Identity Broker Forum

Allow timezone configuration for watermark in the WD Connector for IDB
Workday have confirmed that they cannot change their timezone in Workday to match the UTC timezone we use in our Import Changes requests. Given our client is located across 12 different timezones, this means that we miss a lot of the (utc-x) requests. Would it be possible to add a timezone offset to the Connector so that we can change this to match the Workday set timezones? This will allow for a consistent set of changes to be detected.

Aurion export failed "EMPLOYEE_NO expected"
I am trying to export Fax_Number to an Aurion Person connector.
There are two connectors for Person and Employee. The Person connector is the primary one that links through to the Adapter; the Employee connector is joined via the Adapter.
The schema of the Person connector (as I've implemented it) is as follows:
- PersonNumber (Person_Number)
- ContactPhoneNo (Contact_Phone_Number)
- FaxNo (Fax_Number)
- GivenNames (Given_Names)
- PreferredName (Preferred_Name)
- Surname (Surname)
I did not include EmployeeNumber as I didn't think it was relevant to Person so that's probably my mistake - I can see it's listed in the Default Schema Provider. So firstly - do I ask the customer to add that to the Aurion query?
And next - do I map it to "EMPLOYEE_NO"?
As a doco suggestion it would help if the schema was listed in the doco along with which fields are required.

Sorted out by adding Employee_Number to the Person connector's Aurion query. Initially I was not getting the data because I used the name Employee_No (as specified by that error message) but actually the query uses Employee_Number. Thanks to Ryan for suggesting I run the report directly in Aurion and inspect the resulting XML file.
Now that Employee_Number is populated in the Person connector my test export to Fax_Number has succeeded.

Cannot change Queue On Blocked through UI
I could not find a way to change the Queue on Blocked setting of the Aurion v5 connectors through the UI and had to do it in the XML.

Thanks Carol, this has already been fixed and is just awaiting release.

LDAP timeout
I am seeing a repeated error about LDAP timeouts when trying to read in changes from an IDB5 adapter. The error is:
Handling of LDAP change log request from user IdBAPPProxy on connection 127.0.0.1:57970 failed with error "This operation returned because the timeout period expired. (Exception from HRESULT: 0x800705B4)". Duration: 00:14:59.9992614.
That looks suspiciously like a 15 min timeout is set somewhere, but I simply cannot find where it is set.
Any advice would be appreciated.

Aurion Security User update - USER_MATCH_VALUE expected
IdB 5.0.4, Aurion Connector v5
The Aurion Security User Import worked perfectly. I am now trying to export changes in the Status value back to Aurion and I get the error "USER_MATCH_VALUE expected" reported as an export error back to the MIM Sync service. There is nothing in the IdB logs (on Verbose setting - I haven't tried Diagnostic).
It sort of sounds like maybe the User_Id value is not being sent to Aurion along with the update - however User_Id is populated in the connector, and it came from the connector import, so is definitely what Aurion has.
Exports were working in the IdB 3 solution. Does v5 do something different? Is there anything that has to be changed in Aurion to support updates?

Hi Carol,
It's referring to the missing user id, which is the user field for the security user connector. This hasn't changed in v5.0. Try adding a new connector and running the schema provider again to see the correct list of fields.
Thanks.

Distinguished Name Generator using key in dn instead of input value
DN being generated includes the user's own key, instead of the manager's:
CN=00069,OU=AurionPerson,DC=Identity Broker
instead of:
CN=00203,OU=AurionPerson,DC=Identity Broker
I expect the Input value to become the key, as it's no longer selectable in the dropdown attribute list. How do I configure this so that the SupervisorWAMI is in the DN?
Attributes:
* SupervisorWAMI: 00203
* Key: 00069
Config:
* Input: SupervisorWAMI
* target: SupervisorDN
* Single Valued: Checked
* Skip Missing: Checked
* DN Template:
  - Adapter: Aurion Person
  - CN = @Key

Hi Matt,
You should be able to configure the DN template as CN = [SupervisorWAMI].

IdB5 partitions not working correctly
I have 2 OUs stemming from the main IdB partition as follows:
DC=Identity Broker
-- OU=AurionUsers,DC=Identity Broker
-- OU=FutureUsers,DC=Identity Broker
If I target my Full Import Run Profile at the top of the tree (DC=Identity Broker), I expect to retrieve all objects in sub OUs, but I retrieve nothing. MIM reports completed-no-objects.
This seems like a bug to me. This is a problem, as it means that I need to have 2 MAs when 1 should suffice.

Hi Matt,
On further investigation this appears to be because the agent is being asked at the start of the run profile explicitly to exclude the two sub-containers, even if you explicitly configure it to include them with the "Containers ..." configuration on the "Configure Partitions and Hierarchies" page. This appears to be a bug with how FIM/MIM relays the configuration to the agent (note: I've been testing against FIM2010R2 but you appear to be experiencing the same behaviour).
Is there any functionality that you need that you can't achieve by targeting the two containers as individual partitions, and creating multi-step run profiles to operate on each partition?

Add Detail in Andre's document to FIM IdB5 configuration page
On this page, there is a document which contains vital configuration information missing from the actual page. It would be a good idea to move the content into the page itself.

Hi Matt,
Thanks for the feedback. The Extensible Connectivity 2.0 management agent is referenced in the first sentence of the article, although admittedly it could be clearer on the steps required to get started creating an agent. As such, I have added a section to the top of the article called Agent Creation.

How far off is IdB 5 from having a schema unique to each adapter?
How far off is IdB 5 from having a schema unique to each adapter? Both adapters will have fields like Person_Number and Given_Names and I want to avoid having to have:
AdapterA_Person_Number
and
AdapterA_Given_Names
if I don't need to. I believe this is the case as it stands with the current version of IdB.

Hi Matthew,
Thanks for the question. The reason behind the single schema was a limitation in Microsoft's generic LDAP MA. Now that we have our own MA there is some flexibility in what parts of the LDAPv3 specification that we support. We have code in the v5.1 branch that we are currently testing which allows for multiple schemas for a single directory (1 per adapter), and it is our intention to have this available in the upcoming v5.1 release.
Thanks.

What format is IdB 5 expecting when trying to match a certificate by thumbprint?
Trying to select a cert by thumbprint. A few options below:
1) 05:0A:A7:C3:5F:85:F0:A8:5B:14:1D:B6:7F:67:8C:60:4F:2D:DE:D3
2) 05 0a a7 c3 5f 85 f0 a8 5b 14 1d b6 7f 67 8c 60 4f 2d de d3
3) 050aa7c35f85f0a85b141db67f678c604f2dded3
What format do I need to use?

Hi Matthew,
The value that comes out of the certificate browser, so number 2. Just be aware that if copied straight out there will be a non-printable character that needs to be removed (don't recall if it's preceding or trailing).
Thanks.
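
An added example, not part of the thread above and not Identity Broker code: a Python check that locates invisible characters in a pasted thumbprint (leading or trailing) and rewrites any of the three notations from the question into format 2. It assumes a SHA-1 thumbprint of 40 hex digits, as in the question; the function names and the pasted sample with a U+200E in front are constructed for illustration.

```python
import unicodedata

SHA1_HEX_LEN = 40          # 20 bytes, as in the thread's thumbprint
HEX = "0123456789abcdef"


def find_hidden_chars(raw):
    """List (index, codepoint, name) for every character that is not a
    hex digit, a colon or a plain ASCII space."""
    hidden = []
    for i, ch in enumerate(raw):
        if ch.lower() in HEX or ch in ": ":
            continue
        hidden.append((i, "U+%04X" % ord(ch), unicodedata.name(ch, "UNNAMED")))
    return hidden


def normalize_thumbprint(raw):
    """Reduce any of the three notations to bare lowercase hex.
    Raises ValueError unless exactly 40 hex digits remain."""
    kept = []
    for ch in raw:
        # Drop colons plus Unicode format (Cf), control (Cc) and space (Zs)
        # characters, wherever they sit in the string.
        if ch == ":" or unicodedata.category(ch) in ("Cf", "Cc", "Zs"):
            continue
        kept.append(ch.lower())
    hex_only = "".join(kept)
    if len(hex_only) != SHA1_HEX_LEN or any(c not in HEX for c in hex_only):
        raise ValueError("not a SHA-1 thumbprint: %r" % raw)
    return hex_only


def spaced(hex_only):
    """Format 2 from the thread: lowercase byte pairs separated by spaces."""
    return " ".join(hex_only[i:i + 2] for i in range(0, len(hex_only), 2))


# Constructed sample: option 2 from the question with an invisible
# U+200E (LEFT-TO-RIGHT MARK) pasted in front of it.
PASTED = "\u200e05 0a a7 c3 5f 85 f0 a8 5b 14 1d b6 7f 67 8c 60 4f 2d de d3"

if __name__ == "__main__":
    for pos, code, name in find_hidden_chars(PASTED):
        print("hidden character at index %d: %s %s" % (pos, code, name))
    print(spaced(normalize_thumbprint(PASTED)))
```
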