CyberArk Cloud Shared Timeout Error

We’re trying to integrate IDN with CyberArk Cloud version using OOTB CyberArk Privilege Cloud Shared Services Connector and we’re getting a timeout error. We already managed to connect to another CyberArk instance using a different service account but the instance that our client has throws a timeout error even though all the configuration is the same. Client Credentials are correct, and the user has “user management” permission in CyberArk. The VA should also work since it already connected to the other CyberArk instance.
We also tried adding “healthCheckTimeout” to the source but we still get the same error. Token URL and Host URL should also be correct since the other instance worked with similar configuration. We’re using OAuth2 authentication type.

Any suggestions, thoughts?

1 Like

Welcome to the Developer Community Aref. Is this timeout occurring during a test connection? That would tell me there is a connection issue between the VA and the target system. This could be due to a proxy configuration issue, bad URL configuration, or a firewall issue. Can you SSH into the VA and try to reach the target CyberArk URL using cURL or ping?

Hi Colin,
Yes, the timeout error is occurring during test connection. We don’t have access to the VA directly (at least for now) but we were able to get an access token by making a Postman API call using client ID and Secret which tells me that the issue should be the connection between the VA and the source system. Our client said they might have an issue with how their CyberArk instance is configured. As you said, it is probably a proxy or firewall config issue.

1 Like

I am experiencing the same issue. I am seeing in the ccg log that it’s getting a 200 response, but somehow not finding that

{
        "stack": "ccg",
        "pod": "stg02-useast1",
        "connector-logging": "150",
        "Operation": "TestConfiguration",
        "clusterId": "1009",
        "buildNumber": "925",
        "apiUsername": "EEdqJYDaVsehgGEL",
        "orgType": "",
        "file": "ApacheHttpClientWrapper.java",
        "encryption": "1266",
        "messageType": "test-connection",
        "connector-bundle-identityiq": "206",
        "line_number": 329,
        "@version": 1,
        "CB_version": "1053",
        "logger_name": "connector.common.http.client.impl.ApacheHttpClientWrapper",
        "mantis-client": "1266",
        "class": "connector.common.http.client.impl.ApacheHttpClientWrapper",
        "atlas-api": "1752",
        "va-gateway-client": "46",
        "tracing": "1391",
        "clientId": "3781",
        "request_milliseconds": "1068",
        "source_host": "5b3a1130ef02",
        "method": "execute",
        "org": "chk-sb",
        "level": "INFO",
        "IdentityIQ": "8.3p4 Build 1527a593753-20230805-223436",
        "message": "Response received for URL https:\\/\\/REDACTED.id.cyberark.cloud\\/OAuth2\\/Token\\/SailPointIdentityNow in 683 millis, status code 200, Response size 951 bytes.",
        "pipeline": "1266",
        "@timestamp": "2023-11-15T21:22:14.282Z",
        "thread_name": "pool-6-thread-1788",
        "atlas-util": "1752",
        "metrics": "1266",
        "region": "us-east-1",
        "AppType": "CyberArk Privilege Cloud Shared Services",
        "Application": "CyberArk POC [source]",
        "request_id": "67fb894b7f1d4c499f0d22e31684e308",
        "CB_Type": "connector-bundle-webservices",
        "queue": "stg02-useast1-chk-sb-cluster-1009",
        "SCIM Common": "8.0 Build 00b1f252d1b-20200225-190809"
    }

@ArefSadeghi are you able to get a response from GET /scim/v2/users? It took forever for me to get a response in Postman and eventually got a 500. Perhaps that is why we get a timeout on the IdN side… IDK what SCIM endpoints it’s trying to test when doing Test connection

GET /scim/v2/users HTTP/1.1
Authorization: Bearer REDACTED
User-Agent: PostmanRuntime/7.34.0
Accept: */*
Cache-Control: no-cache
Postman-Token: 0000f62c-3245-4012-bf87-cdad19833895
Host: REDACTED.id.cyberark.cloud
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: antixss=K2hVaElWaml3aTBqeEdZN0YyQXhSS21PRTlhWTM3VitSV3JLWTNUaFZjdz0_-pqb7MuHE0_6WrH24MeQd3w__-OGFvixufJgVHutRPdkx6TQ__-MjsxEC5Gel3xLjoxN2RmSg__-yJ9O9cLYTGDzs5aPH.WwfA__-ENlHJ.NWZCX.RaTtgyJHCg__-Kg5p94vVsR9h0W8XLMhClA__-YGW1CHUrQwtkcPj7AmbKSA__-ho7P9Q7urXXKuxwWrAhftg__; sessdata=L3dVSFFVSkNOREU0TWdLT1dwQUVvZWQzSHJrQmxrNHhxUXZOK2w5aCtxK0NYdWJsRFVGelhzcUpXd28vZlJPOVJKRkxZQTY4NnhuL3lNVkNVS2NOUTIraU5tTDUyeEllZmhXdTVZU0NlMkppMGhnU0s2b05LWGJWOU9pVUt3TnhHS0lPd3ptVnp1bmFZRjA9
 
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
X-CFY-TX-PN: pod1011
X-CFY-TX-ID: 497a58cd338340db824f6711fbc46fe2
X-CFY-TX-DT: MTEvMTYvMjAyMyAzOjA5OjQ2IFBN
X-Frame-Options: SAMEORIGIN
P3P: CP="NON COR ADMa CURa DEVa OUR IND COM UNI NAV INT PRE LOC ONL PHY STA ONL"
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Robots-Tag: noindex, nofollow
Date: Thu, 16 Nov 2023 15:14:48 GMT
Content-Length: 559
 
<!doctype html>
<html>
<head>
<title>Idaptive</title>
<link rel="stylesheet" type="text/css" href="https://pod1011.idaptive.app/vfslow/lib/branding/idaptive/errorpages/style.css" />
</head>
<body class="error idaptive">
<div class="wrap">
<img src="https://pod1011.idaptive.app/vfslow/lib/branding/idaptive/errorpages/cyberark-logo.svg">
<div class="text">
<h1>Something went wrong &#133;</h1>
<p>Please try again or contact your system administrator for assistance.</p>
</div>
</div>
</body>
</html>

Looks like the user endpoint might be the issue here, because I’m able to successfully do an entitlement aggregation, but the account aggregation gets the same 500 error I saw in Postman.

Error while performing operation : Account Aggregation Error code : 500 <!doctype html> Idaptive

Something went wrong …

Please try again or contact your system administrator for assistance.

The TestConfiguration operation appears to hit the /scim/v2/users (specifically /scim/v2/Users?startIndex=1&count=1) endpoint based on the error message in the CCG log. This is an issue with the CyberArk SCIM API.

{
        "exception": {
            "stacktrace": "connector.sdk.webservices.exception.WebServicesSdkException: <!doctype html>\r\n<html>\r\n<head>\r\n  <title>Idaptive<\\/title>\r\n  <link rel=\"stylesheet\" type=\"text\\/css\" href=\"https:\\/\\/pod1011.idaptive.app\\/vfslow\\/lib\\/branding\\/idaptive\\/errorpages\\/style.css\" \\/>\r\n\r\n<\\/head>\r\n<body class=\"error idaptive\">\r\n\r\n  <div class=\"wrap\">\r\n\r\n    <img src=\"https:\\/\\/pod1011.idaptive.app\\/vfslow\\/lib\\/branding\\/idaptive\\/errorpages\\/cyberark-logo.svg\">\r\n\r\n    <div class=\"text\">\r\n      <h1>Something went wrong &#133;<\\/h1>\r\n      <p>Please try again or contact your system administrator for assistance.<\\/p>\r\n    <\\/div>\r\n\r\n  <\\/div>\r\n\r\n<\\/body>\r\n<\\/html>\n\tat connector.sdk.webservices.ExecutionMediator.processEndpoint(ExecutionMediator.java:646)\n\tat openconnector.connector.scim2.SCIM2RelaxConfigExecutor.executeEndpoint(SCIM2RelaxConfigExecutor.java:250)\n\tat openconnector.connector.scim2.SCIM2RelaxConfigExecutor.testConfiguration(SCIM2RelaxConfigExecutor.java:65)\n\tat openconnector.connector.pam.PAMService.testConnection(PAMService.java:75)\n\tat openconnector.connector.pam.cyberark.CyberarkCloudConnector.testConnection(CyberarkCloudConnector.java:27)\n\tat sailpoint.connector.OpenConnectorAdapter.testConfiguration(OpenConnectorAdapter.java:789)\n\tat sailpoint.connector.ConnectorProxy.testConfiguration(ConnectorProxy.java:411)\n\tat com.sailpoint.ccg.cloud.container.Container.testConnection(Container.java:331)\n\tat com.sailpoint.ccg.cloud.container.ContainerIntegration.ping(ContainerIntegration.java:73)\n\tat com.sailpoint.ccg.handler.TestConnectionHandler.invoke(TestConnectionHandler.java:29)\n\tat sailpoint.gateway.accessiq.CcgPipelineMessageHandler.handleMessage_aroundBody0(CcgPipelineMessageHandler.java:47)\n\tat sailpoint.gateway.accessiq.CcgPipelineMessageHandler$AjcClosure1.run(CcgPipelineMessageHandler.java:1)\n\tat 
org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:167)\n\tat com.sailpoint.tracing.otel.TracedAspect.lambda$traceExecution$0(TracedAspect.java:34)\n\tat com.sailpoint.tracing.otel.GlobalTracer.trace(GlobalTracer.java:157)\n\tat com.sailpoint.tracing.otel.GlobalTracer.trace(GlobalTracer.java:136)\n\tat com.sailpoint.tracing.otel.GlobalTracer.trace(GlobalTracer.java:124)\n\tat com.sailpoint.tracing.otel.TracedAspect.traceExecution(TracedAspect.java:36)\n\tat sailpoint.gateway.accessiq.CcgPipelineMessageHandler.handleMessage(CcgPipelineMessageHandler.java:36)\n\tat com.sailpoint.pipeline.server.PipelineServer$InboundQueueListener$MessageHandler.run(PipelineServer.java:369)\n\tat java.base\\/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)\n\tat java.base\\/java.util.concurrent.FutureTask.run(FutureTask.java:264)\n\tat java.base\\/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)\n\tat java.base\\/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)\n\tat java.base\\/java.lang.Thread.run(Thread.java:829)\nCaused by: HttpException [url=https:\\/\\/REDACTED.id.cyberark.cloud\\/scim\\/v2\\/Users?startIndex=1&count=1, errorCode=500, getMessage()=<!doctype html>\r\n<html>\r\n<head>\r\n  <title>Idaptive<\\/title>\r\n  <link rel=\"stylesheet\" type=\"text\\/css\" href=\"https:\\/\\/pod1011.idaptive.app\\/vfslow\\/lib\\/branding\\/idaptive\\/errorpages\\/style.css\" \\/>\r\n\r\n<\\/head>\r\n<body class=\"error idaptive\">\r\n\r\n  <div class=\"wrap\">\r\n\r\n    <img src=\"https:\\/\\/pod1011.idaptive.app\\/vfslow\\/lib\\/branding\\/idaptive\\/errorpages\\/cyberark-logo.svg\">\r\n\r\n    <div class=\"text\">\r\n      <h1>Something went wrong &#133;<\\/h1>\r\n      <p>Please try again or contact your system administrator for assistance.<\\/p>\r\n    <\\/div>\r\n\r\n  <\\/div>\r\n\r\n<\\/body>\r\n<\\/html>, getCause()=null, responseHeaders={X-Frame-Options=SAMEORIGIN, 
Strict-Transport-Security=max-age=31536000; includeSubDomains, X-Robots-Tag=noindex, nofollow, X-CFY-TX-DT=MTEvMTYvMjAyMyA0OjIyOjA4IFBN, Cache-Control=private, X-CFY-TX-PN=pod1011, X-CFY-TX-ID=3e50c8d62f3e4cb69f13e91a37c24d59, P3P=CP=\"NON COR ADMa CURa DEVa OUR IND COM UNI NAV INT PRE LOC ONL PHY STA ONL\", Content-Length=559, Date=Thu, 16 Nov 2023 16:27:21 GMT, Content-Type=text\\/html; charset=utf-8}]\n\tat connector.common.http.client.impl.ApacheHttpClientWrapper.handleFailedRequest(ApacheHttpClientWrapper.java:560)\n\tat connector.common.http.client.impl.ApacheHttpClientWrapper.execute(ApacheHttpClientWrapper.java:338)\n\tat connector.common.http.client.HttpClientWrapper.execute(HttpClientWrapper.java:137)\n\tat connector.sdk.webservices.ExecutionMediator.processEndpoint(ExecutionMediator.java:616)\n\t... 24 more\n",
            "exception_class": "connector.sdk.webservices.exception.WebServicesSdkException",
            "exception_message": "<!doctype html>\r\n<html>\r\n<head>\r\n  <title>Idaptive<\\/title>\r\n  <link rel=\"stylesheet\" type=\"text\\/css\" href=\"https:\\/\\/pod1011.idaptive.app\\/vfslow\\/lib\\/branding\\/idaptive\\/errorpages\\/style.css\" \\/>\r\n\r\n<\\/head>\r\n<body class=\"error idaptive\">\r\n\r\n  <div class=\"wrap\">\r\n\r\n    <img src=\"https:\\/\\/pod1011.idaptive.app\\/vfslow\\/lib\\/branding\\/idaptive\\/errorpages\\/cyberark-logo.svg\">\r\n\r\n    <div class=\"text\">\r\n      <h1>Something went wrong &#133;<\\/h1>\r\n      <p>Please try again or contact your system administrator for assistance.<\\/p>\r\n    <\\/div>\r\n\r\n  <\\/div>\r\n\r\n<\\/body>\r\n<\\/html>"
        },
        "stack": "ccg",
        "pod": "stg02-useast1",
        "connector-logging": "150",
        "Operation": "TestConfiguration",
        "clusterId": "1009",
        "buildNumber": "925",
        "apiUsername": "EEdqJYDaVsehgGEL",
        "orgType": "",
        "file": "SCIM2RelaxConfigExecutor.java",
        "encryption": "1266",
        "messageType": "test-connection",
        "connector-bundle-identityiq": "206",
        "line_number": 463,
        "@version": 1,
        "CB_version": "1053",
        "logger_name": "openconnector.connector.scim2.SCIM2RelaxConfigExecutor",
        "mantis-client": "1266",
        "class": "openconnector.connector.scim2.SCIM2RelaxConfigExecutor",
        "atlas-api": "1752",
        "va-gateway-client": "46",
        "tracing": "1391",
        "clientId": "3781",
        "request_milliseconds": "314509",
        "source_host": "5b3a1130ef02",
        "method": "processException",
        "org": "chk-sb",
        "level": "ERROR",
        "IdentityIQ": "8.3p4 Build 1527a593753-20230805-223436",
        "message": "Exception while performing operation : Test Connection exception : Error while performing operation : Test Connection  Error code : 500 <!doctype html>\r\n<html>\r\n<head>\r\n  <title>Idaptive<\\/title>\r\n  <link rel=\"stylesheet\" type=\"text\\/css\" href=\"https:\\/\\/pod1011.idaptive.app\\/vfslow\\/lib\\/branding\\/idaptive\\/errorpages\\/style.css\" \\/>\r\n\r\n<\\/head>\r\n<body class=\"error idaptive\">\r\n\r\n  <div class=\"wrap\">\r\n\r\n    <img src=\"https:\\/\\/pod1011.idaptive.app\\/vfslow\\/lib\\/branding\\/idaptive\\/errorpages\\/cyberark-logo.svg\">\r\n\r\n    <div class=\"text\">\r\n      <h1>Something went wrong &#133;<\\/h1>\r\n      <p>Please try again or contact your system administrator for assistance.<\\/p>\r\n    <\\/div>\r\n\r\n  <\\/div>\r\n\r\n<\\/body>\r\n<\\/html>",
        "pipeline": "1266",
        "@timestamp": "2023-11-16T16:27:22.196Z",
        "thread_name": "pool-6-thread-1817",
        "atlas-util": "1752",
        "metrics": "1266",
        "region": "us-east-1",
        "AppType": "CyberArk Privilege Cloud Shared Services",
        "Application": "CyberArk POC [source]",
        "request_id": "f876994156d146e6af75cd3ad493ec36",
        "CB_Type": "connector-bundle-webservices",
        "queue": "stg02-useast1-chk-sb-cluster-1009",
        "SCIM Common": "8.0 Build 00b1f252d1b-20200225-190809"
    }
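An added example, not code from SailPoint, CyberArk or any poster in this thread: a small Python triage of CCG log records like the two quoted above, which separates "the VA never got an HTTP response" from "the tenant answered with an error" and names the failing endpoint. It assumes one JSON record per line; the sample records are constructed, `tenant.example` is a placeholder host, and `http_calls` and `diagnose` are hypothetical helper names.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample: two records shaped like the CCG entries quoted in this thread.
# The host is a placeholder and the stack trace is shortened.
SAMPLE_LOG = r'''
{"Operation":"TestConfiguration","level":"INFO","request_milliseconds":"1068","message":"Response received for URL https:\\/\\/tenant.example\\/OAuth2\\/Token\\/SailPointIdentityNow in 683 millis, status code 200, Response size 951 bytes."}
{"Operation":"TestConfiguration","level":"ERROR","request_milliseconds":"314509","exception":{"stacktrace":"connector.sdk.webservices.exception.WebServicesSdkException: <!doctype html>\n\tat connector.sdk.webservices.ExecutionMediator.processEndpoint(ExecutionMediator.java:646)\nCaused by: HttpException [url=https:\\/\\/tenant.example\\/scim\\/v2\\/Users?startIndex=1&count=1, errorCode=500, getMessage()=<!doctype html>, getCause()=null]"}}
'''

OK_RE = re.compile(r"Response received for URL (\S+) in \d+ millis, status code (\d+)")
FAIL_RE = re.compile(r"HttpException \[url=([^,\s]+), errorCode=(\d+)")


def http_calls(log_text):
    """Return one dict per HTTP call the connector logged: path, status, elapsed ms."""
    calls = []
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank lines and non-JSON noise
        if not isinstance(entry, dict):
            continue
        # After JSON decoding, the quoted logs carry URLs as "https:\/\/host\/path".
        text = (entry.get("message", "") + "\n"
                + entry.get("exception", {}).get("stacktrace", "")).replace("\\/", "/")
        match = FAIL_RE.search(text) or OK_RE.search(text)
        if match:
            calls.append({
                "path": urlsplit(match.group(1)).path,
                "status": int(match.group(2)),
                "elapsed_ms": int(entry.get("request_milliseconds", 0)),
                "html_body": "<!doctype html" in text.lower(),  # error page, not SCIM JSON
            })
    return calls


def diagnose(calls):
    """Separate 'no response reached the VA' from 'the tenant answered with an error'."""
    if not calls:
        return "no HTTP response logged: check proxy, firewall and URL from the VA"
    failed = [c for c in calls if c["status"] >= 500]
    if failed:
        worst = max(failed, key=lambda c: c["elapsed_ms"])
        return "tenant reachable; %s returned %d (request_milliseconds=%d)" % (
            worst["path"], worst["status"], worst["elapsed_ms"])
    return "all logged calls succeeded"
```
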

Hi @mcheek We have exactly the same issue. We’re able to hit the scim/v2/groups endpoint using Postman and get a successful response. When trying scim/v2/users (or scim/users) no matter what filter we use on this endpoint, Postman keeps running and running with no response.

@mcheek Curious to know what the issue was with your users endpoint, if you happen to have it fixed?

I’ve opened a case with CyberArk support. The users API works for pulling back a specific user like /scim/v2/users/{id}, just not /scim/v2/users

I had tons of timeout issues trying to integrate with the CyberArk SaaS SCIM APIs. We’ve been through the wringer with CyberArk support and even after making changes on their side things still don’t work 100%. If your vault/PVWA is on-prem I recommend using the standalone Java SCIM server you can get from the CyberArk marketplace.

Thanks for sharing the information. We are using Privilege Cloud and plan to create a ticket with CyberArk.

We also use Privilege Cloud so this is our only option currently.

@sunnyajmera have you had any luck using the SCIM containers endpoints? I get a 404 whenever I call it and I’m not sure what the issue is. I have safes that the service user has full access to so I assume that’s what’s needed

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Hi All,

Had some people ask me about the solution here. I’m not sure if it’s 100% correct, but it was the case for me.

In order to get rid of the 500 errors, the support team at CyberArk had to enable an additional entitlement on my tenant. I’m not sure what that entitlement is called.

The 500 went away, but I still wasn’t able to manage containers (safes) through the SCIM API. My CyberArk account team told me that requires an additional entitlement called Privilege Lifecycle Management, which I do not currently own.

Unsure if this will be applicable to everyone, but I thought I’d share my experience on where I landed.

2 Likes

Now that this thread is back open.

@mcheek - Thanks again for your help!

Our issue is now resolved, we also had to contact CyberArk to have an additional ‘feature flag’ set on the tenant.

@mcheek No, I’m getting a 404 when trying to access the /containers endpoint, though all the access is there on the service user.

@hreimert Can you share more information about this “feature flag”, and did you also encounter a 404 while accessing the SCIM endpoint /scim/v2/containers?

I was on a call with a SME from CyberArk and we confirmed the service user had all the appropriate permissions on the vault side, and he concluded that the 404 was due to the lack of a Privilege Lifecycle Manager entitlement.

Whether or not that is the actual correct answer, I don’t know. I suppose I have to trust what CyberArk say about it