The target source's nativeIdentity is missing during the create operation using the WSC

Hi Experts,

We have an application where the schema account ID is generated in the target system, and the new account ID is used for assigning entitlements.
Here is my current situation:

|   | HTTP Operation | Status | Description |
|---|---|---|---|
| 1 | Account aggregation | Success | - |
| 2 | Entitlement aggregation | Success | - |
| 3 | Create account and add entitlement | Not successful | The account was created in the target system but the account does not have the entitlement. IDN SaaS assigned the role already, and the new account’s nativeIdentity shows ‘???’. This will disappear once the target source aggregation is complete. |
| 4 | Add entitlement to existing account | Success | - |
| 5 | Remove entitlement from existing account | Success | - |
| 6 | Aggregate target system, then start modify operation and add entitlement | Success | nativeIdentity mapped after target source aggregation |

I hope you can suggest any helpful ideas.

Hi Jaewon,

  1. Did you set up a Response Mapping in the ‘Create Account’ Operation? After the connector has initiated the creation of the account, ISC will need confirmation from the target that the account has been created successfully.
  2. Did you set up a ‘Get Object’ Operation?

If those 2 do not help, can you provide any logs?

Kind Regards,

3 Likes

Hi @jwshin,

As Kyle mentioned, the ‘???’ will appear if the account id is not properly mapped from the response of the create account. Are you sure the mapping for this is correct?

If you would like to create the account with the entitlement, as opposed to using a separate operation (Add Entitlement), ensure you have checked the “Create Account with Ent Request” in the additional settings. If you do not have this checked and are using two operations, the Add Entitlement will not work if the account ID is not mapped correctly in the response object of the create account.

If you are still unsure, please provide some information on the response body of the create account, response mapping, and account schema.

1 Like

Hi @kyle1

Q1: Did you set up a Response Mapping in the ‘Create Account’ Operation?
After the connector has initiated the creation of the account, ISC will need confirmation from the target that the account has been created successfully.

A1: I configured the $response.id$ response mapping, but it seems to have failed to successfully configure the nativeIdentity. If there is a recommended configuration, I would appreciate it if you could let me know.

After the create operation is executed, the response returns the following JSON body:

{
    "id": "yy-zz-gg-zz", //this is account id (schema)
    "meta": {
        "created": "2024-06-20T07:22:49Z",
        "lastModified": "2024-06-20T07:22:49Z",
        "location": "https://targetSystem.com/something/Users/xx-yy-zz-xx",
        "version": "zz-zz-zz-zz",
        "resourceType": "User"
    },
    "schemas": [
       //something
    ],
    "userName": "IdentityNow UID", // IdentityNow authoritative source id
    "name": {
        "familyName": "fname",
        "givenName": "gname"
    },
    "userType": "public",
    "active": true,
    "emails": [
        {
            "value": "[email protected]",
            "primary": true
        }
    ],
    "urn:xxx:User": {
        "emails": [
            {
                "value": "[email protected]",
                "primary": true
            }
        ],
        "userUuid": "xx-xx-xx-xx",
        "mailVerified": false,
        "userId": "xxxx",
        "status": "active"
    }
}

Q2: Did you set up a ‘Get Object’ Operation?

A2: Actually, I attempted to configure Get Object API like GET /Users/, but it was not successful. I am not sure if it is because the nativeIdentity attribute could not be found, but the get object operation did not function correctly after the create operation.

Regards,

Hi @bcariaga ,

Yes, as you mentioned, the create operation was successful, but the subsequent add entitlement only occurs within the SaaS and does not provision to the actual target system due to the nativeIdentity not being correctly mapped.

I did not check the “Create Account with Ent Request” option because the endpoints for creating accounts and assigning entitlement groups are different.

It seems that the nativeIdentity mapping is the primary issue. I would greatly appreciate any suggestions on how to resolve this correctly.

Regards,

Hi @jwshin,

That ‘Schema Attribute’ is the attribute you have defined in your Account Schema. Assuming within your account schema you have set the NativeIdentity as id and in your Response Information you have a $ in your Root Path -

Please try the following values:
Schema Attribute = id
Attribute Path = id

Kind Regards,

3 Likes

Hi @kyle1

Here’s additional info about configuration

account schema
ID : Account ID (target system generate)
USERNAME : Account Name and IDN uid
value : group entitlement
display : group description

Create Account Response Info

Create Account Response Mapping

search error log

Regards,

Please try removing the $ from the Root Path in the Response Information tab.

Also make the following change to the Response Mapping tab:
Schema Attribute = ID
Attribute Path = id

Let me know the results.

4 Likes
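The mapping problem discussed above can be caught offline before a create request is provisioned. The following is an added example, not part of the original posts and not the connector's own code: it checks a response mapping against the account schema and a sample create-account response. The function names, the dotted-path resolution and the exact-case matching of schema attribute names are assumptions taken from the fix described in this thread.

```python
import json

# Constructed sample: trimmed version of the create-account response posted in the thread.
SAMPLE_RESPONSE = json.loads("""
{
  "id": "yy-zz-gg-zz",
  "userName": "IdentityNow UID",
  "name": {"familyName": "fname", "givenName": "gname"},
  "active": true
}
""")

# Account schema attribute names as listed in the thread; ID is the identity attribute.
ACCOUNT_SCHEMA = ["ID", "USERNAME", "value", "display"]
IDENTITY_ATTRIBUTE = "ID"


def resolve(body, path):
    """Walk a dotted path (e.g. 'name.givenName') through a parsed JSON object."""
    node = body
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def check_mapping(mapping, body, schema=ACCOUNT_SCHEMA, identity=IDENTITY_ATTRIBUTE):
    """Return a list of problems that would leave the account ID unresolved."""
    problems = []
    for schema_attr, path in mapping.items():
        # Assumption: schema attribute names must match the account schema exactly.
        if schema_attr not in schema:
            near = [s for s in schema if s.lower() == schema_attr.lower()]
            hint = f" (did you mean '{near[0]}'?)" if near else ""
            problems.append(f"'{schema_attr}' is not an account schema attribute{hint}")
        # An empty or missing value also covers a create call that returns no body.
        if resolve(body, path) in (None, ""):
            problems.append(f"path '{path}' has no value in the response")
    if identity not in mapping:
        problems.append(f"identity attribute '{identity}' is not mapped")
    return problems


if __name__ == "__main__":
    for label, mapping in [("before", {"id": "id"}), ("after", {"ID": "id"})]:
        print(label, check_mapping(mapping, SAMPLE_RESPONSE) or "OK")
```

An account whose identity attribute does not resolve stays at ‘???’ until the next aggregation, so entitlement changes requested in that window are recorded in the SaaS without reaching the target system.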

Hi @kyle1 ,

Thanks, it works. Based on your advice, I have realized the importance of accurately mapping the account attributes.

Regards,

2 Likes

Hi,

And what to do if, after the create operation, the API returns an empty response?

Hello everyone!

I am facing a similar issue.
The scenario is the same, but:
Unable to see the nativeIdentity after account creation; it is showing ???. It can be seen after aggregation.
The roles are not shown after aggregation; they can be seen before aggregation.
The request is shown as completed.

The account schema is set up as mentioned above. No get single object is performed.

Hi @sidharth_tarlapally ,

I recommend setting the NativeIdentity correctly with response mapping.
IdentityNow SaaS does not know the exact ID when creating an account because the target system generates the ID itself.

create account > response mapping
please check schemaAttribute and attribute path.

Regards,

1 Like
