Schema ID Null While previewing entitlements

IdentityIQ (IIQ) IIQ Discussion and Questions
1

I am working with SCIM 2.0, I am getting schemaiD null for entitlement preview. this is my response cor resourcetypes endpoint

{“schemas”: [“urn:ietf:params:scim:api:messages:2.0:ListResponse”], “itemsPerPage”: 2, “startIndex”: 1, “totalResults”:

2, “Resources”: [{“schemas”: [“urn:ietf:params:scim:schemas:core:2.0:ResourceType”], “id”: “User”, “name”: “User”,

“endpoint”: “/dataserverlogin”, “description”: “RFC 7643: System for Cross-domain Identity Management: Core Schema”, “schema”:

“urn:ietf:params:scim:schemas:core:2.0:User”, “schemaExtensions”: [{“schema”: “urn:xyz:dba:dataserverlogin”,

“required”: true}], “meta”: {“location”:

“/ResourceTypes/User”, “resourceType”: “ResourceType”}},

{“schemas”: [“urn:ietf:params:scim:schemas:core:2.0:ResourceType”], “id”: “Entitlement”, “name”: “Entitlement”,

“endpoint”: “/Entitlements”, “description”: “RFC 7643: System for Cross-domain Identity Management: Core Schema”, “schema”:

“urn:xyz:dba:entitlement”, “meta”: {“location”:

“/ResourceTypes/Entitlement”, “resourceType”:

“ResourceType”}}]}

2

Hi @htarlapa - welcome to the community!

So - when you click the ‘detect schema’ on the ‘Entitlement’ object type, does is succeed? And then you receive the null/exception when you click ‘Preview’ ?

For the SCIM endpoint you are using, what does the Schema definition look like for urn:xyz:dba:entitlement ?

4

Hello, when I do a detect it gets the attribute values in,

{“schemas”: [“urn:ietf:params:scim:api:messages:2.0:ListResponse”], “itemsPerPage”: 348, “startIndex”: 1,

“totalResults”: 348, “Resources”: [{“value”: “BFM-READ”, “display”: “Read access to BFM”, “enabled”: true, “id”:

“BFM-READ”},… etc

5

Hello, when I do a detect it gets the attribute values in,

{“schemas”: [“urn:ietf:params:scim:api:messages:2.0:ListResponse”], “itemsPerPage”: 348, “startIndex”: 1,

“totalResults”: 348, “Resources”: [{“value”: “BFM-READ”, “display”: “Read access to BFM”, “enabled”: true, “id”:

“BFM-READ”},… etc

6

Can you provide either a screenshot of your Entitlement object schema from the IIQ Application page, or a copy of the application XML with all sensitive information (usernames, passwords, auth details) completely removed?

