": {
                        "value": "$identity.getStringAttribute('locationIdAlias')"
                    }
                },
                ",OU=",
                {
                    "type": "static",
                    "attributes": {
                        "value": "$identity.getStringAttribute('countryIso2char')"
                    }
                },
                ",OU=",
                {
                    "type": "static",
                    "attributes": {
                        "value": "$identity.getStringAttribute('ouIdentityType')"
                    }
                },
                ",OU=Users,OU=",
                {
                    "type": "static",
                    "attributes": {
                        "value": "$identity.getStringAttribute('legalEmployerAlias')"
                    }
                },
                ",OU=Customer Objects,OU=TestOU,DC=CAAUTOBANK,DC=GCA"
            ]
        }
    }

l_pulignano · March 7, 2025, 8:40am

The correlation is done between the sAMAccountname on AD side and the Sailpoint username on Identity side, so the account should be unique

schattopadhy · March 10, 2025, 4:53am

@l_pulignano try to use the transform at identity level and use that attribute(adou) in the create account some thing like this
CN=$(firstname).$(lastname)$(uniqueCounter),$adou

gvscdeep1 · March 10, 2025, 6:29am

With the logic you mentioned, you can directly configure the create profile with “Create Unique Account ID” generator for distinguishedName with the below format considering that your “Person_Last_Name” and “Person_First_Name” are linked lastname and firstname identity attribtues.

CN=$(firstname) $(lastname)$(uniqueCounter),OU=$(locationIdAlias),OU=$(countryIso2char),OU=$(ouIdentityType),OU=Users,OU=$(legalEmployerAlias),U=Customer Objects,OU=TestOU,DC=CAAUTOBANK,DC=GCA

system · May 9, 2025, 6:29am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
AD Multiple accounts - Attribute Sync ISC Discussion and Questions	2	1121	July 19, 2023
AD account creation from INow ISC Discussion and Questions	6	1727	July 19, 2023
Update NativeIdentity within AccountRequest of ProvisioningPlan ISC Discussion and Questions	5	2526	July 19, 2023
Native Identity null for webservice connector ISC Discussion and Questions identity-security-cloud , provisioning	20	591	October 15, 2024
Error with AD account ISC Discussion and Questions	12	7143	July 19, 2023

Native Identity should not be null or empty

Related topics