Solved

Custom Unique Identifier for User when SCIM Provisioning

  • 24 February 2023
  • 6 replies
  • 270 views


Hi Everyone,

 

I have configured the SCIM Provisioning for IFS Cloud with AzureAD.

 

When the Users are provisioned, the ‘Identity’ attribute is created using a combination of name.givenName and name.familyName (as mentioned in the Technical Documentation).

 

  • Is there a way to override this default behaviour and set a custom value? 
  • Is there a SCIM attribute for this we could use to map a custom value to?

 

Appreciate any information on this.

 

Best Regards,

Devin Amarasekara

 

 


Best answer by devin.amarasekara 5 May 2023, 12:51


I reached out through the support channels and it seems this is a limitation from the SCIM side.

“Regarding the Identity creation, unfortunately there is no mechanism available to override the current identity creation process in SCIM provisioning. It is a limitation in the SCIM not in the IFS side. Also there is no SCIM attribute available to map the identity value as a custom option.”


Hi @devin.amarasekara 

Does this mean that when we have two AD users, “Jan.Kowalski@domain.com” and “Jan.Kowal@domain.com”, SCIM synchronization will fail?


Hello,

I want to react to the support answer.

When I check the IFS documentation, it says:

“This mapping table is to be used by Administrators when configuring a new Provisioning Service. The SCIM Attribute maps to certain fields of the IFS Cloud database. When first creating a new User through provisioning, a unique Identity will be created. This Id is used as a unique identifier for the new User, and will be generated based on the values of the SCIM attributes name.givenName and name.familyName. Some Identity Managers will have all of these attributes by default, but in some cases a manual attribute mapper will need to be added. As an example, which can be seen in the configuration example for Okta, an attribute mapper for name.formatted has to be added.”

 

So if I understand correctly, the identity value is generated by IFS from the name.formatted attribute and not from Azure.

I expect/hope that we can change this Identity generation, because, as @knepiosko said, the provisioning fails if we encounter 2 users with the same identity combination.

 

Best Regards

Cedric Pimont


Hi @devin.amarasekara 

Does this mean that when we have two AD users, “Jan.Kowalski@domain.com” and “Jan.Kowal@domain.com”, SCIM synchronization will fail?

Hi @knepiosko, sorry for the really late reply. But I think yes, since the Identity would be JANKOW for both.

And @cedric pimont, yes, that’s what I understood as well. And I hope there will eventually be a workaround for the Identity generation as well.


Hi all,

After many tests on a 23R1 SU8 environment, it seems to be OK now.

When the Identity generation encounters the same combination, it adds one more letter to the identifier:

 

Best Regards 

Cedric Pimont


I have tested provisioning with one of our customers on 23R2, and the first time the user “Agata Kowalska” was created with identity AGAKOW, the second time AGATA1. If someone wants to check the logic, look inside the package SCIM_HANDLING_SVC and the procedure Create_User___ to understand the behaviour.
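
A pre-provisioning check for the Identity collision discussed in this thread, as an added example that is not part of any post and is not IFS code. It assumes the Identity is the first three letters of name.givenName plus the first three of name.familyName, upper-cased (inferred only from JANKOW and AGAKOW above); the user list and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of IdP users: (userName, name.givenName, name.familyName).
SAMPLE_USERS = [
    ("Jan.Kowalski@domain.com", "Jan", "Kowalski"),
    ("Jan.Kowal@domain.com", "Jan", "Kowal"),
    ("Agata.Kowalska@domain.com", "Agata", "Kowalska"),
    ("Agata.Kowalczyk@domain.com", "Agata", "Kowalczyk"),
    ("Li.Wu@domain.com", "Li", "Wu"),
]


def candidate_identity(given_name, family_name, part_len=3):
    """Assumed derivation rule (not taken from IFS source): the first
    `part_len` alphanumeric characters of each name, upper-cased."""
    def head(value):
        chars = [c for c in value if c.isalnum()]
        return "".join(chars[:part_len]).upper()
    return head(given_name) + head(family_name)


def find_collisions(users):
    """Group users by candidate Identity and return only the groups in
    which more than one account maps to the same value."""
    groups = defaultdict(list)
    for user_name, given, family in users:
        groups[candidate_identity(given, family)].append(user_name)
    return {ident: names for ident, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    # Review these accounts before assigning them to the SCIM application.
    for ident, names in sorted(find_collisions(SAMPLE_USERS).items()):
        print(f"{ident}: {', '.join(names)}")
```

Accounts listed by this check are the ones to verify in IFS Cloud after provisioning, since the thread reports that the generated Identity differs between versions when a collision occurs.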
