Issue with Okta SaaS Connector: Test Connection Fails When Created via API

I’m working on creating Okta connectors through Postman and encountered an issue.

Scenario 1: Okta Connector

I used the following payload to create an Okta connector:

{
	"description": "TestOktaThroughAPI",
	"owner": {
		"type": "IDENTITY",
		"id": "e1fc5ae146404b088bc5c5e66046eb90",
		"name": "Thippeswamy H.anumanthappa"
	},
	"cluster": {
		"type": "CLUSTER",
		"id": "96e363830182411c8bcedf505a19ec4d",
		"name": "AWS Cluster"
	},
	"passwordPolicies": null,
	"type": "Okta",
	"connector": "okta-angularsc",
	"connectorClass": "sailpoint.connector.OpenConnectorAdapter",
	"connectorAttributes": {
		"connectionType": "direct",
		"connectorClass": "openconnector.connector.okta.OktaConnector",
		"authtype": "API Token",
		"host": "https://trial-5102834.okta.com/",
		"cloudExternalId": "204498",
		"templateApplication": "Okta",
		"apiToken": "00DeSyytRbSQcIBRH-0f2fyLbguufvdseNNMXZWR8rgMSukXBb8q",
		"encrypted": "apiToken,private_key,private_key_password,accessToken",
		"cloudDisplayName": "TestOktaThroughAPI",
		"connectorName": "Okta"
	},
	"connectorId": "okta-angularsc",
	"connectorName": "Okta",
	"connectionType": "direct",
	"connectorImplementationId": "okta-angularsc",
	"name": "TestOktaThroughAPI"
}

The connector was created successfully, and the test connection showed as successful in SailPoint.

Scenario 2: Okta SaaS Connector

I used the following payload to create an Okta SaaS connector:

{
	"description": "TestOktaSaasThroughAPI",
	"owner": {
		"type": "IDENTITY",
		"id": "e1fc5ae146404b088bc5c5e66046eb90",
		"name": "Thippeswamy H.anumanthappa"
	},
	"cluster": {
		"type": "CLUSTER",
		"id": "96e363830182411c8bcedf505a19ec4d",
		"name": "AWS Cluster"
	},
	"type": "49836d9c-290a-4225-8380-641237e98cc2",
	"connector": "oktasaas",
	"connectorClass": "",
	"connectorAttributes": {
		"connectionType": "direct",
		"authtype": "API Token",
		"host": "https://trial-5102834.okta.com/",
		"cloudExternalId": "205923",
		"templateApplication": "Okta SaaS",
		"apiToken": "00DeSyytRbSQcIBRH-0f2fyLbguufvdseNNMXZWR8rgMSukXBb8q",
		"cloudDisplayName": "TestOktaSaasThroughAPI",
		"connectorName": "Okta SaaS"
	},
	"connectorId": "oktasaas",
	"connectorName": "Okta SaaS",
	"connectionType": "direct",
	"connectorImplementationId": "oktasaas",
	"name": "TestOktaSaasThroughAPI"
}

The connector was also created successfully in SailPoint, but when I attempt to test the connection, I receive the following error:
sailpoint.tools.GeneralException: Couldn’t load connector class:

Observation

  • For both “Okta” and “Okta SaaS” connectors, we retrieve the connector class name using the “Get Connector Source Template API.”

  • While we receive a connector class name for the Okta connector, the Okta SaaS connector returns an empty class name. Therefore, we didn’t include a connector class name in the Okta SaaS payload.

  • We also tried using the Okta connector class name for Okta SaaS, but the test connection still fails with the same error.

  • Interestingly, when creating the Okta SaaS connector through the SailPoint UI using the same host name and API key, the test connection is successful.

Request for Help

Can someone please guide us on how to resolve this issue?
Also what is the difference between Okta and Okta-Saas Connector?

Hello @swamy97,

I unfortunately cant provide much help regarding the problem itself.
If you examine the UI-made and the API-made SaaS connector using list-sources, do you see a difference?

However, I just wanted to answer your questions regarding the SaaS vs not, the big difference is that the Okta SaaS connector does not require a VA. The connector is hosted by the Sailpoint cloud instead of the VA.

