SailPoint and Automatic AD provisioning – Identity Trigger

I have already talked about the different methods of Automatic AD provisioning. I have talked about using Roles. Lets look at the method of using an Identity Trigger. Here is what we want

  • All HR joined accounts must have an AD account.
  • When an Identity has an HR link and no AD link then SailPoint should create an AD account.
  • We are not using multiple AD accounts for an identity, an Identity can only have one AD account. So if you have Admin accounts and Regular accounts joined to the same identity then you have to add a filter for Admin accounts.
  • We want to use the provisioning create account policy plan of the AD application and not create a separate provision plan.


  1. Create an Identity Trigger – Get_AD_Account_for_HR_Object
  2. The trigger will be a rule. Write a Rule to do a Link query for Identity, AD App name and HR App name. If it does not exist set your identity Trigger to True.

QueryOptions myquery = new QueryOptions();


    myquery.add(Filter.eq(“”, HR_APP_NAME));

    myquery.add(Filter.eq(“”, AD_APP_NAME));

List<Link> links =context.getObjects(Link.class, myquery);

      if(Util.isEmpty(links)) {


3. The Identity trigger will call a Workflow called MyWorkflow1. Write a Workflow to call the provision plan of the AD application.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s