Have been referring to the documentation below, but couldn't find the above info. Please share if there's any more documentation providing the above details?
Delete
I do not think Bulk is supported.
Whether the connector is supporting Replace or Update (Patch) depends on the configuration: see usePatch parameter (cf. Additional Settings)
Filtering is supported (cf Aggregation Settings to define filters and attribute list)
Thanks, please also see additional queries below:
The Documentation below states that "CAUTION: SCIM 2.0 source doesn't have the default Create Profile. However, SailPoint recommends that you work with Services to define a Create Profile specific to your company's needs."
Does this mean that only SailPoint Services can create the "Create Profile"?
Can't we create the profile using APIs?
**Group update from Create User Request:**
Refer additional settings documentation: Additional Settings
It states that "The SCIM 2.0 source now supports modification of groups' information through the Users endpoint. Add the updateGroupsViaUsers attribute with true as a value to the source XML file using IdentityNow REST API (For example, )."
Does this mean that Identity Now can add or remove members within the create request, and /Groups need not be called separately?
Additionally, please confirm whether ETag and Version attributes are optional in the response sent by the SCIM API to the Identity Now SCIM 2.0 Connector? We do have have this clarity in the documentation.
As explained in the documentation, by default, to update group members, you use the /groups endpoint. Groups are also part of the User object. So if you want to update the groups of a user through the /Users endpoint, you can.
If these headers are not mentioned, it is probably because they are not used.
Yes, setting updateGroupsViaUsers to "true" will force the connector to create an update call to the /Users endpoint that contains the group membership that needs to be added or removed (patch operation I believe).
You don't need to do additional configurations to update groups via the /Groups endpoint. By default, the connector sends a patch operation that updates the /members/value attribute on the group with the users that need to be added/removed.
I do have a follow-up question that I'm still trying to get my head around. Perhaps someone knows the answers: how do I aggregate group memberships from the /groups-endpoint? In my case, our SCIM-server does not save group memberships on the user-object (so the groups-attribute on the user object is empty). The memberships are only stored on the groups-object. I don't know if this is per SCIM-specification as I couldn't find it in the specs. But I do know that SailPoint only aggregates the /Users-endpoint during an account aggregation, so how do I retrieve the group memberships? Perhaps @yannick_beot has the answer?
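The membership patch on /Groups described in the reply above, written in the RFC 7644 section 3.5.2 PatchOp form, as an added example that is not part of the thread and not a body captured from the connector. The `groups_by_user` helper shows how per-user memberships can be derived when they are stored only on group resources; the function names and sample ids are assumptions, and nothing here describes what the IdentityNow connector itself does during aggregation.

```python
import re

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
REMOVE_PATH = re.compile(r'^members\[value eq "([^"\\]+)"\]$')


def build_member_patch(add_ids=(), remove_ids=()):
    """Build the PATCH /Groups/{id} body that adds and removes members."""
    for uid in (*add_ids, *remove_ids):
        # Ids end up inside a filter string, so refuse quote and backslash characters.
        if not uid or '"' in uid or "\\" in uid:
            raise ValueError(f"unsafe member id: {uid!r}")
    ops = []
    if add_ids:
        ops.append({"op": "add", "path": "members",
                    "value": [{"value": uid} for uid in add_ids]})
    for uid in remove_ids:
        ops.append({"op": "remove", "path": f'members[value eq "{uid}"]'})
    return {"schemas": [PATCH_SCHEMA], "Operations": ops}


def apply_member_patch(group, patch):
    """Server side: return a copy of `group` with the membership operations applied."""
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    members = list(group.get("members", []))
    for op in patch["Operations"]:
        verb, path = op["op"].lower(), op.get("path", "")
        match = REMOVE_PATH.match(path)
        if verb == "add" and path == "members":
            known = {m["value"] for m in members}
            members += [m for m in op["value"] if m["value"] not in known]
        elif verb == "remove" and match:
            members = [m for m in members if m["value"] != match.group(1)]
        else:
            raise ValueError(f"unsupported operation: {verb} {path}")
    return {**group, "members": members}


def groups_by_user(groups):
    """Invert group resources into {user id: [group ids]}."""
    index = {}
    for group in groups:
        for member in group.get("members", []):
            index.setdefault(member["value"], []).append(group["id"])
    return index
```
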
After implementing the above steps, the logs generated become much more detailed and show the logging level as Debug, but the HTTP requests generated by the SCIM 2.0 connector are simply not there. These are vital for us to troubleshoot issues and integrate faster with other systems, so that we can meet timelines in a fast-paced environment.
Below are the current configurations done to grab HTTP requests:
Enabled Development Mode on SCIM2 Connector
Updated log4j2.properties with below changes:
**Enabled Debug Mode** on ***openconnector.connector.scim2*** Connector
**Enabled Debug mode on openconnector.connector.scim2.SCIM2Connector**
Please can someone clarify a few queries below regarding pagination on IdentityNow
SCIM 2.0 Connector's Additional Settings Page:
Suppose "Account Size" is specified to be 50. Does that mean that only max. 50 accounts will be accepted by IdentityNow during aggregation even if the number of accounts returned by the downstream SCIM application is more than 50?
Alternatively, for a single aggregation request, does the downstream SCIM application need to break the aggregation result set into multiple batches, where each batch size must match the Account Size?
During user aggregation with pagination, does the Identity Now SCIM 2.0 connector expect the totalResults value returned (for each page) to be always equal to the total users matching the search query, OR will it be a reducing number indicating the remaining results of the search query?
e.g. If "Account Size" is specified to be 50, and total number of search query results are 1000, then for the first page, the totalResults will be set to 1000, and for second page, it will be 950 and then 900, 850 … for the subsequent pages, OR it will always be 1000?
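How RFC 7644 section 3.4.2.4 defines paging for a SCIM list response, as an added example that is not part of the thread: `totalResults` is the total number of results matching the query and stays the same on every page, while `startIndex` and `itemsPerPage` describe the page. Treating the "Account Size" setting as the `count` query parameter is an assumption, and the function names are hypothetical; this shows the specification's behaviour, not a confirmed description of the IdentityNow connector.

```python
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def list_users(store, start_index=1, count=50, max_count=200):
    """Server side: build one page of GET /Users?startIndex=..&count=.. results."""
    start_index = max(1, int(start_index))      # RFC 7644: a value below 1 means 1
    count = max(0, min(int(count), max_count))  # negative means 0; cap bounds response size
    page = store[start_index - 1:start_index - 1 + count]
    return {
        "schemas": [LIST_SCHEMA],
        "totalResults": len(store),   # all matches, not the remaining ones
        "startIndex": start_index,    # 1-based index of the first resource on this page
        "itemsPerPage": len(page),    # may be smaller than the requested count
        "Resources": page,
    }


def aggregate(fetch_page, page_size=50):
    """Client side: walk every page; return (resources, totalResults seen per page)."""
    resources, totals, start = [], [], 1
    while True:
        resp = fetch_page(start, page_size)
        totals.append(resp["totalResults"])
        resources.extend(resp["Resources"])
        # Advance by what the server actually returned, not by what was requested.
        start += resp["itemsPerPage"]
        # Stop on an empty page as well, so a misbehaving server cannot loop us forever.
        if resp["itemsPerPage"] == 0 or start > resp["totalResults"]:
            return resources, totals


if __name__ == "__main__":
    # Constructed sample data: 1000 users, paged 50 at a time.
    users = [{"id": f"user-{n}", "userName": f"user{n}"} for n in range(1, 1001)]
    got, seen = aggregate(lambda s, c: list_users(users, s, c), page_size=50)
    print(len(got), len(seen), set(seen))
```
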
Add entitlement: When I tried adding an entitlement for a user, PUT /users is getting called but the required group is not being sent as part of the PUT request.
ex: I am trying to add group_1 for an account abc, and abc is already part of group_2 and group_3. Below is how the put request looks like
```json
"members": [
  {
    "value": "group_2"
  },
  {
    "value": "group_3"
  }
],
```
I don't see group_1 coming as part of the request.
Can someone help with why it is happening like this? What would be wrong?
Remove Entitlement: When I tried removing an entitlement for a user, instead of PUT /Users getting called it is calling PUT /Groups. I already updated to use GroupsViaUsers as true, not sure why it is calling PUT /Groups instead of PUT /Users. Any thoughts or suggestions on this?