Webservice connector: Add entitlement operation results in 400

Hello Yannick,
I am trying to figure out the error 400 but in my case I am sending in the Body this json:
{
  "id": "$plan.id$",
  "name": "$plan.name$"
}

Where id refers to the role Id and name refers to the role name.

If I send the payload hardcoded then I am able to add the role.

{
  "id": "002d1cbb-e1df-481e-bff7-8c140c1b633f",
  "name": "quotation_edit"
}

I created an entitlement type named roles and the attributes are id as the Entitlement ID and name as the Entitlement Name.

What am I doing wrong? Any thoughts?
Thanks, Andrea.

Hello @AndreaQueiroz50
It does not work like this.
I’m assuming that you have defined “role” as an entitlement attribute in your account schema. You will get the “id” or the “name” of the role in the plan depending on how you configured your “role” schema, the way you fetch entitlement information, etc.
It means the payload should be:

{
  "id": "$plan.role$"
}

or

{
  "name": "$plan.role$"
}

Hello @yannick_beot
Thanks for your response. Yes, I have defined roles as an entitlement type with the attributes id and name. And in the account schema, I have defined a roles attribute with the type roles. I have 2 account aggregation methods: the 1st one gets the users and the 2nd one gets the roles. In the 2nd aggregation method I use this response mapping for the roles schema attribute:
clientMappings.xabp-api.mappings.[*].id

In my scenario I need to send both id and name in the body because I am sending this to the Keycloak API endpoint that adds the entitlement. So, the Keycloak API is expecting something like this:

{
  "id": "002d1cbb-e1df-481e-bff7-8c140c1b633f",
  "name": "quotation_edit"
}

Only id or only name doesn't work for the Add Entitlement method.

Thanks a lot, Andrea.

Hello Andrea, I wanted to mention an issue we found with the Web Service Connector. Hopefully this will help you test to see if you have the issue too.

We have a webservice connection to a source to pull information into IdentityNow. We have it set up and working fine. The issue is that updated data in the source will not be updated in IdentityNow (after an aggregation). We are also unable to update the information using the download and upload csv from the UI. We have a Case open. I would encourage you to consider if the data you will be working with will need to be updated or refreshed. If so, you may want to open a case or consider another connector.

IdentityNow provisioning model by design just gives “identityattribute or nativeIdentity” for entitlement in provisioning plan. You have 3 options to get name in end point.

  1. Write a before provisioning rule, add name in the attribute request by fetching it from the entitlement model. idn rule util has a method for this if I am not wrong. Use it in the $plan.name$ mapping after that.
  2. Write a before operation rule, call the end system api to get the name (if there is any api which gives the name by using the id of the entitlement), construct the whole body in the rule.
  3. Use chaining and achieve the same result which the rule is doing in option 2.

Hello Chris,
Thanks for your response, but it sounds like my scenario is different here. I am using Identity Now integrated with the Keycloak API (3rd party) through a Web Services direct connection. I am able, for example, to create a role and associate a user with this role within Keycloak and aggregate this user, this role and the user-role association from Keycloak to Identity Now.
My problem is with the Identity Now feature Request access through an Identity Now Access Profile, which uses the Add Entitlement method. Keycloak is expecting to receive both role id and name from Identity Now to add the role to the user. And on the Identity Now side, according to my last attempts and the clarification from @yannick_beot, I cannot send both id and name in the payload. I should send either the id or the name.
BR, Andrea.


Hi Chirag Patel,
I would like to try the option Write before provisioning rule to get the role name. But do you think that I will get to have id and name built in the body to be sent to Keycloak API with this approach? Do you have some documentation to guide me on this implementation?
Thanks a lot.
BR. Andrea.

Yeah, if you add name in the attribute request along with id it would work. If you want a cleaner approach then add name under arguments and then read it in the before operation rule.
If you have not developed rule before then it would not be easy and I would suggest working with someone who already has this expertise.

I would have gone with chaining of end point option if it would have been my choice. Using ui config over rule always pays off in longer term.

Hello Chirag,
I have not developed rule before for WebServices connection type. I did once for Database JDBC connection type. I will try :grinning:
Thanks a lot for your help.
BR. Andrea.

I solved it.
If in the webservice connector schema there is a mapping of “group” to group / entitlement information, use
"id": "$plan.group$"
in the JSON body template.
If it is found it gets replaced by the native identity of the entitlement / group.
In Before Operation Rule:

  1. Parse JSON Body from requestEndPoint, extract id
  2. lookup more information with this id
  3. add that to JSON Body
  4. replace JSON Body
  5. if necessary add it in requestFullUrl
  6. return both via requestEndPoint.

It took me a while for that and support was not able to understand the problem / propose the solution.
Frerk
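
The six steps above, sketched as a Before Operation Rule in BeanShell (an added example, not code from this thread or from SailPoint). It assumes the rule inputs `requestEndPoint` and `restClient`, the `connector.common.JsonUtil` helper and the call signatures shown, all of which should be checked against your connector version; the lookup URL, host and realm are placeholders.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import connector.common.JsonUtil;

// Placeholder lookup endpoint (assumption): host and realm are made up for this example.
String ROLE_LOOKUP = "https://keycloak.example.com/admin/realms/EXAMPLE_REALM/roles-by-id/";

// Step 1: parse the rendered body; "$plan.group$" has already been replaced by the native identity.
Map body = requestEndPoint.getBody();
Map json = JsonUtil.toMap((String) body.get("jsonBody"));
String roleId = (json == null) ? null : (String) json.get("id");

// Fail closed if the placeholder was not resolved or the value is not a UUID.
// Re-rendering through UUID.toString() means only hex digits and dashes reach the URL.
try {
    roleId = UUID.fromString(roleId).toString();
} catch (Exception e) {
    throw new IllegalStateException("Add entitlement: id is missing or not a UUID");
}

// Step 2: look up the role, reusing the headers (and so the credentials) of this operation.
List allowed = new ArrayList();
allowed.add("200");
String response = restClient.executeGet(ROLE_LOOKUP + roleId, requestEndPoint.getHeader(), allowed);
Map role = JsonUtil.toMap(response);
String roleName = (role == null) ? null : (String) role.get("name");
if (roleName == null || roleName.isEmpty()) {
    throw new IllegalStateException("Add entitlement: no role name found for id " + roleId);
}

// Steps 3-4: add the name and re-serialize with the JSON helper, not string concatenation,
// so quotes or backslashes in a role name cannot change the structure of the body.
json.put("id", roleId);
json.put("name", roleName);
body.put("jsonBody", JsonUtil.render(json));
requestEndPoint.setBody(body);

// Step 5 (changing the full URL) is not needed for this body-only case.
// Step 6: hand the modified request back to the connector.
return requestEndPoint;
```

Throwing when the id is unresolved or the lookup returns nothing stops the request before it reaches the target, which is easier to diagnose than the 400 from the endpoint.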
