NullPointerException was thrown by SailPoint API getAccountByNativeIdentity()

Problem

A NullPointerException was thrown by an Identity Attribute Cloud Rule written in Core Java, due to which the identities were erroring out.

Diagnosis

An Identity Attribute Generator Cloud Rule had been written with the code logic below.

if ( identity.getAttribute( "dn" ) != null ) {
    // Get the DN of the user from the Identity Profile attribute named "dn"
    DN = identity.getAttribute( "dn" );

    // The application name must be in the format "appName [source]"

    // Get the account for the source named "Corporate AD Service Accounts", using the DN as the search attribute
    Account acct = idn.getAccountByNativeIdentity( "Corporate AD Service Accounts [source]", DN );
    // Get the account attributes as key-value pairs in a Map
    Map acctAttrs = acct.getAttributes();
    // Extract the password-last-set value from the account attribute Map
    String pwdLastSet = acctAttrs.get( "pwdLastSet" );
    // Convert the password-last-set value from String to long
    long pwdLastSetInLong = Long.parseLong( pwdLastSet );
}

In the above code, we were fetching the account details for the source named “Corporate AD Service Accounts” from SailPoint ISC and then, from the Account object, we were fetching the “pwdLastSet” field.

But the code was not fetching the data, even though the “Corporate AD Service Accounts” account was enabled for the user in SailPoint ISC and the “dn” identity attribute of the user was populated with the proper DN. Even the account attribute name “pwdLastSet” was correct, but the code was still giving the null pointer exception, due to which the identities were going into errored status.

After multiple RCA sessions, we found that the name of the Active Directory source named “Corporate AD Service Accounts” had been changed multiple times by the stakeholders. Over a 6-month period, the name was changed 6 times.

As per SailPoint ISC, when the source is created for the first time, the technical name gets assigned to the user on ISC and it remains the same. Later, if you change the name of any source in the UI, the technical name will remain the same while the display name keeps changing.

For example, if you have created a source with the name “Test1”, then, in ISC, the technical name will be “Test1” and the display name will also be “Test1”. Let's say that after a couple of days you change the name of the source to “Test2”; then the technical name will remain “Test1” but the display name will change to “Test2”. That's the SOP which SailPoint ISC follows.

In the SailPoint ISC API call idn.getAccountByNativeIdentity( "Corporate AD Service Accounts [source]", DN ), we pass the application name and the native account attribute name in the respective application, i.e. the Account ID. Now, on the UI, the application name shows as “Corporate AD Service Accounts”, but the call was still throwing a null pointer exception.

Solution

When we found that the application name had been changed over a period of time, we tried to find the exact “technical name” of the source using the search engine of SailPoint ISC.

Open the search engine of SailPoint ISC, then search for the application name/source name which is currently set in SailPoint ISC, using double quotes, for example “Corporate AD Service Accounts”. Then go to the Events tab and look at the first event that was created for the application. Refer to the example below.

We saw the name with which the source was initially created, and then we updated our code as below.

if ( identity.getAttribute( "dn" ) != null ) {
    // Get the DN of the user from the Identity Profile attribute named "dn"
    DN = identity.getAttribute( "dn" );

    // The application name must be in the format "appName [source]"

    // Get the account for the source whose technical name is "CorporateAD Service Accounts", using the DN as the search attribute
    Account acct = idn.getAccountByNativeIdentity( "CorporateAD Service Accounts [source]", DN );
    // Continue only if an account and its attribute Map were returned for this DN
    if ( acct != null && acct.getAttributes() != null ) {
        // Get the account attributes as key-value pairs in a Map
        Map acctAttrs = acct.getAttributes();
        // Extract the password-last-set value from the account attribute Map
        String pwdLastSet = acctAttrs.get( "pwdLastSet" );
        // Convert the password-last-set value from String to long, if it is populated
        if ( pwdLastSet != null ) {
            long pwdLastSetInLong = Long.parseLong( pwdLastSet );
        }
    }
}

Hence, when using the API call Account acct = idn.getAccountByNativeIdentity( "CorporateAD Service Accounts [source]", DN ); you need to make sure that you are giving the actual technical name of the source, and not blindly trusting the source name which you see on the UI. It's always a best practice not to change the source names in a SailPoint ISC tenant.


Hi @rohit_wekhande,

Thanks for this article. Would you happen to know which attribute in the source carries the technical/initial name of the source? When I tested, I found the old/initial name of the source stored in the attribute accountCorrelationConfig.name.

Example:

"accountCorrelationConfig": {
    "type": "ACCOUNT_CORRELATION_CONFIG",
    "id": "1234567890",
    "name": "<initialSourceName> [source] Account Correlation"
}
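An added example, not part of the original thread: a small audit that flags renamed sources by comparing each source's current name with the initial name embedded in accountCorrelationConfig.name, and prints the "appName [source]" string a rule would need. It assumes source records shaped like the reply's snippet and treats the " [source] Account Correlation" suffix as a fixed format, which rests only on the observation in the reply; the sample records are constructed.

```python
import json

# Suffix seen in the reply's sample: "<initialSourceName> [source] Account Correlation".
# Treating it as a fixed format is an assumption based on that single observation.
CORRELATION_SUFFIX = " [source] Account Correlation"

# Constructed sample of source records; only the fields used here are included.
SAMPLE_SOURCES = json.loads("""
[
  {"name": "Corporate AD Service Accounts",
   "accountCorrelationConfig": {"type": "ACCOUNT_CORRELATION_CONFIG", "id": "1234567890",
     "name": "CorporateAD Service Accounts [source] Account Correlation"}},
  {"name": "HR Feed",
   "accountCorrelationConfig": {"type": "ACCOUNT_CORRELATION_CONFIG", "id": "1234567891",
     "name": "HR Feed [source] Account Correlation"}},
  {"name": "Flat File Contractors", "accountCorrelationConfig": null}
]
""")


def initial_source_name(source):
    """Return the creation-time name embedded in accountCorrelationConfig.name, or None."""
    config = source.get("accountCorrelationConfig") or {}
    config_name = config.get("name") or ""
    if not config_name.endswith(CORRELATION_SUFFIX):
        return None  # no correlation config, or an unexpected format: do not guess
    return config_name[: -len(CORRELATION_SUFFIX)]


def audit_sources(sources):
    """Classify each source and give the application-name string a rule should use."""
    report = []
    for source in sources:
        display = source.get("name")
        initial = initial_source_name(source)
        if initial is None:
            status, rule_arg = "unknown", None
        else:
            status = "renamed" if initial != display else "unchanged"
            rule_arg = initial + " [source]"
        report.append({"display": display, "initial": initial,
                       "status": status, "rule_argument": rule_arg})
    return report


if __name__ == "__main__":
    for row in audit_sources(SAMPLE_SOURCES):
        print(row)
```

Sources reported as "unknown" still need the Events-tab check described in the article, since the initial name cannot be derived from the record.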