Identity Broker Forum
CSV connector with multivalued attributes
Is it possible to have multivalued attributes in a CSV connector?
Hey Adrian,
The CSV connector does support multi value attributes. If you wrap the multi value column in quotes, and comma separate each value inside that column, the connector will import into a multi value field - as long as you set the connector schema to the appropriate multi value that you're after.
For example, a CSV like so:
id,name,data
1,user1,"value1,value2,value3,value4"
2,user2,"value1,value2,value3,value4"
3,user3,"value1,value2,value3,value4"
4,user4,"value1,value2,value3,value4"
5,user5,"value1,value2,value3,value4"
will return "value1, value2, value3, value4" as 4 different values inside the multi value string schema field "data".
Safety Catch Feature
In a MIM context we have been refining our Safety Catch to ensure that unwanted changes (not just deletes) are not replicated to target systems if the change count exceeds a threshold (% or raw number). The latest version is presently pending deployment for a long-term MIM site.
With the roll-out of more Broker+/UNIFYConnect implementations, an equivalent safeguard feature is now required - over and above the "connector delete threshold" native to UNIFYBroker itself. Until such a feature is available in a forthcoming release, a work-around should be considered for each implementation.
Join with Sliding Window with Most Relevant doesn't match record with NULL end date
UNIFYBroker v5.3.2 with Chris21.
Chris21 Person adapter is configured with a Join transformation to a Chris21 placement connector with a Sliding Window and type Relevant. A placement with a start date in the past and a NULL end date is not being selected (a NULL end date means ongoing placement, with no scheduled end date). Instead, the most recent placement with a non-NULL end date is selected.
Here is the placement data:
Here is the configuration:
The transformed adapter data shows an incorrect posstart and posend (and all other selected attributes):
This problem did not occur in Identity Broker v4.
It may also be relevant to note that the 'First' or 'Priority Selection' radio box does not appear for the Relevant type. It used to appear for this transform and type in Identity Broker v4.
Hi Beau, sorry I thought I'd already responded to this. The problem was just a handful of records and Generate Changes cleared it. Please close this ticket.
Updating the Microsoft Office Enterprise agent from Azure Graph API to MS Graph API
The documentation for the Microsoft Office Enterprise agent refers to the Azure Graph API. Given that API is deprecated and will be turned off in 2022, are there plans to upgrade it to use the MS Graph API?
REST API endpoint for external Azure Access Request call-ins
In this morning's MS Identity Advisors session MS provided a clear indication that they are planning to move towards a call-out model for on-demand Access Request integration with external systems. To get ahead of the curve on this, we could look at offering an extensible REST API endpoint in UNIFYBroker.
Typical usage would be:
Azure sends UNIFYBroker a request for user "bobsmith" asking UNIFYBroker for a certain attribute for that user (e.g. department number) or asking UNIFYBroker to provide an answer to a question (such as "is this user allowed to get access to resource X at the moment?").
UNIFYBroker responds and Azure uses that information to approve or deny an in-flight Access Request.
My suggested solution is that the request for user "bobsmith" (and/or "resource X") would map to an adapter record lookup, and the "answer" UNIFYBroker gives back would be the value of one or more fields for that matching record.
Hi Adrian
Since v5.2, Broker has included the OData gateway, which allows adapter entities to be queried via an OData REST API, which would cover the use case in your example. That said, since its introduction I don't believe it's seen much, if any, real usage so may not fully support the types of request and filtering features that would be expected of it. Improving the OData gateway is definitely something we're interested in for future releases, so if you have the chance to try it out your feedback would be appreciated.
Also introduced in v5.2, the SCIM gateway provides a REST API conforming to the SCIM 2 specification, a standardized data schema for transmitting identity information via JSON payloads. The primary usage of this gateway thus far has been to connect Broker with Azure AD, which operates as a SCIM client to pull and push standardized users and groups from Broker. I mention it because it does support search and filtering features that would cover your example use case, however the rigid data structure it provides may be too limiting for non-SCIM-specific scenarios.
