What are the consequences of changing user name of an identity

We have a use case where the user name of the identity should be taken from sAMAccountName in AD. As the AD account is provisioned after the identity is created, we are planning to create identities with a user name based on the unique ID from the HR source and then update it with the sAMAccountName once the AD account is provisioned. I have read that it is not best practice to change the user name of an identity, but wanted to know what the consequences of doing so are.

Any inputs will be appreciated

If you have a unique Id from the HR source, why not just keep that? Do you need to use the sAMAccountName as a correlating value for other sources?

If so, just create an identity attribute that’s populated with the AD sAMAccountName

I’m just curious what the use case is

The identity’s name cannot really be changed after it’s created. This is the "account name" in the UI. It’s populated based on the display attribute you pick on the schema from the authoritative source the identity was created from and is immutable. This is probably what you have read is not best practice to change, and that probably only really applies to IIQ, not ISC.

The uid, or username in the UI, can be changed no problem. It’s a required attribute in ISC as well, so I typically use a first valid transform so a new identity may initially have it populated with something like an employee ID, but once AD is created, it gets populated with sAMAccountName. Some features of ISC like pass through authentication or password reset actually require the identity’s username/uid to be set to the authentication attribute for pass through authentication (again typically sAMAccountName for AD).
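
The first valid approach described in the reply above, sketched as an ISC transform for the uid identity attribute. This is an added example, not configuration from the original posts or from SailPoint; the transform name, the source names "Active Directory" and "HR Source", and the HR attribute "employeeNumber" are assumptions to be replaced with the tenant's own values.

```json
{
  "name": "Username - sAMAccountName or HR ID",
  "type": "firstValid",
  "attributes": {
    "values": [
      {
        "type": "accountAttribute",
        "attributes": {
          "sourceName": "Active Directory",
          "attributeName": "sAMAccountName"
        }
      },
      {
        "type": "accountAttribute",
        "attributes": {
          "sourceName": "HR Source",
          "attributeName": "employeeNumber"
        }
      }
    ]
  }
}
```

The values are evaluated in order, so an identity with no AD account yet falls through to the HR ID, and the uid switches to sAMAccountName on the first identity refresh after the AD account is aggregated. Anything that stored the earlier uid value outside ISC will not follow that change.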

This is an IIQ to ISC Migration project and based on what has been practiced in IIQ, we are trying to keep things as close as possible. Having sAMAccountName as the user name in ISC is to maintain the user experience, and I wanted to ensure our approach would not cause major issues in future. And, yes, sAMAccountName will be used for provisioning to some other sources as well, as this will be users’ universal login name to all systems.

My question was based on new identities not having an AD account initially until an account is provisioned. Plus, when user’s sAMAccountName changes due to change in their names.

Thanks @patrickboston
We are not going to change the “Account Name” of the identity. Just the User name (uid) and, yes, there will be PTA which means users will use their AD (or Entra) password while logging in to ISC.