SCIM 2.0 Connector Account and Entitlement Aggregation Issue

sai_krishna_L · January 17, 2024, 7:42am

Hello Everyone,

I had started SCIM 2.0 Connector Integration, below are the steps I have performed on it:

Connection settings : Host URL , Basic Authentication has been provided.
Non-Complaint is enabled.
By default all the Schema Attribute has been populated after enabling the non-complaint settings.
In Aggregation settings the Account and group page size has been increased to 200.
**
Test connection is working fine.
**
In Account Schema section the schema has been discovered.
After performing the Account aggregation the status is “Success” with zero Accounts scanned.
Tested the “GetUsers” Endpoint in Postman I got the response of 87 accounts.

If anyone has come across this similar issue, please respond on this post.
Thanks in Advance.

Arshad · January 17, 2024, 8:23am

Can you mask the client values and share the full application JSON here?
Just to give it a look if something’s wrong in there.

sai_krishna_L · January 17, 2024, 8:40am

Hi @Arshad,

Here you go with the Source JSON:

{
    "description": "Vermilion Client Reporting_Services",
    "owner": {
        "type": "IDENTITY",
        "id": "masked",
        "name": "SaiKrishna L"
    },
    "cluster": {
        "type": "CLUSTER",
        "id": "masked",
        "name": "VA-dev"
    },
    "accountCorrelationConfig": {
        "type": "ACCOUNT_CORRELATION_CONFIG",
        "id": "masked",
        "name": "Vermilion Client Reporting_Services [source] Account Correlation"
    },
    "accountCorrelationRule": null,
    "managerCorrelationMapping": null,
    "managerCorrelationRule": null,
    "beforeProvisioningRule": null,
    "schemas": [
        {
            "type": "CONNECTOR_SCHEMA",
            "id": "masked",
            "name": "account"
        },
        {
            "type": "CONNECTOR_SCHEMA",
            "id": "masked",
            "name": "entitlements"
        },
        {
            "type": "CONNECTOR_SCHEMA",
            "id": "masked",
            "name": "roles"
        },
        {
            "type": "CONNECTOR_SCHEMA",
            "id": "masked",
            "name": "group"
        }
    ],
    "passwordPolicies": null,
    "features": [
        "ENABLE",
        "PASSWORD",
        "PROVISIONING",
        "SYNC_PROVISIONING",
        "DISCOVER_SCHEMA"
    ],
    "type": "SCIM 2.0",
    "connector": "scim20-angularsc",
    "connectorClass": "sailpoint.connector.OpenConnectorAdapter",
    "connectorAttributes": {
        "load-by-sysclassloader": [
            "json.jar"
        ],
        "ServerTimeZone": null,
        "deltaAggregationEnabled": false,
        "iss": null,
        "pageSize": "100",
        "connectionType": "direct",
        "client_id": null,
        "dateEvalFormat": null,
        "password": "masked",
        "host": "https://vrscrperf.uk.fid-intl.com:8443/VRSAPI/scim/v2",
        "cloudExternalId": "61709",
        "client_secret": null,
        "oauthBearerToken": null,
        "sourceConnected": true,
        "groupFilter": "displayName sw \"Admin\"",
        "skipGrpUpdate": false,
        "private_key": null,
        "oauth2username": null,
        "formPath": null,
        "aud": null,
        "refresh_token": null,
        "cloudCacheUpdate": 1705479945230,
        "relaxConfiguration": true,
        "connectorName": "SCIM 2.0",
        "userFilter": null,
        "explicitAttributesRequest": false,
        "since": "2024-01-17T08:19:59.172336Z",
        "status": "SOURCE_STATE_HEALTHY",
        "supportsDeltaAgg": "true",
        "lastAggregationDate_group": "2024-01-17T07:08:11Z",
        "sub": null,
        "usePatch": false,
        "oauth2password": null,
        "oAuthJwtHeader": null,
        "connectorClass": "openconnector.connector.scim2.SCIM2Connector",
        "grant_type": null,
        "hasFullAggregationCompleted": true,
        "deltaAggregation": null,
        "authType": "Basic",
        "groupPageSize": "100",
        "token_url": null,
        "customTimeout": "1",
        "lastAggregationDate_account": "2024-01-17T08:25:43Z",
        "deleteThresholdPercentage": 10,
        "schemaPropertyMappings": null,
        "jsonPathMapping": {
            "entitlements": "entitlements[*].value",
