Having an issue with this message when running a provision: Unauthorized, HTTP Error Code: 401

SLP- 2232024.txt (2.4 MB)

I was trying to provision using OAuth2 and I'm getting the message: 401 : Unauthorized, HTTP Error Code: 401. I tried the payload generated by IIQ in Postman and it's working:
payload={"userName":"61124477","name":{"givenName":"T11224","familyName":"477"},"emails":[{"value":"[email protected]"}]}
Not sure if the access token is being generated in the create operation.

Here's the code I'm using to try to fetch the access token:

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.json.simple.JSONArray;
import org.json.simple.JSONObject;
import org.json.simple.parser.JSONParser;
import sailpoint.connector.webservices.WebServicesClient;
import sailpoint.connector.webservices.EndPoint;
import sailpoint.tools.Util;
import org.apache.log4j.Logger;
import sailpoint.object.Application;

Logger log = Logger.getLogger(this.getClass());
log.error("SAC: Start BeforeOperationRule");

// Read the token endpoint and client credentials from the application definition
Application application = context.getObjectByName(Application.class, "SAC Treasury");
String url = application.getAttributeValue("token_url").toString();
String clientID = application.getAttributeValue("client_id").toString();
String clientSecret = context.decrypt(application.getAttributeValue("client_secret").toString());

String resource = "https://proquire-q.us10.sac.cloud";
String grantType = "client_credentials";

// Parameters of the client-credentials token request
Map payload = new HashMap();
payload.put("client_secret", clientSecret);
payload.put("client_id", clientID);
payload.put("resource", resource);
payload.put("grant_type", grantType);

// Response status codes passed to executePost as allowed
List codes = new ArrayList();
codes.add("2**");
codes.add("4**");

Map headers = new HashMap();
headers.put("Content-Type", "application/json");

Map arg = new HashMap();
arg.put(restClient.ARG_URL, url);
restClient.configure(arg);

String response = restClient.executePost(url, payload, headers, codes);
JSONParser jsonParser = new JSONParser();
JSONObject jsonObject = (JSONObject) jsonParser.parse(response);
String accessTokenGeneratedInBeforeRuleScript = (String) jsonObject.get("access_token");

// 4** responses are allowed above, so an error body can reach this point with no
// access_token; stop here instead of sending "Bearer null" on the create request
if (accessTokenGeneratedInBeforeRuleScript == null) {
    throw new Exception("SAC: no access_token in token endpoint response");
}
// Record that a token was obtained without writing the bearer token to the log
log.error("SAC: access token obtained");

// Put the bearer token on the outgoing request and in the connector state
Map updatedInfoMap = new HashMap();
Map headerMap = new HashMap();
headerMap.put("Authorization", "Bearer " + accessTokenGeneratedInBeforeRuleScript);
requestEndPoint.setHeader(headerMap);
Map connectorStateMap = new HashMap();
connectorStateMap.put("accesstoken", "Bearer " + accessTokenGeneratedInBeforeRuleScript);
updatedInfoMap.put("updatedEndPoint", requestEndPoint);
updatedInfoMap.put("connectorStateMap", connectorStateMap);
log.error("SAC: End BeforeOperationRule");
return updatedInfoMap;
```
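
The token handling that the rule above performs, as an added stand-alone example that is not part of the original post or of SailPoint's code: it form-encodes the client-credentials request as RFC 6749 section 4.4.2 specifies, rejects a response that has no `access_token`, and logs a token fingerprint instead of the token. The class and method names, credentials and responses are constructed, and json-simple (imported by the rule above) is assumed to be on the classpath.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.StringJoiner;
import org.json.simple.JSONObject;
import org.json.simple.parser.JSONParser;

public class TokenHandling { // hypothetical class, not a SailPoint API
    // RFC 6749 section 4.4.2: token request parameters are sent form-encoded.
    static String formBody(Map<String, String> params) {
        StringJoiner body = new StringJoiner("&");
        for (Map.Entry<String, String> e : params.entrySet()) {
            body.add(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8) + "="
                    + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        }
        return body.toString();
    }
    // Returns the token, or throws so the caller never sends "Bearer null".
    static String extractToken(String responseBody) throws Exception {
        JSONObject json = (JSONObject) new JSONParser().parse(responseBody);
        Object token = json.get("access_token");
        if (!(token instanceof String) || ((String) token).isEmpty()) {
            throw new IllegalStateException("token endpoint error: " + json.get("error"));
        }
        return (String) token;
    }
    // First 4 bytes of SHA-256: correlates log lines without exposing the token.
    static String fingerprint(String token) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (int i = 0; i < 4; i++) hex.append(String.format("%02x", d[i]));
        return hex.toString();
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> p = new LinkedHashMap<>();
        p.put("grant_type", "client_credentials");
        p.put("client_id", "example-client");       // constructed value
        p.put("client_secret", "s3cr3t&value");     // constructed value
        System.out.println(formBody(p).replaceAll("client_secret=[^&]*", "client_secret=***"));
        String ok = "{\"access_token\":\"abc.def.ghi\",\"token_type\":\"bearer\"}"; // constructed
        System.out.println("token fingerprint: " + fingerprint(extractToken(ok)));
        String denied = "{\"error\":\"invalid_client\"}";                            // constructed
        try { extractToken(denied); } catch (IllegalStateException ex) { System.out.println(ex.getMessage()); }
    }
}
```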

Hi Jomar,
Is there any reason why you need to handle authentication in the before operation rule instead of using the standard IIQ authentication mechanism, which supports OAuth2?

Hi @kjakubiak, actually I’ve tried to run the provisioning without the before operation rule and I’m having the same error: Unauthorized, Exception occurred while performing ‘Create’ operation on identity ‘null’ HTTP Error Code: 401. Not sure which part of the create operation is null. That’s why I’m trying to get the access token via the before operation rule.

Also, when you say standard IIQ authentication, is a sample of this OAuth2 with client credentials? Sorry, I’m new to using IIQ.

That’s correct. Here you can see some details:
https://documentation.sailpoint.com/connectors/identityiq/webservices/help/integrating_webservices/basic_configuration_parameters_iiq.html
Please follow this section to configure client credentials authentication; this should be quite straightforward.

Also check if a provisioning policy is defined for the create operation, and that there is a value for nativeidentity or account name as per the schema and it is not null.

Hi @kjakubiak, test connection and both the account and group schemas are working for me. It’s just when provisioning that I get the ‘Create’ operation on identity ‘null’ HTTP Error Code: 401, but I’ve tried the payload in Postman and it’s working. This is the provisioning in Access Request.

Hi @abhishek_chowdhury, yes, the native identity is defined on our end.

Also added the log error for the start and end of the before provisioning rule.
Not sure what to look for in the log with the name SLP- 2232024.txt that I attached earlier.

```
2024-02-23T03:23:16,167 ERROR BeanShellThread-7 sailpoint.server.InternalContext:166 - SAC: Entering before Provisioning Rule<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan nativeIdentity="711224459" targetIntegration="SAC  Treasury" trackingId="0d56b32ff78d4e0f8a241f08ca29c627">
  <AccountRequest application="SAC  Treasury" assignmentIds="72b725e565dd43f8b660c6f3da7440e8" op="Create" sourceRole="BR_177049_00001-DM-GLB_IT">
    <Attributes>
      <Map>
        <entry key="selectorRuleSource" value="BR_177049_00001-DM-GLB_IT"/>
      </Map>
    </Attributes>
    <AttributeRequest name="groups" op="Add" value="SECURITY"/>
    <AttributeRequest name="Username" op="Add" value="61124459"/>
    <AttributeRequest name="email" op="Set" value="[email protected]"/>
    <AttributeRequest name="Displayname" op="Add" value="User, SAP459"/>
    <AttributeRequest name="givenName" op="Set" value="T11224"/>
    <AttributeRequest name="familyName" op="Set" value="459"/>
  </AccountRequest>
  <Attributes>
    <Map>
      <entry key="identityRequestId" value="0001117208"/>
      <entry key="requester" value="2895281"/>
      <entry key="source" value="Batch"/>
    </Map>
  </Attributes>
  <Requesters>
    <Reference class="sailpoint.object.Identity" id="0a5542848af31ece818af6f4977c0925" name="2895281"/>
  </Requesters>
</ProvisioningPlan>

2024-02-23T03:23:16,264 DEBUG https-openssl-nio-443-exec-39 sailpoint.web.util.TimingFilter:92 - Request /identityiq/monitor/tasks/viewTasks.jsf took 72 ms
2024-02-23T03:23:16,264 TRACE https-openssl-nio-443-exec-39 sailpoint.web.util.TimingFilter:150 - Exiting doFilter = null
2024-02-23T03:23:16,244 ERROR BeanShellThread-7 sailpoint.server.InternalContext:166 - assignedRoles:[sailpoint.object.Bundle@408e9494[id=0a5544e87f24125e817f265f394712be,name=AP_90090-DM_000828], sailpoint.object.Bundle@5a578e89[id=0a5542848d581a72818d598041c05422,name=BR_177049_00001-DM-GLB]]
2024-02-23T03:23:16,311 ERROR BeanShellThread-7 sailpoint.server.InternalContext:166 - SAC: Exiting before Provisioning Rule<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan nativeIdentity="711224459" targetIntegration="SAC  Treasury" trackingId="0d56b32ff78d4e0f8a241f08ca29c627">
  <AccountRequest application="SAC  Treasury" assignmentIds="72b725e565dd43f8b660c6f3da7440e8" op="Create" sourceRole="BR_177049_00001-DM-GLB_IT">
    <Attributes>
      <Map>
        <entry key="selectorRuleSource" value="BR_177049_00001-DM-GLB_IT"/>
      </Map>
    </Attributes>
    <AttributeRequest name="groups" op="Add" value="SECURITY"/>
    <AttributeRequest name="Username" op="Add" value="61124459"/>
    <AttributeRequest name="email" op="Set" value="[email protected]"/>
    <AttributeRequest name="Displayname" op="Add" value="User, SAP459"/>
    <AttributeRequest name="givenName" op="Set" value="T11224"/>
    <AttributeRequest name="familyName" op="Set" value="459"/>
  </AccountRequest>
  <Attributes>
    <Map>
      <entry key="identityRequestId" value="0001117208"/>
      <entry key="requester" value="2895281"/>
      <entry key="source" value="Batch"/>
    </Map>
  </Attributes>
  <Requesters>
    <Reference class="sailpoint.object.Identity" id="0a5542848af31ece818af6f4977c0925" name="2895281"/>
  </Requesters>
</ProvisioningPlan>
```
