sailpoint.connector.ObjectNotFoundException in Azure Active Directory group creation

Hi Team,

We are using IIQ 8.4p2. While provisioning Azure AD groups using the Azure Active Directory connector, we are frequently getting sailpoint.connector.ObjectNotFoundException. However, the group is created in Azure Active Directory. We have created a simple rule to create a provisioning plan and execute the provisioning plan using Provisioner:

Provisioner provisioner = new Provisioner(context);
ProvisioningProject project = provisioner.compile(plan);
provisioner.execute();

We think the issue is caused by a delay in group creation and the verification of the creation by IIQ.

Is there any way to resolve the issue so that we don’t get this error?

Thanks in advance,

Amit Kumar De

@adamitde7

Please share your complete plan.

Thanks,

Sivaprakash.

Hi @adamitde7, welcome to the SailPoint developer forum.

From the error message, it seems that the group name or type configuration is not matching the target system.

You can check the schema configuration for groups and verify it against the target system (Azure AD).

@adamitde7 Could you please share the plan xml? And are you trying to create a group or provision a group to the user?

<ProvisioningPlan targetIntegration="Entra ID Dev" trackingId="2aea47b5108e48cbb5b0e1016739692c">
  <ObjectRequest application="Entra ID Dev" nativeIdentity="9dca3afa-9916-4349-acc8-3a49c59db7d3" op="Create" type="group">
    <AttributeRequest name="displayName" op="Set" value="Group-For-Testing10"/>
    <AttributeRequest name="mailNickname" op="Set" value="test10"/>
    <AttributeRequest name="description" op="Set" value="Description for test 10"/>
    <AttributeRequest name="teamsEnabled" op="Set">
      <Value>
        <Boolean></Boolean>
      </Value>
    </AttributeRequest>
    <AttributeRequest name="securityEnabled" op="Set">
      <Value>
        <Boolean>true</Boolean>
      </Value>
    </AttributeRequest>
    <AttributeRequest name="groupTypes" op="Set" value="Security"/>
    <ProvisioningResult status="failed">
      <Errors>
        <Message key="sailpoint.connector.ConnectorException: Exception occurred. Error message - " type="Error"/>
      </Errors>
    </ProvisioningResult>
  </ObjectRequest>
</ProvisioningPlan>

This is the plan and I am creating the groups

@adamitde7 This is a compiled plan and looks good to me. Could you please also share the initial plan and the application XML for review?

@adamitde7

Use the code below:

Change the attribute request as per your requirement

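import java.util.HashMap;
import java.util.Map;

import sailpoint.api.Workflower;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.Workflow;
import sailpoint.object.WorkflowLaunch;

/***
	 * Launches the "Entitlement Update" workflow for the given plan.
	 * 
	 * @param plan provisioning plan to run
	 * @param groupCN name of the group, used in log messages
	 * @return the WorkflowLaunch result, or null if the workflow was not launched
	 */
	private WorkflowLaunch launchLCMProv(ProvisioningPlan plan, String groupCN) {
		logger.info("Entering method launchLCMProv");
		WorkflowLaunch launch = null;
		
		try {
			if(null != plan) {
				String workflowName = "Entitlement Update";
				WorkflowLaunch wfLaunch = new WorkflowLaunch();
				Workflow workflow = context.getObjectByName(Workflow.class, workflowName);
				if(null != workflow) {
					wfLaunch.setWorkflowName(workflow.getName());
					wfLaunch.setWorkflowRef(workflow.getName());
					// Workflower needs the SailPointContext to launch the workflow
					Workflower workflower = new Workflower(context);
					Map launchArgsMap = new HashMap();
					launchArgsMap.put("plan", plan);
					// Run provisioning in the foreground so the result is available on return
					launchArgsMap.put("foregroundProvisioning", "true");
					launchArgsMap.put("approvalScheme", "none");
					launchArgsMap.put("notificationScheme", "none");
					launchArgsMap.put("noTriggers", "true");
					launchArgsMap.put("trace", "true");
					wfLaunch.setVariables(launchArgsMap);
					launch = workflower.launch(wfLaunch);
					
					context.decache(workflow);
				}else {
					logger.error("Workflow not found: " + workflowName);
				}
			}else {
				logger.error("Plan is null");
			}
		}catch(Exception excp) {
			// Do not swallow the failure: record it so the caller's null result can be traced
			logger.error("Failed to launch workflow for group " + groupCN, excp);
		}
		
		logger.info("Exiting method launchLCMProv");
		return launch;
	}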

/***
	 * 
	 * @param groupCN(DN of the group Name)
	 * @param dedicatedGroupDN (DN-groupName)
	 * @param launcher
	 * @param appName
	 * @param roleName
	 * @return
	 */
	public Object createGroupPlan(String groupCN, String dedicatedGroupDN, String launcher, String appName, String roleName) {
		logger.info("Entering method createGroupPlan");
		boolean isCreateGrpSuccess = false;
		
		try {
			ProvisioningPlan plan = new ProvisioningPlan();
			ObjectRequest objReq = new ObjectRequest();
			
			objReq.setApplication(appName);
			objReq.setType("group");
			objReq.setOp(ProvisioningPlan.ObjectOperation.Create);
			objReq.setNativeIdentity(groupCN);
			objReq.add(new ProvisioningPlan.AttributeRequest("distinguishedName", ProvisioningPlan.Operation.Set, groupCN));
			objReq.add(new ProvisioningPlan.AttributeRequest("sAMAccountName", ProvisioningPlan.Operation.Set, getSamAccountName(groupCN)));
			objReq.add(new ProvisioningPlan.AttributeRequest("description", ProvisioningPlan.Operation.Set, "Created by IIQ"));
			objReq.add(new ProvisioningPlan.AttributeRequest("msDS-PrincipalName", ProvisioningPlan.Operation.Set, appName.toUpperCase()+"\\"+getSamAccountName(groupCN)));
			
			plan.add(objReq);
			WorkflowLaunch wfLaunch = launchLCMProv(plan, groupCN);
			
			boolean isSuccess = getErrorMessageFromWorkflow(wfLaunch, groupCN, launcher, roleName);
			if(!isSuccess) {
				logger.error("Error while creating the group");
			}else {
				isCreateGrpSuccess = true;
			}
			
		}catch(Exception exception) {
			logger.error("Exception occurred "+ exception.getMessage());
			isCreateGrpSuccess = false;
			throw exception;
		}
		
		
		logger.info("Exiting method createGroupPlan");
		return isCreateGrpSuccess;
	}

Hi @adamitde7 there is a setting “createGroupTimelag” you could add to your application configuration. It should be a number of seconds; you might try it with 120 and see if that helps.

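The timing problem this thread is about, as an added simulation (not code from the thread or from SailPoint): a create succeeds, but a read-back that comes before the object is visible fails, and a fixed time lag or a bounded poll before verification avoids the error. `LaggingDirectory`, `createThenVerify` and all millisecond values are constructed for illustration, and it assumes the connector reads the group back after creating it, as the original poster suspects.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration; every class and method name is hypothetical, not a SailPoint or Graph API.
public class ReadAfterCreateDemo {
    static class NotFound extends Exception {
        NotFound(String id) { super("object not found: " + id); }
    }
    // Constructed stand-in for the target system: a created group becomes
    // readable only after replicationLagMs has elapsed.
    static class LaggingDirectory {
        private final Map<String, Long> visibleAt = new HashMap<>();
        private final long replicationLagMs;
        LaggingDirectory(long replicationLagMs) { this.replicationLagMs = replicationLagMs; }
        void createGroup(String id) {
            visibleAt.put(id, System.currentTimeMillis() + replicationLagMs);
        }
        String readGroup(String id) throws NotFound {
            Long t = visibleAt.get(id);
            if (t == null || System.currentTimeMillis() < t) throw new NotFound(id);
            return id;
        }
    }

    // Create, wait timeLagMs (the fixed delay), then read back; on a miss keep
    // polling every pollMs until deadlineMs more has passed, then give up.
    static boolean createThenVerify(LaggingDirectory dir, String id,
            long timeLagMs, long deadlineMs, long pollMs) throws InterruptedException {
        dir.createGroup(id);
        long giveUpAt = System.currentTimeMillis() + timeLagMs + deadlineMs;
        Thread.sleep(timeLagMs);
        while (true) {
            try {
                dir.readGroup(id);
                return true;
            } catch (NotFound e) {
                if (System.currentTimeMillis() >= giveUpAt) return false;
                Thread.sleep(pollMs);
            }
        }
    }

    public static void main(String[] args) throws InterruptedException {
        LaggingDirectory dir = new LaggingDirectory(300);   // constructed lag value
        System.out.println("immediate read-back: " + createThenVerify(dir, "group-a", 0, 0, 50));
        System.out.println("fixed 400 ms lag:    " + createThenVerify(dir, "group-b", 400, 0, 50));
        System.out.println("poll up to 1 s:      " + createThenVerify(dir, "group-c", 0, 1000, 50));
    }
}
```

The immediate read-back reports failure even though the group was created, which matches the symptom in the question; the other two calls succeed.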

Hi @msingh900 ,

Set groupTypes values (Security, Office 365) in the AttributeRequest, as it is a mandatory field when creating SailPoint groups for the Azure connector.

Thanks,

PVR.

true Security

This is the plan.