This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
No ratings

Endpoint Filter for Active Directory connection using group attributes

sahil
Saviynt Employee
Saviynt Employee

‎01-24-2023 11:58 AM - edited ‎01-24-2023 04:35 PM

Detailed Question: Is there any way to use the ENDPOINT FILTER attribute in AD connection, but instead of using the memberOf attribute, it uses any other attribute in an AD group ? The filtering for child endpoints will be done based on that attribute .
 
If this is not supported using the endpoint filter. can any other JSON like groupImportMapping be used? The requirement is : The AD groups having a common attribute value (e.g. a set of AD groups for which 'INFO' attribute has the value 'XYZ') should be imported into a separate endpoint (the groups as well as the associated accounts) , and this endpoint should be requestable and certifiable separately.
 
Answer: If you are able to search with the filter in your LDAP browser, you should be able to use the same under ENDPOINT FILTER to pull the Groups accordingly.

Use the same filter as you are using in the LDAP browser under ENDPOINTS_FILTER config in AD Connection. Replace the memberOf string below with the search filter value you are using in LDAP browser.

{
"Sampletest AD Application": [
{
"memberOf": [
"CN=ACL_Okta_%,OU=Okta,OU=Resources,OU=gh,DC=test,DC=local"
]
}
]
}

 
Comments
sahil
Saviynt Employee
Saviynt Employee
‎01-24-2023 11:59 AM

If you are able to search with the filter in your LDAP browser, you should be able to use the same under ENDPOINT FILTER to pull the Groups accordingly.

rushikeshvartak
All-Star
All-Star
‎01-24-2023 02:22 PM

What is solution ?

sahil
Saviynt Employee
Saviynt Employee
‎01-24-2023 04:06 PM

Use the same filter as you are using in the LDAP browser under ENDPOINTS_FILTER config in AD Connection. Replace the memberOf string below with the search filter value you are using in LDAP browser.

{
"Sampletest AD Application": [
{
"memberOf": [
"CN=ACL_Okta_%,OU=Okta,OU=Resources,OU=gh,DC=test,DC=local"
]
}
]
}

 

rushikeshvartak
All-Star
All-Star
‎01-24-2023 04:24 PM

Post says we need to update groupImportMapping also?

sahil
Saviynt Employee
Saviynt Employee
‎01-24-2023 04:38 PM

No changes are required for groupImportMapping. I have also updated the original post to highlight the query and Suggestion.

 

rushikeshvartak
All-Star
All-Star
‎01-24-2023 06:08 PM

Thanks for edit

rushikeshvartak
All-Star
All-Star
‎01-25-2023 07:10 PM

Can we use any other attribute of entitlement instead of entitlement_value

sahil
Saviynt Employee
Saviynt Employee
‎01-26-2023 10:04 AM

Can you explain a little more on where you want to use the attribute.

rushikeshvartak
All-Star
All-Star
‎01-27-2023 04:37 AM

We want endpoint_filter to be done on specific custom property other than entitlement_value

 

example

if entitlement customproperty1 will be application name 

business use case- it won’t be possible to change group name in ad , as those used by many applications

sahil
Saviynt Employee
Saviynt Employee
‎01-31-2023 08:56 AM

The ENDPOINTS_FILTER works on the LDAP query and does not have any dependency on Saviynt attributes. The best way to test this is to run your filter query in LDAP browser and then use that same query in Saviynt. Replace memberOf with your AD attribute you used in your LDAP browser and CN=ACL_Okta_%,OU=Okta,OU=Resources,OU=gh,DC=test,DC=local with the value you searched with.

 

{
"Sampletest AD Application": [
{
"memberOf": [
"CN=ACL_Okta_%,OU=Okta,OU=Resources,OU=gh,DC=test,DC=local"
]
}
]
}

rushikeshvartak
All-Star
All-Star
‎02-01-2023 08:15 PM

{
"AWS Azure": [
{
"displayName": [
"aws%"
]
}
]
}

 

I have tested this ,it does not work here displayName is expected as entitlement Type 

sahil
Saviynt Employee
Saviynt Employee
‎02-02-2023 09:25 AM

Can you try using the below  once. 

{
"AWS Azure": [
{
"memberOf": [
"displayName=aws%"
]
}
]
}

rushikeshvartak
All-Star
All-Star
‎02-03-2023 01:16 PM

Its not working it made all groups inactive

sahil
Saviynt Employee
Saviynt Employee
‎02-03-2023 03:36 PM

And just to be sure, was this same filter returning the data in LDAP browser?

If it was, we may need to check this further if there are any code dependencies. Can you please confirm.

rushikeshvartak
All-Star
All-Star
‎02-03-2023 04:22 PM

I am testing for azure AD. 

sahil
Saviynt Employee
Saviynt Employee
‎02-06-2023 02:09 PM

Are you using AD connector or AzureAD  connector?

 

rushikeshvartak
All-Star
All-Star
‎02-06-2023 06:09 PM

AzureAD  connector

sahil
Saviynt Employee
Saviynt Employee
‎02-07-2023 10:50 AM

I would recommend you to reach out to Saviynt implementation team, since it will not be a standard solution.

Please note, the filter you wish to use should also be supported by Graph API before you can check for integration with Saviynt. For information about the filter conditions that Microsoft supports, see basic query in the Microsoft documentation.

Version history
Last update:
‎01-24-2023 04:35 PM
Updated by:
Saviynt Employee
Contributors
Copyright © 2023 Khoros, LLC