IDN SCIM 2.0 Requesting Access not calling target APIs

I'm having some issues with SailPoint making calls back into the target source when trying to request access.

I have verified that “Test Connection” works and I can also “Discover Schema”, so I know that SailPoint can talk to my target.

When I go make a request for an entitlement in the Request Center, I get the successful banner and I also receive the email that a request has been requested.

This is with users currently attached to the target source and ones that are not.
I have also checked the boxes that disable any approvals needed.

I'm not seeing any of these requests back in the target system.

In reading the docs, and also talking with our SailPoint contact, I have implemented these SCIM APIs on the target system:

/ServiceProviderConfig (GET)
/Schemas (GET)
/Schemas/{schemaId} (GET) e.g. /Schemas/urn:ietf:params:scim:schemas:core:2.0:User

/ResourceTypes (GET)

/ResourceTypes/Users (GET)
/ResourceTypes/Groups (GET)
/ResourceTypes/User (GET)
/ResourceTypes/Group (GET)
** I added both collection and entity endpoints, because I have seen/been told both ways. I'm not sure which is correct, but in any case it should call one of them.

/Groups (GET, POST)
/Groups/{groupId} (GET, PATCH, PUT, DELETE)
/Users (GET, POST)
/Users/{userId} (GET, PATCH, PUT, DELETE)

Along with the proper OAuth setup, which works because I can see the test connection and discover schema calls.

Anything else that I may be missing? It seems like a configuration issue.

Hi Bob,
A few questions:

  1. Is the provisioning executed on the target app?
  2. After aggregation - do the changes show in IDN?
  3. Did you configure any schema mappings in the app JSON?
  4. Any errors?

If that’s possible - it would be good to add the source definition here so we can take a look at that.

Here is a general idea of what gets used to create the source. I removed all the entitlements etc… just to make it less noisy

{
  name,
  description: `${name} - Generated Source`,
  owner: {
    type: 'IDENTITY',
    id: ownerId,
    name: ownerName,
  },
  cluster,
  accountCorrelationConfig: null,
  accountCorrelationRule: null,
  managerCorrelationMapping: null,
  managerCorrelationRule: null,
  beforeProvisioningRule: null,
  type: 'SCIM 2.0',
  features: [
    'DIRECT_PERMISSIONS',
    'DISCOVER_SCHEMA',
    'ENABLE',
    'SEARCH',
    'UNLOCK',
    'UNSTRUCTURED_TARGETS',
    'PROVISIONING',
    'GROUP_PROVISIONING',
    'SYNC_PROVISIONING',
    'PASSWORD',
  ],
  connector: 'scim20-angularsc',
  connectorClass: 'sailpoint.connector.OpenConnectorAdapter',
  connectorAttributes: {
    accept: 'application/json',
    'contentType ': 'application/scim+json',
    grant_type: 'CLIENT_CREDENTIALS',
    connectorName: 'SCIM 2.0',
    templateApplication: 'SCIM 2.0',
    cloudDisplayName: `${name} - Generated Source`,
    healthCheckTimeout: 30,
    'load-by-sysclassloader': ['json.jar'],
    deltaAggregationEnabled: true,
    pageSize: '100',
    connectionType: 'direct',
    client_id: apiKeys.clientId,
    client_secret: apiKeys.clientSecret,
    host: *** SCIM URL ***,
    sourceConnected: true,
    skipGrpUpdate: true,
    relaxConfiguration: false,
    usePatch: true,
    connectorClass: 'openconnector.connector.scim2.SCIM2Connector',
    hasFullAggregationCompleted: true,
    authType: 'OAuth2Login',
    token_url: *** OAUTH URL ***,
    customTimeout: '1',
    deleteThresholdPercentage: 10,
    schemaPropertyMappings: [...],
    schemas: [...],
    deleteThreshold: 10,
    authoritative: false,
    healthy: true,
    status: 'SOURCE_STATE_UNCHECKED_SOURCE_NO_ACCOUNTS',
    since: timestamp,
    connectorId: 'scim20-angularsc',
    connectorName: 'SCIM 2.0',
    connectionType: 'direct',
    connectorImplementationId: 'scim20-angularsc',
    passwordPolicies: null,
  }
}
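
An added example, not part of the original post and not SailPoint tooling: a lint pass over the text of a source definition like the one above. It reports attribute keys that carry stray whitespace (the posted definition has `'contentType '`) and keys repeated inside one object, where a JavaScript object literal silently keeps only the last value. `lintSourceDefinition` and `SAMPLE` are hypothetical names, the sample is constructed from keys shown in the post, and the check assumes pretty-printed text with one property per line.

```javascript
// Added example (not from the post). SAMPLE is constructed from keys shown in
// the posted definition; values are placeholders.
const SAMPLE = `{
  type: 'SCIM 2.0',
  connectorAttributes: {
    accept: 'application/json',
    'contentType ': 'application/scim+json',
    connectorName: 'SCIM 2.0',
    connectionType: 'direct',
    usePatch: true,
    connectorName: 'SCIM 2.0',
    connectionType: 'direct',
  }
}`;

// Hypothetical helper. Assumes pretty-printed text, one property per line.
function lintSourceDefinition(text) {
  const findings = [];
  const scopes = []; // stack of { name, seen: Map(key -> first line number) }
  const keyRe = /^\s*(?:'([^']*)'|"([^"]*)"|([A-Za-z_$][\w$]*))\s*:\s*(.*)$/;
  text.split('\n').forEach((line, i) => {
    const lineNo = i + 1;
    const trimmed = line.trim();
    if (trimmed.startsWith('}')) { scopes.pop(); return; }
    if (trimmed === '{') { scopes.push({ name: '(root)', seen: new Map() }); return; }
    const m = keyRe.exec(line);
    if (!m || scopes.length === 0) return;
    const key = m[1] ?? m[2] ?? m[3];
    const norm = key.trim();
    const scope = scopes[scopes.length - 1];
    // A quoted key such as 'contentType ' is a different property from contentType.
    if (key !== norm) {
      findings.push({ rule: 'whitespace-key', scope: scope.name, key, line: lineNo });
    }
    // A repeated key in an object literal silently keeps only the last value.
    if (scope.seen.has(norm)) {
      findings.push({ rule: 'duplicate-key', scope: scope.name, key: norm,
                      line: lineNo, firstLine: scope.seen.get(norm) });
    } else {
      scope.seen.set(norm, lineNo);
    }
    if (m[4].trim().endsWith('{')) scopes.push({ name: norm, seen: new Map() });
  });
  return findings;
}

console.log(lintSourceDefinition(SAMPLE));
```

Line numbers in the findings are relative to the text passed in, so the full definition can be linted before it is submitted to create the source.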