Looks like your missing some code.

Okta Payload :

{
	"description": "TestOktaThroughAPINew1",
	"owner": {
		"type": "IDENTITY",
		"id": "e1fc5ae146404b088bc5c5e66046eb90",
		"name": "Thippeswamy H.anumanthappa"
	},
	"cluster": {
		"type": "CLUSTER",
		"id": "96e363830182411c8bcedf505a19ec4d",
		"name": "AWS Cluster"
	},
	"passwordPolicies": null,
	"type": "Okta",
	"connector": "okta-angularsc",
	"connectorClass": "sailpoint.connector.OpenConnectorAdapter",
	"connectorAttributes": {
		"connectionType": "direct",
		"connectorClass": "openconnector.connector.okta.OktaConnector",
		"authtype": "API Token",
		"host": "",
		"cloudExternalId": "204498",
		"templateApplication": "Okta",
		"apiToken": "00DeSyytRbSQcIBRH-0f2fyLbguufvdseNNMXZWR8rgMSukXBb8q",
		"encrypted": "apiToken,private_key,private_key_password,accessToken",
		"cloudDisplayName": "TestOktaThroughAPINew1",
		"connectorName": "Okta"
	},
	"connectorId": "okta-angularsc",
	"connectorName": "Okta",
	"connectionType": "direct",
	"connectorImplementationId": "okta-angularsc",
	"name": "TestOktaThroughAPINew1"
}

Okta-Saas Payload :

{
    "description": "TestOktaSaasThroughAPI2",
    "owner": {
        "type": "IDENTITY",
        "id": "e1fc5ae146404b088bc5c5e66046eb90",
        "name": "Thippeswamy H.anumanthappa"
    },
    "cluster": {
        "type": "CLUSTER",
        "id": "96e363830182411c8bcedf505a19ec4d",
        "name": "AWS Cluster"
    },
    "connector": "oktasaas",
    "connectorClass": "",
    "connectorAttributes": {
        "connectionType": "direct",
        "authtype": "API Token",
        "host": "",
        "cloudExternalId": "205923",
        "templateApplication": "Okta SaaS",
        "apiToken": "00DeSyytRbSQcIBRH-0f2fyLbguufvdseNNMXZWR8rgMSukXBb8q",
        "encrypted": "apiToken,private_key,private_key_password,accessToken",
        "cloudDisplayName": "TestOktaSaasThroughAPI2",
        "connectorName": "Okta SaaS"
    },
    "connectorId": "oktasaas",
    "connectorName": "Okta SaaS",
    "connectionType": "direct",
    "connectorImplementationId": "oktasaas",
    "name": "TestOktaSaasThroughAPI2"
}

The payloads I’m using are nearly identical for both Okta and Okta-Saas, with the primary difference being that I do not pass the connector class name for the Okta SaaS connector since it’s not available in the Connector Source Template.

Despite the similar setup, the test connection works for the Okta connector but fails for the Okta SaaS connector.

Below are the connector details retrieved from the API after creation:
Okta Connector details :

