Webservice VA connector account creation

Hi Team,

I’ve created a webservice VA connector. Account aggregation and entitlement aggregation are working fine, but when we do request-based account provisioning the account is getting created, but with “???”. We are using Account name and Account ID as the same. Below is the payload we are passing in the create account operation. userName → Account ID and Account Name. In the account tab the native identity is displayed, not the name. After running full aggregation, the name is getting populated. I’ve added single account aggregation and tried to run single account aggregation via the account tab; it ended up with an error. I have done response mapping in the Create account HTTP operation: userName → userName. Any inputs on what I am missing?

{
    "user": [
        {
            "firstName": "$plan.First Name$",
            "lastName": "$plan.Last Name$",
            "userName": "$plan.Username$",
            "email": "$plan.Email Address$",
            "functionalRole": "Account Admin",
            "securityRole": "$plan.SecurityRole$",
            "defaultMenu": "Payment Batches",
            "loginType": "SSO",
            "languageId": "en"
        }
    ]
}

Hi @Shonnegowda ,
Could you please confirm if you are sending all the necessary values in the create account policy? Also, please double check whether the values “$plan.First Name$”, “$plan.Last Name$” are correct.

@Shonnegowda SailPoint connector internally runs a single account aggregation post account creation, so please follow the below steps:

Step 1: First make sure your single account aggregation is working fine. You are seeing ??? because the newly created account is not getting correlated to your account ID.

Step 2: Make sure your response mapping is correct in the create HTTP operation. Assuming you are getting the username in the response of account creation.

Following are two additional resources which you can go through as it really depends on the API response after account creation.

Webservice Connector - Create Account Operation - Empty Response - Identity Security Cloud (ISC) / ISC Discussion and Questions - SailPoint Developer Community

You may also look into below:
Create Account returns id(nativeIdentity in the schema), it is not getting mapped - Identity Security Cloud (ISC) / ISC Discussion and Questions - SailPoint Developer Community

Hi @Shonnegowda ,
What are the account ID and account name attributes? Is it an ID which is generated on the end application, or something which is returned in the response after creating the user?
If this is the case, in the create account operation, in the response mapping, map the account ID attribute with the response attribute. Make sure you are mapping the right attribute from the response.

{
    "id": 99999990,
    "username": "Anand Kumar",
    "firstName": "Anand",
    "lastName": "Kumar",
    "password": "$2a$10$aOuTUF9UXrszZNa01VmjleP34yxE14ygb8rjs330y4w7EUmdHLg7y",
    "email": "Anand . Kumar@abc. com",
    "statusid": 10
}

Response Information

The following is an example of create user response and the mapping information.

Here in the below image, id is the account ID and account name, which are mapped in the create account operation.

Thanks !

The account ID and account name are populated from SailPoint only, not via the application. I did the response mapping in create account already, as below. Additionally, I’ve added the create user response from Postman.

{
    "traceId": "b2cfb71e-f461-4ec3-8c08-e46bcedf19e8",
    "result": {
        "status": "success",
        "message": "All users are created successfully. ",
        "statusCode": "6001"
    },
    "user": [
        {
            "title": null,
            "firstName": "David",
            "lastName": "Dahm",
            "userName": "DEDAHM",
            "phoneNumberExtension": null,
            "phoneNumber": null,
            "email": "[email protected]",
            "alternateEmail": null,
            "timeZone": "America/Chicago",
            "functionalRole": "Account Admin",
            "supervisorName": null,
            "securityRole": "AR Display",
            "auditSecurityRoleType": null,
            "departmentName": null,
            "amountFormat": null,
            "active": true,
            "locked": false,
            "languageId": "en",
            "location": null,
            "country": null,
            "defaultMenu": "CAA - Cash Application - Payment Batches",
            "emailSubscription": false,
            "scheduledEmailsubscription": false,
            "dateFormat": null,
            "userType": "InternalUser",
            "loginType": "SSO",
            "lastLoggedTime": null,
            "dataSecurityGroupName": null,
            "createUser": "IAM API",
            "createTime": "2024-09-10T12:14:13Z",
            "updateUser": "IAM API",
            "updateTime": null,
            "customer": null,
            "newUserName": null,
            "userUniquenessLevel": "GLOBAL",
            "defaultAccount": null,
            "accountName": null,
            "default": false,
            "validRequest": true
        }
    ],
    "error":
}

@Shonnegowda try below:

Root Path:

$.user.[*]

Response Mapping:

userName

@Shonnegowda in create operation try to map the response of the value if it comes up in the response

Yes, response mapping is done already, still facing the issue.

Still the same issue

Try:
Root Path:

$.user[*]

Response Mapping
Attribute Path userName OR $.userName

I’ve observed that even full aggregation is not updating the account name. It looks like the account is only created in SailPoint with ???, not in the target application. I’ve checked the user in Postman using the account ID, and I got a failure message as below.

{
    "traceId": "2149d237-ed60-4719-964a-484aa3779f15",
    "result": {
        "status": "failure",
        "message": "No User found with the username ",
        "statusCode": "6003"
    },
    "user": null,
    "error": [
        {
            "index": 1,
            "errorMessage": "No User found with the username ",
            "errorCode": "5007"
        }
    ]
}

It seems there was an issue with the provisioning process in this instance.

While the UI errors may be general, I recommend checking the VA logs for specific details regarding the failure.

Please ensure that any rules associated with the provisioning are still attached. If the creation operation didn’t return an error, SailPoint assumed the account was created successfully.

However, I recall you mentioned that full account aggregation was able to fetch the username. Are there any other observations or details that might be helpful in troubleshooting this issue?

It seems there might be an issue with the payload during the create operation. Despite receiving a 2xx response code, ISC interprets it as a success. However, during single account aggregation, the account cannot be found, leading to an error (so it is showing ???).

To resolve this, consider the following steps:

  1. Verify the payload using Postman (create the account directly in the target system).
  2. Check the logs/plan to verify the values being passed from ISC.
  3. Double check the provisioning policy.

@sidharth_tarlapally I do see account in SailPoint with ???, but even after full or single account aggregation it’s not getting corrected.

I’ve checked the logs, but username attribute is not getting populated in provisioning plan.

We’re using AccountID and AccountName both as userName application attribute, which is directly mapped to identity attribute in Create policy. I do see that value is picked up for the native Identity, but not in the actual application attribute userName. We’re using the same application attribute for correlation as well

@gourab The same payload in Postman is working fine. I’ve checked the logs; the missing attribute in SailPoint as per the logs is one attribute, Username.

We’re using AccountID and AccountName both as userName application attribute, which is directly mapped to identity attribute in Create policy. I do see that value is picked up for the native Identity, but not for the actual application attribute userName. We’re using the same application attribute for correlation as well

@Shonnegowda Definitely it’s a problem with the response you are getting and the mapping you have in your operations.

  1. Account Aggregation - make sure your response mappings are correct as per the API response (get all accounts)
  2. Single Account Aggregation - make sure your response mappings are correct as per the API response (get single account)
  3. Create Account - make sure your response mappings are correct as per the API response (create account response)

Note: make sure your root path is correct for all of these operations.

It would be easy to assist if we could see your Postman response and the mapping you have done for all of these operations.
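
Added example (not part of the thread and not SailPoint code): a Python check that applies the root path and attribute path suggested above to trimmed copies of the two responses posted in the thread, and treats a body whose result.status is not "success" as a failed call whatever the HTTP code was. The function names and the minimal path resolver are assumptions for illustration; the resolver accepts both root-path spellings posted above and does not reproduce the connector's own JSONPath handling.

```python
import json

# Constructed samples, trimmed from the two response bodies posted in the thread.
CREATE_OK = json.loads("""{
  "result": {"status": "success", "statusCode": "6001"},
  "user": [{"firstName": "David", "lastName": "Dahm", "userName": "DEDAHM"}]
}""")
LOOKUP_FAIL = json.loads("""{
  "result": {"status": "failure", "statusCode": "6003"},
  "user": null,
  "error": [{"index": 1, "errorCode": "5007"}]
}""")


def select_rows(doc, root_path):
    """Resolve a root path of the form $.a.b[*] or $.a.b.[*] (nothing else)."""
    nodes = [doc]
    for step in root_path.lstrip("$").split("."):
        if not step:
            continue
        wildcard = step.endswith("[*]")
        key = step[:-3] if wildcard else step
        if key:  # descend into an object member, dropping null or missing ones
            nodes = [n[key] for n in nodes
                     if isinstance(n, dict) and n.get(key) is not None]
        if wildcard:  # expand every array element into its own row
            nodes = [item for n in nodes if isinstance(n, list) for item in n]
    return nodes


def check_mapping(doc, root_path, attr_path, expected_id):
    """Return (ok, reason) for one create or get-account response body."""
    status = (doc.get("result") or {}).get("status")
    if status != "success":
        return False, f"body reports status={status!r}; do not trust the HTTP code"
    rows = select_rows(doc, root_path)
    if not rows:
        return False, f"root path {root_path} selected no rows"
    key = attr_path[2:] if attr_path.startswith("$.") else attr_path
    values = [r.get(key) for r in rows if isinstance(r, dict)]
    if expected_id not in values:
        return False, f"{key} resolved to {values}, expected {expected_id!r}"
    return True, "mapped attribute matches the requested account ID"


if __name__ == "__main__":
    for name, body in (("create", CREATE_OK), ("lookup", LOOKUP_FAIL)):
        print(name, check_mapping(body, "$.user[*]", "userName", "DEDAHM"))
```

Running the same check against the get-single-account and get-all-accounts bodies shows whether all three operations resolve the same attribute name; JSON keys are case-sensitive, so `username` and `userName` are different attributes.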