            "addresses.home.secondary.formatted": "addresses[*][?(@.primary==false)][?(@.type=='home')].formatted",
            "domainCode": "Resources[*].domainCode",
            "phoneNumbers.pager.secondary.value": "phoneNumbers[*][?(@.primary==false)][?(@.type=='pager')].value",
            "phoneNumbers.other.primary.value": "phoneNumbers[*][?(@.type=='other')].value",
            "addresses.other.secondary.country": "addresses[*][?(@.primary==false)][?(@.type=='other')].country",
            "emails.other.secondary.value": "emails[*][?(@.primary==false)][?(@.type=='other')].value",
            "employeeNumber": "['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].employeeNumber",
            "division": "['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].division",
            "phoneNumbers.home.secondary.value": "phoneNumbers[*][?(@.primary==false)][?(@.type=='home')].value",
            "addresses.home.secondary.postalCode": "addresses[*][?(@.primary==false)][?(@.type=='home')].postalCode",
            "addresses.work.secondary.region": "addresses[*][?(@.primary==false)][?(@.type=='work')].region",
            "phoneNumbers.work.secondary.value": "phoneNumbers[*][?(@.primary==false)][?(@.type=='work')].value",
            "addresses.other.secondary.locality": "addresses[*][?(@.primary==false)][?(@.type=='other')].locality",
            "members": "Resources[*].members[*].value",
            "name.givenName": "name.givenName",
            "tenancies": "Resources[*].tenancies[*].value",
            "id": "Resources[*].id",
            "addresses.work.secondary.streetAddress": "addresses[*][?(@.primary==false)][?(@.type=='work')].streetAddress",
            "isAdministrator": "Resources[*].isAdministrator",
            "addresses.work.primary.postalCode": "addresses[*][?(@.primary==true)][?(@.type=='work')].postalCode",
            "addresses.home.primary.streetAddress": "addresses[*][?(@.primary==false)][?(@.type=='home')].streetAddress",
            "addresses.other.primary.postalCode": "addresses[*][?(@.primary==true)][?(@.type=='other')].postalCode",
            "addresses.home.secondary.country": "addresses[*][?(@.primary==false)][?(@.type=='home')].country",
            "phoneNumbers.work.primary.value": "phoneNumbers[*][?(@.type=='work')].value",
            "addresses.work.secondary.locality": "addresses[*][?(@.primary==false)][?(@.type=='work')].locality",
            "costCenter": "['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].costCenter",
            "nickName": "nickName",
            "active": "Resources[*].active",
            "emails.other.primary.value": "emails[*][?(@.primary==true)][?(@.type=='other')].value",
            "name.familyName": "name.familyName",
            "addresses.other.secondary.postalCode": "addresses[*][?(@.primary==false)][?(@.type=='other')].postalCode",
            "manager.value": "['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].manager.value",
            "addresses.home.primary.region": "addresses[*][?(@.primary==true)][?(@.type=='home')].region",
            "addresses.other.secondary.streetAddress": "addresses[*][?(@.primary==false)][?(@.type=='other')].streetAddress",
            "addresses.work.primary.streetAddress": "addresses[*][?(@.primary==true)][?(@.type=='work')].streetAddress",
            "userType": "Resources[*].userType",
            "emails.work.primary.value": "emails[*][?(@.primary==true)][?(@.type=='work')].value",
            "addresses.other.primary.streetAddress": "addresses[*][?(@.primary==true)][?(@.type=='other')].streetAddress",
            "profileUrl": "profileUrl",
            "phoneNumbers.pager.primary.value": "phoneNumbers[*][?(@.type=='pager')].value",
            "preferredLanguage": "preferredLanguage",
            "addresses.home.secondary.region": "addresses[*][?(@.primary==false)][?(@.type=='home')].region",
            "roleDisplayName": "Resources[*].displayName",
            "displayName": "displayName",
            "roles": "roles[*].value",
            "addresses.work.primary.country": "addresses[*][?(@.primary==true)][?(@.type=='work')].country",
            "locale": "locale",
            "title": "title",
            "emails.home.secondary.value": "emails[*][?(@.primary==false)][?(@.type=='home')].value",
            "addresses.work.primary.locality": "addresses[*][?(@.primary==true)][?(@.type=='work')].locality",
