Using split transform in Active Directory create profile

I am calculating the UPN for a active directory account provisioning using a attribute generator rule and want to use the first part of the calculated UPN for the cn and the samAccountName. I am trying a transform as below:

{
	"name": "distinguishedName",
	"transform": {
		"type": "static",
		"attributes": {
			"cn": {
				"attributes": {
					"delimiter": "\\@",
					"index": 0
				},
				"type": "split",
				"input": {
					"attributes": {
						"value": "$userPrincipalName"
					},
					"type": "static"
				}
			},
			"value": "CN=$cn,OU=Users,OU=xxxxx,DC=xxxxxxxx,DC=local"
		}
	},
	"attributes": {},
	"isRequired": false,
	"type": "string",
	"isMultiValued": false
}

Which does not seem to work, any suggestions.

Hi Jothin,

When you say it “doesn’t work”, what specifically isn’t working? What is your expected result, and what is the actual result. This will help us narrow down the issue.

Hi Colin,
The create fails with the error:

trackingId: 9af8b02c9556481b9fd034594665e7fd java.lang.RuntimeException: sailpoint.tools.GeneralException: Error rendering template: CN=$cn,OU=Users,OU=xxxxx,DC=xxxxxx,DC=local

I was expecting a proper dn to be returned with the first part of the userPrincipalName, it works if I just say cn=$userPrincipalName but we dont want the full upn in the dn.

Hello @jothinvallathol,

I have two suggestions that you can try. Looking at your transform, the input to the split is outside of the attributes object it needs to be in. See below.

{
	"name": "distinguishedName",
	"transform": {
		"type": "static",
		"attributes": {
			"cn": {
				"attributes": {
					"delimiter": "\\@",
					"index": 0,
                    "input": {
                        "attributes": {
                            "value": "$userPrincipalName"
                        },
                        "type": "static"
                    }
				},
				"type": "split"
			},
			"value": "CN=$cn,OU=Users,OU=xxxxx,DC=xxxxxxxx,DC=local"
		}
	},
	"attributes": {},
	"isRequired": false,
	"type": "string",
	"isMultiValued": false
}

What I am not sure about is where the $userPrincipalName is coming from. If it is an another identityAttribute you can use it as an identityAttribute input. See example below:

{
	"name": "distinguishedName",
	"transform": {
		"type": "static",
		"attributes": {
			"cn": {
				"attributes": {
					"delimiter": "\\@",
					"index": 0,
                    "input": {
                        "attributes": {
                            "name": "userPrincipalName"
                        },
                        "type": "identityAttribute"
                    }
				},
				"type": "split"
			},
			"value": "CN=$cn,OU=Users,OU=xxxxx,DC=xxxxxxxx,DC=local"
		}
	},
	"attributes": {},
	"isRequired": false,
	"type": "string",
	"isMultiValued": false
}

Thanks for that Tyler, I am now getting a null pointer exception.
I am trying to use a previously generated userPrincipalName in the create profile using a attribute generator rule with the $userPrincipalName value. It works if used standalone as a static value. But the transform to take the first part is now giving me a null pointer exception. Even when I use a hard static value it is giving me a null pointer exception.

{
				"name": "distinguishedName",
				"transform": {
					"type": "static",
					"attributes": {
						"cn": {
							"attributes": {
								"delimiter": "\\@",
								"index": 0,
								"input": {
									"attributes": {
										"value": "[email protected]"
									},
									"type": "static"
								}
							},
							"type": "split"
						},
						"value": "CN=$cn,OU=Users,OU=xxxxx,DC=xxxxxxx,DC=local"
					}
				},
				"attributes": {},
				"isRequired": false,
				"type": "string",
				"isMultiValued": false
			}

The error is:

trackingId: 1d05b63b35504ee38f7dc92ee4258a26 java.lang.RuntimeException: sailpoint.tools.GeneralException: java.lang.NullPointerException

I haven’t tested this myself, but could the delimiter be the culprit? I don’t think you need to escape the @ symbol. Have you tried "delimiter": "@", ?

1 Like

Sorry, was off for a few days.

I have tried just using the @ sign too.

I am reverting back to a rule, but using a rule how can I pass a previous attribute from the Create Profile in the template to the rule. I have tried the $userPrincipalName, but it takes it as a literal value. I want to be able to reuse the first part of the UPN that has been generated for the sAMAccountName and the CN.

Hi @jothinvallathol,
Could you check if the below transform works for you?

{
   "name":"distinguishedName",
   "transform":{
      "type":"static",
      "attributes":{
         "cn":{
            "attributes":{
               "input":{
                  "attributes":{
                     "value":"$userPrincipalName"
                  },
                  "type":"static"
               },
               "regex":"(?=@).*",
               "replacement":""
            },
            "type":"replace"
         },
         "value":"CN=$cn,OU=Users,OU=xxxxx,DC=xxxxxxxx,DC=local"
      }
   },
   "attributes":{},
   "isRequired":false,
   "type":"string",
   "isMultiValued":false
}
3 Likes

That worked !!! thank you