Salesforce Connector Errors

Identity Security Cloud (ISC) ISC Discussion and Questions
1

We set up the Salesforce connector and it was working for a month in Prod and several months in Sandbox.

After march 3/1/2023 the Prod connector started having issues and on 3/2/2023 the Sandbox connector had issues.

Getting the issue during refresh and attribute syncs. Salesforce support didn’t see issues and the errors started happening after hours on 3/1/2023. Any solutions?

[“[ ConnectorException ] \n [ Error details ] INVALID_FIELD: \nselect Id ,UserRole.Id, ContactId from User where Id\u003d\u00270057b000003TT6dAAG\u0027\n ^\nERROR at Row:1:Column:25\nNo such column \u0027ContactId\u0027 on entity \u0027User\u0027. If you are attempting to use a custom field, be sure to append the \u0027__c\u0027 after the custom field name. Please reference your WSDL or the describe call for the appropriate names.connector.sdk.webservices.exception.WebServicesSdkException: \u003c?xml version\u003d"1.0" encoding\u003d"UTF-8"?\u003e\u003csoapenv:Envelope xmlns:soapenv\u003d"http://schemas.xmlsoap.org/soap/envelope/\” xmlns:sf\u003d"urn:fault.partner.soap.sforce.com" xmlns:xsi\u003d"http://www.w3.org/2001/XMLSchema-instance\“\u003e\u003csoapenv:Body\u003e\u003csoapenv:Fault\u003e\u003cfaultcode\u003esf:INVALID_FIELD\u003c/faultcode\u003e\u003cfaultstring\u003eINVALID_FIELD: \nselect Id ,UserRole.Id, ContactId from User where Id\u003d\u0026apos;0057b000003TT6dAAG\u0026apos;\n ^\nERROR at Row:1:Column:25\nNo such column \u0026apos;ContactId\u0026apos; on entity \u0026apos;User\u0026apos;. If you are attempting to use a custom field, be sure to append the \u0026apos;__c\u0026apos; after the custom field name. Please reference your WSDL or the describe call for the appropriate names.\u003c/faultstring\u003e\u003cdetail\u003e\u003csf:InvalidFieldFault xsi:type\u003d"sf:InvalidFieldFault"\u003e\u003csf:exceptionCode\u003eINVALID_FIELD\u003c/sf:exceptionCode\u003e\u003csf:exceptionMessage\u003e\nselect Id ,UserRole.Id, ContactId from User where Id\u003d\u0026apos;0057b000003TT6dAAG\u0026apos;\n ^\nERROR at Row:1:Column:25\nNo such column \u0026apos;ContactId\u0026apos; on entity \u0026apos;User\u0026apos;. If you are attempting to use a custom field, be sure to append the \u0026apos;__c\u0026apos; after the custom field name. Please reference your WSDL or the describe call for the appropriate names.\u003c/sf:exceptionMessage\u003e\u003csf:row\u003e1\u003c/sf:row\u003e\u003csf:column\u003e25\u003c/sf:column\u003e\u003c/sf:InvalidFieldFault\u003e\u003c/detail\u003e\u003c/soapenv:Fault\u003e\u003c/soapenv:Body\u003e\u003c/soapenv:Envelope\u003e”]

1 Like
2

We noticed this with disable account events too. Same error and started 03/01/2023.

3

Thanks for reporting this. I have submitted a bug report to the connector team to look into this.

2 Likes
4

Thanks Colin, and nice job at Dev Days!. Thanks for you your team putting that on.

I have an open case with support too trying to escalate this.

User SailAway also getting same error.

I also duplicated this error with a new and separate Salesforce instance. Support still not ruling it a product issue.

5

I am getting the same error when trying to assign an Entitlement via A role.

6

Root Cause Analysis for issue: CS0207200 | Salesforce Connector Errors

Start Time: 03/01/2023

End Time: Ongoing-pending SailPoint to resolve connector issue.

Status: Ongoing-pending SailPoint to resolve connector issue .

Impacted Instances: Salesforce connector.

Impacted Services: Provisioning.

Overview: A SailPoint update to the Salesforce connector’s SQL Query is now selecting ContactId as part of the SQL statement. This is causing provisioning errors for customers that are not using the default Salesforce System Administrator Profile with their connector account. This profile undermines least privilege, and support has been made aware of the lack of granular permissions for both basic and oath2 authentication configurations within their documentation. On 3/15, while troubleshooting CS0207200 with LFG, SailPoint support finally acknowledged that they did make a change to the SQL on their connector after evidence from our Salesforce Streaming API logs was presented to them indicating ContactId was never apart of the SQL Query until 3/1.

Error:

["[ConnectorException]

[Error details] INVALID_FIELD:

select Id ,UserRole.Id, ContactId from User where Id=‘’

Root Cause: A SailPoint update to the Salesforce connector’s SQL Query is now selecting ContactId as part of the SQL statement. This is causing provisioning errors for customers practicing least privilege for their connector account within their Salesforce instances.

Next Steps and Preventative Actions: SailPoint support suggests fixing this by adding permissions to the Contact object in Salesforce even though this error was never a requirement until 3/1, but they are justifying it now based of their current documentation and change to the connector’s SQL Query. Support mentioned they will work to enhance and provide granular permission requirements for their documentation. They also mentioned they are not actively looking to resolve the root cause on the connector. Customers will be forced to apply this new permission requirement.