Export import of Identity Profile

Hi Team,

Task: Identity Profile Export is done from the sp-config API.

  1. Import is not happening with the help of sp-config API.
    POST https://.api.identitynow.com/beta/sp-config/import/

Getting response:

{
    "jobId": "8d05fa37-df41-4405-9532-341219c71442",
    "status": "FAILED",
    "type": "IMPORT",
    "message": "java.lang.RuntimeException: Exception communicating with target service: HTTP Error 403 when communicating with URI https://stg04-useast1-diana.accessiq.sailpoint.com/v3/sources/sources/?filters=name+eq+%22Delimited+File+-+Testing+%5Bsource%5D%22 : {\"detailCode\":\"403 Forbidden\",\"trackingId\":\"c30767aebe3b46af84fdcd63f35c65ac\",\"messages\":[{\"locale\":\"en-US\",\"localeOrigin\":\"DEFAULT\",\"text\":\"The server understood the request but refuses to authorize it.\"}],\"causes\":[]}",
    "description": null,
    "expiration": "2022-04-14T09:19:08Z",
    "created": "2022-04-07T09:19:08.652Z",
    "modified": "2022-04-07T09:19:09.236Z",
    "completed": null
}

Note: Every time getting the same response…

Any need will be helpful.

Kind Regards,
Ritu Raj Akhauri

“The server understood the request but refuses to authorize it.” is a common error with the JWT. Are you sure you’re using a PAT with ORG_ADMIN rights for the import system?

Yeah, I am using the PAT Token to do that.

I am able to export and Import - Sources, Transform and Rules but not the Identity Profile.

@Ritu_Raj ,

Have you tried again recently? I’m wondering if there was a bit of downtime in our services that caused this failure.

1 Like

Yeah @colin_mckibben I tried it yesterday.

I’m seeing the same error when importing Identity_profile from one tenant into another. Do you have any suggestions on how to resolve this?

Ran into the same issue when I was moving data over from Sandbox to Production. I noticed there are separate Export/Import API methods for Identity Profiles (Export, Import). This, too, resulted in a failure and did not provide an error code:

{
    "infos": [],
    "warnings": [],
    "errors": [
        {
            "key": "IDENTITY_PROFILE_IMPORT_FAILED",
            "text": "An error occurred while importing Identity Profile with name 'Test IdentityProfile'",
            "detail": {
                "exceptionMessage": null
            }
        }
    ],
    "importedObjects": []
}

I eventually just manually re-created everything in Production.

2 Likes

@Ritu_Raj , I just tried on my tenant and it worked. Here are the steps I took. The only thing to note is that I exported and imported to the same tenant since I don’t have a sandbox set up. If you follow these steps for your two tenants and still have an issue, try exporting and importing to the same tenant and see if it works. We might have a bug here, but I just want to make sure I have as much info as possible to send a proper bug report to engineering.

  1. Export the identity profiles from tenant 1

POST https://{tenant1}.api.identitynow.com/beta/sp-config/export
Body

{
    "description": "Export Profiles",
    "excludeTypes": [
    ],
    "includeTypes": [
        "IDENTITY_PROFILE"
    ]
}

Response

{
    "jobId": "0e3ccd2f-700b-4416-b8f5-d3f4db059cce",
    "status": "NOT_STARTED",
    "type": "EXPORT",
    "message": null,
    "description": "Export Profiles",
    "expiration": "2022-04-28T01:25:13.6Z",
    "created": "2022-04-21T01:25:13.6Z",
    "modified": "2022-04-21T01:25:13.6Z",
    "completed": null
}

  2. Get the export results and save them as a JSON file on your computer.

GET https://{tenant1}.api.identitynow.com/beta/sp-config/export/0e3ccd2f-700b-4416-b8f5-d3f4db059cce/download

Response (abbreviated)

{
    "version": 1,
    "timestamp": "2022-04-21T01:25:15.896063Z",
    "tenant": "devrel",
    "description": "Export Profiles",
    "options": {
        "excludeTypes": [],
        "includeTypes": [
            "IDENTITY_PROFILE"
        ],
        "objectOptions": null
    },
    "objects": [
        {
            "version": 1,
            "self": {
                "name": "Test",
                "id": "2c91808478189d26017822a5b9b80c9e",
                "type": "IDENTITY_PROFILE"
...
...
...

  3. Import the downloaded file to the new tenant. Make sure to use the appropriate API access token for this new tenant.

cURL command

curl --location --request POST 'https://{tenant2}.api.identitynow.com/beta/sp-config/import' \
--header 'Authorization: Bearer {access_token}' \
--form 'data=@"/path/to/profile_export.json"'

  4. Get the status of the import

GET https://{tenant2}.api.identitynow.com/beta/sp-config/import/5b30f2a1-bbb5-4ebd-834d-618f290bddde

Response

{
    "jobId": "5b30f2a1-bbb5-4ebd-834d-618f290bddde",
    "status": "COMPLETE",
    "type": "IMPORT",
    "message": "Download import results for details.",
    "description": null,
    "expiration": "2022-04-28T01:26:45Z",
    "created": "2022-04-21T01:26:45.68Z",
    "modified": "2022-04-21T01:26:53.599Z",
    "completed": "2022-04-21T01:26:53.594Z"
}

1 Like

It is not working for 2 tenants

Hi @colin_mckibben, Unfortunately exporting / importing using the same tenant isn’t really the use case here. @Ritu_Raj @Aastha29 @ranjanik @brennenscott I was able to export and then import into another tenant using the APIs mentioned in this thread. The error messaging can be improved here as I had to look at the source code to figure out what was wrong. The API documentation could be improved as I used attributes that don’t exist in the docs. Here’s what I changed to get import to work:

  • Change the object.authoritativeSource.id to match the source id in the new tenant
  • Replace the object.identityAttributeConfig.attributeTransforms.transformDefinition.attributes.sourceId attribute name with the attribute name and make the value the same as the attribute name value.

Export

"attributes": {
    "attributeName": "name",
    "sourceName": "DemoData",
    "sourceId": "2c91808482ccea200182d62ae94961fb"
}

becomes this in Import

"attributes": {
    "attributeName": "name",
    "sourceName": "DemoData",
    "name": "name"
}

Hope this helps someone in the future.

2 Likes
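
The two edits described in the post above can be scripted. This is an added example, not code from any poster or from SailPoint: the function name, the `target_source_ids` mapping, the presence of `authoritativeSource.name` in the export, and the reading of the second edit (drop `sourceId`, add a `name` key holding the `attributeName` value) are assumptions, and the sample export is constructed.

```python
import copy
import json


def rewrite_for_target(export, target_source_ids):
    """Return a copy of an sp-config export edited for import into another tenant.

    target_source_ids (assumed input) maps source name -> source id in the target tenant.
    """
    out = copy.deepcopy(export)
    for entry in out.get("objects", []):
        if entry.get("self", {}).get("type") != "IDENTITY_PROFILE":
            continue
        profile = entry["object"]  # assumed: the profile body sits under "object"
        auth = profile["authoritativeSource"]
        source_name = auth.get("name")  # assumed: the export carries the source name
        if source_name not in target_source_ids:
            # Fail loudly rather than import a profile bound to a stale source id.
            raise KeyError(f"no target-tenant id for source {source_name!r}")
        auth["id"] = target_source_ids[source_name]
        config = profile.get("identityAttributeConfig") or {}
        for transform in config.get("attributeTransforms") or []:
            attrs = (transform.get("transformDefinition") or {}).get("attributes")
            if isinstance(attrs, dict) and "sourceId" in attrs:
                del attrs["sourceId"]                   # id from the exporting tenant
                attrs["name"] = attrs["attributeName"]  # per the post's Import example
    return out


# Constructed sample export; the ids are placeholders, not real tenant data.
SAMPLE_EXPORT = {
    "objects": [{
        "self": {"name": "Test", "type": "IDENTITY_PROFILE"},
        "object": {
            "authoritativeSource": {"name": "DemoData", "id": "EXPORT_TENANT_SOURCE_ID"},
            "identityAttributeConfig": {"attributeTransforms": [{
                "transformDefinition": {"attributes": {
                    "attributeName": "name",
                    "sourceName": "DemoData",
                    "sourceId": "EXPORT_TENANT_SOURCE_ID",
                }},
            }]},
        },
    }],
}

if __name__ == "__main__":
    fixed = rewrite_for_target(SAMPLE_EXPORT, {"DemoData": "TARGET_TENANT_SOURCE_ID"})
    print(json.dumps(fixed, indent=2))
```

Nested transforms are not walked; only the top-level `attributes` of each `transformDefinition` is edited.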

Hey Chris, is there no way we can automate this? I faced a similar issue trying to update an existing identity profile in production with changes we worked on in sandbox. The import to another environment didn’t work, so we had to do a full manual reconfiguration on production which was extremely tedious (given the number of identity attribute mappings and provisioning configurations involved).

Here’s my post on the Compass forum which has all the details.

I faced the same issue, had no other choice but to do it manually in production.

Definitely possible you could automate the manual steps I outlined, but a simple find/replace would do the job just as well.
I understand your pain importing to another environment which is why I felt the need to reply to this thread. Please let me know if my post helps you in the future. - Chris

1 Like

Export and import within same tenant:
I have tried the export and it worked fine. When I am trying to do import, I am not getting where to specify that it's a second copy.
For example in object options or default reference?
I am trying to copy export Identity Profile IP1 from Tenant A and Importing in the same tenant Tenant A but need different name: IP2.
I do not see any option to provide different name.

How can we Export Source A from tenant A and import the same source A with different name within same tenant?

Thanks for sharing @chris_annino . This worked great!