Why is my Identity not correlating with all of my AD sources?

Hello. We have a scenario that seems to have changed recently. We have 2 different AD sources set up; one is for an Identity’s regular AD accounts and the second one we set up for those identities that have an ‘Admin’ account in AD. So, an Identity “Jane” is associated with Source AD and Source AD Admins. The Source AD is correlated with an identity field ‘login’ to AD samAccountName and the Source AD Admins is correlated on identity field ‘employee id’ to AD admin source extensionAttribute1. (Of course extensionAttribute1 is populated with our employeeID.) This is working perfectly for all Identities - EXCEPT for mine and 3 of my co-workers, of which we ALL have IdentityNow admin accounts. For our accounts the correlation is seemingly not working. Unlike “Jane” above, my Identity does not reflect that I have an Anthony-Admin account in Source AD Admin. Why is that? We believe when we first implemented this it indeed showed us as having an account in that admin source - in the last week or so we noticed our accounts are missing that correlation. WHY? HELP!

Hi @AnthonyF,

What are your 3 admins’ authoritative sources?
Are they the IdentityNow default admin sources?
Can you confirm that in your identity information you have an “employee id” value?

First run an unoptimized aggregation. If an account isn’t correlated the first time it is aggregated then IdentityNow will not attempt to correlate it on subsequent aggregations unless they are run via the API with optimization disabled.

If they still can’t correlate, then you need to review the account data, the identity data and the correlation rules. There are only two reasons accounts don’t correlate:

  1. The account cannot be matched to any identity according to the correlation rules set in the source
  2. The account matches more than one identity according to the correlation rules set in the source

Thanks Kevin for your response. In reviewing what you’re saying… your #2 point has me intrigued. In my “Source AD” I have my Anthony account with SamAccountName=Anthony, extAttr1=12345; for the Source AD we have create account set up; our correlation for Source AD is (Identity attribute) “login” = (Account attribute) samAccountName in AD.

In my “Source AD Admin” - this is not a create account source; in our config we merely select all of the records in Active Directory where extAttr9 = ‘ADMIN’ or ‘DA’. My Active Directory account for my ADMIN account is Anthony-Admin (so in AD, the samAccountName for that record is Anthony-Admin). In that source my extAttribute1 = 12345 also. But for my Anthony-Admin account I AM doing the correlation setup as (Identity attribute) EmployeeNumber = (account attribute) extAttribute1.

It is NOT the same attributes to do the correlation, BUT at the AD level, extAttribute1 is set to 12345 on both accounts (Anthony and Anthony-Admin).

Is THAT what you mean?

If so - what I am still confused about is WHY is it just 3 of our accounts that have this correlation failure? Everyone is set up in AD the same way…

I only have 1 Authoritative Source (My connection to our Peoplesoft HR data)

We aggregate that source and we CREATE Active Directory accounts in our “Source AD” source. (on this source we have create account configured).
the correlation for Source AD is
Identity Attribute LoginID EQUALS Account Attribute sAMAccountName

We have a second source called Source AD Admin. On that source Create Account is NOT setup.
We only read in the data from that source using an LDAP search filter (where sAMAccountName must be like ‘%-Admin’ or like ‘%-DA’).
On that source Correlation is:
Identity Attribute Employee Number EQUALS Account Attribute extensionAttribute1

Here is some info about the identity information.

Identity:
Identity=Anthony Febbraro
LoginID=Anthony
Employee Number=12345

I also have in Identity:
Identity=Anthony.Febbraro_admin
Employee Number=12345

Active Directory:
sAMAccountName=Anthony
extAttribute1=12345
extAttribute9=null

also in Active Directory:
sAMAccountName=Anthony-Admin
extAttribute1=12345
extAttribute9=ADMIN

in IdentityNow Admins source:
AccountID=Anthony.Febbraro_admin
employeeNumber=12345

Kevin - see also my reply to Ousmane N’DIAYE for further details regarding the data in the sources…


If I understand, the correlation on the AD admin source works for all accounts except 3 IdentityNow admin identities?

For the Identity=Anthony Febbraro at the HR source, can you confirm that the identity attribute employeeNumber is empty?

Maybe correlation is not working because there exists more than one identity with the same employeeNumber.

Make sure also that employeeNumber is a searchable attribute.

There are 2 identities with employeeNumber 12345. There is no way for IdentityNow to know which identity to link the account to.

The “create account” configurations are entirely irrelevant. And each source is correlated independently, so it doesn’t matter if there are similar accounts in multiple sources (or even if they are in the same source for that matter). IdentityNow needs to link each account to only one identity. If it can’t do so, it won’t guess which identity you want. It will leave the account uncorrelated.


Hmm… ok, so this is starting to make a little more sense to me. So here is what I did. I went to my IdentityNowAdmin Identity (Anthony.febbraro_admin) and on the Identity it DID show (as I stated above) that “Employee Number” was set to 12345. I updated my IDNow Admins CSV source file and blanked out the Employee Number. I ran an aggregation of the IdentityNow Admins source using that csv file. And now my IDN Admin record in IdentityNow Admins does NOT have Employee Number.

Next I ran an aggregation of my Source AD Admins again. But it still did not correlate my Anthony identity to my Anthony AD account and my Anthony-Admin AD account. The latter still shows as uncorrelated.

So, while your explanation makes sense to me… unless I still don’t get it… blanking out the employee number on my IDNow Admin account did not fix it. I do not have any other Identities for me in identitynow; only my regular ID (Anthony Febbraro) and my ID NOW Admin (anthony.febbraro_admin).

??

Now you have to run an unoptimized aggregation. Because once an account can’t be correlated, IdentityNow will skip future correlation attempts.

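To make the two rules from Kevin’s replies concrete (an account links only when the correlation rule matches exactly one identity, and an optimized aggregation does not retry an account that already failed), here is an added simulation that replays this thread’s data. It is example code written for this page, not SailPoint’s implementation; the `Identity`/`Account` classes, the `CORRELATION` table and the "blank values never match" rule are assumptions, and the identities and accounts are constructed from the thread’s description.

```python
"""Simulated IdentityNow-style account correlation (added example, not SailPoint code).

Models the two rules stated in the thread:
  * an account is linked only when the source's correlation rule matches
    exactly one identity; zero matches or more than one match leaves it
    uncorrelated and IdentityNow will not guess;
  * an optimized aggregation does not retry an account that already failed,
    so a data fix only takes effect after an unoptimized aggregation.
Attribute names, identities and accounts are constructed from the thread;
the data structures are assumptions, not IdentityNow's own.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Identity:
    name: str
    attributes: Dict[str, str]


@dataclass
class Account:
    source: str
    native_identity: str            # e.g. sAMAccountName
    attributes: Dict[str, str]
    correlated_to: Optional[str] = None
    failed_before: bool = False     # set once a correlation attempt fails


# Per-source correlation config: (identity attribute, account attribute),
# as described in the thread.
CORRELATION: Dict[str, Tuple[str, str]] = {
    "Source AD": ("loginID", "sAMAccountName"),
    "Source AD Admin": ("employeeNumber", "extensionAttribute1"),
}


def match_identities(account: Account, identities: List[Identity]) -> List[str]:
    """Names of every identity the source's rule matches for this account.
    Assumption: an empty/missing account value never matches, otherwise every
    identity with a blank employeeNumber would collide with each other."""
    id_attr, acct_attr = CORRELATION[account.source]
    value = account.attributes.get(acct_attr)
    if not value:
        return []
    return [i.name for i in identities if i.attributes.get(id_attr) == value]


def aggregate(source: str, accounts: List[Account], identities: List[Identity],
              optimized: bool = True) -> Dict[str, str]:
    """Run one aggregation of `source`; returns {native_identity: outcome}."""
    outcome: Dict[str, str] = {}
    for acct in (a for a in accounts if a.source == source):
        if acct.correlated_to:
            outcome[acct.native_identity] = f"correlated:{acct.correlated_to}"
            continue
        if optimized and acct.failed_before:
            # Optimized run: previously failed accounts are not re-examined.
            outcome[acct.native_identity] = "skipped (optimized)"
            continue
        matches = match_identities(acct, identities)
        if len(matches) == 1:
            acct.correlated_to = matches[0]
            acct.failed_before = False
            outcome[acct.native_identity] = f"correlated:{matches[0]}"
        else:
            acct.failed_before = True
            reason = "no match" if not matches else "ambiguous:" + "+".join(sorted(matches))
            outcome[acct.native_identity] = f"uncorrelated ({reason})"
    return outcome


def demo() -> List[Dict[str, str]]:
    """Replay the thread: ambiguous match, data fix, optimized run, unoptimized run."""
    identities = [
        Identity("Anthony Febbraro", {"loginID": "Anthony", "employeeNumber": "12345"}),
        Identity("Anthony.Febbraro_admin", {"employeeNumber": "12345"}),   # IDN admin identity
        Identity("Jane", {"loginID": "Jane", "employeeNumber": "67890"}),
    ]
    accounts = [
        Account("Source AD Admin", "Anthony-Admin",
                {"sAMAccountName": "Anthony-Admin", "extensionAttribute1": "12345"}),
        Account("Source AD Admin", "Jane-Admin",
                {"sAMAccountName": "Jane-Admin", "extensionAttribute1": "67890"}),
    ]
    runs = []
    runs.append(aggregate("Source AD Admin", accounts, identities))        # run 1: Anthony-Admin ambiguous
    identities[1].attributes["employeeNumber"] = ""                         # blank the duplicate value
    runs.append(aggregate("Source AD Admin", accounts, identities))        # run 2: still skipped (optimized)
    runs.append(aggregate("Source AD Admin", accounts, identities, optimized=False))  # run 3: correlates
    return runs


if __name__ == "__main__":
    for n, result in enumerate(demo(), 1):
        print(f"run {n}: {result}")
```

Run 1 leaves Anthony-Admin uncorrelated because two identities carry employeeNumber 12345, while Jane-Admin correlates normally; run 2, an optimized aggregation after the duplicate value is blanked, still skips the account; only the unoptimized run 3 links it to the single remaining match. Manually correlating the handful of affected accounts, as suggested below, bypasses the retry rule for those accounts.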

If it is only 3 accounts, you can correlate them manually and call it a day.


Kevin - thank you. We ran the unoptimized agg and things are good now! Thanks for your (and others’) assistance!

HOWEVER… I DO wish to add something that happened that seems a bit odd. If I didn’t mention it before, let me mention it again… we all here believe (3 of us) that our accounts had been correlated before, and that something happened - on the SailPoint side… That being said, and I follow/understand all of what you stated above… after I did all the things you stated but BEFORE I ran the unop-agg, MY own account seemed to have become correlated again. The others were not, but mine was… we thought that strange. We ran the unop-agg and again, now all of us are correlated and back to what we want. But this one item made us believe again that something changed with SailPoint… but I dunno… whatever, we are fine now. Thanks again!
