Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry.
Saviynt Copilot Icon

AD Logical Application Duplicate Account Import Issue

SPAL
New Contributor
New Contributor

Requirement:

We are currently managing an AD Group-based application with five entitlements, utilizing AD Logical Applications for configuration(https://docs.saviyntcloud.com/bundle/KBAs/page/Content/Logical-Active-Directory-Applications.htm).

To integrate the ABC application, we created an additional connection named "ABC_Connection" and established a Security System specific to the ABC application. We also configured five Organizational Units (OUs) in the Endpoint filter for the new logical application "ABC-Child," resulting in the creation of a Child Application. Separate provisioning and import data jobs were also set up for this Logical Application.

Our existing setup includes the following AD components:

AD Security System -Select EntitlementsOnly for the Create Task action in the security system.
AD Endpoint Parent
AD Connection-Endpoint Filter
AD Provisioning Job
AD Application Importing Job

Issue:

When a user submits a request for the ABC-Child application, the request is successfully created, tasks for Add access are generated, the account is created in the requested OU, and entitlement access is assigned as expected. However, we encountered a problem during the data import process for the Logical Application:

Error Message:

Duplicate entry '52-CN=EndUser20 EndUser20 (eenduser20),OU=Active,OU=Accounts,OU=' for key 'ENDPOINTKEY'

Additionally, we observed the following discrepancies:

An active account in the Parent Application
A deleted account in the parent endpoint.
A separate account in manually provisioned state in the Child Application due to the import failure caused by the duplicate entry issue

SPAL_0-1726251401075.png

 

Objective:

We aim to ensure that only a single account is created for each user. Specifically, when a user requests access to the Child Application, we want the relevant group to be assigned to the existing user account (ABC-Parent) rather than creating a new account. This approach should prevent duplicate account creation and streamline the entitlement assignment process.

Request for Assistance:

We seek guidance on how to resolve the duplicate entry issue and prevent the creation of multiple accounts for a single user. Any advice or recommendations on configuration adjustments, troubleshooting steps, or best practices would be greatly appreciated.

Thank you for your assistance!

16 REPLIES 16

stalluri
Valued Contributor II
Valued Contributor II

@SPAL 

For AD logical apps, please configure the feature to raise requests for access without an account. 

  1. Select EntitlementsOnly for the Create Task action in the security system.

Screenshot 2024-09-13 at 1.30.52 PM.png


Best Regards,
Sam Talluri
If you find this a helpful response, kindly consider selecting Accept As Solution and clicking on the kudos button.

SPAL
New Contributor
New Contributor

@stalluri This has been configured already.

Regards,

Saksham

rushikeshvartak
All-Star
All-Star

Rename account id using enhanced query to fix issue


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

@rushikeshvartak We have used the same to fix but this issue persists again while provisioning new access and import.

Regards,

Saksham

NM
Honored Contributor II
Honored Contributor II

Hi @SPAL you shouldn't be having a seperate connection for child endpoint if you are using logical endpoint procedure to manage few entitlement.

SPAL
New Contributor
New Contributor

@NM we are not using separate connection. As mentioned we are using only one connection.

 

Regards,

Saksham

NM
Honored Contributor II
Honored Contributor II

Hi @SPAL you need to edit the reference account key column of the duplicate account.

SPAL
New Contributor
New Contributor

Hi @NM,

We have already used enhance query to modify the accountID of this user, But still the issue persists while reprovisioning other user.

objectGUID is the recon field. Please let us know what needs to be modified.

 

Regards,

Saksham

NM
Honored Contributor II
Honored Contributor II

Hi @SPAL , for child endpoint duplicate account you will see a reference account key make that null and then run both the jobs.

SPAL
New Contributor
New Contributor

Hi @NM ,

Is this behavior expected?

We've addressed this issue multiple times by updating the OU for the child application, which allows the import to succeed. However, every time we provision a new account and access, we encounter the same problem(duplicate and deleted account) again.

Any insights or recommendations would be appreciated.

Best regards,
Saksham

NM
Honored Contributor II
Honored Contributor II

Hi @SPAL multiple accounts are fine.. i hope you are using entitlementOnly feature in security system

This is data issue and there is no fix with this


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

SPAL
New Contributor
New Contributor

Hi @NM

Yes we are using it.

Regards,

Saksham

 

SPAL
New Contributor
New Contributor

Hi @rushikeshvartak @NM @stalluri,

We have resolved the duplicate account entry issue.

Now there is another issue which we are facing: The accounts under Child Endpoint are not getting reconciled. The status of the account is in 'Manually Provisioned' state. 

We tried debugging and found that the microservice job is partially successful with Child Endpoint sync failure and its details as shown below.

SPAL_0-1726637921726.pngSPAL_1-1726637985682.png

Failed applications and failure details: [CW_<ABC>_Child:Direct self-reference leading to cycle (through reference chain: com.saviynt.ssm.entity.EndpointsElastic["parentEndpointkey"]->com.saviynt.ecm.identit, CW_<ABC>:Direct self-reference leading to cycle (through reference chain: com.saviynt.ssm.entity.EndpointsElastic["parentEndpointkey"]->com.saviynt.ecm.identit]

Kindly let us know how do we proceed here.

 

Regards,

Saksham

 

 

 

Please raise support ticket for further troubleshooting


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

stalluri
Valued Contributor II
Valued Contributor II

@SPAL 
Please go ahead and create the support ticket with all your findings.


Best Regards,
Sam Talluri
If you find this a helpful response, kindly consider selecting Accept As Solution and clicking on the kudos button.