Smart Correlation Webinar Summary

MidPoint 4.6 brought a new feature called “Smart Correlation” that allows accounts to be correlated flexibly and powerfully.

In the webinar that took place on March 21, 2024, we described the basics of correlation in general and the Smart Correlation midPoint feature in particular. Composable correlation rules with configurable confidence levels, approximate matching, human involvement, and two experimental features (custom indexing and support for multiple sources of truth) were explained in more detail. Two instructive demos were presented to help attendees understand the topic.

Watch the webinar recording or take a look at the presentation.

There were some interesting questions raised during the webinar. Let me answer some of them here. The questions are rephrased a little, where needed.

Q: Could you please share the configuration on the “midpoint-sample” project on GitHub?

A: Yes. Here it is:

Q: What version of midPoint is this available in?

A: The feature has been there since midPoint 4.6. There were some fixes and improvements, and the version as presented works in midPoint 4.8.2.

Q: How do you bring a case to the attention of a human (e.g., the help desk)? Is it possible to use other messaging systems like Slack or a ticket system? Does midPoint expect anything back from the help desk system (such as a ticket number)?

A: You can use standard midPoint notifications for this. They can be filtered to cover only correlation cases if needed. Notifications are sent out via e-mail or SMS by default, but it is possible to write a custom transport that uses any other mechanism. Currently, midPoint does not expect anything back from the eventual ticketing system. (Thank you for the idea; this is a candidate for future improvement.)

Q: If the smart correlation rule cannot identify a match with sufficient confidence and so creates a case for an administrator to review, and the given resource has policy and outbound mappings to create a user account on that system, how does midPoint know how long to wait until it attempts to create an account vs. waiting for manual correlation?

A: Currently, midPoint will try to create the account immediately. There are two possibilities here:

  1. If the account cannot be created because it conflicts with the already existing (disputed) account – for example, because it uses the same login name – then the operation will end with an error, and administrator intervention will be required. This is because midPoint tries to apply so-called opportunistic synchronization (correlation) when it encounters a conflict, but it still cannot identify the correct owner with certainty. In the future, opportunistic synchronization could take the new information about the intention to create an account for a particular user into consideration.

  2. If there is no conflict, so the account can be created, it will be created and linked to the user. (No conflict means that, e.g., the login name generated by midPoint differs from the existing login name.) The original account will remain disputed.

This use case should probably be analyzed in more detail. Thank you for pointing it out.

Q: Is it possible to run the import without the correlation or the correlation without the import to reduce the turnaround time?

A: To run the correlation without the import, you can simply turn off (disable) the synchronization reactions. This approach can be seen, e.g., in the First Steps Methodology. The opposite is possible as well: when importing, you can decide not to create correlation cases for disputed accounts, which is, by the way, the default setting. midPoint will still attempt the correlation itself, but no correlation cases will be created when the result is uncertain.