{
    "description": "TestOktaSaasThroughAPI2",
    "owner": {
        "type": "IDENTITY",
        "id": "e1fc5ae146404b088bc5c5e66046eb90",
        "name": "Thippeswamy H.anumanthappa"
    },
    "cluster": {
        "type": "CLUSTER",
        "id": "96e363830182411c8bcedf505a19ec4d",
        "name": "AWS Cluster"
    },
    "accountCorrelationConfig": null,
    "accountCorrelationRule": null,
    "managerCorrelationMapping": null,
    "managerCorrelationRule": null,
    "beforeProvisioningRule": null,
    "schemas": [{
        "type": "CONNECTOR_SCHEMA",
        "id": "fe4bbb1d749e4b14bafb5d569f70cb92",
        "name": "account"
    }, {
        "type": "CONNECTOR_SCHEMA",
        "id": "f6309e684f854334ad06c4c89fb7855f",
        "name": "group"
    }],
    "passwordPolicies": null,
    "features": ["UNLOCK", "ENABLE", "PASSWORD", "GROUP_PROVISIONING", "PROVISIONING"],
    "type": "49836d9c-290a-4225-8380-641237e98cc2",
    "connector": "oktasaas",
    "connectorClass": "",
    "connectorAttributes": {
        "deleteThresholdPercentage": 10,
        "connectionType": "direct",
        "authtype": "API Token",
        "cloudCacheUpdate": 1723122461540,
        "templateApplication": "Okta SaaS",
        "apiToken": "2_{\"KEY_ID\":\"\",\"KEY\":\"lvv2qKHLKDB3XM29FUiQyj2ECYKu0262ZCZmdcKpsRWhBiGAup+xYD58aYpEYAxti/wUFVnIo5P/\\r\\nvKR/73zx/zfCtJnKYMkUefO9wRivPGyGwOqhJS0M3SkaFdOyRCooGd17YhPGTZFp6RL2X60Bp5Xy\\r\\nq0rqGKMX2/q1gmJCYC+I3JzscFKbj6GCpYkY5HXtCPXtzivsCNIJLXN6vdffmRs1HnZAwpXkelfN\\r\\nUJ1OfAQK3SrNfvMq7BGJkbtQEu+1cXHBcmmgWXUvdA/gPy9P2otVKy8Ga9DJycRHXjZhroHAkfZV\\r\\nlQb03iUHQQtdvW+aEMErip3wFPt3/qPR9ExkOw\\u003d\\u003d\",\"SECRET\":\"B2CB3746E07E94FA43B7505BFE1BFD79B338B9F583C90DFA277D29B9862961D3104A176A546B0BB669743419DB8FCD9A456420A3::2D3C193A67320B7501D8CA3DE5564DF7\"}",
        "encrypted": "apiToken,private_key,private_key_password,accessToken",
        "healthy": false,
        "cloudDisplayName": "TestOktaSaasThroughAPI2",
        "host": "",
        "cloudExternalId": "210295",
        "connectorName": "Okta SaaS",
        "beforeProvisioningRule": null,
        "since": "2024-08-08T13:07:39.896Z",
        "status": "SOURCE_STATE_UNCHECKED_SOURCE_NO_ACCOUNTS"
    },
    "deleteThreshold": 10,
    "authoritative": false,
    "healthy": false,
    "status": "SOURCE_STATE_UNCHECKED_SOURCE_NO_ACCOUNTS",
    "since": "2024-08-08T13:07:39.896Z",
    "connectorId": "oktasaas",
    "connectorName": "Okta SaaS",
    "connectionType": "direct",
    "connectorImplementationId": "oktasaas",
    "managementWorkgroup": null,
    "credentialProviderEnabled": false,
    "category": null,
    "id": "c78e2ce2a6544e458ee498d85104bacf",
    "name": "TestOktaSaasThroughAPI2",
    "created": "2024-08-08T13:07:39.896Z",
    "modified": "2024-08-08T13:07:41.540Z"
}

Okta-Saas Connector details :

