I have a use case where there are two authoritative sources: one containing student accounts and the other containing staff accounts. When a student is onboarded, an identity is created, which in turn generates an Active Directory account. Now, if the same individual is later onboarded as staff, the new account should be correlated with the existing AD account. Specifically, I’m wondering whether it is possible in IDN for both the student and staff accounts to have the same username so that they get correlated to a single AD account. I attempted this in my sandbox environment, but it didn’t work as expected.
Make sure you have an identity correlation rule configured in IDN that checks the username or another unique identifier to link the two accounts to the same identity.
Example Rule Logic:
Check if the username in both authoritative sources matches the sAMAccountName in the AD account.
Use a combination of attributes (e.g., email, employeeID) if usernames are not unique.
Account Correlation Rules: Verify the account correlation rules for AD to ensure they map the student and staff accounts to the same AD account.
Example: Match based on sAMAccountName or another unique attribute.
Example Scenario
Student Source:
Username: john.doe
Staff Source:
Username: john.doe
Active Directory:
sAMAccountName: john.doe
Correlation Logic: Match username from both sources to sAMAccountName in AD
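A worked illustration of the correlation logic in this answer, added here and not code from the thread or from SailPoint: the identities, AD accounts and the order of the attribute pairs are constructed, and the matching function is a simplified stand-in for an IDN correlation configuration rather than its actual API. It shows why the username should be the last key tried: when two identities share a username, a username-only account cannot be correlated safely and is flagged for review instead of guessed.

```python
# Added example (not from the thread or SailPoint): correlating AD accounts to
# identities by an ordered list of attribute pairs. All data is constructed.

# Identities as they would exist after aggregation from the authoritative
# sources; attribute names are constructed for this example.
IDENTITIES = [
    {"id": "id-1001", "username": "john.doe", "email": "john.doe@example.edu", "employeeId": "E100"},
    {"id": "id-1002", "username": "jane.roe", "email": "jane.roe@example.edu", "employeeId": "E200"},
    # Two identities sharing a username: usernames alone are not unique here.
    {"id": "id-1003", "username": "j.smith", "email": "jsmith@example.edu", "employeeId": "E300"},
    {"id": "id-1004", "username": "j.smith", "email": "john.smith@example.edu", "employeeId": "E301"},
]

# AD accounts (constructed). The third account carries only a sAMAccountName.
AD_ACCOUNTS = [
    {"sAMAccountName": "john.doe", "mail": "john.doe@example.edu", "employeeID": "E100"},
    {"sAMAccountName": "j.smith", "mail": "john.smith@example.edu", "employeeID": "E301"},
    {"sAMAccountName": "j.smith"},
    {"sAMAccountName": "ghost", "mail": "ghost@example.edu", "employeeID": "E999"},
]

# (AD attribute, identity attribute) pairs tried in order. The most specific
# identifier comes first; the username is the last resort because it is the
# attribute most likely to collide across student and staff feeds.
CORRELATION_KEYS = [
    ("employeeID", "employeeId"),
    ("mail", "email"),
    ("sAMAccountName", "username"),
]


def correlate(account, identities, keys=CORRELATION_KEYS):
    """Return (identity_id, ad_attribute) on a unique match, or (None, reason).

    A key that matches several identities is ambiguous and is skipped rather
    than guessed; if no key yields exactly one match the account stays
    uncorrelated so a reviewer can decide.
    """
    ambiguous_on = []
    for ad_attr, id_attr in keys:
        value = account.get(ad_attr)
        if not value:
            continue
        matches = [i for i in identities
                   if i.get(id_attr) and i[id_attr].lower() == value.lower()]
        if len(matches) == 1:
            return matches[0]["id"], ad_attr
        if len(matches) > 1:
            ambiguous_on.append(ad_attr)
    if ambiguous_on:
        return None, "ambiguous on " + ", ".join(ambiguous_on)
    return None, "uncorrelated"


def correlate_all(accounts=AD_ACCOUNTS, identities=IDENTITIES):
    """Return one (sAMAccountName, identity_id, detail) tuple per AD account."""
    return [(a["sAMAccountName"],) + correlate(a, identities) for a in accounts]


if __name__ == "__main__":
    for sam, ident, detail in correlate_all():
        print(f"{sam:10} -> {ident or '-':8} ({detail})")
```

Running it correlates john.doe and the staff j.smith on employeeID, leaves the username-only j.smith account ambiguous, and leaves ghost uncorrelated; in an IDN tenant the ambiguous and uncorrelated cases are the ones that surface as uncorrelated accounts on the source and need a manual correlation decision.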
Another AD account is created for the student identity. For example, the John.doe (student) identity has 2 AD accounts (one for the student AD and another one for the staff AD).
I think @sanekkanti is referring to the same thing: correlating one account with 2 identities. What is the unique attribute (for any of the identities) in both the auth sources and in AD? Use that for correlation.
The other way around is:
If the AD account is being created from any one of the auth sources, get a unique attribute in AD like sAMAccountName or email. Use this attribute to map it to one of the identity attributes for the other auth source in Identity mappings. Use this attribute in your correlation logic.
@pannir We run into this use case all the time in Higher Education. So, we built a community SaaS connector called Identity Fusion that will handle these exact use cases plus more.
A big part of this connector is that it will become your authoritative source, taking on both your student and staff sources. You will need to create a new Identity Profile (removing the others) as well as pointing to the Identity Fusion connector.
When it discovers a potential match between student and staff, it can do auto correlation or it will create a dynamic form which allows the reviewer to review and then merge the two accounts. This way you would have one single identity cube for both accounts.
As an FYI, there is an upcoming updated SaaS Identity Fusion connector with a lot more features coming very soon. Features like Fusion Reporting, individual attribute weightings and more. You can find this update in the Git repository under development.
I think the only way to achieve it is if both the feeds (Staff and Student) have something in common which is also unique to that user.
Maybe ask HR or the staff source owner to add the student ID in the staff feed in some custom attribute.
Use that common and unique attribute as the UID in both identity profiles.
Set the Staff identity profile with higher priority.
Result: The user will have only 1 identity, with the AD account remaining correlated, and since the Staff IDP has higher priority, the account will be enabled and other attributes updated based on the Staff IDP mappings and the status set in the provisioning tab.
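A worked illustration of this answer's approach, added here and not code from the thread or from SailPoint: two constructed feeds share a student ID as the UID, the Staff profile has the higher priority, and the identity-building function is a simplified model of how identity profiles with a common UID collapse records into one identity, not IDN's actual implementation. The same function, run with the Staff profile keyed on employeeId instead, reproduces the failure mode from the original question: two identities for the same person.

```python
# Added example (not from the thread or SailPoint): one identity from two
# authoritative feeds that share a unique attribute. All data is constructed.

STUDENT_FEED = [
    {"studentId": "S123", "username": "john.doe", "email": "john.doe@students.example.edu", "status": "active"},
    {"studentId": "S456", "username": "amy.lee", "email": "amy.lee@students.example.edu", "status": "active"},
]

STAFF_FEED = [
    # HR has added the student ID to the staff record as a custom attribute,
    # as suggested in the answer above.
    {"employeeId": "E900", "studentId": "S123", "username": "jdoe", "email": "john.doe@example.edu", "status": "active"},
]

# Identity profile definitions (constructed): which feed attribute is the UID,
# the profile priority (lower number wins), and feed -> identity attribute mappings.
PROFILES = [
    {"name": "Staff", "priority": 10, "feed": STAFF_FEED, "uid": "studentId",
     "mappings": {"username": "username", "email": "email", "lifecycleState": "status"}},
    {"name": "Student", "priority": 20, "feed": STUDENT_FEED, "uid": "studentId",
     "mappings": {"username": "username", "email": "email", "lifecycleState": "status"}},
]


def build_identities(profiles):
    """Collapse feed records into identities keyed by each profile's UID.

    Profiles are processed in priority order, so the first profile to produce
    a UID owns the identity and supplies its mapped attributes; lower-priority
    feeds with the same UID only add their account to that identity.
    """
    identities = {}
    for profile in sorted(profiles, key=lambda p: p["priority"]):
        for record in profile["feed"]:
            uid = record.get(profile["uid"])
            if not uid:
                continue  # a record without a UID cannot become an identity
            ident = identities.setdefault(uid, {"uid": uid, "accounts": [], "owner": None})
            ident["accounts"].append(profile["name"])
            if ident["owner"] is None:
                ident["owner"] = profile["name"]
                for target, source_attr in profile["mappings"].items():
                    ident[target] = record.get(source_attr)
    return identities


def scenario(staff_uid):
    """Build identities with the Staff profile keyed on the given attribute."""
    profiles = [dict(PROFILES[0], uid=staff_uid), PROFILES[1]]
    return build_identities(profiles)


if __name__ == "__main__":
    for uid_attr in ("studentId", "employeeId"):
        result = scenario(uid_attr)
        print(f"Staff UID = {uid_attr}: {len(result)} identities")
        for uid, ident in result.items():
            print(f"  {uid}: owner={ident['owner']} accounts={ident['accounts']} username={ident.get('username')}")
```

With studentId as the shared UID the run yields two identities, and S123 is owned by Staff (username jdoe, active), so the AD account that was correlated to that identity as a student stays attached when the staff record arrives. With employeeId as the Staff UID there is nothing to join on and a third identity appears, which is exactly the duplicate-identity outcome the question describes.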