Error while creating groups in Azure AD from SailPoint

IIQ version 8.3 patch 3

Hi All,

I am trying to create a security group in Azure from SailPoint. When I give memberOf (group hierarchy attribute) in the object request and execute the plan it gives the below error.

sailpoint.connector.ConnectorException: Exception occurred. Error message - HTTP not ended OK. Response Code - 400 Error - . Property memberOf in payload has a value that does not match schema

My plan is as below:

  import java.util.ArrayList;
  import java.util.HashMap;
  import java.util.List;
  import sailpoint.api.Provisioner;
  import sailpoint.object.Attributes;
  import sailpoint.object.ProvisioningPlan;
  import sailpoint.object.ProvisioningPlan.AttributeRequest;
  import sailpoint.object.ProvisioningPlan.ObjectOperation;
  import sailpoint.object.ProvisioningPlan.ObjectRequest;
  import sailpoint.object.ProvisioningProject;

  // Group-level (ObjectRequest) create against the Azure AD application
  ProvisioningPlan plan = new ProvisioningPlan();
  ObjectRequest obj = new ObjectRequest();
  obj.setApplication("TEST Azure instance");
  obj.setOp(ObjectOperation.Create);
  obj.setType("group");

  obj.add(new AttributeRequest("securityEnabled", ProvisioningPlan.Operation.Set, true));

  obj.add(new AttributeRequest("mailNickname", ProvisioningPlan.Operation.Set, "Test-MGH-Azure-Group-Creation-1"));
  obj.add(new AttributeRequest("displayName", ProvisioningPlan.Operation.Set, "Test-MGH-Azure-Group-Creation-1"));
  obj.add(new AttributeRequest("sysAttribute", ProvisioningPlan.Operation.Set, "Test-MGH-Azure-Group-Creation-1"));
  obj.add(new AttributeRequest("mailEnabled", ProvisioningPlan.Operation.Set, false));
  obj.add(new AttributeRequest("sysDisplayName", ProvisioningPlan.Operation.Set, "Test-MGH-Azure-Group-Creation-1"));

  // Localized description map plus the plain description attribute
  String description = "This is testing for security group";
  HashMap descriptions = new HashMap();
  descriptions.put("en_US", description);
  obj.add(new AttributeRequest("sysDescriptions", ProvisioningPlan.Operation.Set, descriptions));

  obj.add(new AttributeRequest("description", ProvisioningPlan.Operation.Set, description));

  List ownerList = new ArrayList();
  ownerList.add("***");
  obj.add(new AttributeRequest("owners", ProvisioningPlan.Operation.Add, ownerList));

  // This attribute is what triggers the 400 "does not match schema" error
  List memberOfList = new ArrayList();
  memberOfList.add("***");
  obj.add(new AttributeRequest("memberOf", ProvisioningPlan.Operation.Add, memberOfList));

  plan.add(obj);

  // Compile and execute; noFiltering keeps the plan from being trimmed against the current state
  Provisioner p = new Provisioner(context);
  Attributes scriptArgs = new Attributes();
  scriptArgs.put("noFiltering", true);
  ProvisioningProject project = p.compile(plan, scriptArgs);

  p.execute(project);

My group schema looks like this:

Thanks,
Harshita

Hi Harshita,

It seems that the format of the memberOf value is not being accepted as expected. Rather than supplying a list, you should provide a string value for the memberOf attribute and check.

Regards,
Arun

Hi @hmantri_sp

The schema attribute in the Azure AD application is not “memberOf”, it is “groups”.


Your plan doesn’t look correct; it should be something like the below:

<ObjectRequest application="Azure AD" nativeIdentity="VishalAzureADSecurityGroupCreation" op="Create" type="Group">
	<AttributeRequest name="groupTypes" op="Add">
		<Value>
			<List>
				<String>Unified</String>
			</List>
		</Value>
	</AttributeRequest>
	<AttributeRequest name="description" op="Add" value="Test group created by Vishal in Dev IIQ."/>
	<AttributeRequest name="displayName" op="Add" value="VishalAzureADSecurityGroupCreation"/>
	<AttributeRequest name="mailEnabled" op="Add">
		<Value>
			<Boolean></Boolean>
		</Value>
	</AttributeRequest>
	<AttributeRequest name="securityEnabled" op="Add">
		<Value>
			<Boolean>true</Boolean>
		</Value>
	</AttributeRequest>
</ObjectRequest>

@hmantri_sp Based on your code I think you want to create a group and add members as well.

You can perform this in 2 steps.

a. Create an Azure Group
b. Add Members to the Group

For a.

  import java.util.ArrayList;
  import java.util.HashMap;
  import java.util.List;
  import sailpoint.api.Provisioner;
  import sailpoint.object.Attributes;
  import sailpoint.object.ProvisioningPlan;
  import sailpoint.object.ProvisioningPlan.AttributeRequest;
  import sailpoint.object.ProvisioningPlan.ObjectOperation;
  import sailpoint.object.ProvisioningPlan.ObjectRequest;
  import sailpoint.object.ProvisioningProject;

  // Step a: create the group only; membership is handled separately in step b
  ProvisioningPlan plan = new ProvisioningPlan();
  ObjectRequest obj = new ObjectRequest();
  obj.setApplication("TEST Azure instance");
  obj.setOp(ObjectOperation.Create);
  obj.setType("group");

  obj.add(new AttributeRequest("securityEnabled", ProvisioningPlan.Operation.Set, true));

  obj.add(new AttributeRequest("mailNickname", ProvisioningPlan.Operation.Set, "Test-MGH-Azure-Group-Creation-1"));
  obj.add(new AttributeRequest("displayName", ProvisioningPlan.Operation.Set, "Test-MGH-Azure-Group-Creation-1"));
  obj.add(new AttributeRequest("sysAttribute", ProvisioningPlan.Operation.Set, "Test-MGH-Azure-Group-Creation-1"));
  obj.add(new AttributeRequest("mailEnabled", ProvisioningPlan.Operation.Set, false));
  obj.add(new AttributeRequest("sysDisplayName", ProvisioningPlan.Operation.Set, "Test-MGH-Azure-Group-Creation-1"));

  String description = "This is testing for security group";
  HashMap descriptions = new HashMap();
  descriptions.put("en_US", description);
  obj.add(new AttributeRequest("sysDescriptions", ProvisioningPlan.Operation.Set, descriptions));

  obj.add(new AttributeRequest("description", ProvisioningPlan.Operation.Set, description));

  List ownerList = new ArrayList();
  ownerList.add("***");
  obj.add(new AttributeRequest("owners", ProvisioningPlan.Operation.Add, ownerList));

  // memberOf is not a group schema attribute here, so it is left out of the create request
  //List memberOfList = new ArrayList();
  //memberOfList.add("***");
  //obj.add(new AttributeRequest("memberOf", ProvisioningPlan.Operation.Add, memberOfList));

  plan.add(obj);

  Provisioner p = new Provisioner(context);
  Attributes scriptArgs = new Attributes();
  scriptArgs.put("noFiltering", true);
  ProvisioningProject project = p.compile(plan, scriptArgs);

  p.execute(project);

For b. you can create an AccountRequest and add the members. In this case you use “groups”, not “memberOf”.

Let me know if that works.

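As an added example of step b (written for this thread, not code posted by anyone above), a Beanshell-style rule fragment that adds the group created in step a to a user's account on the same application through the “groups” attribute, and then checks the connector result rather than assuming success. The application name, identity name and group objectId are placeholders; `context` and `log` are the objects IIQ provides to rules.

```java
import java.util.List;
import sailpoint.api.Provisioner;
import sailpoint.object.Application;
import sailpoint.object.Attributes;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningProject;
import sailpoint.object.ProvisioningResult;

// Placeholders: the real application name, the identity to modify and the
// objectId of the group created in step a.
String appName = "TEST Azure instance";
String identityName = "<identity-name>";
String groupObjectId = "<azure-group-objectId>";

Application app = context.getObjectByName(Application.class, appName);
Identity identity = context.getObjectByName(Identity.class, identityName);

// The AccountRequest must target an existing account (Link) on the application.
List links = identity.getLinks(app);
if (links == null || links.isEmpty()) {
    throw new IllegalStateException(identityName + " has no account on " + appName);
}
Link link = (Link) links.get(0);

ProvisioningPlan plan = new ProvisioningPlan();
plan.setIdentity(identity);

// Account-level Modify: membership lives on the account schema as "groups",
// which is why a "memberOf" attribute on the group create request is rejected.
AccountRequest acct = new AccountRequest();
acct.setApplication(appName);
acct.setNativeIdentity(link.getNativeIdentity());
acct.setOperation(AccountRequest.Operation.Modify);
acct.add(new AttributeRequest("groups", ProvisioningPlan.Operation.Add, groupObjectId));
plan.add(acct);

Provisioner p = new Provisioner(context);
ProvisioningProject project = p.compile(plan, new Attributes());
p.execute(project);

// Inspect each executed plan's result so a failed membership add is not silently lost.
for (Object o : project.getPlans()) {
    ProvisioningResult result = ((ProvisioningPlan) o).getResult();
    if (result != null && result.isFailed()) {
        log.error("Adding " + groupObjectId + " to " + identityName + " failed: " + result.getErrors());
    }
}
```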
