SAP Success Factor attributes do not sync to Active Directory via SailPoint IIQ

Hello Sailors,

I hope everyone is doing well. !

I’m currently using SailPoint version 8.2p1, we have already integrated SAP Success Factor with SailPoint as an authoritative source.

But most of the SAP success factor attributes do not sync in target Active Directory, there is a mismatch between SAP and AD.

Please provide me any solution or suggestion or steps, how to sync SAP attributes with AD attributes.? Thanks in advance!

Thanks,
Madhav

@MADHAVREDDY Is SAP your Authorative source, if so please add the Target mapping for the identity attributes with corresponding AD application attributes and if any attribute needs additional logic implementation have a rule mapping instead of direct attribute mapping under the attributes of Identity Mappings under Global settings

Once this mapping is present, refreshing identity with Synchronize attributes will sync the data for mapped target application attributes.

1 Like

For example for normal (String) attributes:

And in the refresh task:

Some attributes need a conversion, for instance if you want to set the manager in Active Directory, the value must be the DN of the manager, not the name.

You mentioned most of the attributes do not sync, so there are some which does sync?
Which attributes do not sync?

– Remold

1 Like

Hi @Remold :

Thanks for quick response!

Below screenshot refers the SAP success factor Account Profile for one of the user.

image

In that account profile ManagerID attribute value will be showing as different, the one which displayed in identity attributes value employee id.

I have verified “451” in both success factor and SailPoint didn’t find anything about that.
Could you please provide your inputs on the ManagerID attribute value, is there any SailPoint will generate index of the manager attribute value.

for your suggestions or inputs on the same will be highly appreciated!

Thanks,
Madhav

If your question is about manager then

  1. Find out manager correlation in your SuccessFactors, you can find under correlation tab.
  2. Do you have manager displayed in identity as a hipherlink
  3. Did you add Target mapping to AD for manager attribute
  4. In AD, for manager we sync DN

The value of the manager attribute for Active Directory should contain the distinguished name of the manager instead of the name string.

In the Target Mapping should be a rule, where the rule gets the DN of the manager.
So if you also create an identity attribute mapping for the distinguishedName of DN, it is simple to get it via a rule:

image

And the content of this AD Manager transformation rule would look like:

  import sailpoint.tools.Util;
	Identity manager = null;
	if(value != null) {
		manager = context.getObjectByName(Identity.class, value);
	} else {
		manager = identity.getManager();
	}
	if(manager != null){
		return manager.getAttribute("distinguishedName");
	}
	return null;

– Remold

2 Likes

Yes, Manger attribute value as displayed hyperlink in identity attributes

Hi @Remold :

Above screenshot DN attribute configuration is correct?

Thanks,
Madhav

Looks ok if everyone has 1 AD account. If anyone has more AD accounts then again a global rule must be created to select the DN from the ‘primary’ AD account of the identity.

— Remold

1 Like

I have configured the same as per your inputs.

Still manager attribute will be not populated. any step i missed in that configuration process?

I ran the below tasks also.

Account aggregation for AD.
Refresh Identity
Perform Maintenance

but there is no luck?

Do you see any error in the logs?

And if you add additional log.error- lines in the transformation rule (for instance at the start of the rule and to display the found DN)?

– Remold

There is no errors in logs

Also when you add error-log lines for debugging ?

– Remold

1 Like

When you run refresh task with Synchronize attributes option enabled, you see Provisioning Requests in your Refresh Task Result.

You should add logs in your Transformation Rule to see what is happening. If there is no provisioning request in Refresh Task Result it means that there is nothing to provision because manager in Identity and manager in Link object is same, so it is filtered.