            "emails": "Resources[*].emails[*].value",
            "addresses.other.primary.locality": "addresses[*][?(@.primary==true)][?(@.type=='other')].locality",
            "addresses.work.secondary.postalCode": "addresses[*][?(@.primary==false)][?(@.type=='work')].postalCode",
            "phoneNumbers.other.secondary.value": "phoneNumbers[*][?(@.primary==false)][?(@.type=='other')].value",
            "addresses.other.secondary.formatted": "addresses[*][?(@.primary==false)][?(@.type=='other')].formatted",
            "addresses.other.primary.country": "addresses[*][?(@.primary==true)][?(@.type=='other')].country",
            "name.honorificPrefix": "name.honorificPrefix",
            "name.honorificSuffix": "name.honorificSuffix",
            "addresses.home.primary.postalCode": "addresses[*][?(@.primary==true)][?(@.type=='home')].postalCode",
            "department": "['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].department",
            "phoneNumbers.home.primary.value": "phoneNumbers[*][?(@.type=='home')].value",
            "addresses.work.primary.formatted": "addresses[*][?(@.primary==true)][?(@.type=='work')].formatted",
            "addresses.work.primary.region": "addresses[*][?(@.primary==true)][?(@.type=='work')].region",
            "addresses.home.primary.country": "addresses[*][?(@.primary==true)][?(@.type=='home')].country",
            "name.formatted": "Resources[*].name.formatted",
            "members.value": "members[*].value",
            "externalId": "externalId",
            "groups": "groups[*].value",
            "addresses.home.primary.locality": "addresses[*][?(@.primary==true)][?(@.type=='home')].locality",
            "userName": "Resources[*].userName",
            "addresses.home.secondary.streetAddress": "addresses[*][?(@.primary==true)][?(@.type=='home')].streetAddress",
            "phoneNumbers.fax.secondary.value": "phoneNumbers[*][?(@.primary==false)][?(@.type=='fax')].value",
            "addresses.home.primary.formatted": "addresses[*][?(@.primary==true)][?(@.type=='home')].formatted",
            "emails.work.secondary.value": "emails[*][?(@.primary==false)][?(@.type=='work')].value",
            "phoneNumbers.mobile.primary.value": "phoneNumbers[*][?(@.type=='mobile')].value",
            "addresses.work.secondary.country": "addresses[*][?(@.primary==false)][?(@.type=='work')].country",
            "emails.home.primary.value": "emails[*][?(@.primary==true)][?(@.type=='home')].value",
            "phoneNumbers.fax.primary.value": "phoneNumbers[*][?(@.type=='fax')].value",
            "organization": "['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].organization",
            "addresses.other.primary.formatted": "addresses[*][?(@.primary==true)][?(@.type=='other')].formatted",
            "addresses.work.secondary.formatted": "addresses[*][?(@.primary==false)][?(@.type=='work')].formatted",
            "addresses.home.secondary.locality": "addresses[*][?(@.primary==false)][?(@.type=='home')].locality",
            "addresses.other.primary.region": "addresses[*][?(@.primary==true)][?(@.type=='other')].region",
            "phoneNumbers.mobile.secondary.value": "phoneNumbers[*][?(@.primary==false)][?(@.type=='mobile')].value",
            "addresses.other.secondary.region": "addresses[*][?(@.primary==false)][?(@.type=='other')].region"
        },
        "readOnlyAttrs": null,
        "templateApplication": "SCIM 2.0",
        "encrypted": "refresh_token,oauthTokenInfo,client_secret,oauthBearerToken,additional_payload,private_key, private_key_password,oauth2password",
        "healthy": true,
        "additional_payload": null,
        "private_key_password": null,
        "cloudDisplayName": "Vermilion Client Reporting_Services",
        "user": "SCIM_User",
        "beforeProvisioningRule": null
    },
    "deleteThreshold": 10,
    "authoritative": false,
    "healthy": true,
    "status": "SOURCE_STATE_HEALTHY",
    "since": "2024-01-17T08:19:59.172336Z",
    "connectorId": "scim20-angularsc",
    "connectorName": "SCIM 2.0",
    "connectionType": "direct",
    "connectorImplementationId": "scim20-angularsc",
    "managementWorkgroup": null,
    "id": "masked",
    "name": "Vermilion Client Reporting_Services",
    "created": "2024-01-15T10:33:38.566Z",
    "modified": "2024-01-17T08:25:45.345Z"
}

