Add-entitlement in http operations for webservice connector

We are trying to add an entitlement for a user. We are using the webservice-connector to our OneLogin (IdP) tenant but we are always getting this error.

["[ConnectorError] HttpClientWrapper.ts Response status :400 doesn\u0027t match to allowed success codes : 2**,2**,2** \n                    response : {\"status\":400,\"error\":\"BadRequestError\",\"description\":\"Expected array in request\"} (requestId: 6d1de6724ad94850bfe72232bdfe697c)"]

The API to add a rule (entitlement) in OneLogin looks like this:

curl 'https://<subdomain>/api/2/roles/:id/users' \
-X POST \
-H "Authorization: bearer <access_token>" \
-H "Content-Type: application/json" \
-d '[123, 456, 789]'

The Http-operation we are trying looks like this in the body
[
"$getObject.nativeIdentity$"
]
and the context url looks like this
/api/2/roles/$plan.OneloginRoleID$/users

When I look in the CLI logs, the context URL is correct, but it always says that it expects an array. The "[ … ]" should indicate it is an array even if it is only one value.

Has anyone come across this?

/Regards

Hello @JoakimSandin

Is the entitlement attribute mapped as multi-valued?

Yes, it is set as multi-valued.

Hi @JoakimSandin

Did you check the VA logs? If the web service connector is not stringifying the array body, maybe that is what is causing the issue.
You can try to set the log level to debug and then see what the request body is. Generally, I have seen in the web service connector that when you are passing a JSON body, the connector expects the body to be key-value pairs, and if the value is not found then it simply removes the entire line in the request.
So can you please double-check in the VA logs what the actual body being passed is? If it is blank, then maybe you might need to write a small rule to make this work.

I hope this helps, please let me know if it works.

Thank You.
Regards
Vikas.

This is from the log

DEBUG | connectorMessage ▶︎ {"AppType":"Web Services SaaS","commandType":"std:account:update","invocationId":"75d08c1b-6355-4e54-990f-a0011925b195","message":"BaseHttpRequestBuilder.ts Entering prepareRawBody() for : [\n\"user_id\": \"$getObject.nativeIdentity$\"\n]","requestId":"1d86972739944399ad967b755789ec80","timestamp":"2025-05-20T12:25:29.770Z","version":37}

As I can see it, it sends an array even if it is only one key:value pair.

[\n"user_id": "$getObject.nativeIdentity$"\n]

Some more from the log

{"AppType":"Web Services SaaS","commandType":"std:account:update","invocationId":"75d08c1b-6355-4e54-990f-a0011925b195","message":"BaseHttpRequestBuilder.ts Attempting to extract placeholders from: [\n\"user_id\": \"$getObject.nativeIdentity$\"\n]","requestId":"1d86972739944399ad967b755789ec80","timestamp":"2025-05-20T12:25:29.770Z","version":37}
[2025-05-20T14:25:30.274+02:00] DEBUG | connectorMessage ▶︎ {"AppType":"Web Services SaaS","commandType":"std:account:update","invocationId":"75d08c1b-6355-4e54-990f-a0011925b195","message":"BaseHttpRequestBuilder.ts Entering determinePlaceholderValue()...","requestId":"1d86972739944399ad967b755789ec80","timestamp":"2025-05-20T12:25:29.770Z","version":37}
[2025-05-20T14:25:30.274+02:00] DEBUG | connectorMessage ▶︎ {"AppType":"Web Services SaaS","commandType":"std:account:update","invocationId":"75d08c1b-6355-4e54-990f-a0011925b195","message":"determinePlaceholderValue for: nativeIdentity","requestId":"1d86972739944399ad967b755789ec80","timestamp":"2025-05-20T12:25:29.770Z","version":37}
[2025-05-20T14:25:30.274+02:00] DEBUG | connectorMessage ▶︎ {"AppType":"Web Services SaaS","commandType":"std:account:update","invocationId":"75d08c1b-6355-4e54-990f-a0011925b195","message":"determinePlaceholderValue for from planAttributes: nativeIdentity","requestId":"1d86972739944399ad967b755789ec80","timestamp":"2025-05-20T12:25:29.770Z","version":37}
[2025-05-20T14:25:30.274+02:00] DEBUG | connectorMessage ▶︎ {"AppType":"Web Services SaaS","commandType":"std:account:update","invocationId":"75d08c1b-6355-4e54-990f-a0011925b195","message":"BaseHttpRequestBuilder.ts Exiting determinePlaceholderValue()...","requestId":"1d86972739944399ad967b755789ec80","timestamp":"2025-05-20T12:25:29.770Z","version":37}
[2025-05-20T14:25:30.274+02:00] DEBUG | connectorMessage ▶︎ {"AppType":"Web Services SaaS","commandType":"std:account:update","invocationId":"75d08c1b-6355-4e54-990f-a0011925b195","message":"BaseHttpRequestBuilder.ts Exiting buildBody()...","requestId":"1d86972739944399ad967b755789ec80","timestamp":"2025-05-20T12:25:29.770Z","version":37}
[2025-05-20T14:25:30.274+02:00] DEBUG | connectorMessage ▶︎ {"AppType":"Web Services SaaS","commandType":"std:account:update","invocationId":"75d08c1b-6355-4e54-990f-a0011925b195","message":"JsonRequestBuilder.ts Exiting buildBody()...","requestId":"1d86972739944399ad967b755789ec80","timestamp":"2025-05-20T12:25:29.770Z","version":37}
[2025-05-20T14:25:30.274+02:00] DEBUG | connectorMessage ▶︎ {"AppType":"Web Services SaaS","commandType":"std:account:update","invocationId":"75d08c1b-6355-4e54-990f-a0011925b195","message":"ExecutionMediator.ts processEndpoint: Attempting to trigger request for\"\n                            + \" endpoint Add entitelment at: https://xxxxxx.onelogin.com/api/2/roles/$plan.OneloginRoleID$/users","requestId":"1d86972739944399ad967b755789ec80","timestamp":"2025-05-20T12:25:29.770Z","version":37}

@JoakimSandin

What is the payload for the API call? What are we sending in the add entitlement body?

@JoakimSandin

I’m not quite sure why you’re using $getObject.nativeIdentity$ instead of $plan.entitlementIDAttribute$.

Based on the input you’ve provided, the request body for the “Add Entitlement” API doesn’t include a "user_id" attribute.

Could you try using the following in the request body instead?

$plan.entitlementIDAttribute$

Also, please avoid using square brackets ([]) in the body.

The API call needs to have the entitlement ID in the URI and the IDs of the users that are getting the entitlement in the body. The body also needs to be an array, therefore I use the brackets to indicate that it is an array.

What value has the plan.entitlementIDAttribute? Is it the id of the entitlement?

Here is the api that we are trying to use


Hi @JoakimSandin,

Thanks for sharing the document reference — that really helped clarify things.

Based on my review of the API documentation, it looks like the user_ids are of type INT and are expected in the request body, while the role_id is passed in the URL. So you’re partially correct. However, there’s one adjustment needed: the body of the API call.

The correct body format should look like this:

But currently, the composed body looks like this:

Which would result in a body like:

[
  "user_id": "123"
]

Assuming 123 is the nativeIdentity.

To fix this, we need to check two things:

  1. The user_id attribute in the Account Schema must be of type INT, not String:
  2. The body should be composed like this:
[$plan.nativeIdentity$]

This will result in the expected body format:

 [123]

This is based on the curl command that is provided in the documentation.

Hope this helps!
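
Added example (not part of the thread and not the connector's own code): a Python check that renders the body templates discussed above and compares each result with the array-of-integers shape in the curl command. Placeholder substitution is modelled as plain text replacement and 123 is a constructed nativeIdentity; both are assumptions.

```python
import json
import re

# $name$ placeholders as they appear in the HTTP operation body.
PLACEHOLDER = re.compile(r"\$([A-Za-z_.]+)\$")

def render(template, values):
    """Substitute $name$ placeholders by plain text replacement (simplified model)."""
    return PLACEHOLDER.sub(lambda m: str(values[m.group(1)]), template)

def check_body(rendered):
    """Return 'ok', or why the body differs from the curl example '[123, 456, 789]'."""
    try:
        parsed = json.loads(rendered)
    except json.JSONDecodeError as exc:
        return f"not valid JSON: {exc.msg}"
    if not isinstance(parsed, list):
        return f"top level is {type(parsed).__name__}, not an array"
    # bool is a subclass of int in Python, so exclude it explicitly.
    bad = [v for v in parsed if isinstance(v, bool) or not isinstance(v, int)]
    if bad:
        return f"non-integer elements: {bad!r}"
    return "ok"

# Constructed sample value: 123 stands in for the account's nativeIdentity.
VALUES = {"getObject.nativeIdentity": 123, "plan.nativeIdentity": 123}

TEMPLATES = {
    # Body seen in the prepareRawBody() debug log line.
    "logged": '[\n"user_id": "$getObject.nativeIdentity$"\n]',
    # Body as first posted: placeholder wrapped in quotes.
    "quoted": '[\n"$getObject.nativeIdentity$"\n]',
    # Body suggested in the reply above: bare placeholder.
    "bare": "[$plan.nativeIdentity$]",
}

def check_all():
    return {name: check_body(render(t, VALUES)) for name, t in TEMPLATES.items()}

if __name__ == "__main__":
    for name, verdict in check_all().items():
        print(f"{name:7} -> {verdict}")
```

The logged body fails at the JSON parser because a `key: value` pair is only legal inside `{}`, so the receiving side never sees an array at all.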

Hi Joakim,
I am not sure whether this works or not. From the scenario you described, I think if the body is like this, this may work:
{
"user_id": [
$getObject.nativeIdentity$ or $plan.nativeIdentity$
]
}
Thanks
Tulasi