ISC Webservice HTTP operation account created but entitlement not added

The source account is created when an entitlement is requested for the web service, but the problem is that the entitlement is not added.

I have configured the following HTTP operations:
Account aggregation
Create account
Add Entitlement

I have also enabled “Create Account With “Ent” Request”.

The source API's limitation is that it cannot add an entitlement when calling the user API. To add or update an entitlement, a separate call to the entitlement API has to be made.

The business expectation is that the user should be created with the entitlement populated when the access request is approved.

Any suggestions?

Thanks

@erie-erie You need to set up the entitlement relationship with the account. Can you check the link below? It may be useful for your case.

Hey,

You have enabled the Create Account With “Ent” Request option, even though the source API cannot add an entitlement along with the user?

Whenever a request is made for a new user and Create Account With “Ent” Request is not selected, the following operations are triggered:

  1. Account Aggregation
  2. Add Entitlement

When you select the option, it would only run the Create Account operation and skip the Add Entitlement.

How can I create account and add entitlement?

Hi @erie-erie

It is a normal scenario for create account and add entitlement to have different endpoints. Looking at the description you have provided in the query, it seems to me that the add entitlement operation is having some issues.

If possible, could you share the request body and contextURL (of course, please hide the domain or any sensitive information) so that I can check and suggest further.

Another tip: you can just hardcode the endpoint and the body once, then try to make the request and see what happens. If it works, then it is obvious that there is some issue either in the contextURL or in the body generated from the provisioning plan.

I hope this works, please keep me posted.

Regards
Vikas

Hey,

If the Create Account With “Ent” Request flag is enabled, it should handle the Create Account along with the Add Entitlement.

For example,

  1. Create Account With “Ent” Request is Enabled.
    1.1. Create User operation is triggered.
    1.2. SailPoint assumes that the entitlements that need to be provisioned are included in the Create User operation.
    1.3. Because of point (1.2), it will skip the Add Entitlement operation.
    1.4. In total, one operation was called, i.e., Create Account.

  2. Create Account With “Ent” Request is Disabled.
    2.1. Create User operation is triggered.
    2.2. SailPoint will trigger the second operation to update the entitlement as well.
    2.3. Because of point (2.2), it will call the Add Entitlement operation.
    2.4. In total, two operations are called, i.e., Create Account & Add Entitlement, in that order.

Hi Erie,
For your web service to work, do the following.

  1. Disable the Create Account With Ent Request
  2. Configure Create Account and, in the response mapping, take the id that is returned in the response.
  3. In Add Entitlement, make sure you are passing that value from the Create Account response so that IdentityNow identifies the user that was created.

Let us know if you are still facing the issue.

Thanks
Rakesh Bhati

Hi, I appreciate your help. Here is my setup:

Create Account:

Context URL POST : /scim/v2/users
Header -> Accept: application/json
          Content-type: application/json
Request Body:
{
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
    ],
    "userName": "$plan.userName$",
    "name": {
        "givenName": "$plan.givenName$",
        "familyName": "$plan.familyName$"
    },
    "emails": [
        {
            "value": "$plan.email$"
        }
    ]
}

Root Path is empty
Response Mapping: Schema Attribute: id ----> Attribute Path: id

==================================================
POST method API Response:
{
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
    ],
    "id": "1111111111-2222222-33333",
    "externalId": "ewtqtkllrek",
    "meta": {
        "created": "2020-01-27T13:29:58.303-05:00",
        "location": "https://api.abc.com/scim/v2/users/1111111111-2222222-33333"
    },
    "userName": "[email protected]",
    "name": {
        "givenName": "aAdMn5",
        "familyName": "CZTIv3"
    },
    "displayName": "aAdMn5 CZTIv3",
    "active": true,
    "emails": [
        {
            "value": "[email protected]",
            "primary": true
        }
    ],
    "groups": []
}

Add Entitlement:

Context URL PATCH Method: /scim/v2/groups/$plan.roles$
Header -> Accept: application/json
          Content-type: application/json
Request Body: 
{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ],
    "Operations": [
        {
            "op": "Add",
            "path": "members",
            "value": [
                {
                    "value": "$plan.nativeIdentity$"
                }
            ]
        }
    ]
}

Do I have to define any root path? In my previous reply, I have included my setup and the API response.

Hi @erie-erie

Fortunately, I have done the same integration in the past. So here is what you need to do:

  1. Please configure the root path and response mapping for the create account operation. This will then help ISC store the information about the created account.

  2. For the add entitlement operation, the main thing is that you should set the entitlement attribute correctly in the context URL. To check this, you can open an entitlement, look at the value of the attribute field, and make sure that it is roles. If it is groups or something else, then you should use that instead, e.g. $plan.groups$ in the context URL. In my case, the attribute name for the entitlement is groups.

Please make these adjustments, and then hopefully it shall work.

Let us know the outcome.

Thank You
Regards
Vikas.

I configured it as you said and, in the middle of testing this, I started getting another issue, which I posted in a new thread.

Hi @erie-erie

Great to know that we have made progress. Let me have a look at the other thread and see if I can suggest something.

Regards
Vikas.

The solution is to add a Get Object operation after the create operation, followed by the add entitlement operation.

In get object operation:
/scim/v2/users/$getObject.nativeIdentity$

In Response mapping:
id ----> $.id

For add entitlement:
id ----> $plan.nativeIdentity$

For us, id is the nativeIdentity (for a newly created user, id is retrieved from the getObject operation).
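As an added illustration of the chain this thread settles on (Create Account, then Get Object, then Add Entitlement), here is a Python simulation; it is not SailPoint's connector code. The FakeScim service, the placeholder expansion in render(), the user ids it issues and the group id roles-admin are constructed stand-ins for the real API, and map_id=False shows what happens when the created user's id is never mapped to nativeIdentity.

```python
"""Added example, not SailPoint code: simulate the ISC Web Services chain Create Account ->
Get Object -> Add Entitlement against a constructed in-memory SCIM service."""
import re


class FakeScim:
    """Constructed stand-in for the target API; membership changes only via PATCH on a group."""
    def __init__(self):
        self.users = {}
        self.groups = {"roles-admin": {"members": []}}
    def call(self, method, url, body=None):
        if method == "POST" and url == "/scim/v2/users":
            uid = f"user-{len(self.users) + 1}"
            self.users[uid] = {**body, "id": uid, "groups": []}
            return 201, self.users[uid]
        if method == "GET" and url.startswith("/scim/v2/users/"):
            uid = url.rsplit("/", 1)[1]
            return (200, self.users[uid]) if uid in self.users else (404, {})
        if method == "PATCH" and url.startswith("/scim/v2/groups/"):
            gid = url.rsplit("/", 1)[1]
            if gid not in self.groups:
                return 404, {}
            members = [m["value"] for op in body["Operations"] for m in op["value"]]
            if any(m not in self.users for m in members):
                return 400, {"detail": "unknown member"}  # e.g. a literal "$plan.nativeIdentity$"
            self.groups[gid]["members"].extend(members)
            return 200, self.groups[gid]
        return 405, {}


def render(template, scope):
    """Expand $plan.x$ / $getObject.x$ placeholders; unresolved ones are left literal."""
    return re.sub(r"\$(\w+)\.(\w+)\$",
                  lambda m: str(scope.get(m.group(1), {}).get(m.group(2), m.group(0))), template)


def provision(api, plan, map_id=True):
    """Run the three operations; map_id=False mimics a Create Account with no id -> $.id mapping."""
    plan = dict(plan)
    _, created = api.call("POST", "/scim/v2/users", {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], "userName": plan["userName"]})
    if map_id:
        plan["nativeIdentity"] = created["id"]  # Create Account response mapping id -> $.id
    status, fetched = api.call("GET", render("/scim/v2/users/$getObject.nativeIdentity$", {"getObject": plan}))
    if status == 200:
        plan["nativeIdentity"] = fetched["id"]  # Get Object response mapping id -> $.id
    member = {"value": render("$plan.nativeIdentity$", {"plan": plan})}
    patch = {"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
             "Operations": [{"op": "add", "path": "members", "value": [member]}]}
    return api.call("PATCH", render("/scim/v2/groups/$plan.roles$", {"plan": plan}), patch)
```

With the id mapped, the PATCH carries the real user id and the group membership is added; without it, the PATCH body still contains the literal placeholder and the service rejects it, which is the symptom described at the top of the thread.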