Troubleshooting Password Management with Provisioning Plan Debugging
Password changes are managed as provisioning activities, creating a provisioning plan that reflects the password change as an account modification request. Problems encountered with password management during the early set-up phases can be more easily diagnosed by turning on logging of the provisioning plan for individual applications as a debugging tool. The provisioning plan shows the actions IdentityIQ intends to perform on the account.
To turn on logging, add this XML block to the desired application's XML through the IdentityIQ Debug pages.
<!-- Inserting a provisioning configuration to support dumping the
     provisioning plan out to the log file during every execution. -->
<!-- The deleteToDisable flag prevents account deletion activities, changing them
     to disable account requests instead of delete -->
<ProvisioningConfig deleteToDisable="true">
  <PlanInitializerScript>
    <Source>
      System.out.println("DEBUG: ProvisioningPlan: \n" + plan.toXml());
    </Source>
  </PlanInitializerScript>
</ProvisioningConfig>
This writes the provisioning plan to standard output, as shown below. Note that the password is written in the provisioning plan in plain text, so this ProvisioningConfig should not be left in the Application XML in a production environment.
DEBUG: ProvisioningPlan:
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan targetIntegration="ADAM">
  <AccountRequest application="ADAM" nativeIdentity="CN=Adam.Kennedy,DC=sailpoint,DC=com" op="Modify">
    <AttributeRequest name="password" op="Set" value="test123">
      <Attributes>
        <Map>
          <entry key="preExpire">
            <value>
              <Boolean>true</Boolean>
            </value>
          </entry>
        </Map>
      </Attributes>
    </AttributeRequest>
  </AccountRequest>
  <Attributes>
    <Map>
      <entry key="identityRequestId" value="0000000028"/>
      <entry key="requester" value="admin"/>
      <entry key="source" value="LCM"/>
    </Map>
  </Attributes>
  <Requesters>
    <Reference class="sailpoint.object.Identity" id="2c901c1e34aa96a70134aa96e40200ba" name="admin"/>
  </Requesters>
</ProvisioningPlan>
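
The Python sketch below is an added example, not SailPoint code and not part of the original page. It covers the two clean-up checks the plain-text warning above implies: masking password values in plan dumps already captured in a log, and listing which applications in an exported XML file still carry the plan-dumping PlanInitializerScript. The sample log, the `<sailpoint>` export wrapper, the HR-DB application and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

SENSITIVE = {"password"}  # assumption: extend with other secret attribute names
TAG_RE = re.compile(r"<AttributeRequest\b[^>]*>")
NAME_RE = re.compile(r"""\bname=(["'])(.*?)\1""")
VALUE_RE = re.compile(r"""\bvalue=(["']).*?\1""")

def redact_plan_dumps(log_text):
    """Mask value= on sensitive AttributeRequest tags; return (text, hit count)."""
    hits = 0
    def mask(match):
        nonlocal hits
        tag = match.group(0)
        name = NAME_RE.search(tag)
        if name and name.group(2).lower() in SENSITIVE and VALUE_RE.search(tag):
            hits += 1
            return VALUE_RE.sub('value="[REDACTED]"', tag)
        return tag
    return TAG_RE.sub(mask, log_text), hits

def apps_dumping_plans(export_xml):
    """Names of Application objects whose PlanInitializerScript prints the plan."""
    flagged = []
    for app in ET.fromstring(export_xml).iter("Application"):
        for script in app.iter("PlanInitializerScript"):
            if "plan.toXml()" in (script.findtext("Source") or ""):
                flagged.append(app.get("name"))
    return flagged

# Constructed sample inputs, modelled on the block and output shown on this page.
SAMPLE_LOG = '''DEBUG: ProvisioningPlan:
<ProvisioningPlan targetIntegration="ADAM">
<AccountRequest application="ADAM" nativeIdentity="CN=Adam.Kennedy,DC=sailpoint,DC=com" op="Modify">
<AttributeRequest name="password" op="Set" value="test123">
</AttributeRequest>
<AttributeRequest name="description" op="Set" value="kept"/>
</AccountRequest>
</ProvisioningPlan>
'''
SAMPLE_EXPORT = '''<sailpoint>
<Application name="ADAM"><ProvisioningConfig deleteToDisable="true">
<PlanInitializerScript><Source>
System.out.println("DEBUG: ProvisioningPlan: \\n" + plan.toXml());
</Source></PlanInitializerScript></ProvisioningConfig></Application>
<Application name="HR-DB"/>
</sailpoint>'''

if __name__ == "__main__":
    scrubbed, count = redact_plan_dumps(SAMPLE_LOG)
    print(count, "secret value(s) masked")
    print("applications still dumping plans:", apps_dumping_plans(SAMPLE_EXPORT))
```

A non-zero hit count from the log scrubber means a password was exposed in that log, so the affected accounts should have their passwords changed in addition to the log being cleaned.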