Difference between the Time Offset configuration in IDB 4 and IDB 5
Hi Team,
In IDB 4, the Join Transformation has this configuration (see attached screenshot).
Whereas, in IDB 5 it looks like this (see attached screenshot).
How come in IDB 4 it's a - sign between [posstart] and time offset, whereas in IDB 5 it's a + sign? What is the difference? Thank you
Regards,
Marc Laroza
Hi Marc
I believe the v4 UI was incorrect, and it was updated to reflect how the offset times are actually calculated. I don't think the actual behaviour of the transformation changed, but you should double check this to be sure.
Person update with WAMI instead of EmployeeNumber
Hello Unify people. A long time ago I posted this:
https://voice.unifysolutions.net/communities/6/topics/2467-aurion-export-failed-employee_no-expected
I have now found out it is not (or no longer) a requirement of the Aurion API method EMP_UPDATE_PERS to have the employee number, and it can work with the WAMIKey, as in the following:
API_FUNCTION=EMP_UPDATE_PERS|WAMI_NO=16798|CONTACT_PHONE=02 9898 9898|WORK_MOBILE=0404 040 404
If the customer asks for an update to the Aurion connector to use the WAMI if Employee_Number is not available, can you do that?
Issue with Google Groups Connector generating large numbers of RSA files on export
We have recently been having an issue whereby the UNIFYBroker service account appdata directory (C:\Users\<IdB Service Account>\AppData\Roaming\Microsoft\Crypto\RSA\<user object SID>) seems to fill up rapidly with RSA files. At its current rate it appears to be filling up with the addition of thousands of files a day. I have done some testing between UNIFYBroker and Process Monitor and have been able to narrow down a particular operation in UNIFYBroker that seems to be generating all the files in this directory and not clearing them after creating them.
The main operation from what I can tell seems to be the export operation on the Google Groups connector. I have tested imports on this same connector and this doesn't seem to be generating the files from what I can tell. Please see the images below showing the timings for these jobs lining up at exactly the same time.
Environment Details:
UNIFYBroker: v5.3.1
Google Connector: v5.3.2
Let me know if you need any further information.
AD Connector ObjectSid field not working with Postgresql
When running an import on AD Groups, the objectSid field is defined as a string on the connector schema. SQL can import this field fine (although shows as jargon on the UI). Postgres fails to import with the following error:
Connector Processing page 1 for connector On-Prem Groups failed with reason 22P05: unsupported Unicode escape sequence. Duration: 00:00:08.3359933. Error details: Npgsql.PostgresException (0x80004005): 22P05: unsupported Unicode escape sequence
at Npgsql.NpgsqlConnector.<>c__DisplayClass161_0.<<ReadMessage>g__ReadMessageLong|0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Npgsql.NpgsqlConnector.<>c__DisplayClass161_0.<<ReadMessage>g__ReadMessageLong|0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Npgsql.NpgsqlDataReader.<NextResult>d__46.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Npgsql.NpgsqlDataReader.NextResult()
at Npgsql.NpgsqlCommand.<ExecuteDbDataReader>d__100.MoveNext()
Changing the field type to 'binary' and attempting an import yields a different error at an earlier stage:
Unify.Product.IdentityBroker.EntitySchemaValidationException: Invalid binary - the value was a string, but was not able to be converted as a base64 encoded string from: ??? ? ---> System.FormatException: The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters.
at System.Convert.FromBase64_Decode(Char* startInputPtr, Int32 inputLength, Byte* startDestPtr, Int32 destLength)
at System.Convert.FromBase64CharPtr(Char* inputPtr, Int32 inputLength)
at System.Convert.FromBase64String(String s)
at Unify.Product.IdentityBroker.EntityBinaryTypeSchemaValidator.CreateValue(Object dataValue)
Extensibility config lost due to full hard disk
Hi,
Recently we had an issue come up where the server ran out of disk space while writing the XML config files.
Would we be able to request a feature where the existing file is renamed to a .bak file before writing a new XML file?
If the server runs out of disk space, the file will fail to rename, preventing the mentioned issue.
Thanks