The synchronization mechanism makes sure that the state of accounts corresponds to the state of the user that owns them, with respect to the configured policies. For this to work properly there needs to be a way to record which user owns which account. Account linking is the primary mechanism for this. The links are created automatically when an account is created as a consequence of a user modification (e.g. a role is assigned to the user).
However, there may be accounts that existed before the IDM solution was deployed, or accounts that were created outside midPoint. It is possible to manage these accounts manually by linking them to the corresponding users, but this approach does not scale and is not efficient. Therefore midPoint has a mechanism to correlate users and accounts automatically.
Correlation and confirmation expressions are used to find an owner for an account. It is important to remember that these expressions always work by having a fixed account and searching for an owner (user). This is the usual case in synchronization. The expressions are not designed to work the other way around.
The goal of the correlation expression is to (quickly and efficiently) find a list of candidate owners. The correlation expression takes information from the account and constructs a search query. This query is then used to locate the account owner. The following diagram illustrates the use of a correlation expression to correlate accounts and users by the employeeNumber attribute. In this case the value of the account attribute employeeNumber is used to construct a query that looks for all the users that have that specific value in the employeeNumber user property. Therefore it can overcome the ambiguity of the account username jsparrow by using a more reliable correlation identifier (
If the correlation expression matches no user, it is assumed that the account has no owner. If the correlation expression matches one or more users, the confirmation expression is used to decide which of the candidates (if any) is the real owner.
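The employeeNumber-based correlation described above, written as an added example of a midPoint resource synchronization fragment (this is not configuration taken from the page). It assumes the resource exposes an `employeeNumber` account attribute under the `ri` prefix, the usual `q` and `c` namespace prefixes, and the `basic.getAttributeValue(shadow, attributeName)` script helper; the confirmation script is a constructed illustration.

```xml
<!-- Added example: excerpt of a resource's <synchronization> section.
     Assumptions: the account object class has an employeeNumber attribute
     (prefix ri) and the q/c namespace prefixes are declared on the resource. -->
<objectSynchronization>
    <enabled>true</enabled>
    <kind>account</kind>
    <intent>default</intent>

    <!-- Correlation: the account is fixed, the owner is searched for.
         The query is built from the account's employeeNumber value, so an
         ambiguous username such as jsparrow plays no role in finding the owner. -->
    <correlation>
        <q:equal>
            <q:path>c:employeeNumber</q:path>
            <expression>
                <path>$account/attributes/ri:employeeNumber</path>
            </expression>
        </q:equal>
    </correlation>

    <!-- Confirmation: evaluated once per candidate user returned by the
         correlation query, only when that query matched one or more users.
         Returns true when the candidate is the real owner of the account. -->
    <confirmation>
        <script>
            <code>
                // 'account' is the shadow being correlated, 'user' the candidate.
                def acctEmpNo = basic.getAttributeValue(account, 'employeeNumber')
                if (acctEmpNo == null) {
                    return false   // nothing to confirm against
                }
                return acctEmpNo.toString() == user.getEmployeeNumber()
            </code>
        </script>
    </confirmation>
</objectSynchronization>
```

With this configuration an account whose employeeNumber matches no user is treated as having no owner, while a match against exactly one user results in that user being linked as the owner.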