Set and Provision onPremisesExtensionAttributes to Entra ID

Which IIQ version are you inquiring about?

Version 8.X

Share all details related to your problem, including any error messages you may have received.

Hello!

We are trying to set and provision one of the onPremisesExtensionAttributes (extensionAttribute1) in Entra ID. onPremisesExtensionAttributes is in the schema and is marked as multi-valued. It is marked as multi-valued in the provisioning policy as well.

We have a FieldValue rule in the provisioning policy that reads the onPremisesExtensionAttributes from the account link and then sets extensionAttribute1 to a string value. It is our understanding that the onPremisesExtensionAttributes attribute is of type map and therefore, the rule should return a map. However, extensionAttribute1 is being provisioned with null as value. The logs show that extensionAttribute1 is being set in the provisioning plan but when provisioning, the connector provisions extensionAttribute1=null. We’ve tried returning the map as an arrayList but the result was the same.

Is it possible to return a map in a provisioning policy for a multi-valued attribute? Or is it even possible to modify the onPremisesExtensionAttributes attribute through IIQ?

All help or information regarding this is appreciated!

I don’t think the extensionAttribute1 mapping comes by default. Can you try setting this from multi-valued to a normal single-valued string?

Tried setting onPremisesExtensionAttributes to single valued string but same result as before.

Here’s the very short code that returns the map

import java.util.Map;
import java.util.HashMap;

Map extensionAttribute = link.getAttribute("onPremisesExtensionAttributes");
extensionAttribute.put("extensionAttribute1","PrivilegedAccount");

return extensionAttribute;

Hi,

In a FieldValue rule you don’t return a map, you must return the single value.

But I don’t understand what you want to do. Where do you want to write this attribute?

Hello!

Sorry, I realize that my first description of the problem might have been unspecific. I’ll try explaining it again:

In Entra ID there’s an attribute on User objects called “onPremisesExtensionAttributes”. This attribute contains 15 attributes that are called “extensionAttribute1”, “extensionAttribute2” … and so on. These attributes are aggregated into IIQ under the single, multi-valued attribute “onPremisesExtensionAttributes”, see attached image on an application account.

When an access request is made in IIQ for a privileged role in Entra ID, I want to provision a new account to Entra ID and set extensionAttribute1=“PrivilegedAccount” on the newly created Entra ID account. I’ve created a “Create” provisioning policy for accounts in the Entra ID connector in which the “onPremisesExtensionAttributes” attribute is defined and the rule is defined under value settings. The reason for modifying this attribute is to have a flag that indicates that the account is a privileged account. However, this attribute is not being set and there are no error messages. The logs show that the provisioning plan contains the correct value for extensionAttribute1, see image.

To answer your first statement, I figured that the fieldValue rule could return values in a list or map as long as the attribute was marked as multi-valued in the schema and provisioning policy. For example, in the account creation provisioning policy for AD, we return a list for the “proxyAddresses” attribute. This is working.



Ok, I understand.

Can you try to send the data in JSON format instead of a map, something like this:
<entry key="onPremisesExtensionAttributes" value='{"extensionAttribute1": "string", "extensionAttribute2": "string",…"extensionAttribute15": "string"}'/>


This solved the problem! Thank you very much!


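The JSON-string approach from the accepted reply, as an added example that is not part of the original thread or SailPoint's own code: a plain-Java helper (class and method names are hypothetical) that merges a new flag into the existing extension attributes and serializes the result as a JSON object string. In an IIQ FieldValue rule, the `existing` argument is assumed to come from `link.getAttribute("onPremisesExtensionAttributes")` and the returned string is assumed to be the rule's return value.

```java
import java.util.Collections;
import java.util.Map;
import java.util.TreeMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ExtensionAttributeJson {
    // Only extensionAttribute1 .. extensionAttribute15 are accepted as keys.
    private static final Pattern KEY = Pattern.compile("extensionAttribute([1-9]|1[0-5])");

    // Escape quotes, backslashes and control characters for a JSON string.
    static String escape(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c == '"' || c == '\\') sb.append('\\').append(c);
            else if (c < 0x20) sb.append(String.format("\\u%04x", (int) c));
            else sb.append(c);
        }
        return sb.toString();
    }

    // Copy validated entries into dst, keyed by attribute index; null values are skipped.
    private static void copy(Map<String, String> src, Map<Integer, String> dst) {
        if (src == null) return; // no existing values, e.g. nothing aggregated yet
        for (Map.Entry<String, String> e : src.entrySet()) {
            Matcher m = KEY.matcher(e.getKey());
            if (!m.matches()) throw new IllegalArgumentException("unexpected key: " + e.getKey());
            if (e.getValue() != null) dst.put(Integer.valueOf(m.group(1)), e.getValue());
        }
    }

    // Merge updates over existing values and return a JSON object string.
    static String toJson(Map<String, String> existing, Map<String, String> updates) {
        Map<Integer, String> merged = new TreeMap<>(); // sorted by index 1..15
        copy(existing, merged);
        copy(updates, merged); // updates win over existing values
        StringBuilder sb = new StringBuilder("{");
        for (Map.Entry<Integer, String> e : merged.entrySet()) {
            if (sb.length() > 1) sb.append(", ");
            sb.append("\"extensionAttribute").append(e.getKey()).append("\": \"")
              .append(escape(e.getValue())).append('"');
        }
        return sb.append('}').toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: one existing value plus the privileged-account flag.
        Map<String, String> existing = Collections.singletonMap("extensionAttribute2", "constructed value");
        Map<String, String> updates = Collections.singletonMap("extensionAttribute1", "PrivilegedAccount");
        System.out.println(toJson(existing, updates));
    }
}
```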