SCIM exception during aggregation of Roles

Which IIQ version are you inquiring about?

8.3P3

Share all details about your problem, including any error messages you may have received.

Using SCIM2.0 connector. Defined a custom roles schema in /Schemas. Hitting Preview on Roles/ aggregation for roles is throwing an openconnector.ConnectorException: Resource doesn’t exist.

I do see SailPoint making a /Roles call to the SCIM server. The SCIM server is returning the following response:
{"totalResults":2,"itemsPerPage":100,"startIndex":1,"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],"Resources":[{"schemas":["urn:ietf:params:scim:schemas:custom:2.0:Role"],"value":"role-1","display":"First Role","enabled":true},{"schemas":["urn:ietf:params:scim:schemas:custom:2.0:Role"],"value":"role-2","display":"Second Role","enabled":true}]}

The /Schemas endpoint has the Roles defined as below

{
         "id": "urn:ietf:params:scim:schemas:custom:2.0:Role",
         "name": "Role",
         "description": "Schema for Roles.",
         "attributes":          [
                        {
               "uniqueness": "server",
               "name": "value",
               "description": "Role identifier.",
               "mutability": "readWrite",
               "type": "string",
               "multiValued": false,
               "caseExact": false,
               "returned": "default",
               "required": true
            },
                        {
               "uniqueness": "none",
               "name": "display",
               "description": "Role display Name.",
               "mutability": "readWrite",
               "type": "string",
               "multiValued": false,
               "caseExact": false,
               "returned": "default",
               "required": false
            },
                        {
               "uniqueness": "none",
               "name": "type",
               "description": "A label indicating the role's function.",
               "mutability": "readWrite",
               "type": "string",
               "multiValued": false,
               "caseExact": false,
               "returned": "default",
               "required": false
            },
                        {
               "uniqueness": "none",
               "name": "enabled",
               "description": "A boolean type that indicates if the role is enabled and usable.",
               "mutability": "readWrite",
               "type": "boolean",
               "multiValued": false,
               "returned": "default",
               "required": false
            }
         ],
         "meta":          {
            "location": "xyz",
            "resourceType": "Schema"
         },
         "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Schema"]
      }

SailPoint expects SCIM resource endpoints and schemas to conform to standard SCIM conventions, especially regarding:

  1. Schema URNs
  2. Endpoint registration
  3. Resource mappings

You’re using a custom schema:

"schemas": ["urn:ietf:params:scim:schemas:custom:2.0:Role"]

However, SailPoint may not recognize this as a valid object type unless:

  • It’s explicitly declared in the application XML
  • The endpoint /Roles is correctly mapped to a SailPoint object type (like Role)
  • The objectType and schema references are properly configured

Resolution Steps

1. Verify objectType is defined for Roles

In the application XML, ensure you have defined a custom objectType for Roles, like this:

<objectType>
  <entry key="Role">
    <value>
      <Map>
        <entry key="endpoint" value="/Roles"/>
        <entry key="nativeObjectType" value="urn:ietf:params:scim:schemas:custom:2.0:Role"/>
        <entry key="identityAttribute" value="value"/>
        <entry key="displayAttribute" value="display"/>
        <entry key="containerAttribute" value=""/>
        <entry key="includeInDiscovery" value="true"/>
      </Map>
    </value>
  </entry>
</objectType>

Make sure the following are correct:

  • endpoint matches the SCIM endpoint (/Roles)
  • nativeObjectType matches the schema URN returned by /Roles
  • identityAttribute and displayAttribute match attributes in your /Schemas definition (value and display)

2. Ensure the Schema Endpoint Returns Valid JSON

You shared this schema object:

{
  "id": "urn:ietf:params:scim:schemas:custom:2.0:Role",
  "name": "Role",
  "description": "Schema for Roles.",
  "attributes": [...]
}

That’s fine, but make sure your /Schemas endpoint returns this as part of the array and it’s reachable without auth or with proper headers (like Authorization or Bearer token).


3. Use Supported Attribute Names

SailPoint requires:

  • value (or id) as the unique identifier
  • A display or name field
  • Optionally enabled (can be used as an attribute for filtering)

You’re fine here:

{
  "value": "role-1",
  "display": "First Role",
  "enabled": true
}

If SailPoint throws issues with “value”, try aliasing value → id in the SCIM connector attribute mapping if needed.


4. Test with Postman/SCIM Tool

Verify:

  • /Roles returns 200 with SCIM response
  • /Schemas includes the exact urn:...Role schema
  • No trailing slash issues (like /Roles/ vs /Roles)
  • Response headers: Content-Type: application/scim+json or application/json

5. Restart/Reload Application in IIQ

After updating the object type in the app XML:

  • Reload the application definition
  • Run “Preview” under the Roles object type
  • If it still fails, check iiq.log or application debug logs for more specific SCIM errors
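
The checks listed in step 4 of the reply above can be scripted instead of being eyeballed in Postman. The following is an added example, not part of the original thread and not SailPoint code: it runs those checks over the /Roles body and the Role schema posted in the question (schema trimmed), and also reports a missing id, which RFC 7643 defines as a common attribute of every resource. The function name check_roles and the Content-Type value passed in are assumptions.

```python
LIST_URN = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ROLE_URN = "urn:ietf:params:scim:schemas:custom:2.0:Role"
PY_TYPES = {"string": str, "boolean": bool}  # only the types the Role schema uses

def check_roles(list_response, schema_defs, content_type):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    ctype = content_type.split(";")[0].strip().lower()
    if ctype not in ("application/scim+json", "application/json"):
        findings.append(f"unexpected Content-Type: {content_type}")
    if LIST_URN not in list_response.get("schemas", []):
        findings.append("body is not a SCIM ListResponse")
    resources = list_response.get("Resources", [])
    expected = min(list_response.get("totalResults", 0), list_response.get("itemsPerPage", len(resources)))
    if list_response.get("startIndex", 1) == 1 and len(resources) != expected:
        findings.append("Resources count disagrees with totalResults/itemsPerPage")
    by_id = {s["id"]: s for s in schema_defs}
    for i, res in enumerate(resources):
        if not res.get("id"):
            findings.append(f"Resources[{i}]: no 'id' (RFC 7643 common attribute)")
        for urn in res.get("schemas", []):
            if urn not in by_id:  # exact, case-sensitive comparison with /Schemas ids
                findings.append(f"Resources[{i}]: schema {urn} not published by /Schemas")
                continue
            for attr in by_id[urn]["attributes"]:
                name, present = attr["name"], attr["name"] in res
                if attr["required"] and not present:
                    findings.append(f"Resources[{i}]: required attribute '{name}' missing")
                elif present and not isinstance(res[name], PY_TYPES[attr["type"]]):
                    findings.append(f"Resources[{i}]: '{name}' is not of type {attr['type']}")
    return findings

# /Roles body as posted in the question.
ROLES = {"totalResults": 2, "itemsPerPage": 100, "startIndex": 1, "schemas": [LIST_URN],
         "Resources": [
             {"schemas": [ROLE_URN], "value": "role-1", "display": "First Role", "enabled": True},
             {"schemas": [ROLE_URN], "value": "role-2", "display": "Second Role", "enabled": True}]}
# Role schema from the question, trimmed to the fields the checks read.
SCHEMAS = [{"id": ROLE_URN, "attributes": [
    {"name": "value", "type": "string", "required": True},
    {"name": "display", "type": "string", "required": False},
    {"name": "type", "type": "string", "required": False},
    {"name": "enabled", "type": "boolean", "required": False}]}]

if __name__ == "__main__":
    for finding in check_roles(ROLES, SCHEMAS, "application/scim+json"):
        print(finding)
```
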

@uditsahntl01 Thank you for the detailed resolution steps. For 1. above we are struggling to find where to edit this XML. Do you have any additional details?
