SAP Success Factor attributes do not sync to Active Directory via SailPoint IIQ

Hello Sailors,

I hope everyone is doing well!

I'm currently using SailPoint version 8.2p1, and we have already integrated SAP SuccessFactors with SailPoint as an authoritative source.

But most of the SAP SuccessFactors attributes do not sync to the target Active Directory; there is a mismatch between SAP and AD.

Please provide any solution, suggestion or steps on how to sync the SAP attributes with the AD attributes. Thanks in advance!

Thanks,
Madhav

@MADHAVREDDY Is SAP your authoritative source? If so, please add the target mapping for the identity attributes with the corresponding AD application attributes. If any attribute needs additional logic, use a rule mapping instead of a direct attribute mapping under the attributes of Identity Mappings in Global Settings.

Once this mapping is present, refreshing identities with "Synchronize attributes" will sync the data for the mapped target application attributes.


For example, for normal (String) attributes:

And in the refresh task:

Some attributes need a conversion; for instance, if you want to set the manager in Active Directory, the value must be the DN of the manager, not the name.

You mentioned most of the attributes do not sync, so there are some which do sync?
Which attributes do not sync?

– Remold


Hi @Remold :

Thanks for the quick response!

The screenshot below shows the SAP SuccessFactors account profile for one of the users.


In that account profile, the ManagerID attribute value shows as different from the employee ID value displayed in the identity attributes.

I have verified "451" in both SuccessFactors and SailPoint and didn't find anything about it.
Could you please provide your inputs on the ManagerID attribute value? Does SailPoint generate an index for the manager attribute value?

Your suggestions or inputs on the same will be highly appreciated!

Thanks,
Madhav

If your question is about the manager, then:

  1. Find out the manager correlation in your SuccessFactors application; you can find it under the Correlation tab.
  2. Is the manager displayed in the identity as a hyperlink?
  3. Did you add a target mapping to AD for the manager attribute?
  4. In AD, for manager we sync the DN.

The value of the manager attribute for Active Directory should contain the distinguished name of the manager instead of the name string.

In the Target Mapping there should be a rule, where the rule gets the DN of the manager.
So if you also create an identity attribute mapping for the distinguishedName (DN), it is simple to get it via a rule:


And the content of this AD Manager transformation rule would look like:

  // IdentityAttributeTarget rule for the AD "manager" attribute.
  // 'value', 'identity' and 'context' are the rule inputs; returns the manager DN or null.
  import sailpoint.object.Identity;

  Identity manager = null;
  if (value != null) {
      // 'value' is the manager identity name carried by the identity attribute
      manager = context.getObjectByName(Identity.class, value);
  } else if (identity != null) {
      manager = identity.getManager();
  }
  if (manager != null) {
      // distinguishedName is the identity attribute mapped from the AD account
      return manager.getAttribute("distinguishedName");
  }
  return null;

– Remold


Yes, the Manager attribute value is displayed as a hyperlink in the identity attributes.

Hi @Remold :

Is the DN attribute configuration in the above screenshot correct?

Thanks,
Madhav

Looks OK if everyone has one AD account. If anyone has more AD accounts, then again a global rule must be created to select the DN from the 'primary' AD account of the identity.

— Remold

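As an added example (not code from the original thread, and not SailPoint's own), the selection Remold describes could be implemented as an IdentityAttributeTarget rule like the one below. It assumes the standard inputs for that rule type (`context`, `log`, `identity`, `value`, `target`), that the AD application can be taken from the AttributeTarget, and that the AD Link exposes `distinguishedName` and `sAMAccountName` plus the connector's disabled/locked flags. The "primary account" criteria (enabled, unlocked, no `-adm` suffix on sAMAccountName) are assumptions chosen for illustration and must be replaced with the site's own convention.

```java
// Added example: IdentityAttributeTarget rule body for the AD "manager" attribute
// when a manager may own several AD accounts. Not from the original thread.
// Rule inputs assumed (standard for this rule type): context, log, identity, value, target.
import java.util.Iterator;
import java.util.List;
import sailpoint.object.Application;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.tools.Util;

// ASSUMPTION: at this site, secondary/admin accounts carry this sAMAccountName suffix.
String ADMIN_SUFFIX = "-adm";

// Resolve the manager: 'value' is the manager identity name carried by the
// identity attribute; fall back to the identity's own manager reference.
Identity manager = null;
if (value != null) {
    manager = context.getObjectByName(Identity.class, value.toString());
} else if (identity != null) {
    manager = identity.getManager();
}
if (manager == null) {
    log.debug("manager rule: no manager for " + (identity != null ? identity.getName() : "null"));
    return null;
}

// Take the AD application from the AttributeTarget so the rule is not bound
// to a hard-coded application name.
Application ad = target.getApplication();
List links = manager.getLinks(ad);
if (Util.isEmpty(links)) {
    log.warn("manager rule: " + manager.getName() + " has no account on " + ad.getName());
    return null;
}

// Pick the 'primary' account: the first enabled, unlocked account that is not an
// admin account; else the first enabled account; else the first account at all
// (logged at WARN so a disabled or locked manager account is visible).
Link primary = null;
Link firstEnabled = null;
for (Iterator it = links.iterator(); it.hasNext();) {
    Link l = (Link) it.next();
    if (l.isDisabled() || l.isLocked()) {
        continue;
    }
    if (firstEnabled == null) {
        firstEnabled = l;
    }
    String sam = (String) l.getAttribute("sAMAccountName");
    if (sam != null && !sam.toLowerCase().endsWith(ADMIN_SUFFIX)) {
        primary = l;
        break;
    }
}
if (primary == null) {
    primary = (firstEnabled != null) ? firstEnabled : (Link) links.get(0);
    log.warn("manager rule: no clearly primary AD account for " + manager.getName()
             + "; using " + primary.getNativeIdentity());
}

// The AD connector stores the account DN as the native identity; prefer the
// schema attribute when it is present on the Link.
String dn = (String) primary.getAttribute("distinguishedName");
if (Util.isNullOrEmpty(dn)) {
    dn = primary.getNativeIdentity();
}
log.debug("manager rule: manager DN for " + manager.getName() + " is " + dn);
return dn;
```

The DEBUG and WARN lines are the instrumentation suggested later in this thread: with them in place, a missing provisioning request in the refresh task result can be traced to either "no manager", "no AD account" or "DN unchanged" without guessing.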

I have configured the same as per your inputs.

Still, the manager attribute is not populated. Did I miss any step in the configuration process?

I also ran the below tasks:

Account aggregation for AD.
Refresh Identity
Perform Maintenance

but there is no luck.

Do you see any error in the logs?

And if you add additional log.error lines in the transformation rule (for instance at the start of the rule and to display the found DN)?

– Remold

There are no errors in the logs.

Also when you add error-log lines for debugging?

– Remold


When you run the refresh task with the Synchronize attributes option enabled, you see Provisioning Requests in your Refresh Task Result.

You should add logs in your Transformation Rule to see what is happening. If there is no provisioning request in the Refresh Task Result, it means that there is nothing to provision because the manager in the Identity and the manager in the Link object are the same, so it is filtered.


Hi @Remold @MVKR7T

2023-10-25 10:17:57,475 ERROR QuartzScheduler_Worker-5 sailpoint.connector.ADLDAPConnector:5148 - 58093286 Exception occurred in handling Object Request
sailpoint.tools.GeneralException: Error(s) reported back from the IQService - Failed to update attributes for identity CN=Abdul Hajee,OU=Cyber Security,OU=Technology,. A constraint violation occurred.

at sailpoint.connector.ADLDAPConnector.processResponse(ADLDAPConnector.java:5500) ~[connector-bundle-directories.jar:8.2p1]
at sailpoint.connector.ADLDAPConnector.handleObjectRequest(ADLDAPConnector.java:6023) ~[connector-bundle-directories.jar:8.2p1]
at sailpoint.connector.ADLDAPConnector.provision(ADLDAPConnector.java:5139) [connector-bundle-directories.jar:8.2p1]
at sailpoint.connector.ConnectorProxy.provision(ConnectorProxy.java:1085) [connector-bundle-identityiq.jar:8.2p1]
at sailpoint.integration.ConnectorExecutor.provision(ConnectorExecutor.java:160) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.provisioning.PlanEvaluator.provision(PlanEvaluator.java:1617) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.provisioning.PlanEvaluator.execute(PlanEvaluator.java:958) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.provisioning.PlanEvaluator.execute(PlanEvaluator.java:843) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.provisioning.PlanEvaluator.execute(PlanEvaluator.java:737) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.api.Provisioner.execute(Provisioner.java:1730) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.api.Identitizer.finishRefresh(Identitizer.java:2887) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.api.Identitizer.refresh(Identitizer.java:2472) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.task.IdentityRefreshExecutor$RefreshWorker.refreshAndProcess(IdentityRefreshExecutor.java:1585) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.task.IdentityRefreshExecutor$RefreshWorkerPool.queue(IdentityRefreshExecutor.java:1903) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.task.IdentityRefreshExecutor.refresh(IdentityRefreshExecutor.java:1106) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.task.IdentityRefreshExecutor.execute(IdentityRefreshExecutor.java:849) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.api.TaskManager.runSync(TaskManager.java:909) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.api.TaskManager.runSync(TaskManager.java:724) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.scheduler.JobAdapter.execute(JobAdapter.java:128) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at org.quartz.core.JobRunShell.run(JobRunShell.java:202) [quartz-2.3.2.jar:?]
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573) [quartz-2.3.2.jar:?]

2023-10-25 10:37:33,463 ERROR QuartzScheduler_Worker-5 TaskRule :: Mapping_PhoneNumber:166 - BUSINESSPHONE is null or Empty for ‘9056’!!!
2023-10-25 10:37:33,541 ERROR QuartzScheduler_Worker-5 TaskRule :: Mapping_PhoneNumber:166 - BUSINESSPHONE is null or Empty for ‘9049’!!!
2023-10-25 10:37:33,588 ERROR QuartzScheduler_Worker-5 TaskRule :: Mapping_PhoneNumber:166 - BUSINESSPHONE is null or Empty for '9

sailpoint.connector.ConnectorException: java.lang.Exception: [ERROR 1] Failed to connect to server:ldap://R******:389 - [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 775, v4563 ]

at sailpoint.connector.activedirectory.ConnectionManager.createContextForDN(ConnectionManager.java:373) ~[connector-bundle-directories.jar:8.2p1]
at sailpoint.connector.ADLDAPConnector.createContextForDN(ADLDAPConnector.java:12069) ~[connector-bundle-directories.jar:8.2p1]
at sailpoint.connector.ADLDAPConnector.createContextForDN(ADLDAPConnector.java:12027) ~[connector-bundle-directories.jar:8.2p1]
at sailpoint.connector.activedirectory.ForestUtil.createDomainObjectSidMapFromDomainCtxMap(ForestUtil.java:1687) [connector-bundle-directories.jar:8.2p1]
at sailpoint.connector.activedirectory.ForestUtil.populateGroupMembershipOnlyDomains(ForestUtil.java:1225) [connector-bundle-directories.jar:8.2p1]
at sailpoint.connector.ADLDAPConnector.populateGroupMembershipOnlyDomains(ADLDAPConnector.java:12272) [connector-bundle-directories.jar:8.2p1]
at sailpoint.connector.ADLDAPConnector$DirSyncIterator.init(ADLDAPConnector.java:7983) [connector-bundle-directories.jar:8.2p1]
at sailpoint.connector.ADLDAPConnector$DirSyncIterator.init(ADLDAPConnector.java:7843) [connector-bundle-directories.jar:8.2p1]
at sailpoint.connector.ADLDAPConnector.initializeDirSyncForDelta(ADLDAPConnector.java:2954) [connector-bundle-directories.jar:8.2p1]
at sailpoint.connector.ADLDAPConnector.iterateObjectsSingleForest(ADLDAPConnector.java:1438) [connector-bundle-directories.jar:8.2p1]
at sailpoint.connector.ADLDAPConnector.iterateObjectsMultiForest(ADLDAPConnector.java:1597) [connector-bundle-directories.jar:8.2p1]
at sailpoint.connector.ADLDAPConnector.iterateObjects(ADLDAPConnector.java:2838) [connector-bundle-directories.jar:8.2p1]
at sailpoint.connector.ConnectorProxy.iterateInternal(ConnectorProxy.java:663) [connector-bundle-identityiq.jar:8.2p1]
at sailpoint.connector.ConnectorProxy.iterateObjects(ConnectorProxy.java:631) [connector-bundle-identityiq.jar:8.2p1]
at sailpoint.api.Aggregator.aggregateGroups(Aggregator.java:5417) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.api.Aggregator.aggregateApplication(Aggregator.java:2659) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.api.Aggregator.phaseAggregate(Aggregator.java:2571) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.api.Aggregator.execute(Aggregator.java:2139) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.task.ResourceIdentityScan.doUnpartitioned(ResourceIdentityScan.java:245) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.task.ResourceIdentityScan.execute(ResourceIdentityScan.java:225) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.api.TaskManager.runSync(TaskManager.java:909) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.api.TaskManager.runSync(TaskManager.java:724) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.scheduler.JobAdapter.execute(JobAdapter.java:128) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at org.quartz.core.JobRunShell.run(JobRunShell.java:202) [quartz-2.3.2.jar:?]
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573) [quartz-2.3.2.jar:?]

Caused by: java.lang.Exception: java.lang.Exception: [ERROR 1] Failed to connect to server:ldap://Ry*****:389 - [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 775, v4563 ]

at sailpoint.connector.activedirectory.ConnectionManager.createContextUsingServers(ConnectionManager.java:454) ~[connector-bundle-directories.jar:8.2p1]
at sailpoint.connector.activedirectory.ConnectionManager.createContextDefaultBind(ConnectionManager.java:403) ~[connector-bundle-directories.jar:8.2p1]
at sailpoint.connector.activedirectory.ConnectionManager.createContextForDN(ConnectionManager.java:336) ~[connector-bundle-directories.jar:8.2p1]
... 24 more

Caused by: java.lang.Exception: [ERROR 1] Failed to connect to server:ldap://R****:389 - [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 775, v4563 ]

The error indicates:
775 — account locked out

Returned when a valid username is supplied, but the account is locked out. Note that this error will be returned regardless of whether or not the password is invalid.

– Remold


Hi @Remold :

Now the manager attribute is populated properly in AD.

Similarly, we need to populate the "Company" and "Office" attributes in AD.

The Company and Office attributes are not available in AD; in this case, how do we proceed?

Please take a look at the Active Directory LDAP Field Mappings.

There are fields for Company and Office in AD.

– Remold


In the AD application schema in IdentityIQ, 'Office' is mapped to physicalDeliveryOfficeName.

And for Company you need to add a new attribute to the account schema:

So for the Target Mapping you can map:

  • Office to physicalDeliveryOfficeName
  • Company to Company

– Remold


Hi @Remold @MVKR7T

After adding the below attributes in the application schema as well as in Identity Mappings, and running the AD account aggregation, I am getting the below error.

Thanks,
Madhav