Using IIQ SCIM filter to return Users part of an Authoritative Source Account

I’m attempting to obtain a list of Users tied to an Authoritative Source/Account in IIQ. I have seen that there is an “accounts” element returned as part of the Users SCIM response as shown below. I am trying to find a way to use the “filter” to return the User when accounts.value=‘accountid’.

I’m able to successfully filter where jobTitle = “Operations Manager”

filter=urn:ietf:params:scim:schemas:sailpoint:1.0:User:jobTitle%20eq%20%22Operations%20Manager%22

But I am having difficulty trying to filter through a “Set” of accounts within the User.

filter=urn:ietf:params:scim:schemas:sailpoint:1.0:User:accounts:value%20eq%20%22a0000fa80ce18ff8180ce2abb783ad7%22

returns
"scimType": "invalidValue",
"detail": "Invalid urn:urn:ietf:params:scim:schemas:sailpoint:1.0:User:accounts:value",
"status": "400"

I’ve also tried accounts.value and got the same result. Has anyone tried to use a filter that needs to access a list of items?

User JSON Response

{
  "urn:ietf:params:scim:schemas:sailpoint:1.0:User": {
    "lifecycleState": "Active",
    ......
    "location": "Singapore",
    "accounts": [
      {
        "displayName": "1c",
        "value": "0a0000fa80ce18ff8180ce24d17c0104",
        "$ref": "http://seri.company3330-poc.demohub.sailpointtechnologies.com:8080/identityiq/scim/v2/Accounts/0a0000fa80ce18ff8180ce24d17c0104"
      },
      {
        "displayName": "Aaron.Nichols",
        "value": "0a0000fa80ce18ff8180ce2525200291",
        "$ref": "http://seri.company3330-poc.demohub.sailpointtechnologies.com:8080/identityiq/scim/v2/Accounts/0a0000fa80ce18ff8180ce2525200291"
      },
      {
        "displayName": "Aaron.Nichols",
        "value": "0a0000fa80ce18ff8180ce2682180f99",
        "$ref": "http://seri.company3330-poc.demohub.sailpointtechnologies.com:8080/identityiq/scim/v2/Accounts/0a0000fa80ce18ff8180ce2682180f99"
      },
      {
        "displayName": "Aaron.Nichols",
        "value": "0a0000fa80ce18ff8180ce2abb783ad7",
        "$ref": "http://seri.company3330-poc.demohub.sailpointtechnologies.com:8080/identityiq/scim/v2/Accounts/0a0000fa80ce18ff8180ce2abb783ad7"
      }
    ],

I’d take a slightly different approach since you know the account ID, and that would be to pull the account info from the Accounts API, which has a reference to the owning identity:

http://localhost:8080/iiq/scim/v2/Accounts/0a0a436a87c81e488187c8555472761e

{
  "lastRefresh": "2023-04-28T15:02:11.368Z",
  "displayName": "harnefield",
  "active": true,
  "manuallyCorrelated": false,
  "nativeIdentity": "cn=harnefield,ou=People,dc=icc,dc=local",
  "application": {
    "displayName": "LDAP (OpenDJ)",
    "value": "0a0a436a87c81a138187c83a36100014",
    "$ref": "http://localhost:8080/iiq/scim/v2/Applications/0a0a436a87c81a138187c83a36100014"
  },
  "identity": {
    "displayName": "Arnefield, Hart",
    "userName": "002588",
    "value": "0a0a436a87c81e488187c85230280994",
    "$ref": "http://localhost:8080/iiq/scim/v2/Users/0a0a436a87c81e488187c85230280994"
  },
  "meta": {
    "created": "2023-04-28T14:47:28.114Z",
    "location": "http://localhost:8080/iiq/scim/v2/Accounts/0a0a436a87c81e488187c8555472761e",
    "lastModified": "2023-04-28T15:02:11.368Z",
    "version": "W/\"1682694131368\"",
    "resourceType": "Account"
  },
  "schemas": [
    "urn:ietf:params:scim:schemas:sailpoint:1.0:Account",
    "urn:ietf:params:scim:schemas:sailpoint:1.0:Application:Schema:LDAP (OpenDJ):account"
  ],
  "hasEntitlements": true,
  "urn:ietf:params:scim:schemas:sailpoint:1.0:Application:Schema:LDAP (OpenDJ):account": {
    "st": "MI",
    "mail": "[email protected]",
    "manager": "cn=cmarusik,ou=People,dc=icc,dc=local",
    "displayName": "Arnefield, Hart",
    "givenName": "Hart",
    "objectClass": [
      "top",
      "inetOrgPerson",
      "organizationalPerson",
      "person"
    ],
    "description": "Arnefield, Hart",
    "groups": [
      "cn=Users,ou=groups,dc=icc,dc=local"
    ],
    "dn": "cn=harnefield,ou=People,dc=icc,dc=local",
    "cn": "harnefield",
    "facsimileTelephoneNumber": [],
    "title": "Marketing Executive",
    "l": "Ti├¬n Phã░ß╗øc",
    "carLicense": [],
    "employeeNumber": "002588",
    "o": "Your Company",
    "uid": "002588",
    "employeeType": "employee",
    "businessCategory": "Your Company",
    "sn": "Arnefield"
  },
  "id": "0a0a436a87c81e488187c8555472761e",
  "locked": false
}

Note that this API also supports SCIM filters, so you can create filters on the Accounts API to filter by identity name, app name, etc.
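
The lookup suggested in the reply above, sketched in Python as an added example (not code from either poster or from SailPoint): it validates the account id before placing it in the URL path, reads the owning identity out of the Account resource, and builds a filter whose value is escaped as a JSON string. The base URL, the 32-hex-character id format and the identity.userName filter path are assumptions taken from the responses shown in this thread.

```python
import json
import re
from urllib.parse import quote

# Assumption: base URL of the SCIM endpoint, as in the reply above.
BASE = "http://localhost:8080/iiq/scim/v2"
# Assumption: object ids are 32 hex characters, like the ids shown in this thread.
ID_RE = re.compile(r"[0-9a-f]{32}")

def account_url(account_id, base=BASE):
    """URL of one Account resource; rejects ids that could alter the path."""
    if not ID_RE.fullmatch(account_id):
        raise ValueError(f"unexpected account id: {account_id!r}")
    return f"{base}/Accounts/{account_id}"

def owning_identity(account):
    """Return (id, userName, $ref) of the identity that owns an Account resource."""
    ident = account.get("identity")
    if not ident:  # uncorrelated account: no owner to report
        return None
    return ident["value"], ident.get("userName"), ident.get("$ref")

def filter_url(resource, attr_path, value, base=BASE):
    """Build ?filter=<attr> eq "<value>" with the value escaped and URL-encoded."""
    if not re.fullmatch(r"[A-Za-z][\w.:-]*", attr_path):
        raise ValueError(f"unexpected attribute path: {attr_path!r}")
    # SCIM string literals follow JSON string rules, so json.dumps escapes any
    # quote or backslash that would otherwise end the literal early.
    return f"{base}/{resource}?filter=" + quote(f"{attr_path} eq {json.dumps(value)}", safe=":")

# Constructed sample: the Account response from the reply, trimmed to the fields used.
SAMPLE_ACCOUNT = json.loads("""
{
  "id": "0a0a436a87c81e488187c8555472761e",
  "nativeIdentity": "cn=harnefield,ou=People,dc=icc,dc=local",
  "identity": {
    "displayName": "Arnefield, Hart",
    "userName": "002588",
    "value": "0a0a436a87c81e488187c85230280994",
    "$ref": "http://localhost:8080/iiq/scim/v2/Users/0a0a436a87c81e488187c85230280994"
  }
}
""")

if __name__ == "__main__":
    print(account_url(SAMPLE_ACCOUNT["id"]))
    print(owning_identity(SAMPLE_ACCOUNT))
    # Assumption: identity.userName is a filterable path on this deployment.
    print(filter_url("Accounts", "identity.userName", "002588"))
```

Which attribute paths the Accounts endpoint accepts in a filter depends on the deployment, so confirm the path against its schema before relying on it.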

Thank you Brian! I also like how the schema information is included as well. I’ll give it a shot.