Issue with SCIM 2.0 connector account creation provisioning policy for Atlassian Cloud integration

Which IIQ version are you inquiring about?

IdentityIQ 8.4p2

Share all details about your problem, including any error messages you may have received.

I’m setting up a SCIM 2.0 connector app to create Atlassian accounts, however it’s throwing an error that one email address has to be marked as the primary. I can’t seem to figure out how to pass the initial email in the Account creation policy to resolve this error. I’ve tried the following already with no luck:

  1. setting the field name="Emails" multi="true" and returning a list of maps with a single HashMap, i.e. [{ value="username.dev@org.ca", type="work", primary=true }]

    a. type="list"

    b. type="complex"

  2. setting the field name="email.work.primary.value" type="String" (no multi flag)

  3. setting up a custom XML rule via debug to generate a provisioning plan request to create the account with the 'Emails' attribute being passed as an array list of HashMaps ([{ value="exampleUsername.dev@org.ca", type="work", primary=true }]) to the plan with op="SET" instead of op="ADD", which appears to be the operation by default for the plan created by the provisioning policy. I also tried just passing an empty list in the debug rule, which did still resolve the operation from Add to Set on the master plan with the email list still passed from the provisioning policy plan.

It seems like the provisioning plan created by the custom XML Java rule does have the XML list brackets, but the provisioning plan created by the account creation provisioning policy tries to send it as a single map.

Example log:

identity project: <?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ProvisioningProject PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningProject identity="obfuscatedIdentityName">
<ExpansionItems>
<ExpansionItem application="Atlassian Cloud Manage Users" cause="ProvisioningPolicy" name="userName" nativeIdentity="obfuscatedIdentityName" operation="Set" sourceInfo="Atlassian Cloud Manage Users" value="username.dev@org.ca"/>
<ExpansionItem application="Atlassian Cloud Manage Users" cause="ProvisioningPolicy" name="name.familyName" nativeIdentity="obfuscatedIdentityName" operation="Set" sourceInfo="Atlassian Cloud Manage Users" value="Doe"/>
<ExpansionItem application="Atlassian Cloud Manage Users" cause="ProvisioningPolicy" name="name.givenName" nativeIdentity="obfuscatedIdentityName" operation="Set" sourceInfo="Atlassian Cloud Manage Users" value="Jane"/>
<ExpansionItem application="Atlassian Cloud Manage Users" cause="ProvisioningPolicy" name="active" nativeIdentity="obfuscatedIdentityName" operation="Set" sourceInfo="Atlassian Cloud Manage Users">
<value>
<Boolean>true</Boolean>
</value>
</ExpansionItem>
</ExpansionItems>
<MasterPlan>
<ProvisioningPlan>
<AccountRequest application="Atlassian Cloud Manage Users" nativeIdentity="obfuscatedIdentityName" op="Create">
<AttributeRequest name="emails" op="Set">
<Value>
<List>
<Map>
<entry key="primary">
<value>
<Boolean>true</Boolean>
</value>
</entry>
<entry key="type" value="work"/>
<entry key="value" value="username.dev@org.ca"/>
</Map>
</List>
</Value>
</AttributeRequest>
</AccountRequest>
</ProvisioningPlan>
</MasterPlan>
<ProvisioningPlan nativeIdentity="obfuscatedIdentityName" targetIntegration="Atlassian Cloud Manage Users" trackingId="7323d9a6316145c140bff25e343ec028">
<AccountRequest application="Atlassian Cloud Manage Users" nativeIdentity="obfuscatedIdentityName" op="Create">
<AttributeRequest name="emails" op="Set">
<Value>
<Map>
<entry key="primary">
<value>
<Boolean>true</Boolean>
</value>
</entry>
<entry key="type" value="work"/>
<entry key="value" value="username.dev@org.ca"/>
</Map>
</Value>
</AttributeRequest>
<AttributeRequest name="userName" op="Set" value="username.dev@org.ca"/>
<AttributeRequest name="name.familyName" op="Set" value="Doe"/>
<AttributeRequest name="name.givenName" op="Set" value="Jane"/>
<AttributeRequest name="active" op="Set">
<Value>
<Boolean>true</Boolean>
</Value>
</AttributeRequest>
<ProvisioningResult status="failed">
<Errors>
<Message key="java.io.IOException: {&quot;schemas&quot;:[&quot;urn:ietf:params:scim:api:messages:2.0:Error&quot;],&quot;status&quot;:&quot;400&quot;,&quot;detail&quot;:&quot;Invalid payload: One email address need to be marked as primary.&quot;}&#xA;" type="Error"/>
</Errors>
</ProvisioningResult>
</AccountRequest>
</ProvisioningPlan>

Any guidance for how to pass a single email as the primary to the SCIM 2.0 connector for account creations would be greatly appreciated!

Actually, I just got it working by setting the provisioning policy field as follows and removing the Emails attribute request from the debug rule provisioning plan:

        <Field displayName="primary email value" name="emails.work.primary.value" type="string">
          <Script>
            <Source>
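              import org.apache.logging.log4j.Logger;
              import org.apache.logging.log4j.LogManager;

              Logger log = LogManager.getLogger("ca.org.idam.AtlassianCloudManageUsersAccountCreationPolicy");
              // Read the identity's username attribute; it is null when the identity has none
              String value = identity.getAttribute("username");
              // Build the email address as <username>.dev@org.ca, passing null through unchanged
              String updatedValue = (value != null) ? value + ".dev" + "@org.ca" : value;
              log.debug("Atlassian Cloud Manage Users account creation policy get userName (email): " + updatedValue);
              // The returned string becomes the value of the emails.work.primary.value field
              return updatedValue;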
            </Source>
          </Script>
        </Field>
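
As an added example (not part of the original post and not SailPoint's connector code), the sketch below builds the SCIM 2.0 User body that the flat field names in the post describe and checks the `emails` attribute before it is sent, so the list shape from the master plan and the single-map shape from the integration plan can be compared. The `emails.<type>.primary.value` expansion rule, the function names and the sample values are assumptions for illustration; only the field names and the error text come from the post.

```python
import json

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643 core User schema


def build_user(flat):
    """Expand flat attribute names (as in the post's policy fields) into a SCIM User dict."""
    user = {"schemas": [USER_SCHEMA]}
    for name, value in flat.items():
        parts = name.split(".")
        if parts[0] == "emails":
            # Assumed convention: emails.<type>[.primary].value -> one entry in the emails array
            entry = {"value": value, "type": parts[1]}
            if "primary" in parts[2:-1]:
                entry["primary"] = True
            user.setdefault("emails", []).append(entry)
        elif len(parts) == 2:
            user.setdefault(parts[0], {})[parts[1]] = value  # e.g. name.familyName
        else:
            user[name] = value
    return user


def email_problems(user):
    """Return the reasons the emails attribute would be rejected; an empty list means OK."""
    emails = user.get("emails")
    if not isinstance(emails, list):
        return ["emails must be a JSON array of objects, got %s" % type(emails).__name__]
    problems = []
    primaries = [e for e in emails if isinstance(e, dict) and e.get("primary") is True]
    if len(primaries) != 1:
        # RFC 7643 allows primary=true at most once; the error in the post requires one
        problems.append("exactly one email must have primary=true, found %d" % len(primaries))
    for e in emails:
        if not isinstance(e, dict) or not e.get("value"):
            problems.append("each email entry needs a non-empty value")
    return problems


# Constructed sample values, matching the obfuscated ones in the post
FLAT = {"userName": "username.dev@org.ca", "name.familyName": "Doe",
        "name.givenName": "Jane", "active": True,
        "emails.work.primary.value": "username.dev@org.ca"}
GOOD = build_user(FLAT)
# Shape seen in the failing integration plan: a single map where an array is expected
COLLAPSED = dict(GOOD, emails={"value": "username.dev@org.ca", "type": "work", "primary": True})

if __name__ == "__main__":
    print(json.dumps(GOOD, indent=2))
    print(email_problems(GOOD), email_problems(COLLAPSED))
```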