SCIM 2.0 Connector Provisioning Account Issue

I have created the provisioning policy for Create Account in the SCIM 2.0 connector. After submitting a request, I found in the account activity that it partially succeeded, with the following error message.

**Error:** openconnector.InvalidRequestException: [ InvalidRequestException ]
[ Possible suggestions ] Please check if provided payload has valid attributes
[ Error details ] Error while performing operation : Create Account Error code : 400 {"detail":"Required 'IMMUTABLE' attribute 'urn:scim:schemas:extension:FactSet:VRS:1.0:User:domainCode' must be set on object creation","schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":400,"errors":{"fieldErrors":{"domainCode":["Required 'IMMUTABLE' attribute 'urn:scim:schemas:extension:FactSet:VRS:1.0:User:domainCode' must be set on object creation"]}}}

Status :
Incomplete: Only some account activity was successful

Please let me know if anyone came across this issue.

Kind regards,
Sai Krishna L

It looks like the IMMUTABLE or domainCode attribute is required, so you have to include it in the provisioning policy for the create operation.

Thanks @kjakubiak,

I have added the domainCode, and I am getting the error below.

Error: openconnector.InvalidRequestException: [ InvalidRequestException ] [ Possible suggestions ] Please check if provided payload has valid attributes [ Error details ] Error while performing operation : Add Entitlement Error code : 400 {"detail":"Unable to update role, provided user id 116 is not in the tenant","schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":400}

Kind Regards,
Sai Krishna L

That error actually explains what the problem is: "Unable to update role, provided user id 116 is not in the tenant".

When I was checking this provisioning request, it was approved, but the role is not mapped to the user.
In the API endpoint for /Groups I could see the user id value, but I am not sure whether some configuration needs to be changed. Any suggestions would be helpful.

Kind Regards,
Sai Krishna L

@sai_krishna_L - Can you tell me more about the target system you are integrating here? Also, any SCIM API reference for that target system would be helpful to further troubleshoot the issue.

Hi @officialamitguptaa,

The target system is Vermilion, which is SCIM 2.0 compliant. I am able to get responses from the APIs below:

https://TargetHostname/scim/v2/Users → Fetch all users
https://TargetHostname/scim/v2/Users → create users using post method
https://TargetHostname/scim/v2/Groups → Fetch all the Groups
https://TargetHostname/scim/v2/Groups → create the groups using Post method.

The above endpoints were tested via Postman and are working as expected. All the endpoints are not public to use.

I completed the account and entitlement aggregation with success status, but after creating the provisioning policy with the required attributes for creating an account in the target system, I could see the error below in the failed Add Entitlement event.

[“openconnector.ObjectNotFoundException: {"detail":"Unable to get resource, provided user id 142 is not in the tenant","schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":404}”]

I have added the tenant in the JSON path and the account schema too.
Hope this helps.

Kind Regards,
Sai Krishna L

@sai_krishna_L - If my guess is correct, you are trying to integrate FactSet with SailPoint. In that case, per the FactSet SCIM API documentation, below are the mandatory details you need to pass when you create a user.

You get the first error:
**Error:** openconnector.InvalidRequestException: [ InvalidRequestException ]
[ Possible suggestions ] Please check if provided payload has valid attributes
[ Error details ] Error while performing operation : Create Account Error code : 400 {"detail":"Required 'IMMUTABLE' attribute 'urn:scim:schemas:extension:FactSet:VRS:1.0:User:domainCode' must be set on object creation","schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":400,"errors":{"fieldErrors":{"domainCode":["Required 'IMMUTABLE' attribute 'urn:scim:schemas:extension:FactSet:VRS:1.0:User:domainCode' must be set on object creation"]}}}

The reason is that you didn't pass the domainCode attribute while creating the user account. Since this is a mandatory attribute for VRS users, you hit the above error.

The second error might be related to the first one, as I can see that tenancies is also a mandatory attribute for creating a VRS user. Check if you are creating the user with all the mandatory attributes.

For more information, refer to the SCIM docs attached.
VRS_API_Developers_Manual_and_Reference_2022_02_SCIM.pdf (561.7 KB)
Procure-To-Pay-SCIM.pdf (794.3 KB)

Mark it as solved, if it helps.
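
An added example, not part of any post in this thread: a Python sketch that pulls the operation, status and rejected attributes out of connector error strings like the ones quoted above and compares them with the fields a CREATE policy supplies. The function names, the top-level name matching and the shortened sample inputs are assumptions made for illustration.

```python
import json
import re

SCIM_ERROR_URN = "urn:ietf:params:scim:api:messages:2.0:Error"
OP_RE = re.compile(r"operation : (.+?) Error code : (\d+)")

def parse_connector_error(message):
    """Return operation, status, detail and rejected fields from a connector message."""
    start = message.find("{")
    if start == -1:
        raise ValueError("no JSON body in message")
    # raw_decode tolerates trailing text after the JSON object.
    body, _ = json.JSONDecoder().raw_decode(message, start)
    if SCIM_ERROR_URN not in body.get("schemas", []):
        raise ValueError("body is not a SCIM 2.0 error response")
    op = OP_RE.search(message[:start])
    return {
        "operation": op.group(1) if op else None,
        "status": int(body["status"]),  # sent as a number here; int() also accepts "400"
        "detail": body.get("detail", ""),
        # errors.fieldErrors is what this target returns in the thread, not core SCIM.
        "fields": sorted(body.get("errors", {}).get("fieldErrors", {})),
    }

def missing_from_policy(policy, error):
    """Rejected attributes that no policy field supplies (top-level name match)."""
    supplied = {f["name"].split(".")[0] for f in policy["fields"]}
    return [name for name in error["fields"] if name not in supplied]

# Constructed inputs: the thread's first two error messages with straight quotes
# (prefix and fieldErrors text shortened), and a CREATE policy reduced to field
# names, without domainCode, as an assumed "before" state.
CREATE_ERROR = (
    "openconnector.InvalidRequestException: [ Error details ] Error while performing "
    "operation : Create Account Error code : 400 "
    '{"detail":"Required \'IMMUTABLE\' attribute '
    "'urn:scim:schemas:extension:FactSet:VRS:1.0:User:domainCode' must be set on object "
    'creation","schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":400,'
    '"errors":{"fieldErrors":{"domainCode":["must be set on object creation"]}}}'
)
ENTITLEMENT_ERROR = (
    "openconnector.InvalidRequestException: [ Error details ] Error while performing "
    "operation : Add Entitlement Error code : 400 "
    '{"detail":"Unable to update role, provided user id 116 is not in the tenant",'
    '"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":400}'
)
POLICY = {"usageType": "CREATE", "fields": [
    {"name": n} for n in ("userName", "emails.work.primary.value", "name.formatted", "tenant")]}
```

An empty result from `missing_from_policy` together with a "not in the tenant" detail means the payload shape was accepted and the value itself (here the tenant) is what the target rejected.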

Hi @officialamitguptaa,

You're right, but we use a different hostname for the lower environment.

For your reference, the create policy attributes are listed below:

[
    {
        "name": "Vermilion Client Reporting_Services",
        "description": "SCIM 2.0 NEW CREATE Policy",
        "usageType": "CREATE",
        "fields": [
            {
                "name": "userName",
                "transform": {
                    "type": "identityAttribute",
                    "attributes": {
                        "name": "uid"
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "emails.work.primary.value",
                "transform": {
                    "type": "identityAttribute",
                    "attributes": {
                        "name": "email"
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "name.formatted",
                "transform": {
                    "type": "identityAttribute",
                    "attributes": {
                        "name": "displayName"
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "tenant",
                "transform": {
                    "type": "static",
                    "attributes": {
                        "value": "MASTER"
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "domainCode",
                "transform": {
                    "type": "static",
                    "attributes": {
                        "value": "hidden value"
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            },
            {
                "name": "schemas",
                "transform": {
                    "type": "static",
                    "attributes": {
                        "value": "urn:scim:schemas:extension:FactSet:VRS:1.0:User"
                    }
                },
                "attributes": {},
                "isRequired": false,
                "type": "string",
                "isMultiValued": false
            }
        ]
    }
]

Kind regards,
Sai Krishna L

@sai_krishna_L -
I can see that isAdministrator is a mandatory attribute, but you are not passing it in the provisioning policy.

You can refer to the JSON sample below:

{
    "schemas":
    [
        "urn:scim:schemas:extension:FactSet:VRS:1.0:User"
    ],
    "id": "641",
    "userName": "SCIM_TEST",
    "name":
    {
        "formatted": "New User"
    },
    "userType": "0",
    "active": true,
    "authenticatedUserName": "",
    "tenant": "MASTER",
    "emails":
    [
        {
            "value": "[email protected]",
            "type": "work",
            "primary": true
        }
    ],
    "phoneNumbers":
    [
        {
            "value": "123",
            "type": "work",
            "primary": true
        }
    ],
    "photos":
    [
        {
            "value": "https://api.factset.com/profilepicpath"
        }
    ],
    "domainCode": "API-FactSet",
    "isAdministrator": false,
    "meta":
    {
        "resourceType": "VRSUser",
        "created": "2022-01-25T11:41:28.047Z",
        "lastModified": "2022-01-25T11:41:28.047Z",
        "location": "https://api.factset.com/scim/v2/Users/641"
    }
}

Below are the mandatory attributes -

  • schemas
  • name
  • email
  • username
  • location
  • domainCode
  • tenancies
  • isAdministrator

Hope this helps.


Thanks for the response, @officialamitguptaa.
Now I am able to create the account with a change in the tenant information. Earlier I was using Master; later I got to know it's a different tenant.


Perfect! Please mark it as solved.