Arshad · January 17, 2024, 9:12am

At a quick glance, I see that the “jsonPathMapping” has so many complex filters on each schema attribute.

Ideally in postman you would just make an API call to the endpoint and you’ll be able to fetch the entire json response. However in IDN, the request goes to the endpoint but the aggregation of accounts to IDN would completely depend on the json path mapping defined.

I would suggest you to unit test each json path mapping defined on your application schema attributes using a json path evaluator tool and see if you’re able to fetch each attribute correctly and see how it goes.

sai_krishna_L · January 17, 2024, 9:36am

I had performed the unit testing as well on the endpoints and compared with “jsonPathMapping”
it looks fine for me.
But not sure even in CCG logs I can see this message “Retryable error list null”.

sai_krishna_L · January 17, 2024, 11:47am

Hi Everyone,

Does anybody have the inputs on how to fix the above issue.

Thank you for the help in advance.

sai_krishna_L · January 18, 2024, 4:39am

Hi @yannick_beot,

Can you please have a look at the Aggregation issue for the above problem statement.

Kind Regards,
Sai Krishna L

sai_krishna_L · January 19, 2024, 5:54am

Hello Everyone,

If anyone came across the same issue with SCIM 2.0 Account and entitlement aggregation, please let me know if any leads are available.

Kind Regards,
Sai Krishna L

nandiniks · January 19, 2024, 7:09am

We had similar issue while using SCIM 2.0 and we ended up using the webservices finally.
May be you can try once with webservice connector.

LangL · February 1, 2024, 3:12am

We got the same issue when using the connector of CyberArk Privilege Cloud: CyberArk Privilege Cloud Shared Services. Hope to get solution from SailPoint soon.

system · April 1, 2024, 3:13am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
SCIM 2.0 - SaaS Conector ISC Discussion and Questions aggregation	1	636	July 19, 2023
SCIM 2.0 entitlement aggregation issue ISC Discussion and Questions identity-security-cloud	6	123	September 7, 2024
IdentityNow SCIM connector create account query ISC Discussion and Questions scim-connector , identity-security-cloud	10	128	January 29, 2025
Unable to pull Schema Preview for an application using SCIM2.0 connector IIQ Discussion and Questions rules , identityiq	9	437	January 9, 2024
IDN and cyberark integration ISC Discussion and Questions	1	1420	July 19, 2023

SCIM 2.0 Connector Account and Entitlement Aggregation Issue

Related topics