Hello.
When using a 'Domain User' linked account on an AnyIdentity provider, only the username and password are provided to the scripts that run for discovery and heartbeat. When using PowerShell remoting within the scripts to connect to endpoints in other domains, sometimes it is necessary for the username to be in the format of UPN or DOMAIN\Username. Additionally, I've noticed the heartbeat script will work when manually checking synchronization of a PAM credential, but not when the scheduler runs the periodic heartbeat check, which I assume is due to one using the 'local system' account and the other using the 'local service'.
While it is possible to work around this by adding additional properties to an AnyIdentity provider for username suffix or prefix, it would be cleaner if additional attributes of the linked account could be passed as parameters to the scripts (i.e. UPN and domain name). Possibly, another approach would be a setting on the linked account page allowing customization of the username format, similar to what is available in the 'Advanced' section of an RDM entry (see below).
Please let me know if you would like any additional info.
Thanks
Joe
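The prefix/suffix workaround described in the post above, shown as an added example that is not code from the original thread or from Devolutions. The parameter names ($Username, $Password, $Domain, $UpnSuffix, $ComputerName) are assumptions standing in for whatever properties a given AnyIdentity provider template exposes to its heartbeat script; the only real dependencies are the standard PowerShell cmdlets used.

```powershell
# Added example: normalize a linked-account username into DOMAIN\User or UPN form
# before PowerShell remoting, then run a minimal heartbeat check.
# All param names below are assumed placeholders for provider-defined properties.
param(
    [Parameter(Mandatory)][string]$Username,      # bare username as passed by the provider
    [Parameter(Mandatory)][string]$Password,      # password as passed by the provider
    [string]$Domain,                              # optional extra property: NetBIOS domain prefix
    [string]$UpnSuffix,                           # optional extra property: UPN suffix
    [Parameter(Mandatory)][string]$ComputerName   # endpoint to verify the credential against
)

function Format-RemotingUserName {
    param([string]$User, [string]$DomainPrefix, [string]$Suffix)
    # Respect a name that is already qualified; otherwise prefer UPN, then down-level form.
    if ($User -match '\\|@') { return $User }
    if ($Suffix)             { return "$User@$Suffix" }
    if ($DomainPrefix)       { return "$DomainPrefix\$User" }
    return $User
}

$qualified = Format-RemotingUserName -User $Username -DomainPrefix $Domain -Suffix $UpnSuffix
$secure    = ConvertTo-SecureString -String $Password -AsPlainText -Force
$cred      = [System.Management.Automation.PSCredential]::new($qualified, $secure)

try {
    # Heartbeat: the credential is valid if a trivial remote command succeeds with it.
    $identity = Invoke-Command -ComputerName $ComputerName -Credential $cred `
                               -ScriptBlock { whoami } -ErrorAction Stop
    [pscustomobject]@{ Success = $true;  Username = $qualified; Identity = $identity }
}
catch {
    [pscustomobject]@{ Success = $false; Username = $qualified; Error = $_.Exception.Message }
}
```

Returning the qualified username alongside the result makes it visible in the heartbeat output which form was actually sent to the endpoint, which helps separate a username-format failure from the scheduler-context difference the post also mentions.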
Hello Joe,
Thank you for your request. I understand your request and it is true that it would be useful to get more information, particularly with account from AD provider. I'm taking note of that and we will see what could be done. We will post back here once we have an update.
Best regards,
François Dubois
Thanks François.
A while back we talked about updating the properties of existing PAM accounts during the scheduled heartbeat (https://forum.devolutions.net/topics/40093/anyidentity-source-metadata-retrieval), however one associated challenge was that the respective PAM entry is not directly accessible from within the AnyIdentity scripts, nor is the object ID of the PAM entry passed to the script, so it is difficult to use native DVLS PowerShell cmdlets to locate the correct entry when there are multiple entries with identical usernames.
Just mentioning it, as there may be some crossover if the solution to the linked account domain attribute involves passing the PAM object(s) directly into/out of the AnyIdentity scripts via parameter/return values.
Thanks
Joe