7
<?xml version='1.0' encoding='UTF-8'?> true Unique identifier for the User, typically used by the user to directly authenticate to the service provider. Each User MUST include a non-empty userName value. This identifier MUST be unique across the service provider's entire set of Users. A string represent the database login A list of server information the login has information for A string represent the value of the entitlement A string represent the display value (human understandable version) of the entitlement A string represent the database login
8 
**<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Application PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Application connector="sailpoint.connector.OpenConnectorAdapter" created="1636989015615" featuresString="DISCOVER_SCHEMA, PROVISIONING, SYNC_PROVISIONING, ENABLE, PASSWORD" icon="internetIcon" id="2d0c752c7d181cff817d2426163f0f86" modified="1642694973660" name="DEV DB" profileClass="spadmin" type="SCIM 2.0">
  <Attributes>
    <Map>
      <entry key="ServerTimeZone"/>
      <entry key="accept"/>
      <entry key="afterProvisioningRule"/>
      <entry key="authType" value="basic"/>
      <entry key="beforeProvisioningRule"/>
      <entry key="compositeDefinition"/>
      <entry key="connectorClass" value="openconnector.connector.scim2.SCIM2Connector"/>
      <entry key="contentType" value="/v2/Schemas/urn:abcd:dba:dataserverlogin"/>
      <entry key="customTimeout"/>
      <entry key="disableTerm">
        <value>
          <Boolean></Boolean>
        </value>
      </entry>
      <entry key="encrypted" value="client_secret,oauthBearerToken,oauthTokenInfo,refresh_token"/>
      <entry key="entitlementFilter"/>
      <entry key="explicitAttributesRequest">
        <value>
          <Boolean></Boolean>
        </value>
      </entry>
      <entry key="groupFilter"/>
      <entry key="host" value=""/>
      <entry key="isCertified">
        <value>
          <Boolean>true</Boolean>
        </value>
      </entry>
      <entry key="nativeChangeDetectionAttributeScope" value="entitlements"/>
      <entry key="nativeChangeDetectionAttributes"/>
      <entry key="nativeChangeDetectionEnabled">
        <value>
          <Boolean></Boolean>
        </value>
      </entry>
      <entry key="nativeChangeDetectionOperations"/>
      <entry key="password" value=""/>
      <entry key="roleFilter"/>
      <entry key="schemaPropertyMappings">
        <value>
          <List>
            <SchemaPropertyMapping urn="urn:ietf:params:scim:schemas:core:2.0:User">
              <AttributePropertyMapping getter="openconnector.connector.scim2.SCIM2PropertyGetter" name="userName" property="userName" setter="openconnector.connector.scim2.SCIM2PropertySetter"/>
              <AttributePropertyMapping getter="openconnector.connector.scim2.SCIM2PropertyGetter" name="id" property="id" setter="openconnector.connector.scim2.SCIM2PropertySetter"/>
            </SchemaPropertyMapping>
            <SchemaPropertyMapping urn="urn:abcd:dba:dataserverlogin">
              <AttributePropertyMapping getter="openconnector.connector.scim2.SCIM2PropertyGetter" name="login" property="login" setter="openconnector.connector.scim2.SCIM2ExtendedPropertySetter"/>
              <AttributePropertyMapping getter="openconnector.connector.scim2.SCIM2ExtendedPropertyGetter" name="servers" property="servers" setter="openconnector.connector.scim2.SCIM2ExtendedPropertySetter">
                <AttributePropertyMapping name="servername" property="servername"/>
                <AttributePropertyMapping name="suid" property="suid"/>
                <AttributePropertyMapping name="passworddate" property="passworddate"/>
                <AttributePropertyMapping name="status" property="status"/>
              </AttributePropertyMapping>
            </SchemaPropertyMapping>
            <SchemaPropertyMapping urn="urn:abcd:dba:entitlement">
              <AttributePropertyMapping getter="openconnector.connector.scim2.SCIM2PropertyGetter" name="value" property="value" setter="openconnector.connector.scim2.SCIM2PropertySetter"/>
              <AttributePropertyMapping getter="openconnector.connector.scim2.SCIM2PropertyGetter" name="display" property="display" setter="openconnector.connector.scim2.SCIM2PropertySetter"/>
              <AttributePropertyMapping getter="openconnector.connector.scim2.SCIM2PropertyGetter" name="enabled" property="enabled" setter="openconnector.connector.scim2.SCIM2PropertySetter"/>
              <AttributePropertyMapping getter="openconnector.connector.scim2.SCIM2PropertyGetter" name="id" property="id" setter="openconnector.connector.scim2.SCIM2PropertySetter"/>
            </SchemaPropertyMapping>
          </List>
        </value>
      </entry>
      <entry key="sensitive">
        <value>
          <Boolean></Boolean>
        </value>
      </entry>
      <entry key="skipGrpUpdate" value="false"/>
      <entry key="sysDescriptions">
        <value>
          <Map>
            <entry key="en_US"/>
          </Map>
        </value>
      </entry>
      <entry key="templateApplication" value="SCIM 2.0"/>
      <entry key="timeLimitedAccess">
        <value>
          <Boolean></Boolean>
        </value>
      </entry>
      <entry key="user" value="svcsaild"/>
      <entry key="userFilter"/>
    </Map>
  </Attributes>
  <Owner>
    <Reference class="sailpoint.object.Identity" id="ad8cf5ac69303d4e0169303d828b0105" name="spadmin"/>
  </Owner>
  <Schemas>
    <Schema created="1641824643132" displayAttribute="userName" id="2d0c752d7e291e46817e445fe83b2abe" identityAttribute="id" instanceAttribute="" modified="1642694973660" nativeObjectType="User" objectType="account">
      <AttributeDefinition name="userName" type="string">
        <Description>Unique identifier for the User, typically used by the user to directly authenticate to the service provider. Each User MUST include a non-empty userName value. This identifier MUST be unique across the service provider's entire set of Users.</Description>
      </AttributeDefinition>
      <AttributeDefinition name="id" type="string">
        <Description></Description>
      </AttributeDefinition>
      <AttributeDefinition name="login" type="string">
        <Description>A string represent the database login</Description>
      </AttributeDefinition>
      <AttributeDefinition multi="true" name="servers" type="string">
        <Description>A list of server information the login has information for</Description>
      </AttributeDefinition>
    </Schema>
    <Schema aggregationType="group" created="1642694973473" descriptionAttribute="" displayAttribute="" id="2d0c752c7e441134817e784018213bdb" identityAttribute="id" instanceAttribute="" nativeObjectType="Entitlement" objectType="entitlements">
      <AttributeDefinition name="value" type="string">
        <Description>A string represent the value of the entitlement</Description>
      </AttributeDefinition>
      <AttributeDefinition name="display" type="string">
        <Description>A string represent the display value (human understandable version) of the entitlement</Description>
      </AttributeDefinition>
      <AttributeDefinition name="enabled" type="boolean">
        <Description>A string represent the database login</Description>
      </AttributeDefinition>
      <AttributeDefinition name="id" type="string">
        <Description></Description>
      </AttributeDefinition>
    </Schema>
    <Schema aggregationType="group" created="1636989015615" descriptionAttribute="" displayAttribute="displayName" id="2d0c752c7d181cff817d2426163f0f8a" identityAttribute="id" instanceAttribute="" modified="1642694973660" nativeObjectType="Role" objectType="roles"/>
    <Schema created="1636989015615" descriptionAttribute="" displayAttribute="displayName" id="2d0c752c7d181cff817d2426163f0f8b" identityAttribute="id" instanceAttribute="" modified="1642694973660" nativeObjectType="Group" objectType="group"/>
  </Schemas>
  <ApplicationScorecard created="1636989015615" id="2d0c752c7d181cff817d2426163f0f87" modified="1642694973660"/>
</Application>**
9

