Netsparker SCIM 2.0 Integration Issue

I would appreciate any assistance with a Netsparker SCIM 2.0 integration issue. Questions below …

1. Using PATCH to add a user to Netsparker groups, but constantly getting a null error from openconnector. Any idea how we can track down this null error?

2022-03-17T18:27:27,243 DEBUG http-nio-8080-exec-3 openconnector.connector.scim2.SCIM2Connector:1830 - SCIM 2.0 SSL protocol version used is null
2022-03-17T18:27:27,245 DEBUG http-nio-8080-exec-3 openconnector.connector.scim2.SCIM2Connector:1832 - SCIM 2.0 URL used is Ht tps://hostname/scim/v2
2022-03-17T18:27:27,267 DEBUG http-nio-8080-exec-3 openconnector.connector.scim2.SCIM2Connector:1116 - Response returned: { “schemas”: [ “urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig” ], “documentation”: “Ht tps://hostname/scim”, “patch”: { “supported”: true }, “bulk”: { “supported”: false }, “filter”: { “supported”: true, “maxResults”: 200 }, “changePassword”: { “supported”: true }, “sort”: { “supported”: true }, “etag”: { “supported”: false }, “authenticationSchemes”: [ { “type”: “httpbasic”, “name”: “HTTP Basic”, “description”: “Authentication scheme using the HTTP Basic Standard”, “specUri”: “http://www.rfc-editor.org/info/rfc2617”, “documentationUri”: “Ht tps://www.netsparker.com/support/api-settings/” } ], “meta”: { “resourceType”: “ServiceProviderConfig”, “location”: “Ht tps://hostname/scim/v2/serviceproviderconfig” }}
2022-03-17T18:27:27,267 DEBUG http-nio-8080-exec-3 openconnector.connector.scim2.SCIM2JsonReader:40 - SCIM2 endpoint object is type of ServiceProviderConfig, Resource type name is-ServiceProviderConfig
2022-03-17T18:27:27,267 DEBUG http-nio-8080-exec-3 openconnector.connector.scim2.SCIM2Connector:2254 - Checking for retry with error message java.lang.NullPointerException retry flag false
2022-03-17T18:27:27,267 ERROR http-nio-8080-exec-3 openconnector.connector.scim2.SCIM2Connector:586 - Error while updating account with id user1 exception :
java.lang.NullPointerException: null
at openconnector.connector.scim2.SCIM2Connector.lambda$patchObject$14(SCIM2Connector.java:674) ~[connector-bundle.jar:8.1p2 Build 925c5f5956-20201216-075905]
at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:176) ~[?:?]
at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1654) ~[?:?]
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484) ~[?:?]
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474) ~[?:?]
at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913) ~[?:?]
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:?]
at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:578) ~[?:?]

2. The API supports PUT, so we updated the Application to usePatch = false to force PUT. This called the API, but the group information was missing in the JSON payload. If we format the JSON outside IIQ it provisions correctly, but the SCIM2.0 connector is not constructing the correct JSON payload. There are some attributes that are showing as readOnly; unsure if this is related. I assume these are taken from the schema required field. The before provisioning rule lets you make changes to the plan, but not to how the JSON is done. How can this be done to include fields that are optional?

2022-03-18T11:42:54,769 DEBUG http-nio-8080-exec-10 openconnector.connector.scim2.SCIM2Connector:857 - Map Before Updating : {phoneNumbers.mobile.primary.value=null, phoneNumbers.mobile.primary.display=null, timezone=GMT Standard Time, displayName=James Bond, active=true, disabled=false, id=user1, userName=user1}
2022-03-18T11:42:54,770 DEBUG http-nio-8080-exec-10 openconnector.connector.scim2.SCIM2Connector:919 - Map After Updating : {phoneNumbers.mobile.primary.value=null, phoneNumbers.mobile.primary.display=null, timezone=GMT Standard Time, displayName=James Bond, active=true, disabled=false, groups=[group1], id=user1, userName=user1}
2022-03-18T11:42:54,770 DEBUG http-nio-8080-exec-10 openconnector.connector.scim2.SCIM2Connector:742 - Exclude request attributes List: null
2022-03-18T11:42:54,771 DEBUG http-nio-8080-exec-10 openconnector.connector.scim2.SCIM2ConnectorMapper:68 - Attribute is not readOnly :userName
2022-03-18T11:42:54,772 DEBUG http-nio-8080-exec-10 openconnector.connector.scim2.SCIM2ConnectorMapper:68 - Attribute is not readOnly :Name
2022-03-18T11:42:54,772 DEBUG http-nio-8080-exec-10 openconnector.connector.scim2.SCIM2ConnectorMapper:71 - Attribute is readOnly :timezone
2022-03-18T11:42:54,773 DEBUG http-nio-8080-exec-10 openconnector.connector.scim2.SCIM2ConnectorMapper:71 - Attribute is readOnly :active
2022-03-18T11:42:54,773 DEBUG http-nio-8080-exec-10 openconnector.connector.scim2.SCIM2ConnectorMapper:71 - Attribute is readOnly :password
2022-03-18T11:42:54,773 DEBUG http-nio-8080-exec-10 openconnector.connector.scim2.SCIM2ConnectorMapper:68 - Attribute is not readOnly :emails
2022-03-18T11:42:54,773 DEBUG http-nio-8080-exec-10 openconnector.connector.scim2.SCIM2ConnectorMapper:68 - Attribute is not readOnly :phoneNumbers
2022-03-18T11:42:54,775 DEBUG http-nio-8080-exec-10 openconnector.connector.scim2.SCIM2MultiValuedPropertyGetter:72 - SCIM atribute : phoneNumbers with SCIM value : [{display=null, type=mobile, value=null, primary=true}]
2022-03-18T11:42:54,776 DEBUG http-nio-8080-exec-10 openconnector.connector.scim2.SCIM2ConnectorMapper:68 - Attribute is not readOnly :displayName
2022-03-18T11:42:54,776 DEBUG http-nio-8080-exec-10 openconnector.connector.scim2.SCIM2ConnectorMapper:71 - Attribute is readOnly :groups
2022-03-18T11:42:54,776 DEBUG http-nio-8080-exec-10 openconnector.connector.scim2.SCIM2ConnectorMapper:68 - Attribute is not readOnly :id
2022-03-18T11:42:54,782 DEBUG http-nio-8080-exec-10 openconnector.connector.scim2.SCIM2Connector:766 - JSON Prepared is : {“displayName”:“James Bond”,“meta”:{“resourceType”:“User”},“schemas”:[“urn:ietf:params:scim:schemas:core:2.0:User”],“id”:“user1”,“userName”:“user1”,“phoneNumbers”:[{“display”:“null”,“type”:“mobile”,“value”:“null”,“primary”:true}]}
2022-03-18T11:42:54,782 DEBUG http-nio-8080-exec-10 openconnector.connector.scim2.SCIM2Connector:721 - Update Object Put operation URL: Ht tps://hostname/scim/v2/Users/user1

Schema Property Mapping

  <entry key="schemaPropertyMappings">
    <value>
      <List>
        <SchemaPropertyMapping urn="urn:ietf:params:scim:schemas:core:2.0:User">
          <AttributePropertyMapping getter="openconnector.connector.scim2.SCIM2PropertyGetter" name="userName" property="userName" setter="openconnector.connector.scim2.SCIM2PropertySetter"/>
          <AttributePropertyMapping name="Name">
            <AttributePropertyMapping getter="openconnector.connector.scim2.SCIM2PropertyGetter" name="formatted" property="Name.formatted" setter="openconnector.connector.scim2.SCIM2PropertySetter"/>
            <AttributePropertyMapping getter="openconnector.connector.scim2.SCIM2PropertyGetter" name="familyName" property="Name.familyName" setter="openconnector.connector.scim2.SCIM2PropertySetter"/>
            <AttributePropertyMapping getter="openconnector.connector.scim2.SCIM2PropertyGetter" name="givenName" property="Name.givenName" setter="openconnector.connector.scim2.SCIM2PropertySetter"/>
          </AttributePropertyMapping>
          <AttributePropertyMapping getter="openconnector.connector.scim2.SCIM2PropertyGetter" name="timezone" property="timezone" setter="openconnector.connector.scim2.SCIM2PropertySetter"/>
          <AttributePropertyMapping getter="openconnector.connector.scim2.SCIM2PropertyGetter" name="active" property="active" setter="openconnector.connector.scim2.SCIM2PropertySetter"/>
          <AttributePropertyMapping getter="openconnector.connector.scim2.SCIM2PropertyGetter" name="password" property="password" setter="openconnector.connector.scim2.SCIM2PropertySetter"/>
          <AttributePropertyMapping getter="openconnector.connector.scim2.SCIM2MultiValuedPropertyGetter" name="emails" setter="openconnector.connector.scim2.SCIM2MultiValuedPropertySetter">
            <AttributePropertyMapping name="value" property="value"/>
            <AttributePropertyMapping name="display" property="display"/>
            <AttributePropertyMapping name="type" property="type"/>
            <AttributePropertyMapping name="primary" property="primary"/>
          </AttributePropertyMapping>
          <AttributePropertyMapping getter="openconnector.connector.scim2.SCIM2MultiValuedPropertyGetter" name="phoneNumbers" setter="openconnector.connector.scim2.SCIM2MultiValuedPropertySetter">
            <AttributePropertyMapping name="value" property="value"/>
            <AttributePropertyMapping name="display" property="display"/>
            <AttributePropertyMapping name="type" property="type"/>
            <AttributePropertyMapping name="primary" property="primary"/>
          </AttributePropertyMapping>
          <AttributePropertyMapping getter="openconnector.connector.scim2.SCIM2PropertyGetter" name="displayName" property="displayName" setter="openconnector.connector.scim2.SCIM2PropertySetter"/>
          <AttributePropertyMapping getter="openconnector.connector.scim2.SCIM2MultiValuedPropertyGetter" name="groups" property="groups" setter="openconnector.connector.scim2.SCIM2PropertySetter">
            <AttributePropertyMapping name="value" property="value"/>
            <AttributePropertyMapping name="display" property="display"/>
          </AttributePropertyMapping>
          <AttributePropertyMapping getter="openconnector.connector.scim2.SCIM2PropertyGetter" name="id" property="id" setter="openconnector.connector.scim2.SCIM2PropertySetter"/>
        </SchemaPropertyMapping>
        <SchemaPropertyMapping urn="urn:ietf:params:scim:schemas:core:2.0:Group">
          <AttributePropertyMapping getter="openconnector.connector.scim2.SCIM2PropertyGetter" name="displayName" property="displayName" setter="openconnector.connector.scim2.SCIM2PropertySetter"/>
          <AttributePropertyMapping getter="openconnector.connector.scim2.SCIM2MultiValuedPropertyGetter" name="members" property="members" setter="openconnector.connector.scim2.SCIM2PropertySetter">
            <AttributePropertyMapping name="value" property="value"/>
            <AttributePropertyMapping name="display" property="display"/>
          </AttributePropertyMapping>
          <AttributePropertyMapping getter="openconnector.connector.scim2.SCIM2PropertyGetter" name="id" property="id" setter="openconnector.connector.scim2.SCIM2PropertySetter"/>
        </SchemaPropertyMapping>
      </List>
    </value>
  </entry>

Good evening - have you confirmed that all the attributes that are being filtered out of the provisioning JSON are those that are marked as ‘readOnly’?

The SCIM 2.0 connector may be filtering out these attributes if the SCIM Server is telling us that they are non-modifiable.

As far as the PUT vs PATCH is concerned, the SailPoint SCIM 2.0 connector should be honoring what is represented by the SCIM server's /ServiceProviderConfig endpoint - if it says PATCH is supported we will attempt PATCH operations.
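One way to test the readOnly hypothesis from the reply above, as an added example (not SailPoint's or Netsparker's code): it reads the `mutability` flags from a schema document and reports which attributes of an update would be dropped. The schema sample is constructed to mirror the log lines in the question, and the helper names are hypothetical; in RFC 7643 the User `groups` attribute is readOnly and membership is changed through the Group's `members` attribute, which the last function builds as an RFC 7644 PatchOp.

```python
import json

# Constructed sample: a trimmed /Schemas entry for the core User schema.
# The mutability values mirror the "Attribute is readOnly" log lines in the
# question; they are not copied from a real Netsparker response.
USER_SCHEMA = json.loads("""
{"id": "urn:ietf:params:scim:schemas:core:2.0:User",
 "attributes": [
  {"name": "userName",    "mutability": "readWrite"},
  {"name": "displayName", "mutability": "readWrite"},
  {"name": "timezone",    "mutability": "readOnly"},
  {"name": "active",      "mutability": "readOnly"},
  {"name": "password",    "mutability": "readOnly"},
  {"name": "groups",      "mutability": "readOnly"},
  {"name": "id"}
 ]}
""")

# Constructed from the "Map After Updating" log line in the question.
UPDATE = {"timezone": "GMT Standard Time", "displayName": "James Bond",
          "active": True, "groups": ["group1"], "id": "user1",
          "userName": "user1", "phoneNumbers.mobile.primary.value": None}

def read_only_attributes(schema):
    """Top-level attribute names declared with mutability=readOnly."""
    # RFC 7643: an attribute without "mutability" defaults to readWrite.
    return {a["name"] for a in schema.get("attributes", [])
            if a.get("mutability", "readWrite") == "readOnly"}

def split_update(attrs, schema):
    """Split an update map into (sendable, dropped) by top-level attribute."""
    read_only = read_only_attributes(schema)
    sendable, dropped = {}, {}
    for key, value in attrs.items():
        top = key.split(".", 1)[0]  # "phoneNumbers.mobile..." -> "phoneNumbers"
        (dropped if top in read_only else sendable)[key] = value
    return sendable, dropped

def group_add_member_patch(user_id):
    """RFC 7644 PatchOp body for PATCH /Groups/{group id}: add one member."""
    return {"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
            "Operations": [{"op": "add", "path": "members",
                            "value": [{"value": user_id}]}]}

if __name__ == "__main__":
    sendable, dropped = split_update(UPDATE, USER_SCHEMA)
    print("dropped from User payload:", sorted(dropped))
    print(json.dumps(group_add_member_patch(UPDATE["id"]), indent=2))
```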

I tried to use the above schemaPropertyMappings but am not getting the user’s givenName, familyName or the groups for that matter. Did you have any luck with this integration using SCIM2?
Thanks.
Pasha