{
    "description": "TestOktaThroughAPINew1",
    "owner": {
        "type": "IDENTITY",
        "id": "e1fc5ae146404b088bc5c5e66046eb90",
        "name": "Thippeswamy H.anumanthappa"
    },
    "cluster": {
        "type": "CLUSTER",
        "id": "96e363830182411c8bcedf505a19ec4d",
        "name": "AWS Cluster"
    },
    "accountCorrelationConfig": {
        "type": "ACCOUNT_CORRELATION_CONFIG",
        "id": "8393414cae2f4daf8b9571aab5b86fd0",
        "name": "Okta Account Correlation Config"
    },
    "accountCorrelationRule": null,
    "managerCorrelationMapping": null,
    "managerCorrelationRule": null,
    "beforeProvisioningRule": null,
    "schemas": [{
        "type": "CONNECTOR_SCHEMA",
        "id": "71ad636574ad402e945f0814b55ebc38",
        "name": "account"
    }, {
        "type": "CONNECTOR_SCHEMA",
        "id": "c55cb25335894313bf4360276d0c1aee",
        "name": "group"
    }],
    "passwordPolicies": null,
    "features": ["SEARCH", "AUTHENTICATE", "DISCOVER_SCHEMA", "UNLOCK", "ENABLE", "PASSWORD", "SYNC_PROVISIONING", "PROVISIONING", "CURRENT_PASSWORD"],
    "type": "Okta",
    "connector": "okta-angularsc",
    "connectorClass": "sailpoint.connector.OpenConnectorAdapter",
    "connectorAttributes": {
        "sourceConnected": true,
        "deleteThresholdPercentage": 10,
        "connectionType": "direct",
        "connectorClass": "openconnector.connector.okta.OktaConnector",
        "authtype": "API Token",
        "slpt-source-diagnostics": "{\"connector\":\"okta-angularsc\",\"status\":\"SOURCE_STATE_HEALTHY\",\"healthy\":true,\"healthcheckDisabled\":false,\"healthcheckCount\":1,\"lastHealthcheck\":1723120990619,\"statusChanged\":1723120990619}",
        "cloudCacheUpdate": 1723120997807,
        "templateApplication": "Okta",
        "apiToken": "2_{\"KEY_ID\":\"\",\"KEY\":\"X8sRG0BOGeZUsjV/SpqQXVymy6om86OpRCvJBFuOZ2EfIMZ1rwyDvimz+dlxr9ey7Oa1F6cSejhV\\r\\niI6tgO6l4zkk1s2Wi6ltyMMt7e6NRvfwH8iYGXQD8I6I0TCx0hyVgYdeqhUkj/Md+chBpV6FLnE0\\r\\nl5beabRjXUYpT+ixFDWJwcEW/DtQz8taujj8t20DwknxJEmsxq1m6OAMtwnfyjFGtHbJ+705fgKV\\r\\nabCVN0aFPC/0pc91qzNUFhMNlynqw7OgAWbR0zkZOzykK5uM0iRiNHnRCvE2ivvcqQZbPYbXmBEa\\r\\nzLr/9iFk5IeBik/P5bdxLfLWOyxpXghsHEtj8A\\u003d\\u003d\",\"SECRET\":\"8F8B01129BBEA65711F4AC4CFCE1455498F014F8BE2B0673AC81897891D2018573AE2BD402C6B7134C28::300A1E98A3ED2DAAE670E28EAEAA0A28\"}",
        "encrypted": "apiToken,private_key,private_key_password,accessToken",
        "healthy": true,
        "cloudDisplayName": "TestOktaThroughAPINew1",
        "host": "",
        "cloudExternalId": "210289",
        "connectorName": "Okta",
        "beforeProvisioningRule": null,
        "since": "2024-08-08T12:43:10.619Z",
        "status": "SOURCE_STATE_HEALTHY"
    },
    "deleteThreshold": 10,
    "authoritative": false,
    "healthy": true,
    "status": "SOURCE_STATE_HEALTHY",
    "since": "2024-08-08T12:43:10.619Z",
    "connectorId": "okta-angularsc",
    "connectorName": "Okta",
    "connectionType": "direct",
    "connectorImplementationId": "okta-angularsc",
    "managementWorkgroup": null,
    "credentialProviderEnabled": false,
    "category": null,
    "id": "d076b8dabec34926a87c2432e9ac76a1",
    "name": "TestOktaThroughAPINew1",
    "created": "2024-08-08T12:42:39.929Z",
    "modified": "2024-08-08T12:43:17.807Z"
}

Key Differences Noticed:

  • Connector Class:
    • Okta: sailpoint.connector.OpenConnectorAdapter
    • Okta SaaS: "" (Empty)
  • Health Status:
    • Okta: "healthy": true, "status": "SOURCE_STATE_HEALTHY"
    • Okta SaaS: "healthy": false, "status": "SOURCE_STATE_UNCHECKED_SOURCE_NO_ACCOUNTS"

Question:

What could be causing the test connection to fail for the Okta SaaS connector? Do I need to specify the connectorClass for the Okta SaaS connector, and if so, what value should I use?

