Source Accounts not correlating

Hey Team,

We have a source in both sandbox and production that is seen as 99% correlated when you try the “test” functionality (see picture), but when looking at the actual accounts just a fraction of that is actually correlated.

image958×439 18.7 KB

According to the pic, only 4 accounts should be uncorrelated. Currently, out of the 2800 accounts in total, only about 200 accounts are correlated.

Yes, we have tried unoptimized aggregation.

Hi @Swegmann FWIK, the test correlation functionality is just a tool to assist with correlation config and shouldn’t be relied on as “correct”. Can you not identify directly why the accounts are not getting correlated?

Hello Jeremy,

Well I am correlating on employeeNumber, which is identitcal to the values populated on the source accounts. I can’t find the issue therefore..

Hi Sebastian - So Employee Number (Identity) employeeNumber (Account)?

Just a thought, have you checked for leading/trailing spaces?

Is your employee number all numbers or are there any letters in it? If there are letters in it, is the case different between the Identity and the Account? If so it could be a case sensitivity issue so you might need to use a transform to ensure the case is always the same.

Correct!

Yes, and the values are identical. The strange part is that some accounts are actually correlating whilst other are not.

Hello Eric,

The employeeNumber is all digits (123456), and i have not found and discrepancies.

If the values are identical then this is a defect and should be taken up with SP.

Although, I suppose it would be possible to have duplicate Employee Numbers in ISC which would mean correlation failing. Has that been checked?

Duplicate Identity Cubes ? This is not the case. When confirming an uncorrelated account with the represented identity cube there is just the single identity with the same employeeNumber. Indeed this seems like a backend issue.

Not duplicate Identity Cubes, just different Identities with the same Employee Number. How did you confirm that there was not more than one Identity with the uncorrelated employeeNumber? Did you do a search, eg identificationNumber=‘123456’

Try an unoptimized aggregation of the source.

Hi @Swegmann

Regarding uncorrelated accounts … can you check under Identity management > accounts > uncorrelated accounts to see if there’s more than one uncorrelated accounts for that user?

Hi @Swegmann

If only 200 of 2800 accounts are correlated post-aggregation, check if the correlation logic (e.g., UID to identity attribute mapping) is correctly defined and matches expected values.
Also confirm there are no case sensitivity mismatches or formatting issues (e.g., domain prefixes or extra spaces).

Thanks
Manvitha

Thanks for all the answers,

The solution was real simple. I reset the source entirely and did an un-optimized aggregation directly after. Now the accounts are correlated.

In other words, just doing an un-optimized aggregation did not work, I had to reset the source first.

This is a very common issue we see from multiple customers and its 100% of the times something to do the logic or configuration or uncorrelated accounts.
Now, ISC wont find a match only in following conditions, make sure we check them all:

1. You have defined the logic to be case sensitive, hence data does not yield a match, you can change this using API when you make a call to correlation configuration. → API → mostly all versions have it just an example put-correlation-config | SailPoint Developer Community
2. Your correlation logic was not tied properly to the source again due to multiple reasons, try to add a new entry to the logic and ISC will ensure source & logic are binded if it wasnt in the first place. → you can remove the new added logic post saving immediately too.
3. ISC found too many results for your match, now if you have any uncorrelated accounts onboarded into ISC which do not match the correlation logic on their respective source to get linked to an identity. They stay around as uncorrelated account but in ISC’s internal working its an IDENTITY (native identity as we call it). Now, for the current source when you define the logic and run the aggs, ISC will find multiple results matching your logic and hence system confused & no yield. → stop aggregating uncorrelated accounts from other sources.
4. Multi valued attributes cannot be used for correlation logic or even you initially made it a multi valued and than changed it. As if its multi valued its an ARRAY and logic wont match ARRAY to STRING. → So, expectation is if you are wanting to use a previously termed multi valued attribute in ISC for correlation logic, please do a source reset.
5. Last - DELTA FLAG, if your DELTA flag is enabled and than you try to RUN an UNOPT aggregation, than ISC wont process your account considering unchanged and hence if not processed no correlation attempted. → for this single account aggs usually work

So, lots of players lots of variables in the correlation configuration, which we think is a simple task but isnt in the backdrop.

Let me know if any doubts.

Thank You

I have just experienced a correlation issue with a new Web Service source being built in a Sandbox tenant.

The issue was similar to that of the Original Post - i.e. low number of accounts correlating - in my case, just one account.

The issue was caused by the “accountCorrelationConfig” as seen via Postman or VS Code) in the source being ‘null’. When I changed the Account Correlation configuration in the UI, the “accountCorrelationConfig” was set with a “type”, “id” and “name”. I then performed an Account Aggregation (I did this with both optimised and unoptimised aggregations) and witnessed “accountCorrelationConfig” getting reset to ‘null’.

The solution was similar to that described above with the addition of the need to re-save the Account Correlation configuration in the UI: Reset the source (clear the accounts), Save Account Correlation config in the UI, perform an Unoptimised Account Aggregation.

I hope this helps someone in a simialr position in the future.