Accessing the SCIM api

schall8 · January 11, 2022, 3:51pm

I created an identity just to access the SCIM API. I have given it both user rights for SCIM and to the REST api. When I attempt to execute a call to either the SCIM or rest I get a 401 not authorized. Is there additonal rights I need to add to the user past these two?

SCIM Executor
WebServices Executor

This is the endpoint I am trying to connect to.
https://:8443/identityiq/scim/v2/list

I am running identityiq 8.1

Postman response:
{“schemas”:[“urn:ietf:params:scim:api:messages:2.0:Error”],“detail”:“User does not have access.”,“status”:“401”}

Also is there a logfile that collects the errors for the SCIM and REST api’s? I didn’t see anything int he log directory on tomcat.

paulo_urcid · January 11, 2022, 5:39pm

I tested in my local sandbox by giving these same 2 Capabilities to an identity, and I can query the SCIM APIs just fine (I tested with GET http://localhost:8080/identityiq_82/scim/v2/Users). It seems like the endpoint you are calling is not valid: https://:8443/identityiq/scim/v2/list

Check the list of valid IdentityIQ API endpoints: IdentityIQ API | SailPoint Developer Community

schall8 · January 11, 2022, 6:49pm

I removed the servername I updated the call matching yours.

https://d2lg12535.dev-resource.iam.hpecorp.net:8443/identityiq/scim/v2/Users

{

"schemas": [

    "urn:ietf:params:scim:api:messages:2.0:Error"

],

"detail": "User does not have access.",

"status": "401"

}

Bernie · January 18, 2022, 10:00pm

The ReadScimUser SPRight is required to make this call. By default, this is included in the SCIMExecutor Capability. You might want to verify that this is still the case. If that still doesn’t work, then it’s possible that the session you’re using to make the SCIM query timed out and is no longer authorized. If neither of those options pan out, enable tracing on the sailpoint.web.Authorizer class to verify that whatever is getting passed into the hasAccess() method is as expected.

adam_creaney · January 19, 2022, 7:00pm

Are you using basic auth, or client credentials (oauth)?

Have you tried removing the user from the workgroup, and just assigning those two capabilities directly?

schall8 · January 20, 2022, 1:40am

I was trying to use the auth headers I switched it to basic auth and removed the header. Its working now.

adam_creaney · January 20, 2022, 3:11pm

Excellent - glad to hear it!

schall8 · February 15, 2022, 1:35pm

Anusha is out today but Samuel has offered to walk you through the ITG deployment. Scheduling a 2 hour call just in case there are a lot of questions.

schall8 · February 15, 2022, 2:12pm

Anusha is out today but Samuel has offered to walk you through the ITG deployment. Scheduling a 2 hour call just in case there are a lot of questions.

Topic		Replies	Views
SCIM API Authentication Problem With Postman IIQ Discussion and Questions	3	2228	July 19, 2023
IIQ SCIM API Token Generation IIQ Discussion and Questions apis , identityiq	3	497	February 12, 2024
SCIM API - API Services Triggered Failed IIQ Discussion and Questions	2	1547	July 19, 2023
Enable API in IIQ IIQ Discussion and Questions apis , identityiq	4	743	November 20, 2023
IIQ REST API information for 8.1 IIQ Discussion and Questions	10	9276	July 19, 2023

Accessing the SCIM api

Related topics