Entitlement Add/Remove Fails (“0 succeeded, 1 failed”) and No Logs Printed

IdentityIQ (IIQ) IIQ Discussion and Questions
, ,
1

I am running IdentityIQ 8.3 on Tomcat 9 and facing an issue when testing entitlement provisioning.

Problem:

  • When I try to assign or remove an entitlement for a user, the request fails with the UI message:

    image
    image1920×1080 251 KB

  1. No meaningful error details are printed in the sailpoint.log.

  2. I have already configured log4j2.properties to write logs into C:\SailpointSpace\sailpoint.log and enabled debug level.

  3. Hibernate debug logs (SQL/attribute loading) are appearing, but no workflow/provisioning logs are captured.

    Can anyone help me solving this Error.

2

Hi @Viraj
Could you please check if there’s anything related to this in the provisioning transactions from your admin console?
Also, you should see something in the syslogs and Tomcat-stdout, are you able to check these?

3

image
image1920×1080 326 KB
In provisioning Transaction there is nothing generated recently.
nothing is getting printed in Syslogs .
this was generated after the error caused:

image
image1920×1080 373 KB

4

Hello @Viraj what type of application you are requesting for entitlement or removing?

5

I was trying for JDBC application but as i checked now for all application it is giving me same error.

6

Check provisioning transactions with today’s date and let me know failed any

7

there is no transactions generated for today or yesterday as you can see in image

Screenshot (227)
Screenshot (227)1920×778 73.2 KB

8

According to the error shown, this seems to be related to the CSRF (Cross-Site Request Forgery) protection enforced by SailPoint IdentityIQ’s RestCsrfValidationFilter.

To confirm if this is the root cause, please try one of the following steps:

  1. Open a private/incognito browser session with only one tab and try the action again.

  2. Alternatively, edit iiq/WEB-INF/web.xml and temporarily remove (or comment out) the and entries for RestCsrfValidationFilter.
    Restart IIQ after making the change and then test again.

You may also want to review this related discussion:
How to develop an HTTP POST method in Java classes (Rest resources extend BasePluginResource)

Let me know how it goes after testing.

9

Another option for troubleshooting is to set the Variable named trace to "true" in your request Workflow. This will cause a lot of information to be printed to Tomcat’s standard output, which should show up in catalina.out.

You could also try searching the sources of your Workflow for the text “Your request was submitted”. If it is an out of the box message, you can check the OOTB messages list in identityiq.jar to find the message key, then search for that in your Workflows. The point of all this searching is to find where the message is coming from, then work backwards to infer where the failure is coming from.

10

Hi @Viraj

As you said this is a JDBC application, can you try adding some logs at the start and end of your JDBC Provisioning Rule, just to verify nothing is wrong in provisioning rule.