Note: I’m using the correct host URL in the payloads, but due to browser limitations, I can only paste one link at a time.

Give it a try connectorClass": “sailpoint.connector.OpenConnectorAdapter”,

1 Like

I added the connectorClass : sailpoint.connector.OpenConnectorAdapter attribute in the payload:

{
	"description": "TestOktaSaasThroughAPI3",
	"owner": {
		"type": "IDENTITY",
		"id": "e1fc5ae146404b088bc5c5e66046eb90",
		"name": "Thippeswamy H.anumanthappa"
	},
	"cluster": {
		"type": "CLUSTER",
		"id": "96e363830182411c8bcedf505a19ec4d",
		"name": "AWS Cluster"
	},
	"connector": "oktasaas",
	"connectorClass": "sailpoint.connector.OpenConnectorAdapter",
	"connectorAttributes": {
		"connectionType": "direct",
		"authtype": "API Token",
		"host": "https://trial-5102834.okta.com/",
		"cloudExternalId": "205923",
		"templateApplication": "Okta SaaS",
		"apiToken": "00DeSyytRbSQcIBRH-0f2fyLbguufvdseNNMXZWR8rgMSukXBb8q",
		"encrypted": "apiToken,private_key,private_key_password,accessToken",
		"cloudDisplayName": "TestOktaSaasThroughAPI3",
		"connectorName": "Okta SaaS"
	},
	"connectorId": "oktasaas",
	"connectorName": "Okta SaaS",
	"connectionType": "direct",
	"connectorImplementationId": "oktasaas",
	"name": "TestOktaSaasThroughAPI3"
}

However, after creating the connector through the API, I retrieved the following connector details:

{
    "description": "TestOktaSaasThroughAPI3",
    "owner": {
        "type": "IDENTITY",
        "id": "e1fc5ae146404b088bc5c5e66046eb90",
        "name": "Thippeswamy H.anumanthappa"
    },
    "cluster": {
        "type": "CLUSTER",
        "id": "96e363830182411c8bcedf505a19ec4d",
        "name": "AWS Cluster"
    },
    "accountCorrelationConfig": null,
    "accountCorrelationRule": null,
    "managerCorrelationMapping": null,
    "managerCorrelationRule": null,
    "beforeProvisioningRule": null,
    "schemas": [
        {
            "type": "CONNECTOR_SCHEMA",
            "id": "c7edc81796434200846b0abf1f1231ec",
            "name": "account"
        },
        {
            "type": "CONNECTOR_SCHEMA",
            "id": "b142d0a71d844f3ea41e9678d78bdba0",
            "name": "group"
        }
    ],
    "passwordPolicies": null,
    "features": [
        "PASSWORD",
        "PROVISIONING",
        "GROUP_PROVISIONING",
        "ENABLE",
        "UNLOCK"
    ],
    "type": "49836d9c-290a-4225-8380-641237e98cc2",
    "connector": "oktasaas",
    "connectorClass": "",
    "connectorAttributes": {
        "deleteThresholdPercentage": 10,
        "connectionType": "direct",
        "authtype": "API Token",
        "templateApplication": "Okta SaaS",
        "cloudCacheUpdate": 1723125838603,
        "apiToken":"2_{\"KEY_ID\":\"\",\"KEY\":\"svEFxwu4JmamUIzqbipbA5G3xqPWy0bNzFcGVerjPyBdH/llctPu/WtnB6zZ6vZVJKSnRKLk3JB4\\r\\nHV/Um6hQ1ZO6DJh41CehRtURMn0bppgGy+z/s2JhiLtJq8/waAOG8pz6uoKQl3bb3M31qM1oQ4rx\\r\\nTKJzGDGbX9hfdTamjY4P9dN1RpwbuV6vRvkV/LiiL5UzB+E3uBzFIgtXDo76n2glnFlyZ+IWkJdF\\r\\nsXu5WuHbEY/7E1xelkPXfzfRvFZ1qJmR6y3aIHgTzJrB0HdSA1lnDFF7AjdnpUt3tca7feWf5GgY\\r\\nf+YA+ovENywPnWuivMD3AP04mUYFpEbAgFHM7Q\=\=\",\"SECRET\":\"15F4B6DAA65ED5C022463A83EEAC318011FE4AFA36260660BE9784D58C61B92E5FF73F324746565687B935BE6D31D6B513E83ACB::8536ACA875CD3D4B81181932052929EB\"}",
        "encrypted": "apiToken,private_key,private_key_password,accessToken",
        "healthy": false,
        "host": "https://trial-5102834.okta.com/",
        "cloudDisplayName": "TestOktaSaasThroughAPI3",
        "cloudExternalId": "210301",
        "connectorName": "Okta SaaS",
        "beforeProvisioningRule": null,
        "status": "SOURCE_STATE_UNCHECKED_SOURCE_NO_ACCOUNTS",
        "since": "2024-08-08T14:03:57.165Z"
    },
    "deleteThreshold": 10,
    "authoritative": false,
    "healthy": false,
    "status": "SOURCE_STATE_UNCHECKED_SOURCE_NO_ACCOUNTS",
    "since": "2024-08-08T14:03:57.165Z",
    "connectorId": "oktasaas",
    "connectorName": "Okta SaaS",
    "connectionType": "direct",
    "connectorImplementationId": "oktasaas",
    "managementWorkgroup": null,
    "credentialProviderEnabled": false,
    "category": null,
    "id": "d3bcfc00f9234b7f85c107c15290f524",
    "name": "TestOktaSaasThroughAPI3",
    "created": "2024-08-08T14:03:57.165Z",
    "modified": "2024-08-08T14:03:58.603Z"
}