1 Like

Hi @Remold @MVKR7T

2023-10-25 10:17:57,475 ERROR QuartzScheduler_Worker-5 sailpoint.connector.ADLDAPConnector:5148 - 58093286 Exception occurred in handling Object Request
sailpoint.tools.GeneralException: Error(s) reported back from the IQService - Failed to update attributes for identity CN=Abdul Hajee,OU=Cyber Security,OU=Technology,. A constraint violation occurred.

at sailpoint.connector.ADLDAPConnector.processResponse(ADLDAPConnector.java:5500) ~[connector-bundle-directories.jar:8.2p1]
at sailpoint.connector.ADLDAPConnector.handleObjectRequest(ADLDAPConnector.java:6023) ~[connector-bundle-directories.jar:8.2p1]
at sailpoint.connector.ADLDAPConnector.provision(ADLDAPConnector.java:5139) [connector-bundle-directories.jar:8.2p1]
at sailpoint.connector.ConnectorProxy.provision(ConnectorProxy.java:1085) [connector-bundle-identityiq.jar:8.2p1]
at sailpoint.integration.ConnectorExecutor.provision(ConnectorExecutor.java:160) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.provisioning.PlanEvaluator.provision(PlanEvaluator.java:1617) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.provisioning.PlanEvaluator.execute(PlanEvaluator.java:958) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.provisioning.PlanEvaluator.execute(PlanEvaluator.java:843) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.provisioning.PlanEvaluator.execute(PlanEvaluator.java:737) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.api.Provisioner.execute(Provisioner.java:1730) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.api.Identitizer.finishRefresh(Identitizer.java:2887) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.api.Identitizer.refresh(Identitizer.java:2472) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.task.IdentityRefreshExecutor$RefreshWorker.refreshAndProcess(IdentityRefreshExecutor.java:1585) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.task.IdentityRefreshExecutor$RefreshWorkerPool.queue(IdentityRefreshExecutor.java:1903) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.task.IdentityRefreshExecutor.refresh(IdentityRefreshExecutor.java:1106) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.task.IdentityRefreshExecutor.execute(IdentityRefreshExecutor.java:849) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.api.TaskManager.runSync(TaskManager.java:909) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.api.TaskManager.runSync(TaskManager.java:724) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.scheduler.JobAdapter.execute(JobAdapter.java:128) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at org.quartz.core.JobRunShell.run(JobRunShell.java:202) [quartz-2.3.2.jar:?]
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573) [quartz-2.3.2.jar:?]

2023-10-25 10:37:33,463 ERROR QuartzScheduler_Worker-5 TaskRule :: Mapping_PhoneNumber:166 - BUSINESSPHONE is null or Empty for ‘9056’!!!
2023-10-25 10:37:33,541 ERROR QuartzScheduler_Worker-5 TaskRule :: Mapping_PhoneNumber:166 - BUSINESSPHONE is null or Empty for ‘9049’!!!
2023-10-25 10:37:33,588 ERROR QuartzScheduler_Worker-5 TaskRule :: Mapping_PhoneNumber:166 - BUSINESSPHONE is null or Empty for '9

sailpoint.connector.ConnectorException: java.lang.Exception: [ERROR 1] Failed to connect to server:ldap://R******:389 - [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 775, v4563 ]

