I’m having some trouble finding the answer to this in the documentation or the videos. What specifically must be true when synchronizing from a new application for it to create (or attach) an identity to an existing user?
I am doing some testing and imported some users from CSV per the videos. I have also configured the AD PowerShell connector and was able to get a successful sync. In this case it’s a fresh install of 4.2.1.10 Community Edition. The “Principal” for the CSV import is the Employee ID, which makes sense if it is emulating an HR system connection. I have configured the AD PowerShell sync with the Source Attribute Name and OpenIAM Field Name to also be the Employee ID. I can see in the logs that the record was updated. When I look at the user in “Classic View” under “Identities”, I still see just the OpenIAM one.
I was wondering if I need to create a business rule or something to add the identity, but it seems to me like something that should just work out of the box. What am I missing?
Hello,
Are you referring to creating an OpenIAM ID, or are you referring to being unable to do any downstream provisioning? If the latter, you need to add the resource, which is AD in this case, to the user; this can be done directly through a role or through business rules.
Thanks,
Ameet
Hey Ameet,
Thanks for the reply.
So I am referring to this screen, which is where I would assume you should be able to see what identities a user has in other managed systems:
So you can see the managed system is OpenIAM (makes sense with the CSV import), but I assumed that when I did a sync with AD PowerShell, and the same user is found (based on Employee ID, which I am matching, and the log shows the user was updated), that I would see the AD PowerShell managed system in there as well.
I noticed when you did the AD PowerShell video the same thing happened, but you hadn’t imported users from a CSV first. In the LDAP video from a year or two ago, the LDAP managed system showed up under Identities after you configured the sync.
I basically just wanted confirmation, other than the logs, that this user exists in both the OpenIAM and AD PowerShell managed systems.
Hopefully that makes sense and appreciate your help!
@ameet_shah,
Just wondering if you have any more info. I might be wrong about how this works. What I really want to do is see what managed systems users have been synced from, to confirm that a) the user exists in OpenIAM and b) the user exists in the other managed system (i.e. AD, using the AD PowerShell connector).
I played around with the transform scripts per an answer in another thread about JDBC, but noticed that by default that section will only run if it’s a new user. I assumed the behaviour would be to “append” a new identity to an existing user.
Like I said, maybe I am misunderstanding what should be appearing under User Identities, and maybe the information I am looking for would be elsewhere. For example, I can see the user appears in some groups in AD under User Entitlements.
Appreciate any additional information you can provide.
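Added example (not from the thread or from OpenIAM): while the Identities screen question is open, the second half of what the poster wants, confirming that each CSV-imported user also exists in AD, can be checked independently of OpenIAM with the same AD PowerShell module the connector uses. The script below takes the Employee ID principals from the HR-style CSV and looks each one up in AD by the `employeeID` attribute. The sample CSV rows, the column names `EmployeeID` and `Email`, and the domain connectivity are assumptions; run it on a domain-joined host with RSAT's ActiveDirectory module installed.

```powershell
# Added reconciliation check, not OpenIAM code.
# Assumes: RSAT ActiveDirectory module, a domain-joined host, and that the
# AD connector writes the HR Employee ID into the AD 'employeeID' attribute.
Import-Module ActiveDirectory

# Constructed sample of the HR CSV used for the OpenIAM import (assumed columns).
# In practice replace this with: Import-Csv -Path .\users.csv
$hrUsers = @'
EmployeeID,FirstName,LastName,Email
100001,Alice,Example,alice@example.test
100002,Bob,Example,bob@example.test
'@ | ConvertFrom-Csv

$results = foreach ($u in $hrUsers) {
    $id = $u.EmployeeID.Trim()
    if (-not $id) { continue }   # a blank principal can never match anything

    # Quote the value so a stray apostrophe or space in the CSV cannot break the filter.
    $filter = "employeeID -eq '$($id -replace "'", "''")'"

    # Ask only for the attributes we compare; -ErrorAction Stop surfaces
    # connectivity problems instead of silently reporting every user as missing.
    $adUser = @(Get-ADUser -Filter $filter -Properties employeeID, mail -ErrorAction Stop)

    [pscustomobject]@{
        EmployeeID     = $id
        InAD           = ($adUser.Count -gt 0)
        AccountsFound  = $adUser.Count          # >1 means a duplicate employeeID in AD
        SamAccountName = ($adUser.SamAccountName -join ';')
        MailMatchesHR  = if ($adUser.Count -eq 1) { $adUser[0].mail -eq $u.Email } else { $null }
    }
}

# Print the full table, then call out anything that needs attention.
$results | Format-Table -AutoSize
$results | Where-Object { -not $_.InAD -or $_.AccountsFound -gt 1 -or $_.MailMatchesHR -eq $false } |
    ForEach-Object { Write-Warning "Review $($_.EmployeeID): InAD=$($_.InAD) AccountsFound=$($_.AccountsFound) MailMatchesHR=$($_.MailMatchesHR)" }
```

The `AccountsFound` column matters for the matching question in the thread: if the AD connector's match attribute (here `employeeID`) is not unique in AD, a sync that keys on it can update the wrong user or no user, regardless of what the Identities screen shows.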