Aggregate a subset of OKTA users

Which IIQ version are you inquiring about?

Version 8.2

Share all details related to your problem, including any error messages you may have received.

Context:
We have Sailpoint and OKTA in our IAM solution.
There is an end-user application, this application will create OKTA users with a specific group and profile.userType=“CMBHS-External”

Now, in Sailpoint , we are trying to get a subset of OKTA users those with profile.userType=“CMBHS-External” and use it as authorized application.

So, I configured the OKTA connector with

USER FILTER: profile.userType eq “CMBHS-External”

But that is failing with error

2024-01-23T17:24:50,476 WARN QuartzScheduler_Worker-3 openconnector.connector.okta.OktaConnector:6410 - Failed Request URL: https://txhhscdev.oktapreview.com/api/v1/users?limit=200&filter=profile.userType+eq+“CMBHS_External”
2024-01-23T17:24:50,476 WARN QuartzScheduler_Worker-3 openconnector.connector.okta.OktaConnector:6411 - Okta Request ID: x-okta-request-id: 0c85186119f9492668e7719ef9cbdeda
2024-01-23T17:24:50,477 ERROR QuartzScheduler_Worker-3 openconnector.connector.okta.OktaConnector:693 - Aggregation failed for account.
openconnector.InvalidConfigurationException: [ InvalidConfigurationException ]
[ Possible suggestions ] Ensure the ‘Filter Condition for Account’ is valid. The Filter Condition for Account is ‘profile.userType eq “CMBHS_External”’.
[ Error details ] Request execution failed. HTTP Error code : 400, Okta Error code : E0000031, errorSummary : Invalid search criteria., errorCauses:.

Documentation says I can query using any custom attribute

Hi @udaya1,
Without filter are you able to aggregate all the users ? If yes then check what is resource object coming for the user type for the aggregated users which you have mentioned.

@udaya1 - As per OKTA documentation -

• The User Type accessed as type.id.

Below are the sample search terms -

For more details please check the link.

Mark it as solved, if it helps.

Hi Amit,

Seems Sailpoint Connector is using filter API of OKTA that has very few options to filter

2024-01-30T23:10:42,947  WARN QuartzScheduler_Worker-1 openconnector.connector.okta.OktaConnector:6410 - Failed Request URL: https://txhhscdev.oktapreview.com/api/v1/users?limit=200&filter=type.id+eq+%22CMBHS_External%22
2024-01-30T23:10:42,947  WARN QuartzScheduler_Worker-1 openconnector.connector.okta.OktaConnector:6411 - Okta Request ID: x-okta-request-id: e2cbf934ba41c67f3f5fe52d11891948
2024-01-30T23:10:42,948 ERROR QuartzScheduler_Worker-1 openconnector.connector.okta.OktaConnector:693 - Aggregation failed for account.
openconnector.InvalidConfigurationException: [ InvalidConfigurationException ]
 [ Possible suggestions ] Ensure the 'Filter Condition for Account' is valid. The Filter Condition for Account is 'type.id eq "CMBHS_External"'.
 [ Error details ] Request execution failed. HTTP Error code : 400, Okta Error code : E0000031, errorSummary : Invalid search criteria., errorCauses:[].

The OKTA API page says

Supports the following limited number of properties: status, lastUpdated, id, profile.login, profile.email, profile.firstName, and profile.lastName.

But that leaves a question, why Sailpoint page says custom attribute can be used.

Supported Aggregation Filters (sailpoint.com)

profile.Custom_String eq “Custom Value for String__Updated”

Users with a specified custom attribute*

@udaya1 - I tried configuring the same and end up with the same result as you get.

image2493×365 32.2 KB

I don’t know why they have mentioned like this. I would strongly suggest you raise a support ticket with Sailpoint as Okta never supports custom attribute with Filter.

Let’s see what they are coming up with.

Thanks Amit for your help. I raised the ticket with Sailpoint.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.