Issue with SaaS connector - ISC Cloud Governance Connector

Hello All,

I’m seeing an unusual behavior when testing out the Identity Security Cloud Governance connector which was recently released.

I followed every configuration step as per the documentation (Integrating SailPoint with Identity Security Cloud Governance).

However, only test connection and entitlement aggregation work; account aggregation and provisioning fail.

Below are the error messages:

  • For Aggregation

java.lang.RuntimeException - java.lang.IllegalStateException: [ConnectorError] 403 [Possible Suggestion] Ensure that configuration parameters is correct and service account is having required permissions. ERR_BAD_REQUEST, Request failed with status code 403, {"detailCode":"403 Forbidden","trackingId":"c0eeeb3c81fa49ce9bdbdf319007ded0","messages":[{"locale":"en-US","localeOrigin":"DEFAULT","text":"The server understood the request but refuses to authorize it."},{"locale":"und","localeOrigin":"REQUEST","text":"The server understood the request but refuses to authorize it."}],"causes":[]} (requestId: bfeb667b092840569ef114d8ab667324) - java.lang.RuntimeException: java.lang.IllegalStateException: [ConnectorError] 403 [Possible Suggestion] Ensure that configuration parameters is correct and service account is having required permissions. ERR_BAD_REQUEST, Request failed with status code 403, {"detailCode":"403 Forbidden","trackingId":"c0eeeb3c81fa49ce9bdbdf319007ded0","messages":[{"locale":"en-US","localeOrigin":"DEFAULT","text":"The server understood the request but refuses to authorize it."},{"locale":"und","localeOrigin":"REQUEST","text":"The server understood the request but refuses to authorize it."}],"causes":[]} (requestId: bfeb667b092840569ef114d8ab667324)
    at com.sailpoint.mantis.qpoc.message.AccountAggregation.iterateResourceObjects_aroundBody6(AccountAggregation.java:645)
    at com.sailpoint.mantis.qpoc.message.AccountAggregation$AjcClosure7.run(AccountAggregation.java:1)
    at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:179)
    at com.sailpoint.tracing.otel.TracedAspect.lambda$traceExecution$0(TracedAspect.java:38)
    at com.sailpoint.tracing.otel.GlobalTracer.trace(GlobalTracer.java:170)
    at com.sailpoint.tracing.otel.GlobalTracer.trace(GlobalTracer.java:143)
    at com.sailpoint.tracing.otel.TracedAspect.traceExecution(TracedAspect.java:40)
    at com.sailpoint.mantis.qpoc.message.AccountAggregation.iterateResourceObjects(AccountAggregation.java:578)
    at com.sailpoint.mantis.qpoc.message.AccountAggregation.handleMessage_aroundBody0(AccountAggregation.java:358)
    at com.sailpoint.mantis.qpoc.message.AccountAggregation$AjcClosure1.run(AccountAggregation.java:1)
    at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:179)
    at com.sailpoint.atlas.metrics.MessageMetricsAspect.meterMessageTimeAndExceptions(MessageMetricsAspect.java:65)
    at com.sailpoint.mantis.qpoc.message.AccountAggregation.handleMessage(AccountAggregation.java:339)
    at com.sailpoint.atlas.messaging.server.TypeMessageHandler.handleMessage(TypeMessageHandler.java:87)
    at com.sailpoint.mantis.qpoc.utility.QpocMessageHandler.handleMessage_aroundBody0(QpocMessageHandler.java:60)
    at com.sailpoint.mantis.qpoc.utility.QpocMessageHandler$AjcClosure1.run(QpocMessageHandler.java:1)
    at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:179)
    at com.sailpoint.atlas.metrics.MessageMetricsAspect.meterMessageTimeAndExceptions(MessageMetricsAspect.java:65)
    at com.sailpoint.mantis.qpoc.utility.QpocMessageHandler.handleMessage(QpocMessageHandler.java:52)
    at com.sailpoint.mantis.platform.message.ObjectConfigMessageHandler.handleMessage(ObjectConfigMessageHandler.java:33)
    at com.sailpoint.atlas.tracing.plugin.otel.TraceMessageHandler.lambda$handleMessage$0(TraceMessageHandler.java:60)
    at com.sailpoint.atlas.tracing.otel.Trace.trace(Trace.java:54)
    at com.sailpoint.atlas.tracing.plugin.otel.TraceMessageHandler.handleMessage(TraceMessageHandler.java:55)
    at com.sailpoint.atlas.message.DynamicMessageHandler$ChainedMessageHandlerAdapter.handleMessage(DynamicMessageHandler.java:44)
    at com.sailpoint.atlas.tracing.plugin.TracingMessageHandler.handleMessage(TracingMessageHandler.java:88)
    at com.sailpoint.atlas.message.DynamicMessageHandler$ChainedMessageHandlerAdapter.handleMessage(DynamicMessageHandler.java:44)
    at com.sailpoint.atlas.usage.plugin.UsageMessageHandler.handleMessage(UsageMessageHandler.java:36)
    at com.sailpoint.atlas.message.DynamicMessageHandler$ChainedMessageHandlerAdapter.handleMessage(DynamicMessageHandler.java:44)
    at com.sailpoint.atlas.message.DynamicMessageHandler.handleMessage(DynamicMessageHandler.java:34)
    at com.sailpoint.mantis.platform.message.SailPointContextMessageHandler.handleMessage(SailPointContextMessageHandler.java:55)
    at com.sailpoint.atlas.message.FailureNotificationHandler.handleMessage(FailureNotificationHandler.java:55)
    at com.sailpoint.atlas.message.RequestContextMessageHandler.handleMessage(RequestContextMessageHandler.java:72)
    at com.sailpoint.mantis.platform.message.ExceptionMessageHandler.handleMessage(ExceptionMessageHandler.java:49)
    at com.sailpoint.atlas.messaging.server.MessageProcessor.handleJobMessage(MessageProcessor.java:254)
    at com.sailpoint.atlas.messaging.server.MessageProcessor.handleMessage(MessageProcessor.java:136)
    at com.sailpoint.atlas.messaging.server.MessageProcessor.lambda$null$0(MessageProcessor.java:106)
    at com.sailpoint.atlas.messaging.server.MessageProcessor.withOrgLogging(MessageProcessor.java:173)
    at com.sailpoint.atlas.messaging.server.MessageProcessor.withReportingAndOrgLogging(MessageProcessor.java:163)
    at com.sailpoint.atlas.messaging.server.MessageProcessor.lambda$asyncHandleMessage$1(MessageProcessor.java:106)
    at com.sailpoint.atlas.messaging.server.impl.SourceRunnableImpl.run(SourceRunnableImpl.java:77)
    at com.sailpoint.atlas.messaging.server.impl.BufferedSourceQueue$IncrementingSourceRunnable.run(BufferedSourceQueue.java:181)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.lang.IllegalStateException: [ConnectorError] 403 [Possible Suggestion] Ensure that configuration parameters is correct and service account is having required permissions. ERR_BAD_REQUEST, Request failed with status code 403, {"detailCode":"403 Forbidden","trackingId":"c0eeeb3c81fa49ce9bdbdf319007ded0","messages":[{"locale":"en-US","localeOrigin":"DEFAULT","text":"The server understood the request but refuses to authorize it."},{"locale":"und","localeOrigin":"REQUEST","text":"The server understood the request but refuses to authorize it."}],"causes":[]} (requestId: bfeb667b092840569ef114d8ab667324)
    at com.sailpoint.connector.cloud.spconnect.SpConnectProxy$1.nextResponse_aroundBody0(SpConnectProxy.java:346)
    at com.sailpoint.connector.cloud.spconnect.SpConnectProxy$1$AjcClosure1.run(SpConnectProxy.java:1)
    at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:179)
    at com.sailpoint.tracing.otel.TracedAspect.lambda$traceExecution$0(TracedAspect.java:38)
    at com.sailpoint.tracing.otel.GlobalTracer.trace(GlobalTracer.java:170)
    at com.sailpoint.tracing.otel.GlobalTracer.trace(GlobalTracer.java:143)
    at com.sailpoint.tracing.otel.TracedAspect.traceExecution(TracedAspect.java:40)
    at com.sailpoint.connector.cloud.spconnect.SpConnectProxy$1.nextResponse(SpConnectProxy.java:335)
    at sailpoint.connector.cloud.CloudConnector$CloudBridgeIterator.buildDataBlockIterator(CloudConnector.java:1207)
    at sailpoint.connector.cloud.CloudConnector$CloudBridgeIterator.checkForMoreData(CloudConnector.java:1195)
    at sailpoint.connector.cloud.CloudConnector$CloudBridgeIterator.hasNext(CloudConnector.java:1121)
    at sailpoint.connector.ConnectorProxy$CustomizingIterator.peek(ConnectorProxy.java:771)
    at sailpoint.connector.ConnectorProxy$CustomizingIterator.hasNext(ConnectorProxy.java:798)
    at com.sailpoint.mantis.qpoc.message.AccountAggregation.iterateResourceObjects_aroundBody6(AccountAggregation.java:613)
    ... 45 more

  • For Provisioning

[ConnectorError] invalid output format:  Schema validation error in path: [/: {"attributes":{"Gove... did not match any of the specified OneOf schemas] (requestId: c64bd9816d394941859690913a63bdd7)

Note: I’ve not changed any account schema/create account/account schema/entitlement type configurations and leveraged the OOTB connector as is. And all the required permissions on the service account are granted as well.

However, I’ve observed that the below functionality for “SaaS Management” is disabled under my system settings. Not sure if this could be one of the reasons.

Or this could be an error with the connector itself.

Would really appreciate any inputs/thoughts from the folks who would’ve worked with this connector.

Thanks,
Arshad.

Looks like you’re getting a 403 Forbidden error. That usually happens when you are using a PAT that has insufficient user level or scopes, or you are attempting to use client credentials instead of PAT.

@colin_mckibben Initially, that’s what I thought could have been the reason. But all the scopes mentioned in the document have been assigned to the client credentials I generated:

Does the identity for which you created the PAT and are using in the config have any ‘admin’ level privileges in addition to the scopes? I believe that is also a must, although I haven’t personally tried to ‘descope’ it as much as possible for me.

In my config, to test the connector, I just have an identity that is ORG_ADMIN and assigned the ‘sp:scopes:all’ scope, which does work.

@sauvee Are you specifically asking me to create PAT from the preferences on my identity and then re-test? Currently I’ve created client credentials from API management under global settings.

I have the ORG_ADMIN for my identity and created the client credentials from the “Global > Security Settings > API Management” myself with all the required scopes above. I also tried to add sp:scopes:all but that didn’t work either.

Hi @Arshad ,

This connector works for me (aggregation, user level provisioning, …).

Try to regenerate the PAT token with only ‘sp:scopes:all’.

After that you can update the permissions according to the documentation.


Thanks for the response @baoussounda
Let me try this with PAT and keep you posted.

This worked @baoussounda. Thanks for the quick suggestion. Both aggregation and provisioning work with the PAT.
However, I don’t see a specific reason why it would fail with the client credentials generated from API Management. (And only specific operations like aggregation and provisioning fail, while test connection and entitlement aggregation work fine.)
@colin_mckibben maybe if you have any insights as well on this, please let us know.


@Arshad “However, I don’t see a specific reason why it would fail with the client credentials generated from API management” ==>

There are some APIs that need user context, so the client credentials generated from API Management do not work for those APIs. I don’t have the exact list of those APIs.

As an example, when you want to create an application, you can only specify the name and description, and the owner is set by default based on the PAT used. In this case a token generated from API Management does not work.

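The replies above (Colin's note that a 403 usually means the wrong kind of credential, and baoussounda's explanation that some APIs need a user context that API Management client credentials cannot supply) can be checked before a connector ever calls the API, by looking at what the access token actually carries. The script below is an added example, not code from this thread or from SailPoint. It assumes that ISC access tokens are JWTs whose payload carries `scope` and, for PAT-derived tokens, user claims such as `user_name` / `identity_id` (claim names as commonly observed; confirm against your own tenant), and that `https://{tenant}.api.identitynow.com/oauth/token` with `grant_type=client_credentials` issues tokens for both PAT and API Management credentials. Every scope string other than `sp:scopes:all`, and both sample tokens, are constructed for the offline demo. The signature is not verified; this is local inspection, not token validation.

```python
"""Inspect an ISC access token for user context and scopes (added example)."""
import base64
import json
import urllib.parse
import urllib.request

# Assumed claim names that mark a token as bound to a human identity (PAT).
USER_CLAIMS = ("user_name", "identity_id")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload as a dict. The signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(token: str, required_scopes=()) -> dict:
    """Report whether the token is user-bound and which required scopes it lacks."""
    claims = decode_jwt_payload(token)
    scopes = claims.get("scope", [])
    if isinstance(scopes, str):  # some issuers emit a space-separated string
        scopes = scopes.split()
    has_all = "sp:scopes:all" in scopes
    return {
        "user_context": any(claims.get(c) for c in USER_CLAIMS),
        "user": claims.get("user_name"),
        "scopes": scopes,
        "missing_scopes": [] if has_all else [s for s in required_scopes if s not in scopes],
    }


def explain(result: dict) -> str:
    """Turn a classify_token() result into the diagnosis a connector admin wants."""
    if not result["user_context"]:
        return ("no user claims: service-only token; endpoints that derive an "
                "owner/actor from the caller answer 403 regardless of scopes")
    if result["missing_scopes"]:
        return "user-bound but missing scopes: " + ", ".join(result["missing_scopes"])
    return f"user-bound ({result['user']}) with the required scopes"


def fetch_token(tenant: str, client_id: str, client_secret: str) -> str:
    """Client-credentials grant against ISC (needs network; not used offline).
    The same call is used for a PAT's id/secret and for API Management credentials;
    only the resulting claims differ."""
    url = f"https://{tenant}.api.identitynow.com/oauth/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned JWT for offline demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."  # empty signature segment


if __name__ == "__main__":
    # Constructed tokens mirroring the thread: a PAT under an admin identity with
    # sp:scopes:all, and API Management credentials with made-up scope names.
    pat = make_sample_token({"user_name": "arshad", "identity_id": "id-0001",
                             "scope": ["sp:scopes:all"]})
    svc = make_sample_token({"client_id": "svc-0001",
                             "scope": ["example:accounts:read"]})
    needed = ["example:accounts:read", "example:accounts:manage"]
    for name, tok in (("PAT", pat), ("API Management", svc)):
        print(f"{name}: {explain(classify_token(tok, needed))}")
```

To use it against a real tenant, replace the constructed tokens with `fetch_token(...)` output for each credential type and compare the two diagnoses; if the API Management token shows no user claims, that matches the failure mode described above, and no amount of extra scopes will change the 403.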