I noticed that the connectorClass attribute is missing from the retrieved connector details, even though it was included in the payload and When i do test connection I’m getting the same error saying " * sailpoint.tools.GeneralException: Couldn’t load connector class:"

I tried various combinations like I have added the connectorClass name as “openconnector.connector.okta.OktaConnector” inside the connector attributes as well.
But still im getting the same error “sailpoint.tools.GeneralException: Couldn’t load connector class”

Might need to be looked at on the okta side do you have full scopes on the token?

Yes, I have full scopes on the token.

Hi @swamy97 ,

Can you try to create the OktaSaaS connector with cluster value as null. I think that since a cluster is defined, its trying to find the connector class on the VAs of the cluster. I could be wrong, but worth trying:


{
    "description": "TestOktaSaasThroughAPI3",
    "owner": {
        "type": "IDENTITY",
        "id": "e1fc5ae146404b088bc5c5e66046eb90",
        "name": "Thippeswamy H.anumanthappa"
    },
    "cluster": null,
    "accountCorrelationConfig": null,
    "accountCorrelationRule": null,
    "managerCorrelationMapping": null,
    "managerCorrelationRule": null,
    "beforeProvisioningRule": null,
    "schemas": [
        {
            "type": "CONNECTOR_SCHEMA",
            "id": "c7edc81796434200846b0abf1f1231ec",
            "name": "account"
        },
        {
            "type": "CONNECTOR_SCHEMA",
            "id": "b142d0a71d844f3ea41e9678d78bdba0",
            "name": "group"
        }
    ],
    "passwordPolicies": null,
    "features": [
        "PASSWORD",
        "PROVISIONING",
        "GROUP_PROVISIONING",
        "ENABLE",
        "UNLOCK"
    ],
    "type": "49836d9c-290a-4225-8380-641237e98cc2",
    "connector": "oktasaas",
    "connectorClass": "",
    "connectorAttributes": {
        "deleteThresholdPercentage": 10,
        "connectionType": "direct",
        "authtype": "API Token",
        "templateApplication": "Okta SaaS",
        "cloudCacheUpdate": 1723125838603,
        "apiToken":"2_{\"KEY_ID\":\"\",\"KEY\":\"svEFxwu4JmamUIzqbipbA5G3xqPWy0bNzFcGVerjPyBdH/llctPu/WtnB6zZ6vZVJKSnRKLk3JB4\\r\\nHV/Um6hQ1ZO6DJh41CehRtURMn0bppgGy+z/s2JhiLtJq8/waAOG8pz6uoKQl3bb3M31qM1oQ4rx\\r\\nTKJzGDGbX9hfdTamjY4P9dN1RpwbuV6vRvkV/LiiL5UzB+E3uBzFIgtXDo76n2glnFlyZ+IWkJdF\\r\\nsXu5WuHbEY/7E1xelkPXfzfRvFZ1qJmR6y3aIHgTzJrB0HdSA1lnDFF7AjdnpUt3tca7feWf5GgY\\r\\nf+YA+ovENywPnWuivMD3AP04mUYFpEbAgFHM7Q\=\=\",\"SECRET\":\"15F4B6DAA65ED5C022463A83EEAC318011FE4AFA36260660BE9784D58C61B92E5FF73F324746565687B935BE6D31D6B513E83ACB::8536ACA875CD3D4B81181932052929EB\"}",
        "encrypted": "apiToken,private_key,private_key_password,accessToken",
        "healthy": false,
        "host": "https://trial-5102834.okta.com/",
        "cloudDisplayName": "TestOktaSaasThroughAPI3",
        "cloudExternalId": "210301",
        "connectorName": "Okta SaaS",
