adobe-apiplatform/user-sync.py

can't match FederatedID using custom attribute

himmelmrm opened this issue · 5 comments

I have an Adobe Org with a directory trust relationship.
FederatedID login works correctly.

I'm attempting to:

  • read group membership from LDAP
  • create FederatedIDs for users who don't already exist (understanding that these IDs already exist in domain owner org)

The domain owner org is using a non-standard attribute for user.
I can't use "user_username_format" directly because the attribute in LDAP is prefixed with "User_".
Therefore, I am calculating the username with the custom attributes feature of User Sync Tool.

DEBUG log indicates success until the new FederatedID is being created in the trustee org. It seems to ignore my calculated "username", and instead uses email address.
As a result, no existing FederatedID users are matched, and all users get created using email address as their username (instead of the custom calculated username).

sanitized config files
ust-redacted.zip

redacted log file
z_redacted-log-sample.txt

Environment

  • UST version: 2.7.3
  • OS type and version: Fedora 36

The createFederatedID JSON signature in the log does not match the connector-ldap config you presented.
I think it's better to open a support ticket from Admin Console's Support menu and request UST assistance from the specialised team.

The createFederatedID JSON signature in the log does not match the connector-ldap config you presented. I think it's better to open a support ticket from Admin Console's Support menu and request UST assistance from the specialised team.

I don't know exactly what that means but it's probably because I pasted together some log output from different runs in order to redact the sensitive content -- intended as an example only.

I don't know if I've ever tried altering the username in the extension config. We generally see it used to customize group mapping or normalize the country code. I'd have to do some testing but my guess is that it isn't going to work for this purpose. The after-mapping extension hook executes after the identity-side user is matched with the adobe-side user.

I'd like to know what you mean here -

I can't use "user_username_format" directly because the attribute in LDAP is prefixed with "User_"

Why would the name of the LDAP attribute impact your ability to specify it as the user_username_format field?

I took a second look and I see that you're removing the first 5 characters from the custom attribute value, which is why the direct mapping won't work. Is there another field you can use that doesn't have the prefix? If not, you may need to look at a solution outside the UST for the time being. The extension config executes too late in the sync workflow to affect the username. I unfortunately don't see that changing any time soon.

Your best bet is to write a script that queries the users you want to sync from LDAP and builds a CSV for the sync tool to use as the identity source. That would grant you a greater amount of flexibility in formatting the username. Just keep in mind that the CSV needs to contain every user you intend to include in sync at any given time, not just deltas.
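One way to build that CSV, as an added example that is not code from the UST project or from either commenter: it strips the "User_" prefix from the custom attribute in the script, writes every user rather than a delta, and rejects a record whose attribute lacks the prefix so no user silently falls back to the email-style username. The LDAP entries are constructed dicts standing in for the result of your directory search; the column names assume the default UST CSV connector layout, and `customUserAttr` is a placeholder attribute name.

```python
import csv
import io

# Assumption: default column layout of the UST CSV identity connector; verify
# against your connector-csv.yml, which can remap these names.
UST_COLUMNS = ["firstname", "lastname", "email", "country",
               "groups", "type", "username", "domain"]
PREFIX = "User_"  # the 5-character prefix the issue strips from the attribute

# Constructed sample entries standing in for LDAP search results.
SAMPLE_ENTRIES = [
    {"givenName": "Jane", "sn": "Doe", "mail": "jane.doe@example.com",
     "c": "US", "customUserAttr": "User_jdoe"},
    {"givenName": "Sam", "sn": "Lee", "mail": "sam.lee@example.com",
     "c": "GB", "customUserAttr": "User_slee"},
]
# Constructed group membership keyed by mail (identity-side group names).
SAMPLE_GROUPS = {
    "jane.doe@example.com": ["Acrobat Users", "Creative Cloud"],
    "sam.lee@example.com": ["Acrobat Users"],
}


def derive_username(custom_attr):
    """Strip the prefix; refuse values without it rather than guessing."""
    if not custom_attr or not custom_attr.startswith(PREFIX):
        raise ValueError(f"unexpected username attribute: {custom_attr!r}")
    return custom_attr[len(PREFIX):]


def build_rows(entries, group_lookup):
    """One row per user; a bad record aborts the run so the CSV is never
    partial (a missing user would look like a removal to the sync tool)."""
    rows = []
    for e in entries:
        rows.append({
            "firstname": e["givenName"], "lastname": e["sn"],
            "email": e["mail"], "country": e.get("c", "US"),
            "groups": ",".join(group_lookup.get(e["mail"], [])),
            "type": "federatedID",
            "username": derive_username(e.get("customUserAttr")),
            "domain": e["mail"].split("@", 1)[1],
        })
    return rows


def to_csv(rows):
    """Serialize rows in the column order UST expects (groups stay quoted)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=UST_COLUMNS, quoting=csv.QUOTE_ALL)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

Write `to_csv(build_rows(...))` to the path named in connector-csv.yml on every run, replacing the previous file in full.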

Thank you for the detailed explanation and suggestion.