Web Services Connector (SOAP XML) - Custom Authentication token is not renewed after expiration

Hi everyone,

I’m working on a SOAP XML integration using the Web Services Connector in SailPoint Identity Security Cloud and I’m seeing an issue with Custom Authentication.

Scenario

I configured a Custom Authentication endpoint that calls a SOAP userLogin operation.

The response is very simple:

<return>eyJhbGciOiJSUzI1NiJ9....</return>

The authentication mapping is:

  • Root Path: //*[local-name()='return']
  • Response Mapping:
    • customaccesstoken -> //*[local-name()='return']/text()

The token is then used in the other SOAP operations through:

<arg0>$application.customaccesstoken$</arg0>

Observed behavior

  • Test Connection succeeds.
  • Immediately after Test Connection, Account Aggregation works correctly.
  • The generated token is valid for approximately 30 minutes.
  • After the token expires, Account Aggregation and provisioning operations start failing with:
Invalid or expired login.

The interesting part is that the connector does not appear to execute the Custom Authentication endpoint again. Instead, it seems to reuse the cached authentication information.

From the VA logs I can see messages like:

Decrypting attribute custom_auth_token_info

but I do not see the authentication endpoint being executed again before the operation.

Additional information

The authentication response only returns the token:

<return>...</return>

It does not include any expiration information (expires_in, expiration timestamp, etc.).

What I tested

  • Verified the XPath mapping.
  • Verified the SOAP request and headers.
  • Tested with a hardcoded valid token.
  • Implemented a WebServiceBeforeOperationRule that generates a new token before each operation.
  • The issue still appears to be related to how the connector handles the cached authentication.

Question

Is this the expected behavior of the Web Services Connector when using Custom Authentication?

Does the connector only renew the token when it knows the expiration time, or should it always execute the Custom Authentication endpoint before each operation?

Has anyone experienced a similar issue with SOAP/XML integrations where the authentication response does not include an expiration field?

Any guidance or best practices would be greatly appreciated.

Can you try adding the expired password error message in the Additional Settings page of the Web Services connector?

In addition to Matt’s suggestion you can also try adding a connector attribute oauth_force_authentication with a Boolean value of true which should force the authentication to happen every time the connector makes an API call. Right now it’s storing the original access token returned and then never updating it again.

Configured both Authentication Failed Error Messages and Expired Password Error Messages to match the error returned by the service, but this did not change the connector’s behavior. The token was still not renewed automatically after expiration.

Thank you very much for the suggestion!

I added the connector attribute oauth_force_authentication with the value true, and it solved the issue. The connector is now performing authentication before each request, and the integration has been running successfully without any token expiration problems.

Just out of curiosity, how did you find this connector attribute? I couldn’t find any reference to oauth_force_authentication in the SailPoint documentation, so I’m wondering if it’s an undocumented feature or if there’s any documentation available for it.

Thanks again for your help!

Haha yeah good question. I have a long history of SailPoint implementations. I think this used to be documented in the legacy IIQ product or I found it in some logging or something while troubleshooting the same issue. Not sure why it’s not documented :blush: