Hi,
I’m working on an integration using the SCIM 2 connector. The idea is to manage the user lifecycle and also manage the users’ group membership from Sailpoint. The application is not fully SCIM 2 compliant, but it offers the /Users and the /Groups endpoints.
User provisioning and termination work just fine, but I’m having problems adding users to groups and also removing them. I enabled debugging on the Virtual Appliance side and I found why the app refuses to update the groups and returns an HTTP 500 error.
The problem is that Sailpoint sends the request to the Group endpoint like this:
```json
{
  "displayName": "test",
  "id": "test",
  "members": [
    {
      "value": "testUser"
    }
  ],
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
  "meta": {
    "resourceType": "Group"
  }
}
```
but the application expects the payload to be like this (instead of “members.value”, it expects “members.display”. It’s just a slight change, but it breaks the entire operation):
```json
{
  "displayName": "test",
  "id": "test",
  "members": [
    {
      "display": "testUser"
    }
  ],
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
  "meta": {
    "resourceType": "Group"
  }
}
```
Is there a way to modify that HTTP call to the /Groups endpoint? I have tried using a custom Group schema like the one below, but it doesn’t make any difference; the HTTP call to the /Groups endpoint is sent exactly the same way as if I use the default Group schema:
```json
{
  "nativeObjectType": "Group",
  "identityAttribute": "id",
  "displayAttribute": "displayName",
  "hierarchyAttribute": null,
  "includePermissions": false,
  "features": [],
  "configuration": {},
  "attributes": [
    {
      "name": "id",
      "type": "STRING",
      "schema": null,
      "description": "Unique identifier for the group",
      "isMulti": false,
      "isEntitlement": false,
      "isGroup": false
    },
    {
      "name": "displayName",
      "type": "STRING",
      "schema": null,
      "description": "Displayable Name of the group",
      "isMulti": false,
      "isEntitlement": false,
      "isGroup": false
    },
    {
      "name": "members.display",
      "type": "STRING",
      "schema": null,
      "description": "Members of the group",
      "isMulti": true,
      "isEntitlement": false,
      "isGroup": false
    }
  ],
  ..
}
```
I also tried adding an “UPDATE_GROUP” provisioning policy like the one below, but it also didn’t make any difference:
```json
{
  "name": "Update Group",
  "description": null,
  "usageType": "UPDATE_GROUP",
  "fields": [
    {
      "name": "displayName",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": false
    },
    {
      "name": "members.display",
      "transform": null,
      "attributes": {},
      "isRequired": false,
      "type": "string",
      "isMultiValued": true
    }
  ]
}
```
How can I make Sailpoint send the HTTP call with the right format? It’s a bit frustrating, to be honest… maybe it’s my fault, but I would expect that if you add a new group schema, IdentityNow should respect that group schema when making the call… the same goes for the UPDATE_GROUP provisioning policy… not sure why they are there if they don’t make any difference once applied.
Any help is appreciated.
Thanks.
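The mismatch in the post is narrow enough to be bridged by a small translation layer in front of the application, so here is an added example (not code from the post, from SailPoint, or from the connector) of what such a shim would do. In RFC 7643 the member identifier of a Group is the `value` sub-attribute, so it is the application that deviates; the shim below rewrites only that one field, copying each member’s `value` into `display` exactly as the two payloads above show, and rejects anything that is not a SCIM 2.0 Group or that has a member without an identifier, so malformed requests fail loudly instead of reaching the application. The sample payload is constructed from the post; how the shim receives and forwards the HTTP request is left out, as that depends on where it is deployed.

```python
"""Translate a SailPoint-style SCIM 2.0 Group payload (members[].value) into
the shape the non-compliant application expects (members[].display).

Added example for illustration; not part of the original post or the
SCIM 2 connector. Assumption: the application accepts, as 'display', the
very same identifier that SailPoint sends as 'value'.
"""
import copy
import json
from typing import Any

SCIM_GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"

# Constructed sample: the /Groups request body as SailPoint sends it,
# taken from the post.
SAILPOINT_GROUP_PAYLOAD: dict[str, Any] = {
    "displayName": "test",
    "id": "test",
    "members": [{"value": "testUser"}],
    "schemas": [SCIM_GROUP_SCHEMA],
    "meta": {"resourceType": "Group"},
}


def _rewrite_member(member: dict[str, Any]) -> dict[str, Any]:
    """Move the member identifier from 'value' to 'display', keeping other keys."""
    if not isinstance(member, dict) or "value" not in member:
        raise ValueError(f"member has no 'value' identifier: {member!r}")
    rewritten = {k: v for k, v in member.items() if k != "value"}
    rewritten["display"] = member["value"]
    return rewritten


def translate_group_payload(payload: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of the Group resource with members[].value renamed to
    members[].display. The input dict is never modified."""
    if SCIM_GROUP_SCHEMA not in payload.get("schemas", []):
        raise ValueError("not a SCIM 2.0 Group resource; refusing to rewrite")
    members = payload.get("members")
    if members is None:
        return copy.deepcopy(payload)  # no membership change, forward as-is
    if not isinstance(members, list):
        raise ValueError("'members' must be a list")
    out = copy.deepcopy(payload)
    out["members"] = [_rewrite_member(m) for m in members]
    return out


def translate_group_request(body: str) -> str:
    """Same translation applied to a raw JSON request body (what a proxy would see)."""
    return json.dumps(translate_group_payload(json.loads(body)))


if __name__ == "__main__":
    print(json.dumps(translate_group_payload(SAILPOINT_GROUP_PAYLOAD), indent=2))
```

The shim deliberately does nothing else: it does not touch `displayName`, `id`, `schemas` or `meta`, and a body without `members` passes through unchanged, so the only behaviour it adds is the single attribute rename the application insists on. Removing a member works the same way, since SailPoint sends the full desired membership list and each remaining entry is translated identically.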