Currently, I have SailPoint IIQ integrated with CyberArk PAM using SCIM.
I am already able to aggregate accounts, groups, and privileged data successfully. After that, I tried to perform Container Aggregation (Safes). However, although the container aggregation process completes successfully, the Safes that already exist in CyberArk PAM do not appear in SailPoint under the Privileged Account Management menu.
On the other hand, if I create a new Container (Safe) directly from SailPoint, it is successfully created and becomes visible both in SailPoint and in CyberArk PAM.
Another issue is that when I try to add identities to a Container (Safe), I always get the following error:
“The system has encountered a serious error while processing your request. Report the following incident code to your system administrator: 1264036.”
The user I am trying to add already exists in my CyberArk PAM accounts, so I am not sure why this error occurs.
In addition, the Containers (Safes) that were aggregated can be seen in the SailPoint debug logs with the object type “Managed Attribute”. However, they do not appear in the Privileged Account Management menu.
Could u try to make the necessary GET call directly to the SCIM server and see if u get the containers (safes) back that u are lacking? Just to single out where the issue is occurring.
sailpoint.tools.GeneralException: The external application 'LDAP' could not be found.
at sailpoint.service.pam.PamExternalUserStoreService.getExternalApplication(PamExternalUserStoreService.java:125)
at sailpoint.service.pam.PamExternalUserStoreService.getExternalLink(PamExternalUserStoreService.java:145)
at sailpoint.service.pam.PamIdentitySuggestService.getPamAccounts(PamIdentitySuggestService.java:75)
at sailpoint.service.pam.PamIdentitySuggestService.getIdentities(PamIdentitySuggestService.java:49)
at sailpoint.rest.ui.pam.PamIdentitySuggestResource.getIdentities(PamIdentitySuggestResource.java:58)
at jdk.internal.reflect.GeneratedMethodAccessor11068.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:124)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:167)
at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$TypeOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:219)
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:79)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:475)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:397)
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:81)
at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:255)
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
at org.glassfish.jersey.internal.Errors.process(Errors.java:244)
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265)
at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:234)
at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:684)
at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:394)
at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:346)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:366)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:319)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:205)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:199)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at sailpoint.web.SailPointResponseFilter.doFilter(SailPointResponseFilter.java:88)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at sailpoint.rest.jaxrs.MethodOverrideFilter.doFilter(MethodOverrideFilter.java:90)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at sailpoint.rest.RestCsrfValidationFilter.doFilter(RestCsrfValidationFilter.java:71)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at sailpoint.rest.AuthenticationFilter.doFilter(AuthenticationFilter.java:109)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at sailpoint.web.TraversalVulnerabilityFilter.doFilter(TraversalVulnerabilityFilter.java:69)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at sailpoint.web.EntraProxyTeamsHeaderFilter.doFilter(EntraProxyTeamsHeaderFilter.java:105)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at sailpoint.web.SailPointContextRequestFilter.doFilter(SailPointContextRequestFilter.java:68)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at sailpoint.web.SailPointPollingRequestFilter.doFilter(SailPointPollingRequestFilter.java:158)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at sailpoint.web.ResponseHeaderFilter.doFilter(ResponseHeaderFilter.java:63)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:656)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:346)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:397)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:935)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1833)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:975)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:493)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
at java.base/java.lang.Thread.run(Thread.java:829)
Please find below the syslog associated with the incident you requested.
Do you mean that I should test the Get Container API using the SCIM URL?
If that is what you mean, I have already performed that test and it was successful.
However, one of the issues I am facing is that the Containers (Safes) that already exist in CyberArk do not appear in the Privileged Account Management menu after I run the aggregation process.
What makes this confusing is that when I check the SailPoint debug output, the Containers from CyberArk are present and can be seen in the list with the object type “ManagedAttribute”. In other words, the aggregation appears to be retrieving all the existing Safes correctly, but they are still not displayed in the Privileged Account Management interface.
AFAIK the error u are seeing is because u are aggregating “External” accounts, e.g. AD accounts. So IIQ will use the “source” attribute on e.g. the account and try to find a corresponding application in IIQ that matches the name “LDAP” to do a lookup (I remember as if this is for e.g. group membership info).
You have 2 options here from what I know.
Either transform the attribute via an aggregation rule to match an existing (e.g.) AD application where the account “lives”.
Or remove the source attribute from the schema, then run aggregation etc. and the error should not appear anymore. It only does it for accounts/groups with the source attribute set.
Ah, I understood it as if they weren’t getting into IIQ at all.
Could u send an example of one of these objects from debug mode, if possible, to verify if attributes look correct. Feel free to redact the needed values from the object if anything is sensitive.
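The first option from the reply above (remapping the value in an aggregation rule), sketched as an IdentityIQ Customization rule body in BeanShell. This is an added example, not code posted by anyone in the thread; the attribute name "source" and the names "LDAP" and "AD" come from the thread, and the mapping table is an assumption to adapt.

```java
// Customization rule body (BeanShell) for the CyberArk SCIM application.
// IIQ supplies: context (SailPointContext), log, object (ResourceObject).
import java.util.HashMap;
import java.util.Map;
import sailpoint.object.Application;

// Assumption: value sent by the PAM side -> name of the IIQ application
// where the external account actually lives.
Map sourceToApp = new HashMap();
sourceToApp.put("LDAP", "AD");

Object source = object.getAttribute("source");
if (source instanceof String) {
    String mapped = (String) sourceToApp.get(source);
    if (mapped != null) {
        // Rewrite the value so the later external-application lookup resolves.
        object.setAttribute("source", mapped);
    } else if (context.getObjectByName(Application.class, (String) source) == null) {
        // No mapping and no application of that name: record it during
        // aggregation instead of finding out through a UI incident code.
        log.warn("PAM object " + object.getIdentity()
                + " has source '" + source + "' with no matching IIQ application");
    }
}
return object;
```

The warning branch makes any further unmatched source values visible in the aggregation log, which is where a mismatch like the one in the stack trace above is easiest to trace.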
The solution you suggested was successful. After renaming my Active Directory application from AD to LDAP, the functionality started working correctly. I am now able to successfully add identities to the Container/Safe, and the issue appears to be resolved.
I performed a Container/Safe aggregation, and the process completed successfully with a Success status. However, when I open the Privileged Account Management menu, none of the Containers/Safes are displayed there.
I then checked the SailPoint debug output and found that the Containers/Safes from CyberArk are present as Managed Attributes.
Based on my understanding, these Containers/Safes should be visible in the Privileged Account Management menu after a successful aggregation. However, although they appear as Managed Attributes, they are not being displayed in the Privileged Account Management interface.
Your suggestion worked. The Containers/Safes are now visible in the Privileged Account Management menu after running the Target Aggregation Task.
I would like to better understand the purpose of the Target Aggregation Task. Is it only used to make Containers/Safes appear in the Privileged Account Management menu, or does it have other use cases and functions as well?