Issue updating Atlassian Cloud accounts via the SCIM 2.0 connector

Which IIQ version are you inquiring about?

IdentityIQ 8.4p2

Share all details about your problem, including any error messages you may have received.

I’m configuring a SCIM 2.0 connector in IdentityIQ to manage Atlassian Cloud accounts. Account creation works fine using the provisioning policy, but updates to existing accounts aren’t applying. The modify operation generates a provisioning plan with the correct value in the master plan, and no errors appear. Other attributes are correctly filtered out because their values haven’t changed. (See logs below for details.)

I’m testing this using a custom rule in debug which sets up the Modify account request, but doesn’t pass any attribute requests since I want to test the provisioning policy setting the values.

I’ve included the application Update provisioning policy XML code below. The naming conventions of the attributes in the policy match the SCIM 2.0 schema, but I’m not sure if it will work to have it in the dot notation for name.familyName updates.

Any guidance would be much appreciated!

Please share any other relevant files that may be required (for example, logs).

(Logs) Compiled provisioning project:

<ProvisioningProject identity="V0123456">
  <ExpansionItems>
    <ExpansionItem application="Atlassian Cloud Manage Users" cause="ProvisioningPolicy" name="schemas" nativeIdentity="testaccount.dev@org.ca" operation="Add" sourceInfo="Atlassian Cloud Manage Users" value="urn:ietf:params:scim:schemas:core:2.0:User"/>
  </ExpansionItems>
  <Filtered>
    <AccountRequest application="Atlassian Cloud Manage Users" nativeIdentity="testaccount.dev@org.ca" op="Modify">
      <AttributeRequest name="userName" op="Set" value="testaccount.dev@org.ca">
        <Attributes>
          <Map>
            <entry key="reason">
              <value>
                <FilterReason>Exists</FilterReason>
              </value>
            </entry>
          </Map>
        </Attributes>
      </AttributeRequest>
      <AttributeRequest name="name.givenName" op="Set" value="Jane">
        <Attributes>
          <Map>
            <entry key="reason">
              <value>
                <FilterReason>Exists</FilterReason>
              </value>
            </entry>
          </Map>
        </Attributes>
      </AttributeRequest>
      <AttributeRequest name="emails.work.primary.value" op="Set" value="testaccount.dev@org.ca">
        <Attributes>
          <Map>
            <entry key="reason">
              <value>
                <FilterReason>Exists</FilterReason>
              </value>
            </entry>
          </Map>
        </Attributes>
      </AttributeRequest>
      <AttributeRequest name="active" op="Set">
        <Attributes>
          <Map>
            <entry key="reason">
              <value>
                <FilterReason>Exists</FilterReason>
              </value>
            </entry>
          </Map>
        </Attributes>
        <Value>
          <Boolean>true</Boolean>
        </Value>
      </AttributeRequest>
    </AccountRequest>
  </Filtered>
  <MasterPlan>
    <ProvisioningPlan>
      <AccountRequest application="Atlassian Cloud Manage Users" nativeIdentity="testaccount.dev@org.ca" op="Modify">
        <AttributeRequest name="name.familyName" op="Set" value="DoeTestFromProvisioningPolicy"/>
      </AccountRequest>
    </ProvisioningPlan>
  </MasterPlan>
  <ProvisioningPlan targetIntegration="Atlassian Cloud Manage Users" trackingId="1c72d6b9d19e4497bf9d54c33e3108a0">
    <AccountRequest application="Atlassian Cloud Manage Users" nativeIdentity="1234ab4c-04c6-35e4-abb1-5ec1337fc4d6" op="Modify">
      <AttributeRequest name="name.familyName" op="Set" value="DoeTestFromProvisioningPolicy"/>
      <AttributeRequest name="schemas" op="Add" value="urn:ietf:params:scim:schemas:core:2.0:User"/>
    </AccountRequest>
  </ProvisioningPlan>
<ProvisioningTarget assignmentId="a12b12345664fd0acfe8bc850007f23" retain="true" role="Alumni">
    <AccountSelection applicationId="0ee84309437962c701437966ba920004" applicationName="LDAP" selection="uid=testaccount,ou=people,dc=org,dc=ca">
      <AccountInfo displayName="testaccount" nativeIdentity="uid=testaccount,ou=people,dc=org,dc=ca"/>
    </AccountSelection>
    <AccountSelection applicationId="8e6876c485361392848536a3c89b0025" applicationName="Affiliator" selection="V00123456">
      <AccountInfo displayName="V00123456" nativeIdentity="V00123456"/>
    </AccountSelection>
  </ProvisioningTarget>
...
  <ProvisioningTarget assignmentId="12345f0b6a904671822f4d20b75b1eda" retain="true" role="Adobe Employee Subscriber">
    <AccountSelection applicationId="0ee1234567962c701437966ba920004" applicationName="LDAP" selection="uid=testaccount,ou=people,dc=org,dc=ca">
      <AccountInfo displayName="testaccount" nativeIdentity="uid=testaccount,ou=people,dc=org,dc=ca"/>
    </AccountSelection>
  </ProvisioningTarget>
</ProvisioningPlan>

Here’s the update provisioning policy on the application:

  <ProvisioningForms>
    <Form name="Atlassian Cloud Manage Users Account Creation Policy" objectType="account" type="Create">
      <Attributes>
        <Map>
          <entry key="pageTitle" value="Atlassian Cloud Manage Users Account Creation Policy"/>
        </Map>
      </Attributes>
      <Section>
        <Field displayName="UserName (org Email)" name="userName" type="string">
          <Script>
            <Source>
                            import org.apache.logging.log4j.Logger;
                            import org.apache.logging.log4j.LogManager;

                            Logger log = LogManager.getLogger("ca.org.idam.AtlassianCloudManageUsersAccountCreationPolicy");
                            String value = identity.getAttribute("netlink");
                            String updatedValue = (value != null) ? value + ".dev" + "@org.ca" : value;
                            log.debug("Atlassian Cloud Manage Users account creation policy get userName (org Email): " + updatedValue);
                            return updatedValue;
                        </Source>
          </Script>
        </Field>
        <Field displayName="Last Name" name="name.familyName" type="string">
          <Script>
            <Source>
                            import org.apache.logging.log4j.Logger;
                            import org.apache.logging.log4j.LogManager;

                            Logger log = LogManager.getLogger("ca.org.idam.AtlassianCloudManageUsersAccountCreationPolicy");
                            String value = identity.getLastname();
                            log.debug("Atlassian Cloud Manage Users account creation policy get familyName: " + value);
                            return value;
                        </Source>
          </Script>
        </Field>
        <Field displayName="First Name" name="name.givenName" type="string">
          <Script>
            <Source>
                            import org.apache.logging.log4j.Logger;
                            import org.apache.logging.log4j.LogManager;

                            Logger log = LogManager.getLogger("ca.org.idam.AtlassianCloudManageUsersAccountCreationPolicy");
                            String value = identity.getStringAttribute("pref_first_name");
                            log.debug("Atlassian Cloud Manage Users account creation policy get givenName (preferredName): " + value);
                            return value;
                        </Source>
          </Script>
        </Field>
        <Field displayName="Primary Email" name="emails.work.primary.value" type="string">
          <Script>
            <Source>
                            import org.apache.logging.log4j.Logger;
                            import org.apache.logging.log4j.LogManager;

                            Logger log = LogManager.getLogger("ca.org.idam.AtlassianCloudManageUsersAccountCreationPolicy");
                            String value = identity.getAttribute("netlink");
                            String updatedValue = (value != null) ? value + ".dev" + "@org.ca" : value;
                            log.debug("Atlassian Cloud Manage Users account creation policy get primary email (org Email): " + updatedValue);
                            return updatedValue;
                        </Source>
          </Script>
        </Field>
        <Field displayName="Active Status" name="active" type="boolean" value="true"/>
        <Field displayName="Groups" multi="true" name="groups" type="list"/>
        <Field name="schemas" type="string" value="urn:ietf:params:scim:schemas:core:2.0:User"/>
      </Section>
    </Form>
    <Form name="Atlassian Cloud Manage Users Account Update Policy" objectType="account" type="Update">
      <Attributes>
        <Map>
          <entry key="pageTitle" value="Atlassian Cloud Manage Users Account Update Policy"/>
        </Map>
      </Attributes>
      <Section>
        <Field displayName="UserName (org Email)" name="userName" type="string">
          <Script>
            <Source>
                            import org.apache.logging.log4j.Logger;
                            import org.apache.logging.log4j.LogManager;

                                Logger log = LogManager.getLogger("ca.org.idam.AtlassianCloudManageUsersAccountUpdatePolicy");
                                String value = identity.getAttribute("username");
                                String updatedValue = (value != null) ? value + ".dev" + "@org.ca" : value;
                                log.debug("Atlassian Cloud Manage Users account update policy get userName (org Email): " + updatedValue);
                                return updatedValue;
                        </Source>
          </Script>
        </Field>
        <Field displayName="Last Name" name="name.familyName" type="string">
          <Script>
            <Source>
                            import org.apache.logging.log4j.Logger;
                            import org.apache.logging.log4j.LogManager;

                            Logger log = LogManager.getLogger("ca.org.idam.AtlassianCloudManageUsersAccountUpdatePolicy");
                            String value = identity.getLastname();
                            log.debug("Atlassian Cloud Manage Users account update policy get familyName: " + value);
                        		
              							//testing
              							log.debug("setting name.familyName to DoeTestFromProvisioningPolicy");
              							value = "DoeTestFromProvisioningPolicy";
                            return value;
                        </Source>
          </Script>
        </Field>
        <Field displayName="First Name" name="name.givenName" type="string">
          <Script>
            <Source>
                            import org.apache.logging.log4j.Logger;
                            import org.apache.logging.log4j.LogManager;

                            Logger log = LogManager.getLogger("ca.org.idam.AtlassianCloudManageUsersAccountUpdatePolicy");
                            String value = identity.getStringAttribute("pref_first_name");
                            log.debug("Atlassian Cloud Manage Users account update policy get givenName (preferredName): " + value);
                            return value;
                        </Source>
          </Script>
        </Field>
        <Field displayName="Primary Email" name="emails.work.primary.value" type="string">
          <Script>
            <Source>
                            import org.apache.logging.log4j.Logger;
                            import org.apache.logging.log4j.LogManager;

                            Logger log = LogManager.getLogger("ca.org.idam.AtlassianCloudManageUsersAccountUpdatePolicy");
                            String value = identity.getAttribute("username");
                            String updatedValue = (value != null) ? value + ".dev" + "@org.ca" : value;
                            log.debug("Atlassian Cloud Manage Users account Update policy get primary email (org Email): " + updatedValue);
                            return updatedValue;
                        </Source>
          </Script>
        </Field>
        <Field displayName="Active Status" name="active" type="boolean" value="true"/>
        <Field displayName="Groups" multi="true" name="groups" type="list"/>
        <Field name="schemas" type="string" value="urn:ietf:params:scim:schemas:core:2.0:User"/>
      </Section>
    </Form>
  </ProvisioningForms>

The dot notation should be fine. Are you expecting only familyName to update in this scenario? It’s the only attribute that doesn’t seem to be getting filtered. You also didn’t provide your full ProvisioningProject log. Is there a true integration plan after the master plan?

Also, in your test rule are you executing the compiled project to actually provision the changes? You probably are but just double checking.

1 Like
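The questions in the reply above (which attributes were filtered, and whether an integration plan follows the master plan) can be answered mechanically from a logged project. This is an added example, not code from the thread or from SailPoint: it assumes only the XML shapes visible in the logs on this page, and the sample project and its application name and identifiers are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the shape of the project logged in this thread.
SAMPLE_PROJECT = """<ProvisioningProject identity="V0000000">
  <Filtered>
    <AccountRequest application="Example SCIM App" nativeIdentity="user@example.org" op="Modify">
      <AttributeRequest name="name.givenName" op="Set" value="Jane">
        <Attributes><Map><entry key="reason"><value>
          <FilterReason>Exists</FilterReason>
        </value></entry></Map></Attributes>
      </AttributeRequest>
    </AccountRequest>
  </Filtered>
  <MasterPlan>
    <ProvisioningPlan>
      <AccountRequest application="Example SCIM App" nativeIdentity="user@example.org" op="Modify">
        <AttributeRequest name="name.familyName" op="Set" value="Doe"/>
      </AccountRequest>
    </ProvisioningPlan>
  </MasterPlan>
  <ProvisioningPlan targetIntegration="Example SCIM App">
    <AccountRequest application="Example SCIM App" nativeIdentity="0000-constructed-id" op="Modify">
      <AttributeRequest name="name.familyName" op="Set" value="Doe"/>
    </AccountRequest>
  </ProvisioningPlan>
</ProvisioningProject>"""

def attr_names(node):
    """Names of every AttributeRequest under node (empty list if node is missing)."""
    return [] if node is None else [a.get("name") for a in node.iter("AttributeRequest")]

def summarize_project(xml_text):
    """Split a logged ProvisioningProject into filtered, master and integration parts."""
    root = ET.fromstring(xml_text)
    filtered = {a.get("name"): a.findtext(".//FilterReason")
                for a in root.findall("./Filtered//AttributeRequest")}
    master = attr_names(root.find("./MasterPlan"))
    integrations = []
    for plan in root.findall("./ProvisioningPlan"):  # direct children only, not the master plan
        for req in plan.findall("AccountRequest"):
            result = req.find("ProvisioningResult")
            integrations.append({
                "target": plan.get("targetIntegration"),
                "nativeIdentity": req.get("nativeIdentity"),
                "attributes": attr_names(req),
                # None means no ProvisioningResult element was logged for this request
                "status": result.get("status") if result is not None else None,
            })
    return {"filtered": filtered, "master": master, "integrations": integrations}

def unsent(summary):
    """Master-plan attributes that appear in no integration plan."""
    sent = {name for i in summary["integrations"] for name in i["attributes"]}
    return [name for name in summary["master"] if name not in sent]
```

A `status` of `committed` only reports what IdentityIQ recorded for the request, so the value on the target account still needs to be confirmed separately.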

Yeah, I’m just expecting the familyName to be updated in this scenario, so the other items being filtered out because they aren’t changing is expected. I’ve updated this post to have the full compiled project output from the logs. After the master plan there’s a bunch of provisioning target items from other services in IIQ with attribute syncing, but I noticed there’s no status = "committed" XML section at the very end like other provisioning plans.

To confirm, I am executing the compiled project directly after logging it in the debug test rule:

provisioner.execute(project);
context.saveObject(identity);
context.commitTransaction();

But I added a before provisioning rule, which does have the request, so I’ll try adding an after provisioning rule as well, since it does seem to be sending the request to the application.

AtlassianCloudManageUsersBeforeProvisioning: <?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan nativeIdentity="V00123456" targetIntegration="Atlassian Cloud Manage Users" trackingId="2e123b45fcb67829823e6996ec6aa902">
<AccountRequest application="Atlassian Cloud Manage Users" nativeIdentity="1234cb4b-04c8-40e4-add1-5ec1007fc6d6" op="Modify">
<AttributeRequest name="name.familyName" op="Set" value="DoeTestFromProvisioningPolicy"/>
<AttributeRequest name="schemas" op="Add" value="urn:ietf:params:scim:schemas:core:2.0:User"/>
</AccountRequest>
</ProvisioningPlan>

Interestingly, the provisioning plan is showing the status as committed in the after provisioning rule; however, neither the IIQ link nor the account in the Atlassian Cloud admin centre is getting updated with the new last name value.

I’m setting the nativeIdentity to the id since the account schema has id as the Identity Attribute and userName as the display name.

2025-09-19T16:43:13,126 DEBUG ajp-nio-127.0.0.1-8010-exec-1 ca.org.idam.SarahTestAtlassianCloudManageUsersBeforeProvisioning: accountRequest: <?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE AccountRequest PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<AccountRequest application="Atlassian Cloud Manage Users" nativeIdentity="1234cb4b-04c8-40e4-add1-5ec1007fc6d6" op="Modify">
  <AttributeRequest name="name.familyName" op="Set" value="DoeTestFromProvisioningPolicy"/>
  <AttributeRequest name="schemas" op="Add" value="urn:ietf:params:scim:schemas:core:2.0:User"/>
</AccountRequest>
2025-09-19T16:43:13,341 DEBUG ajp-nio-127.0.0.1-8010-exec-1 ca.uvic.idam.SarahTestAtlassianCloudManageUsersAfterAccountProvisioning: Atlassian Cloud Manage Users After Provisioning plan: <?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan nativeIdentity="V00123456" targetIntegration="Atlassian Cloud Manage Users" trackingId="1234e0d5ff3e455baa934837411d2981">
  <AccountRequest application="Atlassian Cloud Manage Users" nativeIdentity="1234cb4b-04c8-40e4-add1-5ec1007fc6d6" op="Modify">
    <AttributeRequest name="name.familyName" op="Set" value="DoeTestFromProvisioningPolicy"/>
    <AttributeRequest name="schemas" op="Add" value="urn:ietf:params:scim:schemas:core:2.0:User"/>
    <ProvisioningResult status="committed"/>
  </AccountRequest>
</ProvisioningPlan>

Update: I set up a target/source mapping on the identity ObjectConfig, then updated the value coming from the source, which did push out that value along with another test value from the update provisioning policy. It seems like having a programmatic request to kick off the update/modify plan AND having the values set with an update provisioning policy cancels out the request, but it still shows as committed with no error messaging.

Curious if anyone knows if it is possible to manually provision item values from a rule when those values have default mappings in the Update provisioning policy for the SCIM 2.0 connector?

Since the target/source mapping works, I don’t need the rule to, but I would expect that to at least error if it’s not actually getting a 200 response back from the SCIM 2.0 endpoint.

In general I try to avoid Update policies, since these will be invoked every time there is any provisioning to the target application. Instead, I do like your approach of using a target in ObjectConfig.

About your question: What do you mean by manually provision something?

You can always create a provisioning plan, compile it and execute it using Provisioner.

An even more hardcore way would be to instantiate a connector and push a plan to it. This will result in provisioning that IIQ will not even know about, so the changes will not be visible on the link until the aggregation (but I guess this is not what you want in this case).

Alek

1 Like

Hi Alek,

By manually provisioning, I mean creating a one-off provisioning plan, compiled and executed in a one-off rule script. I think the issue is that I had the assumption that the values to return have to be mapped in the update policy in order to have data synced, but it seems like the target mapping in the object config should do essentially the same thing of enforcing that the value is in sync with the source value. That’s good to know about the custom connector changes not showing data on the link until after the aggregation pulls it in.

Cheers!

I removed the update provisioning policy entirely and the identity objectConfig target/source mapping still pushed out the source value automatically when it changed, so it seems like the provisioning policy is no longer required! In the past we’ve required at least an empty provisioning policy for the update provisioning to work.

1 Like
