Create user provisioning for webservice question

Which IIQ version are you inquiring about?

Unsure


Good day,
I'm trying to create a user via web service. Below is the JSON format I'm using (the same one I use in Postman):
{
    "userName": "$plan.nativeIdentity$",
    "name": {
        "givenName": "$plan.givenName$",
        "familyName": "$plan.familyName$"
    },
    "displayName": "$plan.displayName$",
    "emails": [
        {
            "value": "$plan.email$"
        }
    ]
}

And this is the JSON format generated after provisioning:
{[email protected],planNativeIdentity=711224215,givenName=D2T11224,familyName=215,nativeIdentity=61124225}

I would like to know why nativeIdentity is not being assigned to userName. I also tried planNativeIdentity and the same thing happened; it is not assigned to userName.
I've attached the list of HTTP connector operations I'm using.

Thank you

Can you share your plan.xml from the logs?

Hi @iamksatish,

This is the one you need?

<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan nativeIdentity="711224215" targetIntegration="SAP Analytics Cloud Treasury" trackingId="749509ed5c884f79bba17c9f409dd226">
  <AccountRequest application="SAP Analytics Cloud Treasury" assignmentIds="f042d9fd30404abea12463526cf9d0e2" nativeIdentity="61124225" op="Create" sourceRole="Dummy_00001_00001-DM-GLB_Security">
    <Attributes>
      <Map>
        <entry key="selectorRuleSource" value="Dummy_00001_00001-DM-GLB_Security"/>
      </Map>
    </Attributes>
    <AttributeRequest name="groups" op="Add" value="SECURITY"/>
    <AttributeRequest name="Email" op="Add" value="[email protected]"/>
    <AttributeRequest name="displayName" op="Set" value="T11224.215"/>
    <AttributeRequest name="givenName" op="Set" value="D2T11224"/>
    <AttributeRequest name="familyName" op="Set" value="215"/>
  </AccountRequest>
  <Attributes>
    <Map>
      <entry key="identityRequestId" value="0001257236"/>
      <entry key="requester" value="2895281"/>
      <entry key="source" value="Batch"/>
    </Map>
  </Attributes>
  <Requesters>
    <Reference class="sailpoint.object.Identity" id="0a5541178c7c18c9818c7d8caeb90d6c" name="2895281"/>
  </Requesters>
</ProvisioningPlan>

Hey Jomar,

Can you confirm what exactly is getting assigned for userName (if anything), and whether the rest of the attributes are getting populated or not?

I would suggest adding logs in the before-provisioning rule for create account and logging the request body, so that we know exactly what is being sent currently.

Also, what you shared earlier was the provisioning plan. Can you share the logs generated when the create account operation is called, so that we know what the exact issue is here?

Hi @DeepanshuBisht,

For userName, it should be assigned from sapusernm:

<Field displayName="userName" name="userName" type="string">
  <Script>
    <Source>return identity.getAttribute("sapusernm");</Source>
  </Script>
</Field>

Then I added a log in the before-provisioning rule for create account.
Below is the log for your reference.

2024-02-07T22:47:35,280 ERROR BeanShellThread-4 sailpoint.server.InternalContext:166 - SAC: Entering before Provisioning Rule<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan nativeIdentity="711224215" targetIntegration="SAP Analytics Cloud Treasury" trackingId="749509ed5c884f79bba17c9f409dd226">
  <AccountRequest application="SAP Analytics Cloud Treasury" assignmentIds="f042d9fd30404abea12463526cf9d0e2" nativeIdentity="61124225" op="Create" sourceRole="Dummy_00001_00001-DM-GLB_Security">
    <Attributes>
      <Map>
        <entry key="selectorRuleSource" value="Dummy_00001_00001-DM-GLB_Security"/>
      </Map>
    </Attributes>
    <AttributeRequest name="groups" op="Add" value="SECURITY"/>
    <AttributeRequest name="Email" op="Add" value="[email protected]"/>
    <AttributeRequest name="displayName" op="Set" value="T11224.215"/>
    <AttributeRequest name="givenName" op="Set" value="D2T11224"/>
    <AttributeRequest name="familyName" op="Set" value="215"/>
  </AccountRequest>
  <Attributes>
    <Map>
      <entry key="identityRequestId" value="0001257236"/>
      <entry key="requester" value="2895281"/>
      <entry key="source" value="Batch"/>
    </Map>
  </Attributes>
  <Requesters>
    <Reference class="sailpoint.object.Identity" id="0a5541178c7c18c9818c7d8caeb90d6c" name="2895281"/>
  </Requesters>
</ProvisioningPlan>

2024-02-07T22:47:35,360 ERROR BeanShellThread-4 sailpoint.server.InternalContext:166 - assignedRoles:[]
2024-02-07T22:47:35,402 ERROR BeanShellThread-4 sailpoint.server.InternalContext:166 - SAC: Exiting before Provisioning Rule<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan nativeIdentity="711224215" targetIntegration="SAP Analytics Cloud Treasury" trackingId="749509ed5c884f79bba17c9f409dd226">
  <AccountRequest application="SAP Analytics Cloud Treasury" assignmentIds="f042d9fd30404abea12463526cf9d0e2" nativeIdentity="61124225" op="Create" sourceRole="Dummy_00001_00001-DM-GLB_Security">
    <Attributes>
      <Map>
        <entry key="selectorRuleSource" value="Dummy_00001_00001-DM-GLB_Security"/>
      </Map>
    </Attributes>
    <AttributeRequest name="groups" op="Add" value="SECURITY"/>
    <AttributeRequest name="Email" op="Add" value="[email protected]"/>
    <AttributeRequest name="displayName" op="Set" value="T11224.215"/>
    <AttributeRequest name="givenName" op="Set" value="D2T11224"/>
    <AttributeRequest name="familyName" op="Set" value="215"/>
  </AccountRequest>
  <Attributes>
    <Map>
      <entry key="identityRequestId" value="0001257236"/>
      <entry key="requester" value="2895281"/>
      <entry key="source" value="Batch"/>
    </Map>
  </Attributes>
  <Requesters>
    <Reference class="sailpoint.object.Identity" id="0a5541178c7c18c9818c7d8caeb90d6c" name="2895281"/>
  </Requesters>
</ProvisioningPlan>

Thank you

As @DeepanshuBisht mentioned, can you log the body that is being passed and provide the logs? That way we can debug what went wrong.

From the JSON you provided, ideally “$plan.nativeIdentity$” should take 61124225; if you are using “$plan.planNativeIdentity$”, it should take 711224215.

But we can know what is being passed from the logs.
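The resolution rule stated above can be checked offline before touching the target system. The script below is an added example written for this thread; it is not the connector's code and not from any of the participants. It flattens the ProvisioningPlan posted earlier into a key/value map modelled on the one the connector logged, renders the Create-user body template against that map, and reports which `$plan.X$` placeholders had nothing to bind to. The map layout (planNativeIdentity from the plan root, nativeIdentity from the AccountRequest, one key per AttributeRequest name), the case-insensitive name match, and the e-mail address are assumptions made for the example.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample: the ProvisioningPlan posted earlier in this thread, trimmed to the
# elements the template needs. The e-mail address is a made-up placeholder.
PLAN_XML = """\
<ProvisioningPlan nativeIdentity="711224215" targetIntegration="SAP Analytics Cloud Treasury">
  <AccountRequest application="SAP Analytics Cloud Treasury" nativeIdentity="61124225" op="Create">
    <AttributeRequest name="groups" op="Add" value="SECURITY"/>
    <AttributeRequest name="Email" op="Add" value="user@example.com"/>
    <AttributeRequest name="displayName" op="Set" value="T11224.215"/>
    <AttributeRequest name="givenName" op="Set" value="D2T11224"/>
    <AttributeRequest name="familyName" op="Set" value="215"/>
  </AccountRequest>
</ProvisioningPlan>
"""

# The Create-user body template from the thread, with its $plan.X$ placeholders.
IIQ_TEMPLATE = """{
    "userName": "$plan.userName$",
    "name": {"givenName": "$plan.givenName$", "familyName": "$plan.familyName$"},
    "displayName": "$plan.displayName$",
    "emails": [{"value": "$plan.email$"}]
}"""

PLACEHOLDER = re.compile(r"\$plan\.([A-Za-z0-9_]+)\$")


def build_plan_map(plan_xml: str) -> dict:
    """Flatten a ProvisioningPlan into the key/value map seen in the connector log.

    Assumed mapping (modelled on the logged map, not taken from the connector's source):
      planNativeIdentity      <- ProvisioningPlan/@nativeIdentity
      nativeIdentity          <- AccountRequest/@nativeIdentity
      <AttributeRequest name> <- its value (a repeated name is collected into a list)
    """
    root = ET.fromstring(plan_xml)
    acct = root.find("AccountRequest")
    plan = {}
    if root.get("nativeIdentity"):
        plan["planNativeIdentity"] = root.get("nativeIdentity")
    if acct is not None and acct.get("nativeIdentity"):
        plan["nativeIdentity"] = acct.get("nativeIdentity")
    for req in (acct.findall("AttributeRequest") if acct is not None else []):
        name, value = req.get("name"), req.get("value")
        if name in plan:
            prev = plan[name]
            plan[name] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            plan[name] = value
    return plan


def render_body(template: str, plan: dict):
    """Substitute $plan.X$ placeholders in the template.

    Returns (rendered_text, unresolved_names). Unresolved placeholders are left in place
    so they stay visible in a logged body. Names are matched case-insensitively here
    (an assumption; verify your own connector's behaviour by logging the rendered body).
    """
    lookup = {k.lower(): v for k, v in plan.items()}
    unresolved = []

    def substitute(match):
        name = match.group(1)
        value = lookup.get(name.lower())
        if value is None:
            unresolved.append(name)
            return match.group(0)
        return str(value)

    return PLACEHOLDER.sub(substitute, template), unresolved


def check_template(template: str, plan_xml: str):
    """Render a template against a plan; return the parsed JSON body and unresolved names."""
    body, unresolved = render_body(template, build_plan_map(plan_xml))
    return json.loads(body), unresolved


if __name__ == "__main__":
    for name in ("userName", "nativeIdentity", "planNativeIdentity"):
        template = IIQ_TEMPLATE.replace("$plan.userName$", "$plan.%s$" % name)
        body, unresolved = check_template(template, PLAN_XML)
        print("$plan.%s$ -> userName=%r, unresolved=%s" % (name, body["userName"], unresolved))
```

Run against the thread's plan, the map carries nativeIdentity, planNativeIdentity and the AttributeRequest names but no userName key, so `$plan.userName$` has nothing to bind to and is reported as unresolved, while `$plan.nativeIdentity$` renders 61124225 and `$plan.planNativeIdentity$` renders 711224215. An unresolved placeholder is a template-mapping problem; an Unauthorized response from the target is a credential problem, and the two are worth checking independently.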

Hi @iamksatish,

Here's the payload generated in IIQ:

2024-02-07T22:47:40,116 TRACE BeanShellThread-4 connector.webservices.v2.RequestOrchestratorV2:108 - Exiting processBeforeRequest: Arguments => EndpointConfig [sequenceId=1, endpointIdentifier=Create user, operationType=Create Account, parent=null, requestConfig=RequestConfig [url=*****/Users, httpMethod=POST, requestBuilder=sailpoint.connector.webservices.*****.JsonRequestBuilder@4e3f0088, headers=[Authorization, Content-Type], body=*****, sslOptions=[httpCookieSpecsStandard]], responseConfig=ResponseConfig [rootPath=null, attributeMapping={}, possibleHttpErrorCodes=[], possibleHttpErrorMessages=[], successCodes=null, responseParser=null], pagingProcessor=connector.sdk.webservices.paging.impl.GenericExpressionPagingProcessor@4b1f3c61, resourceResolutionStrategy=connector.sdk.webservices.resource.SimpleMergeResourceStrategy@4c68c823, childEndpoints=null, authenticationProvider=connector.sdk.webservices.auth.impl.OAuth2Authentication@a1749a4c, beforeRequestProcessor=connector.sdk.webservices.EndpointConfig$1@69c6c92d, afterResponseProcessor=connector.sdk.webservices.EndpointConfig$2@7cf1c743, endpointAttributes=null, rawResponse=null], null, {acctAggregationEnd=Wed Feb 07 01:15:22 EST 2024, nativeChangeDetectionAttributeScope=*****, acctAggregationStart=Wed Feb 07 01:14:57 EST 2024, afterProvisioningRule=null, private_key_to_update=null, accesstoken=Bearer *****, oAuthJwtHeader={alg=*****}, throwProvBeforeRuleException=*****, enableHasMore=*****, client_id=*****, isGetObjectRequiredForPTA=*****, timeoutInSeconds=null, genericWebServiceBaseUrl=*****, connectionParameters=[{httpMethodType=GET, pagingInitialOffset=0, sequenceNumberForEndpoint=1, uniqueNameForEndPoint=Test Connection, afterRule=null, curlCommand=null, rootPath=$, body={bodyFormData=null, jsonBody=null, bodyFormat=raw}, customAuthUrl=null, paginationSteps=null, responseCode=[2**], resMappingObj=null, contextUrl=/Users, pagingSize=50, curlEnabled=false, header={x-sap-sac-custom-auth=*****}, 
operationType=Test Connection, beforeRule=null, xpathNamespaces=null, parentEndpointName=null}, {httpMethodType=GET, pagingInitialOffset=0, sequenceNumberForEndpoint=2, uniqueNameForEndPoint=Account Aggregation, afterRule=SAP_Account_AfterOperation_rule, curlCommand=null, rootPath=$.Resources, body={bodyFormData=null, jsonBody=null, bodyFormat=raw}, customAuthUrl=null, paginationSteps=null, responseCode=[2**], resMappingObj={displayName=displayName, familyName=name.familyName, givenName=name.givenName, roles=roles[*].value, active=active, groups=groups[*].value, id=id, userName=userName, email=emails[0].value}, contextUrl=/Users?startIndex=1, pagingSize=50, curlEnabled=false, header={x-sap-sac-custom-auth=*****, Content-Type=application/json}, operationType=Account Aggregation, beforeRule=SAP_Account_BeforeOperation_rule, xpathNamespaces=null, parentEndpointName=null}, {httpMethodType=GET, pagingInitialOffset=0, sequenceNumberForEndpoint=3, uniqueNameForEndPoint=Group Aggregation, afterRule=SAP_Group_AfterOperation_rule, curlCommand=null, rootPath=$.Resources, body={bodyFormData=null, jsonBody=null, bodyFormat=raw}, customAuthUrl=null, paginationSteps=null, responseCode=[2**], resMappingObj={displayName=displayName, id=id}, contextUrl=/Groups?startIndex=1, pagingSize=50, curlEnabled=false, header={x-sap-sac-custom-auth=*****, Content-Type=application/json}, operationType=Group Aggregation, beforeRule=SAP_Group_BeforeOperation_rule, xpathNamespaces=null, parentEndpointName=null}, {httpMethodType=POST, pagingInitialOffset=0, sequenceNumberForEndpoint=4, uniqueNameForEndPoint=Create user, afterRule=null, curlCommand=null, rootPath=null, body={bodyFormData=null, jsonBody={
    "userName": "$plan.userName$",
    "name": 
    {
        "givenName": "$plan.givenName$",
        "familyName": "$plan.familyName$"
    },
    "displayName": "$plan.displayName$",
    "emails": [
        {
            "value": "$plan.email$"
        }
    ],

 }
, bodyFormat=raw}, customAuthUrl=null, paginationSteps=null, resMappingObj=null, contextUrl=/Users, pagingSize=50, curlEnabled=false, header={Authorization = *****, Content-Type=application/json}, operationType=Create Account, beforeRule=SAP_Account_BeforeOperation_rule, xpathNamespaces=null, parentEndpointName=null}], noPermissions=*****, operations=*****, grant_type=*****, nativeChangeDetectionOperations=null, compositeDefinition=null, client_secret=*****, token_url=*****, createAccountWithEntReq=false, sysDescriptions={en_US=null}, throwProvAfterRuleException=*****, nativeChangeDetectionEnabled=false, lastAggregationDate_account=*****, fixedPlanMultivaluedAttribute=*****, version=*****, saml_request_body=null, templateApplication=*****, oauth_token_info={"accessToken":"*****",*****,*****,*****,"expiresAt":1707367599065}, encrypted=*****, nativeChangeDetectionAttributes=null, authenticationMethod=*****, clientCertAuthEnabled=false, httpCookieSpecsStandard=*****, throttleEnabled=*****, enableStatus=null, oAuthJwtPayload={aud=null, sub=null, iss=null, exp=*****}, saml_assertion_url=null, beforeProvisioningRule=*****}, {[email protected], planNativeIdentity=711224215, givenName=D2T11224, familyName=215, nativeIdentity=61124225}, null, HttpRequestWrapper [url=*****/Users, headers={Authorization=Bearer *****, Content-Type=application/json}, payload=null, type=POST, allowedSuccessCodes=[2**], possibleHttpErrorCodes=[], possibleHttpErrorMessages=[]], Returns => {}
2024-02-07T22:47:40,116 TRACE BeanShellThread-4 sailpoint.connector.webservices.WebServiceConnectorUtil:97 - Entering checkRestrictedURL: Arguments => *****/Users
2024-02-07T22:47:40,116 TRACE BeanShellThread-4 sailpoint.connector.webservices.WebServiceConnectorUtil:108 - Exiting checkRestrictedURL: Arguments => *****/Users, Returns => N/A
2024-02-07T22:47:40,135 TRACE BeanShellThread-4 connector.webservices.v2.WebServiceFacadeV2:115 - Throwing create - connector.sdk.webservices.exception.WebServicesSdkException: Unauthorized
2024-02-07T22:47:40,136 TRACE BeanShellThread-4 connector.webservices.v2.WebServiceFacadeV2:97 - Entering lambda$provision$23: Arguments => sailpoint.object.ProvisioningPlan$AccountRequest@115dbab0
2024-02-07T22:47:40,136 TRACE BeanShellThread-4 connector.webservices.v2.WebServiceFacadeV2:108 - Exiting lambda$provision$23: Arguments => sailpoint.object.ProvisioningPlan$AccountRequest@115dbab0, Returns => Exception occurred in handling object request for ''61124225'' for operation ''Create''
2024-02-07T22:47:40,136 TRACE BeanShellThread-4 connector.webservices.v2.WebServiceFacadeV2:97 - Entering lambda$provision$23: Arguments => sailpoint.object.ProvisioningPlan$AccountRequest@115dbab0
2024-02-07T22:47:40,136 TRACE BeanShellThread-4 connector.webservices.v2.WebServiceFacadeV2:108 - Exiting lambda$provision$23: Arguments => sailpoint.object.ProvisioningPlan$AccountRequest@115dbab0, Returns => Exception occurred in handling object request for ''61124225'' for operation ''Create''
2024-02-07T22:47:40,136 ERROR BeanShellThread-4 connector.webservices.v2.WebServiceFacadeV2:598 - Exception occurred in handling object request for ''61124225'' for operation ''Create''
connector.sdk.webservices.exception.WebServicesSdkException: Unauthorized

Please let me know if there's any information missing.
Thank you

@jomartolosa

Does the account you are using have the right permissions to create a target account? The error here says authorization error.

Did you try creating the target account from Postman, testing the permissions and the right sample payload, and checking whether the user is created properly? If not, please go ahead and do this.

Yes, I can create via Postman using this format:

{
    "userName": "$plan.userName$",
    "name": {
        "givenName": "$plan.givenName$",
        "familyName": "$plan.familyName$"
    },
    "displayName": "$plan.displayName$",
    "emails": [
        {
            "value": "$plan.email$"
        }
    ]
}

I also tried the IIQ-generated payload via Postman; the error is unauthorized.

{[email protected], planNativeIdentity=711224215, givenName=D2T11224, familyName=215, nativeIdentity=61124225}

It is very evident that the account doesn't have the required rights; please work with the app team on this.

Hi @iamksatish, I also tried changing it to “userName”: “$plan.planNativeIdentity$”.

The same payload is generated. Rather than planNativeIdentity=711224215, this should be userName:711224215, right?

Hi @iamksatish, I can create an account in Postman with the same credentials that I'm using for IIQ.

Can you share the payload you are using in Postman?

This is the one I'm using in Postman:

{
    "userName": "11312312",
    "name": 
    {
        "givenName": "D1T11224",
        "familyName": "210"
    },
    "displayName": "User, SAP210",
    "emails": 
    [
        {
            "value":"[email protected]"
        }
    ]
}

And this is the one in IIQ:

{
    "userName": "$plan.nativeIdentity$",
    "name": {
        "givenName": "$plan.givenName$",
        "familyName": "$plan.familyName$"
    },
    "displayName": "$plan.displayName$",
    "emails": [
        {
            "value": "$plan.email$"
        }
    ]
}

Hi Jomar,

First, try hardcoding the payload in IIQ like the one you have in Postman and then trigger the create account action. Since it worked in Postman, that should work, and we'll know there is some issue regarding the IIQ object mapping in the payload. If even that doesn't work, we will need to look into the authentication configuration for the web service connector.

Hi @DeepanshuBisht,

I tried to hardcode it but I'm still having that unauthorized error. But when I rename the attributes:

<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan nativeIdentity="711224209" targetIntegration="SAP Analytics Cloud Treasury" trackingId="2ac76de4e0564a65bea0cd01940439c8">
  <AccountRequest application="SAP Analytics Cloud Treasury" assignmentIds="7b9acaf5d55042a991b6d10dc2114387" op="Create" sourceRole="Dummy_00001_00001-DM-GLB_Security">
    <Attributes>
      <Map>
        <entry key="selectorRuleSource" value="Dummy_00001_00001-DM-GLB_Security"/>
      </Map>
    </Attributes>
    <AttributeRequest name="groups" op="Add" value="SECURITY"/>
    <AttributeRequest name="I_userName" op="Add" value="61124209"/>
    <AttributeRequest name="I_displayName" op="Add" value="User, SAP209"/>
    <AttributeRequest name="I_givenName" op="Add" value="D2T11224"/>
    <AttributeRequest name="I_familyName" op="Add" value="209"/>
    <AttributeRequest name="I_email" op="Add" value="[email protected]"/>
  </AccountRequest>
  <Attributes>
    <Map>
      <entry key="identityRequestId" value="0001257301"/>
      <entry key="requester" value="2895281"/>
      <entry key="source" value="Batch"/>
    </Map>
  </Attributes>
  <Requesters>
    <Reference class="sailpoint.object.Identity" id="0a5541178c7c18c9818c7d8caeb90d6c" name="2895281"/>
  </Requesters>
</ProvisioningPlan>

But now the operation is Add rather than Set.

This is the new error I'm encountering:

ERROR https-openssl-nio-443-exec-1 sailpoint.web.SailPointContextRequestFilter:74 - CSRF validation failed 
sailpoint.server.CsrfValidationException: CSRF validation failed

Have you encountered this "CSRF validation failed" error?

Hi Jomar,
"CSRF validation failed" is also a type of authentication error.
Can you confirm what type of authentication you are using, and whether the test connection and account aggregation are working or not?

We are using OAuth2 as our authentication. For both test connection and account aggregation, the test connection is successful and we are able to see the account schema. Also, this is the error in Access Request after doing account aggregation: “Exception occurred while performing ‘Create’ operation on identity ‘61124209’: Unauthorized”.
