Using split transform in Active Directory create profile

Identity Security Cloud (ISC) ISC Discussion and Questions
1

I am calculating the UPN for a active directory account provisioning using a attribute generator rule and want to use the first part of the calculated UPN for the cn and the samAccountName. I am trying a transform as below:

{
	"name": "distinguishedName",
	"transform": {
		"type": "static",
		"attributes": {
			"cn": {
				"attributes": {
					"delimiter": "\\@",
					"index": 0
				},
				"type": "split",
				"input": {
					"attributes": {
						"value": "$userPrincipalName"
					},
					"type": "static"
				}
			},
			"value": "CN=$cn,OU=Users,OU=xxxxx,DC=xxxxxxxx,DC=local"
		}
	},
	"attributes": {},
	"isRequired": false,
	"type": "string",
	"isMultiValued": false
}

Which does not seem to work, any suggestions.

2

Hi Jothin,

When you say it “doesn’t work”, what specifically isn’t working? What is your expected result, and what is the actual result. This will help us narrow down the issue.

3

Hi Colin,
The create fails with the error:

trackingId: 9af8b02c9556481b9fd034594665e7fd java.lang.RuntimeException: sailpoint.tools.GeneralException: Error rendering template: CN=$cn,OU=Users,OU=xxxxx,DC=xxxxxx,DC=local

I was expecting a proper dn to be returned with the first part of the userPrincipalName, it works if I just say cn=$userPrincipalName but we dont want the full upn in the dn.

4

Hello @jothinvallathol,

I have two suggestions that you can try. Looking at your transform, the input to the split is outside of the attributes object it needs to be in. See below.

{
	"name": "distinguishedName",
	"transform": {
		"type": "static",
		"attributes": {
			"cn": {
				"attributes": {
					"delimiter": "\\@",
					"index": 0,
                    "input": {
                        "attributes": {
                            "value": "$userPrincipalName"
                        },
                        "type": "static"
                    }
				},
				"type": "split"
			},
			"value": "CN=$cn,OU=Users,OU=xxxxx,DC=xxxxxxxx,DC=local"
		}
	},
	"attributes": {},
	"isRequired": false,
	"type": "string",
	"isMultiValued": false
}

What I am not sure about is where the $userPrincipalName is coming from. If it is an another identityAttribute you can use it as an identityAttribute input. See example below:

{
	"name": "distinguishedName",
	"transform": {
		"type": "static",
		"attributes": {
			"cn": {
				"attributes": {
					"delimiter": "\\@",
					"index": 0,
                    "input": {
                        "attributes": {
                            "name": "userPrincipalName"
                        },
                        "type": "identityAttribute"
                    }
				},
				"type": "split"
			},
			"value": "CN=$cn,OU=Users,OU=xxxxx,DC=xxxxxxxx,DC=local"
		}
	},
	"attributes": {},
	"isRequired": false,
	"type": "string",
	"isMultiValued": false
}
6

Thanks for that Tyler, I am now getting a null pointer exception.
I am trying to use a previously generated userPrincipalName in the create profile using a attribute generator rule with the $userPrincipalName value. It works if used standalone as a static value. But the transform to take the first part is now giving me a null pointer exception. Even when I use a hard static value it is giving me a null pointer exception.

{
				"name": "distinguishedName",
				"transform": {
					"type": "static",
					"attributes": {
						"cn": {
							"attributes": {
								"delimiter": "\\@",
								"index": 0,
								"input": {
									"attributes": {
										"value": "[email protected]"
									},
									"type": "static"
								}
							},
							"type": "split"
						},
						"value": "CN=$cn,OU=Users,OU=xxxxx,DC=xxxxxxx,DC=local"
					}
				},
				"attributes": {},
				"isRequired": false,
				"type": "string",
				"isMultiValued": false
			}

The error is:

trackingId: 1d05b63b35504ee38f7dc92ee4258a26 java.lang.RuntimeException: sailpoint.tools.GeneralException: java.lang.NullPointerException
7

I haven’t tested this myself, but could the delimiter be the culprit? I don’t think you need to escape the @ symbol. Have you tried "delimiter": "@", ?

1 Like
8

Sorry, was off for a few days.

I have tried just using the @ sign too.

I am reverting back to a rule, but using a rule how can I pass a previous attribute from the Create Profile in the template to the rule. I have tried the $userPrincipalName, but it takes it as a literal value. I want to be able to reuse the first part of the UPN that has been generated for the sAMAccountName and the CN.

9

Hi @jothinvallathol,
Could you check if the below transform works for you?

{
   "name":"distinguishedName",
   "transform":{
      "type":"static",
      "attributes":{
         "cn":{
            "attributes":{
               "input":{
                  "attributes":{
                     "value":"$userPrincipalName"
                  },
                  "type":"static"
               },
               "regex":"(?=@).*",
               "replacement":""
            },
            "type":"replace"
         },
         "value":"CN=$cn,OU=Users,OU=xxxxx,DC=xxxxxxxx,DC=local"
      }
   },
   "attributes":{},
   "isRequired":false,
   "type":"string",
   "isMultiValued":false
}
2 Likes
10

That worked !!! thank you