Out of curiosity - what happens if you change the ‘objectType’ of your group schema from ‘entitlements’ to ‘group’ like this:

    <Schema aggregationType="group" created="1642694973473" descriptionAttribute="" displayAttribute="" id="2d0c752c7e441134817e784018213bdb" identityAttribute="id" instanceAttribute="" nativeObjectType="Entitlement" objectType="group">
      <AttributeDefinition name="value" type="string">
        <Description>A string represent the value of the entitlement</Description>
      </AttributeDefinition>
      <AttributeDefinition name="display" type="string">
        <Description>A string represent the display value (human understandable version) of the entitlement</Description>
      </AttributeDefinition>
      <AttributeDefinition name="enabled" type="boolean">
        <Description>A string represent the database login</Description>
      </AttributeDefinition>
      <AttributeDefinition name="id" type="string">
        <Description></Description>
      </AttributeDefinition>
    </Schema>
10

The system has encountered a serious error while processing your request. See your system administrator. this error

11

The system has encountered a serious error while processing your request. See your system administrator. this error

12

Hello Adam any update?

13

Hi @htarlapa - can you check in debug object browser for the ‘SyslogEvent’ that corresponds with this ‘System has encountered a serious error while processing your request’ error window? That will hopefully give us a larger stack trace of what happened.

14

It doesn’t throw the error now but, the preview is empty.