SCIM exception during aggregation of Roles

IdentityIQ (IIQ) IIQ Discussion and Questions
,
1

Which IIQ version are you inquiring about?

8.3P3

Please share any images or screenshots, if relevant.

image
image975×449 152 KB

Share all details about your problem, including any error messages you may have received.

Using SCIM2.0 connector. Defined a custom roles schema in /Schemas. Hitting Preview on Roles/ aggregation for roles is throwing a openconnector.ConnectorException: Resource doesn’t exist.

I do see sailpoint making a /Roles call to the SCIM server . SCIM server is returning the following response
{"totalResults":2,"itemsPerPage":100,"startIndex":1,"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],"Resources":[{"schemas":["urn:ietf:params:scim:schemas:custom:2.0:Role"],"value":"role-1","display":"First Role","enabled":true},{"schemas":["urn:ietf:params:scim:schemas:custom:2.0:Role"],"value":"role-2","display":"Second Role","enabled":true}]}

The /Schemas endpoint has the Roles defined as below

{
         "id": "urn:ietf:params:scim:schemas:custom:2.0:Role",
         "name": "Role",
         "description": "Schema for Roles.",
         "attributes":          [
                        {
               "uniqueness": "server",
               "name": "value",
               "description": "Role identifier.",
               "mutability": "readWrite",
               "type": "string",
               "multiValued": false,
               "caseExact": false,
               "returned": "default",
               "required": true
            },
                        {
               "uniqueness": "none",
               "name": "display",
               "description": "Role display Name.",
               "mutability": "readWrite",
               "type": "string",
               "multiValued": false,
               "caseExact": false,
               "returned": "default",
               "required": false
            },
                        {
               "uniqueness": "none",
               "name": "type",
               "description": "A label indicating the role's function.",
               "mutability": "readWrite",
               "type": "string",
               "multiValued": false,
               "caseExact": false,
               "returned": "default",
               "required": false
            },
                        {
               "uniqueness": "none",
               "name": "enabled",
               "description": "A boolean type that indicates if the role is enabled and usable.",
               "mutability": "readWrite",
               "type": "boolean",
               "multiValued": false,
               "returned": "default",
               "required": false
            }
         ],
         "meta":          {
            "location": "xyz",
            "resourceType": "Schema"
         },
         "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Schema"]
      }
2

SailPoint expects SCIM resource endpoints and schemas to conform to standard SCIM conventions, especially regarding:

  1. Schema URNs
  2. Endpoint registration
  3. Resource mappings

You’re using a custom schema:

json

CopyEdit

"schemas": ["urn:ietf:params:scim:schemas:custom:2.0:Role"]

However, SailPoint may not recognize this as a valid object type unless:

  • It’s explicitly declared in the application XML
  • The endpoint /Roles is correctly mapped to a SailPoint object type (like Role)
  • The objectType and schema references are properly configured

:hammer_and_wrench: Resolution Steps

1. :white_check_mark: Verify objectType is defined for Roles

In the application XML, ensure you have defined a custom objectType for Roles, like this:

xml

CopyEdit

<objectType>
  <entry key="Role">
    <value>
      <Map>
        <entry key="endpoint" value="/Roles"/>
        <entry key="nativeObjectType" value="urn:ietf:params:scim:schemas:custom:2.0:Role"/>
        <entry key="identityAttribute" value="value"/>
        <entry key="displayAttribute" value="display"/>
        <entry key="containerAttribute" value=""/>
        <entry key="includeInDiscovery" value="true"/>
      </Map>
    </value>
  </entry>
</objectType>

Make sure the following are correct:

  • endpoint matches the SCIM endpoint (/Roles)
  • nativeObjectType matches the schema URN returned by /Roles
  • identityAttribute and displayAttribute match attributes in your /Schemas definition (value and display)

2. Ensure the Schema Endpoint Returns Valid JSON

You shared this schema object:

json

CopyEdit

{
  "id": "urn:ietf:params:scim:schemas:custom:2.0:Role",
  "name": "Role",
  "description": "Schema for Roles.",
  "attributes": [...]
}

That’s fine, but make sure your /Schemas endpoint returns this as part of the array and it’s reachable without auth or with proper headers (like Authorization or Bearer token).

3. Use Supported Attribute Names

SailPoint requires:

  • value (or id) as the unique identifier
  • A display or name field
  • Optionally enabled (can be used as an attribute for filtering)

You’re fine here:

json

CopyEdit

{
  "value": "role-1",
  "display": "First Role",
  "enabled": true
}

If SailPoint throws issues with “value”, try aliasing valueid in the SCIM connector attribute mapping if needed.

4. Test with Postman/SCIM Tool

Verify:

  • /Roles returns 200 with SCIM response
  • /Schemas includes the exact urn:...Role schema
  • No trailing slash issues (like /Roles/ vs /Roles)
  • Response headers: Content-Type: application/scim+json or application/json

5. Restart/Reload Application in IIQ

After updating the object type in the app XML:

  • Reload the application definition
  • Run “Preview” under the Roles object type
  • If it still fails, check iiq.log or application debug logs for more specific SCIM errors
3

@uditsahntl01 Thank you for the detailed resolution steps. For 1. above we are struggling to find where to edit this XML. Do you have any additional details?

4

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.