Hi everyone,
I’m working on a SOAP XML integration using the Web Services Connector in SailPoint Identity Security Cloud and I’m seeing an issue with Custom Authentication.
Scenario
I configured a Custom Authentication endpoint that calls a SOAP userLogin operation.
The response is very simple:
<return>eyJhbGciOiJSUzI1NiJ9....</return>
The authentication mapping is:
- Root Path:
//*[local-name()='return'] - Response Mapping:
customaccesstoken -> //*[local-name()='return']/text()
The token is then used in the other SOAP operations through:
<arg0>$application.customaccesstoken$</arg0>
Observed behavior
- Test Connection succeeds.
- Immediately after Test Connection, Account Aggregation works correctly.
- The generated token is valid for approximately 30 minutes.
- After the token expires, Account Aggregation and provisioning operations start failing with:
Invalid or expired login.
The interesting part is that the connector does not appear to execute the Custom Authentication endpoint again. Instead, it seems to reuse the cached authentication information.
From the VA logs I can see messages like:
Decrypting attribute custom_auth_token_info
but I do not see the authentication endpoint being executed again before the operation.
Additional information
The authentication response only returns the token:
<return>...</return>
It does not include any expiration information (expires_in, expiration timestamp, etc.).
What I tested
- Verified the XPath mapping.
- Verified the SOAP request and headers.
- Tested with a hardcoded valid token.
- Implemented a WebServiceBeforeOperationRule that generates a new token before each operation.
- The issue still appears to be related to how the connector handles the cached authentication.
Question
Is this the expected behavior of the Web Services Connector when using Custom Authentication?
Does the connector only renew the token when it knows the expiration time, or should it always execute the Custom Authentication endpoint before each operation?
Has anyone experienced a similar issue with SOAP/XML integrations where the authentication response does not include an expiration field?
Any guidance or best practices would be greatly appreciated.
