Calling API from Web Services BeforeOperationRule

IdentityIQ (IIQ) IIQ Discussion and Questions
, ,
1

Which IIQ version are you inquiring about?

8.4p3

Share all details about your problem, including any error messages you may have received.

Hello everyone,

I have a requirement to retrieve an additional account attribute in a Web Services connector before executing the “Enable” operation, so I can adjust the logic accordingly.

The only way to obtain this attribute is via the API method getUser, which is currently used in the “Get Object” operation (single account aggregation).

What would be the best way to call this method from a rule and process the response?
Alternatively, is it possible to trigger the “Get Object” operation from within a rule instead of making a direct API call?

I’d appreciate any guidance or examples.

Thanks!

2

Hi @d_pustovoitov ,

If you have get obect operation configured, you can use befor rule to call the get object like below

for (AccountRequest accReq : plan.getAccountRequests()) {

    i(ProvisioningPlan.AccountRequest.Operation.Create/Modify.equals(accReq.getOperation())) {

        String appName = accReq.getApplicationName();
      log.error("App name iss : "+appName);
      Application app = context.getObjectByName(Application.class, appName);
        String nativeIdentity = accReq.getNativeIdentity();


            Connector connector = ConnectorFactory.getConnector(app, null);
            ResourceObject identityfound= connector.getObject("account", nativeIdentity, null);
          log.error(" use exists "+identityfound);

            if (identityfound!= null) {
then your code, to do something s
}
3

Hi @d_pustovoitov ,

You can use a WebServicesClient class methods to call the API in the before operation rule. You can use restClient parameter of type WebServicesClient to call the APIs

4

@d_pustovoitov You can also achieve this without using any rule. I believe you already have a getObject endpoint configured, you can duplicate it and give the same name as you gave for Enable endpoint. if there are multiple entries available for the same operation, IIQ executes all of them in top to bottom order. So your getObject will call first → then Enable endpoint. Give it a try if it helps you out.

5

Hi @Chathuryas ,

Thank you. This helped a lot. However, using the Before Operation rule isn’t a good option for our case, since we need to modify the provisioning plan for subsequent operations. From what I’ve tested, this approach doesn’t work with this rule type.

Thanks again.

6

Hi @naveenkumar3 ,

Thank you for your reply.

I’ve tried implementing this code, but identityFound is always null in our case. I also verified the connectorDebug get account command from the IIQ console, and it returns the following error:

sailpoint.connector.ConnectorException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Could this SSL error be the reason why the account is not being returned?

Thanks

7

Hi @neel193 ,

Thank you for the information. I believe it will be useful for future integrations. Unfortunately, it looks like I won’t be able to use this approach for this particular case.

Thanks

8

Yes, this is related to certificate error, two systems are not able to communicate to each other. please import the app cert in your sailpoint envionrnment.

9

Is this error only coming when you are doing single account aggregation in before rule? or for erverything, like test connection or aggregation, etc.

10

When I use the Before Provisioning rule (based on the example Naveen shared), connector.getObject() returns null.

Aggregation and provisioning both work correctly, but I only see an error when executing connectorDebug in the IIQ console for this application.

11

can you get the cert from the app team, or if you can export it from browser using below command and then try it, it should work, prix path validation failed error, are always related with certificate.

keytool -import -alias yourAppCert -file yourCert.cer
-keystore /app/java11lib/security/cacerts
-storepass changeit

12

Certification error is only coming for single account aggregation, but it is working for aggregation or test connection.

@d_pustovoitov could you please check if the error is coming for the same app or for different app?

13

I’ve imported the cert, but the error still occurs on get account operation from console

14

There is only this web services app connected to our iiq instance, so I can’t check the other apps with this connector type. Every other connector works perfectly fine

15

@d_pustovoitov Could you please try this, in your customization rule make getUser API call for every user which can populate your attribute. As this will populate during aggregation, it’ll persist on the user.
Then in your enable endpoint and workflow, you can directly access this attribute. Please give it a try.

16

Hi @neel193

Unfortunately, we’re still working on the issue with the certificates with the support. And Get Object still returns null every time. So, I’ll try as soon as we’ll be able to execute the Get Object operation.

Thanks

17

Hello,

We’ve finally managed to fix the issue with the certificates.
And now the getObject works perfectly fine returning full account attributes from the single account aggregation.

I’m currently working on passing it inside the plan and using it later in workflows.

Thanks for help!