Unable to map response attributes from Scim v2 API (scim/v2/Accounts)

nrishabh · February 14, 2025, 12:48pm

Which IIQ version are you inquiring about?

8.4

Hi,

We get the following response after hitting scim/v2/Accounts and want to map the listed attributes (firstName, lastName, displayName, userName).

{
  "totalResults": 2,
  "startIndex": 1,
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:ListResponse"
  ],
  "Resources": [
    {
      "urn:ietf:params:scim:schemas:sailpoint:1.0:Application:Schema:TSA_MGMT_SailPoint:account": {
        "firstName": "Test",
        "lastName": "User1",
        "displayName": "Test User1",
        "userName": "9AB7F74E3BF4C2B5",
        "managerName": [
          "Test Manager"
        ]
      },
      "lastRefresh": "2025-02-12T10:25:23.354Z",
      "displayName": "Test User1",
      "active": true,
      "manuallyCorrelated": false,
      "nativeIdentity": "9AB7F74E3BF4C2B5",
      "application": {
        "displayName": "TSA_MGMT_SailPoint",
        "value": "0acc21c9944b18528194512aaa040e54",
        "$ref": "http://localhost:8080/identityiq/scim/v2/Applications/0acc21c9944b18528194512aaa040e54"
      },
      "identity": {
        "displayName": "Test User1",
        "userName": "Test User1",
        "value": "0acc21c994ad118c8194b1c3ce16087b",
        "$ref": "http://localhost:8080/identityiq/scim/v2/Users/0acc21c994ad118c8194b1c3ce16087b"
      },
      "meta": {
        "created": "2025-02-05T14:22:12.826Z",
        "location": "http://localhost:8080/identityiq/scim/v2/Accounts/0acc21c994cc1dc98194d67d715a1dd9",
        "lastModified": "2025-02-05T14:22:12.853Z",
        "version": "W/\"1738765332853\"",
        "resourceType": "Account"
      },
      "hasEntitlements": false,
      "id": "0acc21c994cc1dc98194d67d715a1dd9",
      "locked": false,
      "schemas": [
        "urn:ietf:params:scim:schemas:sailpoint:1.0:Application:Schema:TSA_MGMT_SailPoint:account",
        "urn:ietf:params:scim:schemas:sailpoint:1.0:Account"
      ]
    }

We have configured the Root Path as $Resources[*].

For the attribute path for firstName, we have tried the following combinations but none of them seem to populate the first name under the preview for connector schemas, as seen in the screenshot below:

[urn:ietf:params:scim:schemas1.0:Application:Schema:TSA_MGMT_SailPoint:account].firstName
[“urn:ietf:params:scim:schemas1.0:Application:Schema:TSA_MGMT_SailPoint:account”].firstName
urn:ietf:params:scim:schemas1.0:Application:Schema:TSA_MGMT_SailPoint:account.firstName
“urn:ietf:params:scim:schemas1.0:Application:Schema:TSA_MGMT_SailPoint:account”.firstName

j_place · February 14, 2025, 1:26pm

The SCIM API for Accounts doesn’t return familyname or givenname. You may be wanting the User API get-users | SailPoint Developer Community ?

nrishabh · February 14, 2025, 2:03pm

Hi Jeremy, thanks for your reply. I accidentally shared the incorrect response from get-accounts. I have updated the post with the actual response. We are using get-accounts because we want to filter users by a particular application as seen above. The issue isn’t with the response but the fact that the attribute mapping is not happening. We have a separate application that uses get-users and the response is mapped correctly.

j_place · February 14, 2025, 2:37pm

Thanks @rishabh Can you try:

['urn:ietf:params:scim:schemas:sailpoint:1.0:Application:Schema:TSA_MGMT_SailPoint:account'].firstName

This is all to do with escaping the ‘.’ in ‘1.0’.

nrishabh · February 14, 2025, 3:20pm

Hey @j_place that doesn’t seem to work either. Just for some context, when trying to map displayName, we aren’t able to populate the field using any of the display name values in that response either. Could it be a Root path issue?

j_place · February 14, 2025, 3:26pm

Oh yes, just saw that. Needs a dot between $ and Resources, ie $.Resources[*], although you shouldn’t need that setting as it’s SCIM compliant.

nrishabh · February 14, 2025, 3:57pm

We are using the dot but still no luck

j_place · February 14, 2025, 5:01pm

Hi @nrishabh - Have you enabled the Non-Compliant Server option?

nrishabh · February 26, 2025, 2:58pm

Hi @j_place for our implentation we cannot set Non-compliant server. Is there any other way to get a mapping under the URN schema

j_place · February 26, 2025, 3:58pm

Hi @nrishabh - I think the urn based schema could be a distraction. Where did you enter the /Accounts path configuration?

nrishabh · March 12, 2025, 4:27pm

Hi @j_place the base URL under the application is set to another instance of IIQ and the context URL for the aggregation operation within this application is /identityiq/scim/v2/Accounts?filter=application.displayName%20eq%20"ApplicationName" such that the origin application is sending a get-accounts request to the other IIQ instance to retrieve accounts that fall under the “ApplicationName” parameter.