schemaId is null when attempting to discover schema SCIM 2.0

Hello,

When attempting to discover the schema of a SCIM 2.0 application in 8.1p3 we are getting the following error:

Unable to discover the [account] schema for this application.[sailpoint.connector.ConnectorException: java.lang.NullPointerException: schemaId is null]

We are able to successfully test the connection. When using the same credentials in a normal SCIM app (not 2.0) the schema is discoverable. Below are the endpoint responses for ResourceTypes and Schemas. When comparing these responses with other successful SCIM 2.0 apps the differences I notice are groups is plural, pagination is not implemented, and the url is not v2.

ResourceTypes response:

{
    "totalResults": 2,
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:ListResponse"
    ],
    "Resources": [
        {
            "schemas": [
                "urn:ietf:params:scim:schemas:core:2.0:ResourceType"
            ],
            "id": "User",
            "name": "User",
            "endpoint": "/Users",
            "description": "User Account",
            "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
            "schemaExtensions": [
                {
                    "schema": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
                    "required": true
                }
            ],
            "meta": {
                "location": "(removed from response)/services/scim/Users",
                "created": "",
                "lastModified": "",
                "version": "",
                "resourceType": "ResourceType"
            }
        },
        {
            "schemas": [
                "urn:ietf:params:scim:schemas:core:2.0:ResourceType"
            ],
            "id": "Groups",
            "name": "Groups",
            "endpoint": "/Groups",
            "description": "Groups",
            "schema": "urn:ietf:params:scim:schemas:core:2.0:Groups",
            "meta": {
                "location": "(removed from response)/services/scim/Groups",
                "resourceType": "ResourceType"
            }
        }
    ]
}

Schemas response:

{
    "totalResults": 2,
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:ListResponse"
    ],
    "Resources": [
        {
            "id": "urn:ietf:params:scim:schemas:core:2.0:User",
            "name": "User",
            "description": "User Account",
            "attributes": [
               (removed from response)
            ],
            "meta": {
                "resourceType": "Schema",
                "created": "",
                "lastModified": "",
                "version": "",
                "location": "(removed from response)/services/scim/Users"
            }
        },
        {
            "id": "urn:ietf:params:scim:schemas:core:2.0:Groups",
            "name": "Groups",
            "description": "Groups",
            "attributes": [
                (removed from response)
            ],
            "meta": {
                "resourceType": "Schema",
                "created": "",
                "lastModified": "",
                "version": "",
                "location": "(removed from response)/services/scim/Groups"
            }
        }
    ]
}

Just to be clear: What SCIM endpoint are you attempting to reach? Is it a SCIM 1.1 compliant, or SCIM 2.0 compliant endpoint?

There were some stricter parsing updates made around 8.1p3 I believe, so if the SCIM server is off in any way you may see these types of errors. We did introduce a method to flag your application as connected to a ‘non-compliant’ server in 8.1p4:

" * The SCIM 2.0 Connector now supports non-compliant SCIM 2.0 server."

Are you able to patch your development environment and see if selecting this flag on the application configuration solves the issue?

This is a SCIM 2.0 endpoint currently in development. As you can see, the responses are of type 2.0:

"id": "urn:ietf:params:scim:schemas:core:2.0:User"

However, the urls being used do not contain /v2/ (as seen in location meta values) and I was wondering if that could be the issue. We can still test connection successfully and the error does not directly appear to be related to the url.

I am not able to patch this environment to 8.1p4 at this time.

Ah okay, so you have the ability to modify the SCIM server.

Can you provide the output of a call to /Users (scrubbed of any sensitive information) → Are you including the ‘meta’ information in each user record?

Unfortunately I do not have the ability to modify the SCIM server myself or this debugging would be a lot easier.

Using Postman to call the /Users endpoint gives me the following response:

{
    "statusCode": 200,
    "statusMessage": "OK",
    "body": {
        "schemas": [
            "urn:ietf:params:scim:api:messages:2.0:ListResponse"
        ],
        "totalResults": 1,
        "startIndex": 1,
        "itemsPerPage": 1,
        "Resources": [
            {
                "schemas": [
                    "urn:ietf:params:scim:schemas:core:2.0:User"
                ],
                "id": 1,
                "userName": "system",
                "Last_Name": "Administrator",
                "First_Name": "System",
                "meta": {
                    "resourceType": "User",
                    "created": "2019-09-03 17:49:29",
                    "lastModified": "2019-09-03 17:49:29",
                    "version": "1.0",
                    "location": "http://(removed from response)/services/scim/Users/1"
                }
            }
        ]
    }
}

Still looking at this…it is interesting that the /Schemas endpoint is the only one that returns a list of subobjects in Resources where each of the subobjects does not contain a ‘schemas’ attribute stating its type, like:

            "schemas": [
                "urn:ietf:params:scim:schemas:core:2.0:Schema"
            ],

There are also references in the call to the ResourceTypes for other Schemas (ResourceType, urn:ietf:params:scim:schemas:extension:enterprise:2.0:User) that don’t get returned when the call to GET /Schemas is made. Not sure if this is what is causing the parsing to break, but the SCIM connector is very sensitive to following the specification. This is why the option to add relaxed parsing was included in 8.1p4.

Who is providing the SCIM server that you are connecting to? If this is a business critical application, and you are not able to upgrade your IdentityIQ installation to a version that includes the possible fix - you should reach out to your CSM at SailPoint to see what your available options are in terms of short and long term fixes.

I was able to resolve this issue by fixing the /ResourceTypes response. The schemas value for ListResponse was incorrectly formatted.

Original:

"schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:ListResponse"
]

Fix:

"schemas": [
    "urn:ietf:params:scim:api:messages:2.0:ListResponse"
]

Hi Alexander,

Today we wanted to integrate with a SCIM 2 application and encountered the same problem: test connection works, schemaID is null after discover schema. We are using IdentityIQ 8.1p3; tomorrow we will try to test it on patch5. In the meantime, could you please take a look at our Postman responses? Maybe with your experience you’ll be able to find what is wrong sooner?

ResourceTypes response:

ResourceTypes: {
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:ListResponse"
    ],
    "totalResults": 1,
    "itemsPerPage": 1,
    "startIndex": 1,
    "Resources": [
        {
            "schemas": [
                "urn:ietf:params:scim:schemas:core:2.0:ResourceType"
            ],
            "id": "User",
            "name": "User",
            "description": "",
            "endpoint": "http://scimServer.Service/api/hrm/scim/Users",
            "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
            "schemaExtensions": [
                {
                    "schema": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
                    "required": true
                },
                {
                    "schema": "urn:ietf:params:scim:schemas:4net:1.0:Kartoteka",
                    "required": true
                }
            ]
        }
    ]
}

Schemas response:

Schemas : {
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:ListResponse"
    ],
    "totalResults": 3,
    "itemsPerPage": 3,
    "startIndex": 1,
    "Resources": [
        {
            "schemas": [
                "urn:ietf:params:scim:schemas:core:2.0:Schema"
            ],
            "id": "urn:ietf:params:scim:schemas:core:2.0:User",
            "name": "User",
            "description": "",
            "attributes": [
                {
                    "name": "id",
                    "type": "string",
                    "multiValued": false,
                    "description": null,
                    "required": false,
                    "caseExact": false,
                    "mutability": "readOnly",
                    "returned": "default",
                    "uniqueness": "none"
                },
                {
                    "name": "externalId",
                    "type": "string",
                    "multiValued": false,
                    "description": null,
                    "required": true,
                    "caseExact": false,
                    "mutability": "readWrite",
                    "returned": "default",
                    "uniqueness": "none"
                },
                {
                    "name": "userName",
                    "type": "string",
                    "multiValued": false,
                    "description": null,
                    "required": true,
                    "caseExact": false,
                    "mutability": "readWrite",
                    "returned": "default",
                    "uniqueness": "server"
                },
                {
                    "subAttributes": [
                        {
                            "name": "givenName",
                            "type": "string",
                            "multiValued": false,
                            "description": null,
                            "required": true,
                            "caseExact": false,
                            "mutability": "readWrite",
                            "returned": "default",
                            "uniqueness": "none"
                        },
                        {
                            "name": "familyName",
                            "type": "string",
                            "multiValued": false,
                            "description": null,
                            "required": true,
                            "caseExact": false,
                            "mutability": "readWrite",
                            "returned": "default",
                            "uniqueness": "none"
                        }
                    ],
                    "name": "userName",
                    "type": "string",
                    "multiValued": false,
                    "description": null,
                    "required": true,
                    "caseExact": false,
                    "mutability": "readWrite",
                    "returned": "default",
                    "uniqueness": "none"
                },
                {
                    "name": "userType",
                    "type": "string",
                    "multiValued": false,
                    "description": null,
                    "required": false,
                    "caseExact": false,
                    "mutability": "readWrite",
                    "returned": "default",
                    "uniqueness": "none"
                },
                {
                    "name": "active",
                    "type": "boolean",
                    "multiValued": false,
                    "description": null,
                    "required": false,
                    "caseExact": false,
                    "mutability": "readWrite",
                    "returned": "default",
                    "uniqueness": "none"
                },
                {
                    "name": "title",
                    "type": "string",
                    "multiValued": false,
                    "description": null,
                    "required": false,
                    "caseExact": false,
                    "mutability": "readWrite",
                    "returned": "default",
                    "uniqueness": "none"
                }
            ]
        },
        {
            "schemas": [
                "urn:ietf:params:scim:schemas:core:2.0:Schema"
            ],
            "id": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
            "name": "EnterpriseUser",
            "description": "",
            "attributes": [
                {
                    "name": "employeeNumber",
                    "type": "string",
                    "multiValued": false,
                    "description": null,
                    "required": false,
                    "caseExact": false,
                    "mutability": "readWrite",
                    "returned": "default",
                    "uniqueness": "none"
                },
                {
                    "name": "department",
                    "type": "string",
                    "multiValued": false,
                    "description": null,
                    "required": false,
                    "caseExact": false,
                    "mutability": "readWrite",
                    "returned": "default",
                    "uniqueness": "none"
                },
                {
                    "name": "organization",
                    "type": "string",
                    "multiValued": false,
                    "description": null,
                    "required": false,
                    "caseExact": false,
                    "mutability": "readWrite",
                    "returned": "default",
                    "uniqueness": "none"
                }
            ]
        },
        {
            "schemas": [
                "urn:ietf:params:scim:schemas:core:2.0:Schema"
            ],
            "id": "urn:ietf:params:scim:schemas:4net:1.0:Kartoteka",
            "name": "Worker",
            "description": "",
            "attributes": [
                {
                    "name": "grupaZawodowa",
                    "type": "string",
                    "multiValued": false,
                    "description": null,
                    "required": false,
                    "caseExact": false,
                    "mutability": "readWrite",
                    "returned": "default",
                    "uniqueness": "none"
                },
                {
                    "name": "dataPrzyjecia",
                    "type": "datetime",
                    "multiValued": false,
                    "description": null,
                    "required": false,
                    "caseExact": false,
                    "mutability": "readWrite",
                    "returned": "default",
                    "uniqueness": "none"
                },
                {
                    "name": "dataZwolnienia",
                    "type": "datetime",
                    "multiValued": false,
                    "description": null,
                    "required": false,
                    "caseExact": false,
                    "mutability": "readWrite",
                    "returned": "default",
                    "uniqueness": "none"
                }
            ]
        }
    ]
}

Discover Schema log, when the error occurs:
[TRACE] 2022-08-16 13:38:55.382 [http-nio-8080-exec-10] openconnector.connector.scim2.SCIM2Connector.traceMethodExit:108 - Exiting convertInputStreamToString: Arguments => org.apache.http.conn.EofSensorInputStream@482e74aa, Returns => {"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],"totalResults":1,"itemsPerPage":1,"startIndex":1,"Resources":[{"schemas":["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],"id":"User","name":"User","description":"","endpoint":"http://scimServer.Service/api/hrm/scim/Users","schema":"urn:ietf:params:scim:schemas:core:2.0:User","schemaExtensions":[{"schema":"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User","required":true},{"schema":"urn:ietf:params:scim:schemas:4net:1.0:Kartoteka","required":true}]}]}
[TRACE] 2022-08-16 13:38:55.389 [http-nio-8080-exec-10] openconnector.connector.scim2.SCIM2Connector.traceMethodEntry:97 - Entering isValidForRetry: Arguments => java.lang.IllegalArgumentException: schemaId is null

It basically prints the ResourceTypes response and then there is the SchemaId is null error.

Seems that every Resource within ResourceTypes should have metadata with resourceType:

"meta": {
        "resourceType": "ResourceType"
      }
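
Added example, not part of any post in this thread and not SailPoint's connector code: a small pre-flight check that runs the discrepancies raised in the thread (wrong ListResponse URN, Schema resources without a `schemas` attribute, schemas referenced by /ResourceTypes but missing from /Schemas, missing `meta.resourceType`) against already-parsed /ResourceTypes and /Schemas bodies. The function name `lint_discovery` and the sample data are constructed for illustration; which of these findings actually trips a given connector version is not established by the thread.

```python
LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
RESOURCE_TYPE = "urn:ietf:params:scim:schemas:core:2.0:ResourceType"
SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Schema"


def lint_discovery(resource_types, schemas):
    """Return a list of findings for parsed /ResourceTypes and /Schemas bodies."""
    findings = []
    # The accepted fix in the thread: the envelope must use the api:messages URN.
    for name, body in (("ResourceTypes", resource_types), ("Schemas", schemas)):
        if LIST_RESPONSE not in body.get("schemas", []):
            findings.append(f"{name}: envelope 'schemas' lacks {LIST_RESPONSE}")
    referenced = set()
    for rt in resource_types.get("Resources", []):
        rid = rt.get("id", "<no id>")
        if RESOURCE_TYPE not in rt.get("schemas", []):
            findings.append(f"ResourceTypes/{rid}: 'schemas' lacks ResourceType URN")
        # Reported by the last poster: each resource carries meta.resourceType.
        if (rt.get("meta") or {}).get("resourceType") != "ResourceType":
            findings.append(f"ResourceTypes/{rid}: meta.resourceType is not 'ResourceType'")
        referenced.add(rt.get("schema"))
        referenced.update(e.get("schema") for e in rt.get("schemaExtensions", []))
    returned = set()
    for sc in schemas.get("Resources", []):
        sid = sc.get("id")
        returned.add(sid)
        if SCHEMA not in sc.get("schemas", []):
            findings.append(f"Schemas/{sid}: 'schemas' lacks Schema URN")
    # Every schema URN named by a resource type should be served by /Schemas.
    for urn in sorted(u for u in referenced - returned if u):
        findings.append(f"Schemas: {urn} is referenced by ResourceTypes but not returned")
    return findings


# Constructed sample, trimmed from the first poster's responses.
SAMPLE_RESOURCE_TYPES = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ListResponse"],
    "Resources": [{
        "schemas": [RESOURCE_TYPE], "id": "User", "name": "User", "endpoint": "/Users",
        "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
        "schemaExtensions": [{"schema": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User", "required": True}],
        "meta": {"resourceType": "ResourceType"},
    }],
}
SAMPLE_SCHEMAS = {
    "schemas": [LIST_RESPONSE],
    "Resources": [{"id": "urn:ietf:params:scim:schemas:core:2.0:User", "name": "User", "attributes": []}],
}

if __name__ == "__main__":
    for finding in lint_discovery(SAMPLE_RESOURCE_TYPES, SAMPLE_SCHEMAS):
        print(finding)
```

Feed it the JSON bodies saved from Postman (parsed with `json.load`) before pointing the connector at a new SCIM 2.0 server.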