WebService connector Multi-Role Aggregation Issue with Keycloak Endpoint Returning Top-Level Array

adhiyans · December 23, 2025, 10:41am

Environment:

SailPoint IdentityIQ 8.2 (Webservices connector)
Keycloak REST API for user roles (/role-mappings/realm)
Account Scehma Attribute in IIQ: groups (Managed, Entitlement, Multi-valued, String)
List Path: $
JSONPath: $.name

Observed Behavior:
Single role user: Works perfectly. groups contains the role name.
Multi-role user: groups is null. Preview shows no roles.

Investigation / Findings:

Keycloak returns a raw top-level JSON array of roles, e.g.:
[
{“id”:“uuid1”, “name”:“roleA”},
{“id”:“uuid2”, “name”:“roleB”}
]
WS v2 cannot handle top-level arrays for multi-valued aggregation:
Single-element arrays are parsed correctly.
Multi-element arrays are discarded → attribute becomes null.
Attempts to fix via Schema Customization Rule or Post-Processing Rule do not work, because:
Rules execute after parsing.
By that point, the attribute is already null.
We tried the following in Post-Processing Rule - it didn’t work:

import connector.common.JsonUtil;
import java.util.List;
import java.util.Map;
import java.util.ArrayList;
import java.util.HashMap;

List groups = new ArrayList();

try {
// rawResponseObject is the raw JSON string
String jsonString = (String) rawResponseObject;

log.error("Raw JSON string: " + jsonString);

// Parse it into List of Maps
List jsonList = JsonUtil.toList(jsonString);

if (jsonList != null) {
for (Object item : jsonList) {
if (item instanceof Map) {
Map obj = (Map) item;
String name = (String) obj.get(“name”);
if (name != null ) {
groups.add(name);
}
}
}
}
} catch (Exception e) {
log.error("Error parsing JSON or extracting names: " + e.toString());
}

Map result = new HashMap();
result.put(“groups”, groups);

log.error("------final object--------- " + result);

return result;

Attempts to use Response Mapping Transform also fail in our environment because the option is not available.
Key Limitation:
WS v2 connector in IIQ cannot parse raw top-level JSON arrays with multiple elements for multi-valued attributes.
Question to Community:
Is there any way to aggregate multiple roles from a raw top-level array in WS v2 without changing the source or using an external proxy?
Are there any hidden WS v2 settings, experimental parsing options, or workarounds we might have missed?

Chathurya · December 23, 2025, 11:05am

Hi @adhiyans ,

Can you try setting the JSONPath as groups[*].name and changing the type to group in schema.

adhiyans · December 23, 2025, 11:54am

Hi @Chathurya : I appreciate your response. I was able to resolve the issue by referring to a similar case reported on this platform. WebService connector does not aggregate multi valued attributes on 2nd call

Topic		Replies	Views
Web Services Connector - Entitlement Aggregation IIQ Discussion and Questions apis , aggregation , identityiq	16	212	November 6, 2025
Response mapping for entitlements/groups/roles in the Web service connector ISC Discussion and Questions aggregation , identity-security-cloud	7	99	December 3, 2024
WebService connector does not aggregate multi valued attributes on 2nd call IdentityIQ (IIQ)	1	1281	June 14, 2022
WebService connector does not aggregate multi valued attributes on 2nd call ISC Discussion and Questions	7	1874	July 19, 2023
Response Mapping's Attribute Path when JSON response is an array of strings? ISC Discussion and Questions webservice-connector , identity-security-cloud	5	151	August 28, 2025

WebService connector Multi-Role Aggregation Issue with Keycloak Endpoint Returning Top-Level Array

Environment:

Related topics