Workflow Issue: IIQ User Created but AD Account and Group Not Provisioned

Which IIQ version are you inquiring about?

8.4 / 8.5

Please share any other relevant files that may be required (for example, logs).

Form.txt (2.3 KB)

Quick link.txt (800 Bytes)

workflow.xml (21.9 KB)

Share all details about your problem, including any error messages you may have received.

My requirement is to create a contractor or external user and then assign an Active Directory (AD) group to that user. For this purpose, I have implemented a workflow, a custom form with all required fields, and a QuickLink.

The issue I am facing is that the user is being created successfully in IIQ, but the AD account is not being created and the AD group is not being assigned. I will attach the relevant files for reference.

@IAMKhalid

Are you seeing any error related to AD Account creation in Logs.

What is the process of creating an AD account you are using in your Workflow?

Can you please the full set of requirements.

Thanks

Any exception in backend.

Are you able to see logs printed which you mentioned on line 376,378?

In the workflow, I could see you are creating a plan for AD account creation but some mandatory field values are missing like password.

I would suggest adding the password in your plan and then try to process it.

Set a dummy password in the plan.

Thanks

when i fill the form , it creates user in IIQ and logs says “
Supplied nativeIdentity jack.chan is invalid!!”

No Currently only logs are “nativeIdentity jack.chan is invalid!!”

try passing identity name in setNativeIdentity method.

Are you using any field value rule or script for samAccountName ?

yes i tried this there is some progress, i will keep you posted. thank you for the help.

Let me know if it resolves or not.

Thank you !

If it resolved your problem. Please mark it as a solution and close this discussion.

Thanks

@IAMKhalid I checked your plan in workflow.

you need to fix some parts.

a. acctReq.setNativeIdentity(samAccountName); // should be dn not samAccountName. dn is might be you can create dn = displayname + container

b. password is missing for create ad account

acctReq.add(new ProvisioningPlan.AttributeRequest(“password”, somePassword));

c. container you don’t need or it might not supported

d. check samAccountName length, AD only support 20 chars so it might blocking you. so you need to add some logic to truncate.

e. optimisticProvisioning is missing so you have to wait for aggregation to pull the AD account to add in Group.

f. you need to create another account request for IIQ to update some attribute in identity at same time.

let me know if you still facing issue on create. happy to help.

thanks,

Pravin

Thank you @pravin_ranjan , yes the error was in “acctReq.setNativeIdentity(samAccountName); // should be dn not samAccountName. dn is might be you can create dn = displayname + container”

I have one more question instead of AD Account creation logic in the workflow, can i use Provisioning Policies –> Create Account policy which is already configured.

Screenshot 2026-01-20 123935842×642 21.7 KB

@pravin_ranjan @msingh900 @sukarande

In the provisioning policy, you can write filed value rule or script to automate the generation of attribute value.

Yes, you can do it. You autogenerate your values.

As Manish Mentioned, In Account provisioning policy, you can add rule or script logic for value but that we do for common attribute setup so you don’t need to write logic in custom workflow.