Azure AD Sync Transform Map

09-26-2018 08:17 AM
We have recently set up an Azure AD integration with automatic user provisioning. I followed the steps at https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/servicenow-tutorial which included giving Azure admin credentials and having them automatically create an IDP. I see there was also a transform map created, but my question is, does Azure even use this transform map?
I've been seeing user fields getting set that are not even mapped in the transform map at all, and it looks like the admin account I gave them has been making SOAP transactions directly into our user table. It also appears these SOAP transactions are ignoring business rules. We have a business rule to check for duplicate email addresses, but this Azure SAML sync is bypassing it. Is there a way to make sure Azure only sets the user fields in the transform map, and that business rules are run on every transaction?
01-22-2020 03:27 AM
Hi
3 weeks ago
Thank you very much for sharing this, Chris! I am wondering how it can ever be a good practice to let a 3rd party system have direct write access to the core User table, while completely avoiding the standard import procedures (i.e., staging Import Set table and a Transform Map) and having zero control over the integration in ServiceNow.
If something goes wrong and the integration starts corrupting data in ServiceNow, how could we disable the User table updates without also locking ourselves out by disabling the Identity Provider?
In my professional experience this looks like a textbook example of a badly designed integration, an anti-pattern, if you will. I am really interested in hearing from the ServiceNow architect designing this integration.
05-19-2020 12:42 PM
Hi
Is there any update on this issue? What I can see is that it is clearly skipping the transform map, and if it is skipping the transform map, then how can we set the scripting and create new reference values in the tables?
Is there any possibility that Azure AD can create new values, or that we can use a transform map?
Any kind of help will be appreciated. Thanks.
07-27-2020 08:18 AM
Inside the Azure app, the provisioning piece has a lot of mapping options now, especially for ServiceNow. You can add additional attributes and use constant or different expressions to populate the fields in SN. The bad part is that this is all controlled by the Azure admin, rather than the SN admin with a transform map. So you are at the mercy of a different team to follow the instructions you set out or to make changes for you. I've read that with OpenID Connect authentication coming in Paris, the transform power is back in SN... but just a rumor.