at sailpoint.connector.activedirectory.ConnectionManager.createContextForDN(ConnectionManager.java:373) ~[connector-bundle-directories.jar:8.2p1]
at sailpoint.connector.ADLDAPConnector.createContextForDN(ADLDAPConnector.java:12069) ~[connector-bundle-directories.jar:8.2p1]
at sailpoint.connector.ADLDAPConnector.createContextForDN(ADLDAPConnector.java:12027) ~[connector-bundle-directories.jar:8.2p1]
at sailpoint.connector.activedirectory.ForestUtil.createDomainObjectSidMapFromDomainCtxMap(ForestUtil.java:1687) [connector-bundle-directories.jar:8.2p1]
at sailpoint.connector.activedirectory.ForestUtil.populateGroupMembershipOnlyDomains(ForestUtil.java:1225) [connector-bundle-directories.jar:8.2p1]
at sailpoint.connector.ADLDAPConnector.populateGroupMembershipOnlyDomains(ADLDAPConnector.java:12272) [connector-bundle-directories.jar:8.2p1]
at sailpoint.connector.ADLDAPConnector$DirSyncIterator.init(ADLDAPConnector.java:7983) [connector-bundle-directories.jar:8.2p1]
at sailpoint.connector.ADLDAPConnector$DirSyncIterator.init(ADLDAPConnector.java:7843) [connector-bundle-directories.jar:8.2p1]
at sailpoint.connector.ADLDAPConnector.initializeDirSyncForDelta(ADLDAPConnector.java:2954) [connector-bundle-directories.jar:8.2p1]
at sailpoint.connector.ADLDAPConnector.iterateObjectsSingleForest(ADLDAPConnector.java:1438) [connector-bundle-directories.jar:8.2p1]
at sailpoint.connector.ADLDAPConnector.iterateObjectsMultiForest(ADLDAPConnector.java:1597) [connector-bundle-directories.jar:8.2p1]
at sailpoint.connector.ADLDAPConnector.iterateObjects(ADLDAPConnector.java:2838) [connector-bundle-directories.jar:8.2p1]
at sailpoint.connector.ConnectorProxy.iterateInternal(ConnectorProxy.java:663) [connector-bundle-identityiq.jar:8.2p1]
at sailpoint.connector.ConnectorProxy.iterateObjects(ConnectorProxy.java:631) [connector-bundle-identityiq.jar:8.2p1]
at sailpoint.api.Aggregator.aggregateGroups(Aggregator.java:5417) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.api.Aggregator.aggregateApplication(Aggregator.java:2659) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.api.Aggregator.phaseAggregate(Aggregator.java:2571) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.api.Aggregator.execute(Aggregator.java:2139) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.task.ResourceIdentityScan.doUnpartitioned(ResourceIdentityScan.java:245) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.task.ResourceIdentityScan.execute(ResourceIdentityScan.java:225) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.api.TaskManager.runSync(TaskManager.java:909) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.api.TaskManager.runSync(TaskManager.java:724) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at sailpoint.scheduler.JobAdapter.execute(JobAdapter.java:128) [identityiq.jar:8.2 Build cfad9a66460-20210923-160543]
at org.quartz.core.JobRunShell.run(JobRunShell.java:202) [quartz-2.3.2.jar:?]
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573) [quartz-2.3.2.jar:?]

Caused by: java.lang.Exception: java.lang.Exception: [ERROR 1] Failed to connect to server:ldap://Ry*****:389 - [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 775, v4563 ]

at sailpoint.connector.activedirectory.ConnectionManager.createContextUsingServers(ConnectionManager.java:454) ~[connector-bundle-directories.jar:8.2p1]
at sailpoint.connector.activedirectory.ConnectionManager.createContextDefaultBind(ConnectionManager.java:403) ~[connector-bundle-directories.jar:8.2p1]
at sailpoint.connector.activedirectory.ConnectionManager.createContextForDN(ConnectionManager.java:336) ~[connector-bundle-directories.jar:8.2p1]
... 24 more

Caused by: java.lang.Exception: [ERROR 1] Failed to connect to server:ldap://R****:389 - [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 775, v4563 ]

The error indicates:
775 — account locked out

Returned when a valid username is supplied, but the account is locked out. Note that this error will be returned regardless of whether or not the password is invalid.

– Remold

1 Like

Hi @Remold :

Now manger attribute will be populated properly in AD.

Same like we need to populate “Company and Office” attributes to AD.

Company and Office attributes will be not available in AD, in this case how to proceed further?

Please take a look at Active Directory LDAP Field Mappings.

There are fields for Company and Office in AD.

– Remold

1 Like

In the AD Application schema in IdentityIQ: ‘Office’ is mapped to physicalDeliveryOfficeName.

And for Company you need to add a new attribute to the account schema:

So for the Target Mapping you can map:

  • Office to physicalDeliveryOfficeName
  • Company to Company

– Remold

1 Like

Hi @Remold @MVKR7T

After adding the below attributes in application schema as well in Identity mappings.

after ran the AD account aggregation getting the below error.

Thanks,
Madhav