We have a custom SaaS ISC Loopback connector that we are seeing an issue with account aggregations. The number of accounts returned by the SaaS connector and how many accounts are visible in SailPoint through the UI are off. Looking at the logs and test calls through Postman, the SaaS connector returns 560 unique accounts. However, in the UI and API, looking at the accounts list we see 559 accounts for the source.
I did a diff check between the two and found the identity that is missing the account. Interestingly, this identity has the entitlement assigned from the SaaS connector but no associated account listed. I checked the identity through the Search API and found the account there but I get a 404 error when using the Get Account API endpoint to retrieve the account details.
Weâre seeing this across our tenants for this SaaS source for identities that have the same display name but unique account IDs. Has anyone experienced this issue before?
They have the same display name identity attribute, but I have configured the display name of the accounts to be different. It uses the employee number of each identity as the account display name to ensure they are different.
What I am wondering is if SailPoint is getting confused as to which account should be correlated.
This page Assigning Source Accounts... - SailPoint Identity Services under the Preset and Default Configurations has a statement that talks about the default correlation logic. SailPoint will automatically tryp to correlate using the âAccount Nameâ attribute matches the âNameâ attribute of the identity.
But there is also a support article that says that accounts wonât correlate if there is more than one match:
Yeah we had that thought as well, but there doesnât appear to be any uncorrelated accounts. There could be some strange behavior behind the scenes with that default correlation logic.
Opened a ticket with SailPoint to hopefully dig deeper.
It turned out to be the âuuidâ hidden attribute on the accounts object. In the SaaS connector I had mapped this attribute to the identity âdisplayNameâ not really knowing what the âuuidâ attribute represents.
For some reason, ISC attempts to correlate to identities using this backend attribute which was causing the issue. I mapped this attribute to a unique identifier and it solved the aggregation issue! Wish this correlation logic was represented either in the documentation or in the correlation configuration connector settings.
