SailPoint IIQ Form Issue

Which IIQ version are you inquiring about?

8.3p5

Please share any images or screenshots, if relevant.

SailPoint IIQ Form Issue

Please share any other relevant files that may be required (for example, logs).

NA

Share all details about your problem, including any error messages you may have received.

We see an issue with dynamic form field, where we have script for type and value setting.

the password is getting generated before the field is selected.

We have patched recently from 8.3p2 to 8.3p5.
We are facing issue with oracle database - Direct connector.

We can see the password is committed, but link in lidentity is not updated with new password, we have password policy to restrict use of last 24 password

Hi @sanketsaurabh_EH

Could you please share the hidden field script and the value setting script that you are currently using?

It would really help to understand what exactly you are trying to achieve. I’d like to replicate the same scenario in my environment to troubleshoot this more accurately.

If possible, please share:

The form XML (especially the hidden field configuration)

Scripts used (both hidden logic and value assignment)

This will help in identifying the issue quickly.

Thanks!

After I have made changes to “value script” to only generate value when

mode is not null and it is Auto Generated,

I was able to eliminate the issue with password getting generated instantly after form load, but now issue is , in identity xml, for link , password history is not updated.

I can see the provisioning result

<ProvisioningPlan nativeIdentity="193676" targetIntegration="abc Database" trackingId="a09dc3827b482655f4">
  <AccountRequest application="abc Database" nativeIdentity="S_Saurabh" op="Modify" targetIntegration="abc Database">
    <Attributes>
      <Map>
        <entry key="provisioningTransactionId" value="0a2936b19ea/>
      </Map>
    </Attributes>
    <AttributeRequest name="PASSWORD" op="Set" value="2:ACP:Fb9eMI4FA8="/>
    <ProvisioningResult status="committed"/>
  </AccountRequest>
  <ProvisioningResult status="committed"/>
</ProvisioningPlan>
// type script

     import sailpoint.tools.Util;

              String mode= $(change_mode);
              if(Util.isNotNullOrEmpty(mode) &amp;&amp; mode.equalsIgnoreCase("Auto Generated") )
              {
              return false;
              }
              else
              return true;

//value script

‘’’import java.util.*;
import sailpoint.object.*;
import sailpoint.api.*;
import java.lang.Object;
import sailpoint.object.BaseAttributeDefinition;
import sailpoint.tools.Util;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import sailpoint.object.Custom;

//*****added today start

String mode = $(change_mode);String existing = (String) field.getValue();

//  Do not regenerate
if (Util.isNotNullOrEmpty(existing)) {return existing;}

  //  Only generate when explicitly requested
  if (Util.isNullOrEmpty(mode) || !mode.equalsIgnoreCase("Auto Generated")) {
  return null;
  }

// ****added today end

  String appName = $(applicationName);
  String idName = $(identityName);
  boolean checkAppName = $(checkApplicationName);
  Custom customObj = context.getObjectByName(Custom.class,"PassWordManagement_Custom");
  HashMap passMap = customObj.get("NotAllowedSpecialCharacters"); 
  String password1="";
  if (Util.isNotNullOrEmpty(appName))
  {
  if (checkAppName)
  
  {
  Application appObj = context.getObjectByName(Application.class,appName);
  List passwordPolicies = appObj.getPasswordPolicies();
  if(passwordPolicies != null &amp;&amp; !(passwordPolicies.isEmpty()))
  {
  PasswordPolicyHolder passwordPolicyHolder = passwordPolicies.get(0);

  PasswordPolicy policy = passwordPolicyHolder.getPolicy();
  password1 = new PasswordGenerator(context).generatePassword(policy);
  System.out.println("Password before the mr==true condition =" + password1);
  String finalPattern = "\["+passMap.get(appName)+"\]";
  Pattern regex = Pattern.compile(finalPattern);
  Matcher matcher = null;
  matcher = regex.matcher(password1);
  boolean mr = matcher.find();
  if(mr == true)
  {
  do
  {    
  password1 =  new PasswordGenerator(context).generatePassword(policy);
  System.out.println("Password during the mr==true condition =" + password1);
  matcher = regex.matcher(password1);
  }while(matcher.find());
  }
  }
  }
  }
  System.out.println("Password after the mr==true condition =" + password1);
  return password1; 

‘’’

@sanketsaurabh_EH

Is the driving field configured with Refresh on Change?

Does the password field depend on another field?

Does the Value Script validate that the dependent field contains a value before generating the password?

Can you share the Type Script and Value Script?

Without a dependency or null check, the script may execute when the form first loads.

Hello @sanketsaurabh_EH

From the provisioning plan you shared, I can see the password attribute is going as:

<AttributeRequest name=“PASSWORD” op=“Set” …/>

Please try changing the provisioning policy field name / attribute request name to lowercase:

password

IIQ password history logic generally checks for the account request attribute named exactly ‘password’. Since your plan contains ‘PASSWORD’, IIQ may provision the password successfully, but it may not recognize it for Link password history update.

Expected plan should look like:

Also verify:

  1. Application has PASSWORD feature enabled.
  2. Password policy is attached to the application.
  3. Password history length is configured greater than 0.
  4. No provisioning rule is removing or renaming the password attribute.
  5. Check Identity XML after provisioning completes.

So the first correction I would suggest is: rename the provisioning policy field from ‘PASSWORD’ to ‘password’.

Do you have any SailPoint documentation or code reference indicating that IdentityIQ password history processing specifically requires the AccountRequest/AttributeRequest name to be password (lowercase)?

@sanketsaurabh_EH Please confirm if your issue is resolved. If so, please let us know how did you fix it to help fellow sailors having the similar issue.

Is it fixed ? Could you please share the solution?