SCIM API - GET ID - Success But No Targeted Attribute Shows

Hi all,

SCIM API GET ID Request:
https://10.22.61.87/identityiq/scim/v2/Users/0a163d5778ff19e28179ac5f719c54e2?attributes=employeeStatus,urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager,urn:ietf:params:scim:schemas:sailpoint:1.0:User:entitlements,urn:ietf:params:scim:schemas:sailpoint:1.0:User:roles

Success, but still no employeeStatus attribute/value shows. How can I fetch the employeeStatus value by firing the SCIM API?

Hi @dausfadzlon - are you receiving the other attributes (manager, entitlements, roles) ?

‘employeeType’ is not a standard schema attribute for the base SCIM 2.0 user, the enterprise user extension, or the SailPoint extension.

I have no idea if this will work, but worth a quick shot…

1. In debug mode - select object type 'Configuration'
2. Select the 'SCIMConfiguration' object
3. Find the 'SchemaPropertyMapping' XML entry: <SchemaPropertyMapping urn="urn:ietf:params:scim:schemas:sailpoint:1.0:User">
4. Paste <AttributePropertyMapping name="employeeStatus" property="employeeStatus" queryClass="sailpoint.service.scim.GenericFilterModifier" setter="sailpoint.service.scim.UserPropertySetter"/> as a subobject under the XML entry from step 3
5. Save the object

Now try your query again - if necessary add the query params "?attributes=urn:ietf:params:scim:schemas:sailpoint:1.0:User:employeeStatus"

Does this work?


Hi Adam,

It works by adding the necessary attribute in the query, but unfortunately I need to fetch the user application status (disable/locked). For my case, the applications are CBS and CAMS.

Attached is a screenshot of the key value for the user status application (key = “IIQLocked”). This is the status value I want to fetch using a SCIM API query.

Ah I see - so if you search for a specific user with the SCIM API - you should get back simple account level details:

http://{{identityiqHost}}/{{identityiqAppName}}/scim/v2/Users?filter=userName eq "Adam.Kennedy"
OR
http://{{identityiqHost}}/{{identityiqAppName}}/scim/v2/Users/8a8080824df45873014df45bd97400c9 (final string should be the ID value of the user)

But if you look at the response, it only contains the application and a link to another SCIM endpoint to pull the account details:

{
    "urn:ietf:params:scim:schemas:sailpoint:1.0:User": {
        "capabilities": [],
        "lastRefresh": "2021-09-23T15:39:52.850-05:00",
        "jobTitle": "Payroll Analyst II",
        "employeeId": "1b2c3a4e",
        "administrator": {},
        "employeeType": "Employee",
        "phone": "5124152339",
        "isManager": false,
        "location": "London",
        "accounts": [
            {
                "displayName": "[email protected]",
                "value": "0a0000017ba71589817c1372448c7e1a",
                "$ref": "http://<iiq_url>/identityiq/scim/v2/Accounts/0a0000017ba71589817c1372448c7e1a"
            },
            {
                "displayName": "Adam.Kennedy",
                "value": "8a8080824df45873014df45c164601d8",
                "$ref": "http://<iiq_url>/identityiq/scim/v2/Accounts/8a8080824df45873014df45c164601d8"
            },
            {
                "displayName": "AKENNE",
                "value": "8a8080824df45873014df45d012705ae",
                "$ref": "http://<iiq_url>/identityiq/scim/v2/Accounts/8a8080824df45873014df45d012705ae"
            },
            {
                "displayName": "Adam.Kennedy",
                "value": "8a8080824df45873014df45da06308b0",
                "$ref": "http://<iiq_url>/identityiq/scim/v2/Accounts/8a8080824df45873014df45da06308b0"
            }
        ],
        "riskScore": 100,
        "department": "Accounting",
        "region": "GB"
    },
    "emails": [
        {
            "type": "work",
            "value": "[email protected]",
            "primary": true
        }
    ],
    "displayName": "Adam Kennedy",
    "meta": {
        "created": "2015-06-14T18:16:09.717-05:00",
        "location": "http://<iiq_url>/identityiq/scim/v2/Users/8a8080824df45873014df45bd97400c9",
        "lastModified": "2021-09-28T17:01:56.678-05:00",
        "version": "W/\"1632866516678\"",
        "resourceType": "User"
    },
    "schemas": [
        "urn:ietf:params:scim:schemas:sailpoint:1.0:User",
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
    ],
    "name": {
        "formatted": "Adam Kennedy",
        "familyName": "Kennedy",
        "givenName": "Adam"
    },
    "active": true,
    "id": "8a8080824df45873014df45bd97400c9",
    "userName": "Adam.Kennedy",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
        "manager": {
            "displayName": "Douglas Flores",
            "value": "8a8080824df45873014df45bcfab008d",
            "$ref": "http://<iiq_url>/identityiq/scim/v2/Users/8a8080824df45873014df45bcfab008d"
        }
    }
}

So if you were interested in the attributes on one of Adam.Kennedy’s accounts, you’d then need to make another GET call to

"http://<iiq_url>/identityiq/scim/v2/Accounts/0a0000017ba71589817c1372448c7e1a"

which will return account-specific attributes:

{
    "lastRefresh": "2021-09-28T17:02:05.132-05:00",
    "displayName": "Adam.Kennedy",
    "active": true,
    "manuallyCorrelated": false,
    "urn:ietf:params:scim:schemas:sailpoint:1.0:Application:Schema:Active Directory:account": {
        "msNPCallingStationID": [],
        "mail": "[email protected]",
        "manager": "CN=Douglas Flores,OU=London,OU=Europe,OU=Demo,DC=seri,DC=sailpointdemo,DC=com",
        "sAMAccountName": "Adam.Kennedy",
        "msNPAllowDialin": "Not Set",
        "displayName": "Adam Kennedy",
        "givenName": "Adam",
        "objectClass": [
            "top",
            "person",
            "organizationalPerson",
            "user"
        ],
        "distinguishedName": "CN=Adam Kennedy,OU=London,OU=Europe,OU=Demo,DC=seri,DC=sailpointdemo,DC=com",
        "employeeID": "1b2c3a4e",
        "cn": "Adam Kennedy",
        "facsimileTelephoneNumber": [],
        "carLicense": [],
        "accountFlags": [
            "Normal User Account"
        ],
        "objectguid": "{cef43cca-efc9-45ff-b5f2-989cbe1eef09}",
        "primaryGroupID": "513",
        "objectSid": "S-1-5-21-2981491572-779881612-3979282638-3249",
        "memberOf": [
            "CN=InvntryAnalysis,OU=Groups,OU=Demo,DC=seri,DC=sailpointdemo,DC=com",
            "CN=All_Users,OU=Groups,OU=Demo,DC=seri,DC=sailpointdemo,DC=com"
        ],
        "sn": "Kennedy",
        "department": "Accounting",
        "msDS-PrincipalName": "SERI\\Adam.Kennedy",
        "userAccountControl": "512",
        "userPrincipalName": "[email protected]",
        "msRADIUSFramedRoute": []
    },
    "uuid": "{cef43cca-efc9-45ff-b5f2-989cbe1eef09}",
    "nativeIdentity": "CN=Adam Kennedy,OU=London,OU=Europe,OU=Demo,DC=seri,DC=sailpointdemo,DC=com",
    "privileged": false,
    "inactive": false,
    "application": {
        "displayName": "Active Directory",
        "value": "8a8080824df44d48014df45440d502cf",
        "$ref": "http://<iiq_url>/identityiq/scim/v2/Applications/8a8080824df44d48014df45440d502cf"
    },
    "identity": {
        "displayName": "Adam Kennedy",
        "userName": "Adam.Kennedy",
        "value": "8a8080824df45873014df45bd97400c9",
        "$ref": "http://<iiq_url>/identityiq/scim/v2/Users/8a8080824df45873014df45bd97400c9"
    },
    "service": false,
    "meta": {
        "created": "2015-06-14T18:16:25.286-05:00",
        "location": "http://<iiq_url>/identityiq/scim/v2/Accounts/8a8080824df45873014df45c164601d8",
        "lastModified": "2021-09-28T17:02:05.132-05:00",
        "version": "W/\"1632866525132\"",
        "resourceType": "Account"
    },
    "schemas": [
        "urn:ietf:params:scim:schemas:sailpoint:1.0:Account",
        "urn:ietf:params:scim:schemas:sailpoint:1.0:Application:Schema:Active Directory:account"
    ],
    "hasEntitlements": true,
    "id": "8a8080824df45873014df45c164601d8",
    "locked": false
}

I’ll keep looking to see if there is a simpler way, but this might help you make progress.

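The two-step lookup described in the reply above (User, then each linked Account), as an added example that is not part of the original thread or SailPoint's code. It rebuilds each account path from the link's `value` id instead of following `$ref`, so the Authorization header only ever goes to the base URL the caller configured. The names `http_fetch`, `account_status` and `SAMPLE` are hypothetical, and the caller is assumed to supply the base URL and a ready-made Authorization header.

```python
import json
import re
from urllib.request import Request, urlopen

SP_USER = "urn:ietf:params:scim:schemas:sailpoint:1.0:User"
ID_RE = re.compile(r"[0-9a-f]{32}")  # shape of the ids shown in the thread

def http_fetch(base, auth_header):
    """Return fetch(path) bound to one configured SCIM base URL (assumed inputs)."""
    def fetch(path):
        req = Request(base.rstrip("/") + path, headers={
            "Authorization": auth_header, "Accept": "application/scim+json"})
        with urlopen(req, timeout=10) as resp:  # default TLS verification stays on
            return json.load(resp)
    return fetch

def account_status(user_id, fetch):
    """GET /Users/{id}, then GET /Accounts/{id} for each linked account."""
    if not ID_RE.fullmatch(user_id):
        raise ValueError("unexpected user id format")
    user = fetch(f"/Users/{user_id}")
    rows = []
    for link in user.get(SP_USER, {}).get("accounts", []):
        acct_id = link.get("value", "")
        if not ID_RE.fullmatch(acct_id):
            continue  # never interpolate a malformed id into a request path
        acct = fetch(f"/Accounts/{acct_id}")
        rows.append({
            "application": acct.get("application", {}).get("displayName"),
            "account": acct.get("displayName"),
            "locked": acct.get("locked"),
            "inactive": acct.get("inactive"),
        })
    return rows

# Constructed responses, trimmed to the fields used; shapes follow the thread's JSON.
SAMPLE = {
    "/Users/8a8080824df45873014df45bd97400c9": {SP_USER: {"accounts": [
        {"displayName": "Adam.Kennedy", "value": "8a8080824df45873014df45c164601d8"},
        {"displayName": "broken-link", "value": "not-an-id"}]}},
    "/Accounts/8a8080824df45873014df45c164601d8": {
        "displayName": "Adam.Kennedy", "locked": False, "inactive": False,
        "application": {"displayName": "Active Directory"}},
}

def demo():
    """Run the lookup offline against SAMPLE instead of a live server."""
    return account_status("8a8080824df45873014df45bd97400c9", SAMPLE.__getitem__)
```

Against a live server, pass `http_fetch(base, auth_header)` as the `fetch` argument in place of the sample lookup.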