        "beforeProvisioningRule": null,
        "status": "SOURCE_STATE_UNCHECKED_SOURCE_NO_ACCOUNTS",
        "since": "2024-08-08T14:03:57.165Z"
    },
    "deleteThreshold": 10,
    "authoritative": false,
    "healthy": false,
    "status": "SOURCE_STATE_UNCHECKED_SOURCE_NO_ACCOUNTS",
    "since": "2024-08-08T14:03:57.165Z",
    "connectorId": "oktasaas",
    "connectorName": "Okta SaaS",
    "connectionType": "direct",
    "connectorImplementationId": "oktasaas",
    "managementWorkgroup": null,
    "credentialProviderEnabled": false,
    "category": null,
    "id": "d3bcfc00f9234b7f85c107c15290f524",
    "name": "TestOktaSaasThroughAPI3",
    "created": "2024-08-08T14:03:57.165Z",
    "modified": "2024-08-08T14:03:58.603Z"
}

Hi @shaileeM,
I tried to create Okta-Saas connector by passing cluster value as null as you suggested but now its showing error “Test connection is disabled because no VA cluster is selected”

I think the issue here is actually that SaaS connectors need to be created using multiple API calls because there are certain aspects of the source configuration which are required (cluster and spConnectorSpecId) but which can only be determined after the source has been created and connection parameters have been saved.

First, the correct initial POST payload for creating a SaaS connector-based source should be much more lightweight than what you send when you create a VA-based source. For Okta, it should look like the below:

{
    "name": "TestOktaSaasThroughAPI",
    "description": "TestOktaSaasThroughAPI",
    "connector": "oktasaas",
    "owner":
    {
        "id": "2c9180866653956401665ebf3bf83509",
        "name": "owner.name",
        "type": "IDENTITY"
    }
}

This will return as an API response a fuller representation of the source configuration, including spConnectorInstanceId, which is a unique entry in the connectorAttributes map and is required for the connectivity layer to find the right source-connector pair.

What is still missing for this source to run a test connection, though, is the cluster configuration, which is still needed even though this is a SaaS connector because there is an internal “proxy” cluster that gets assigned to the SaaS connector when you provide authentication information. Thus, a second PATCH call is needed:

[
  {
    "op": "add",
    "path": "/connectorAttributes/authttype",
    "value": "API Token"
  },
	{
    "op": "add",
    "path": "/connectorAttributes/host",
    "value": "https://<tenant>.okta.com"
  },
	{
    "op": "add",
    "path": "/connectorAttributes/apiToken",
    "value": "<token>"
  }
]

You’ll notice that the response now includes a valid cluster object with an instance of the sp_connect_proxy_cluster:

"cluster": {
	"type": "CLUSTER",
	"id": "2c91808780f6c51601812af862a63c07",
	"name": "sp_connect_proxy_cluster"
}

At this point, your source should be in a valid state to run a test connection.

3 Likes

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.