Troubleshooting
If you encounter any of the following issues or errors, SailPoint recommends that you follow the guidance provided below to resolve the error before contacting SailPoint Support.

The account aggregation may fail due to insufficient permissions or if required services are not turned on.
Resolution – To test a GET user (read) call against the Admin SDK Directory API from a browser, use the following URL, replacing the <userEmail> and <accessToken> values:
https://www.googleapis.com/admin/directory/v1/users/<userEmail>?access_token=<accessToken>
Because the access token is part of the URL, it is written to browser history and to any proxy or server logs along the way. Use a short-lived token for this test and, where you can, send it in an Authorization: Bearer header from a command-line tool instead.

The group aggregation may fail due to insufficient permissions or if required services are not turned on.
Resolution – To test a GET group (read) call against the Admin SDK Directory API from a browser, use the following URL, replacing the <groupEmail> and <accessToken> values:
https://www.googleapis.com/admin/directory/v1/groups/<groupEmail>?access_token=<accessToken>
To test a GET group (read) call against the Google Groups Settings API (Read Group Details – Y) from a browser, use the following URL, replacing the <groupEmail> and <accessToken> values:
https://www.googleapis.com/groups/v1/groups/<groupEmail>?access_token=<accessToken>

During aggregation, error messages appear for some corrupt objects.
Resolution – Corrupt objects can be skipped at the time of aggregation by setting the isContinueOnError attribute to true. By default, the value of the isContinueOnError attribute is false.
This value can be set to true in the application XML as follows:
<entry key="isContinueOnError" value="true"/>
Skipped objects are not aggregated, so after enabling this setting review the aggregation task results to see which objects were skipped and why, rather than letting missing accounts go unnoticed.

The Internal Server (500) and Service Unavailable (503) error messages are sent by the Google server.
Resolution – To retry the request, use the maxReadRetryCount attribute. The retry count is set to 5 by default. Retries use the standard exponential backoff strategy. Increase the retry count by adding the following entry to the application XML:
<entry key="maxReadRetryCount" value="10"/>
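The retry behaviour described above, as an added example that is not part of the connector or of this page: a read wrapper that retries only on 500 and 503, sleeps for an exponentially growing interval (plus jitter) before each retry, and gives up once the configured number of retries is exhausted. The scripted server, the one-second base delay and the reading of maxReadRetryCount as "retries after the first attempt" are assumptions made for the illustration.

```python
"""Exponential backoff retry for Google Directory API reads that fail with
500 (Internal Server Error) or 503 (Service Unavailable)."""
import random

RETRYABLE_STATUSES = {500, 503}


class ReadFailed(Exception):
    """Raised when the read still fails after the configured retries."""


def read_with_retry(do_request, max_retries=5, base_delay=1.0, sleep=None, rng=None):
    """Call do_request() until it returns a non-retryable HTTP status.

    max_retries is treated like maxReadRetryCount: the number of retries
    allowed after the first attempt (an assumption about how the connector
    counts). Returns (status, attempts, delays), where delays lists the
    seconds slept before each retry.
    """
    sleep = sleep if sleep is not None else (lambda seconds: None)
    rng = rng if rng is not None else random.Random()
    delays = []
    attempts = 0
    while True:
        attempts += 1
        status = do_request()
        if status not in RETRYABLE_STATUSES:
            return status, attempts, delays
        if attempts > max_retries:
            raise ReadFailed(f"status {status} after {attempts} attempts")
        # Standard exponential backoff: base * 2^(retry number - 1), plus up to
        # one second of jitter so parallel aggregation threads do not retry in lockstep.
        delay = base_delay * (2 ** (attempts - 1)) + rng.uniform(0, 1)
        delays.append(delay)
        sleep(delay)


def scripted_server(statuses):
    """Constructed stand-in for the Google server: returns the given statuses
    in order, then 200 for every later call."""
    queue = list(statuses)

    def do_request():
        return queue.pop(0) if queue else 200

    return do_request


if __name__ == "__main__":
    status, attempts, delays = read_with_retry(scripted_server([503, 503, 500]), max_retries=5)
    print(status, attempts, [round(d, 2) for d in delays])
    try:
        read_with_retry(scripted_server([503] * 4), max_retries=2)
    except ReadFailed as exc:
        print("gave up:", exc)
```

With the default of 5 retries the wrapper survives three transient failures in a row; with maxReadRetryCount lowered to 2 it gives up on the third consecutive failure, which is the behaviour to expect from the connector when Google is degraded for longer than the backoff window.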

The SocketTimeoutException error message appears.
Resolution – Increase the timeout interval by adding the maxReadTimeout attribute on the application Debug page. By default the value of the maxReadTimeout attribute is 180 seconds. To increase the timeout, add the following entry to the application XML and set the desired value:
<entry key="maxReadTimeout" value="240"/>

Provisioning (Create Account) fails with the following error message:
Resource Not Found: domain
Resolution – Verify that the domain of the primary email matches the domain of the email ID. It must be a valid Google Workspace domain and must be accessible to the service account configured in the application.

While updating accounts from the Integration Console, attributes with list values are not deleted from the account.
Resolution – When you delete attributes from the Integration Console, the values you remove must match the values that are present for that account in the Google Workspace managed system.
Google Workspace ignores "primary":"false" in a provisioning plan, so the "primary" key must not be present in the value used to delete an attribute, even if it was present in the value that added it.
For example:
<AttributeRequest name="phones" op="Add">
<Value>
<List>
<String>{"value":"345678","customType":"", "type":"custom","primary":"false"}</String>
</List>
</Value>
</AttributeRequest>
<AttributeRequest name="phones" op="Remove">
<Value>
<List>
<String>{"value":"345678","customType":"", "type":"custom"}</String>
</List>
</Value>
</AttributeRequest>
For some attributes, such as ims, Google Workspace stores required sub-attributes as empty values when they are not passed. Include those sub-attributes as empty strings in the delete plan so that the value matches what the managed system holds.
For example:
<AttributeRequest name="ims" op="Add">
<Value>
<List>
<String>{"im":"test1@dev.sailpoint.com","type":"work"}</String>
</List>
</Value>
</AttributeRequest>
<AttributeRequest name="ims" op="Remove">
<Value>
<List>
<String>{"im":"test1@dev.sailpoint.com","type":"work", "customProtocol":""}</String>
</List>
</Value>
</AttributeRequest>
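To make the two rules above mechanical, here is an added example (not connector code and not from this page) that builds the op="Remove" value for a list attribute: it strips "primary", fills in the sub-attributes Google Workspace stores as empty strings, and refuses to emit a request for a value that is not actually present on the account. The "customProtocol" key for ims comes from the page's example; the required keys listed for phones and the sample account contents are assumptions constructed for the illustration.

```python
"""Build an op="Remove" AttributeRequest for a Google Workspace list attribute
so that each value matches the entry the managed system actually holds."""
import json
from xml.sax.saxutils import escape

# Sub-attributes Google Workspace keeps (as empty strings) even when not passed.
# ims/customProtocol is from the page's example; the phones entry is an
# assumption modelled on the customType key in the page's phones example.
REQUIRED_KEYS = {
    "ims": ("im", "type", "customProtocol"),
    "phones": ("value", "type", "customType"),
}

# Constructed sample of what the account looks like on the managed system
# (the shape a GET user returns for these list attributes).
MANAGED_ACCOUNT = {
    "phones": [{"value": "345678", "type": "custom", "customType": ""}],
    "ims": [{"im": "test1@dev.sailpoint.com", "type": "work", "customProtocol": ""}],
}


def normalize_entry(attr_name, entry):
    """Drop 'primary' (Google ignores it on remove) and default required keys to ''."""
    cleaned = {key: value for key, value in entry.items() if key != "primary"}
    for key in REQUIRED_KEYS.get(attr_name, ()):
        cleaned.setdefault(key, "")
    return cleaned


def build_remove_request(attr_name, entries, managed_entries):
    """Return the AttributeRequest XML that removes the given entries.

    Every entry is normalized and checked against the normalized managed-system
    values; an entry with no exact match raises ValueError instead of producing
    a request that Google Workspace would silently not apply.
    """
    managed = [normalize_entry(attr_name, item) for item in managed_entries]
    values = []
    for entry in entries:
        cleaned = normalize_entry(attr_name, entry)
        if cleaned not in managed:
            raise ValueError(f"{attr_name} value not present on the account: {cleaned}")
        values.append(json.dumps(cleaned, separators=(",", ":")))
    strings = "\n".join(f"<String>{escape(value)}</String>" for value in values)
    return (
        f'<AttributeRequest name="{attr_name}" op="Remove">\n<Value>\n<List>\n'
        f"{strings}\n</List>\n</Value>\n</AttributeRequest>"
    )


if __name__ == "__main__":
    # The value as it was added (with "primary") still maps onto the stored entry.
    print(build_remove_request(
        "phones",
        [{"value": "345678", "customType": "", "type": "custom", "primary": "false"}],
        MANAGED_ACCOUNT["phones"],
    ))
    print(build_remove_request(
        "ims",
        [{"im": "test1@dev.sailpoint.com", "type": "work"}],
        MANAGED_ACCOUNT["ims"],
    ))
```

The comparison is done on the normalized dictionaries rather than on the raw JSON strings, so key order and whitespace differences between the plan and the managed system do not matter; only a real mismatch (a different value, or a sub-attribute left out) is reported.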

One of the following error messages may occur during role provisioning:
- Message:
openconnector.ConnectorException: Exception occurred.
Error message - Required parameter: [resource.privileges[0].service_id]
Resolution – Ensure that the serviceId is correct.
- Message:
openconnector.ConnectorException: Exception occurred.
Error message - Invalid Role privileges
Resolution – Ensure that the privilegeName is correct.
- Message:
openconnector.ConnectorException: Exception occurred.
Error message - Unexpected character * at position *.
Resolution – Ensure that the value of rolePrivileges is valid JSON.

Delete operation fails with the following error message:
openconnector.ConnectorException: Exception occurred.
Error message - Role assignment exists: RolesDeleteRequest.resource_id
Resolution – Ensure that the role does not have any users still assigned to it.

Provisioning Role operation fails with the following error message:
openconnector.ConnectorException: Exception occurred.
Error message - Operation not allowed
Resolution – Ensure that the selected role is not a system role.

Delta aggregation fails with the following error message:
HTTP not ended OK. Response Code - 403 Error – Forbidden
This error occurs if a user outside the configured scope is found in any group on the managed system during delta aggregation.
Resolution – Add the following optional configuration parameter on the application Debug page:
<entry key="excludedDomains">
<value>
<List>
<String>university.edu</String>
</List>
</value>
</entry>
Note
This configuration is only valid for delta aggregation.
For example, if an external-domain user such as "test@university.edu" is added to a group in Google Workspace, the above configuration filters such users out of processing and avoids the unnecessary delta aggregation failures.
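The filtering that excludedDomains is meant to achieve, as an added example (not connector code and not from this page): group members are partitioned by the domain of their address before any per-user call is made, so an out-of-scope member never triggers the 403. The sample membership is constructed, and exact whole-domain, case-insensitive matching is an assumption about how the connector interprets the list.

```python
"""Apply an excludedDomains list to a group's members before delta aggregation
makes its per-user Directory API calls."""

# Same value as the <entry key="excludedDomains"> configuration above.
EXCLUDED_DOMAINS = ["university.edu"]


def email_domain(email):
    """Lower-cased domain of an address, or None when there is no '@'
    (for example a nested group referenced by ID rather than by address)."""
    if "@" not in email:
        return None
    return email.rsplit("@", 1)[1].lower()


def is_excluded(email, excluded_domains):
    """Whole-domain, case-insensitive match (assumption): 'mail.university.edu'
    is not excluded by 'university.edu', so list sub-domains explicitly."""
    domain = email_domain(email)
    return domain is not None and domain in {d.lower() for d in excluded_domains}


def partition_members(members, excluded_domains):
    """Split a group's member list into (in_scope, skipped)."""
    in_scope, skipped = [], []
    for member in members:
        target = skipped if is_excluded(member["email"], excluded_domains) else in_scope
        target.append(member)
    return in_scope, skipped


# Constructed sample: one group's membership as the Directory API members
# list would return it, including an external member that would cause the 403.
SAMPLE_MEMBERS = [
    {"email": "alice@example.com", "role": "OWNER"},
    {"email": "test@university.edu", "role": "MEMBER"},
    {"email": "Bob@UNIVERSITY.EDU", "role": "MEMBER"},
    {"email": "grad@mail.university.edu", "role": "MEMBER"},
]


if __name__ == "__main__":
    in_scope, skipped = partition_members(SAMPLE_MEMBERS, EXCLUDED_DOMAINS)
    print("process:", [m["email"] for m in in_scope])
    print("skip:   ", [m["email"] for m in skipped])
```

Logging the skipped members, as the main block does, is worth keeping in a real run: the filter hides a 403, and the list of who was hidden is what tells you whether the excluded domain is genuinely out of scope or whether an in-scope user has been mis-filed.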

Due to an incorrect time setting on the IdentityIQ machine, Test Connection fails with the following error message:
Invalid JWT: Token must be a short-lived token (60 minutes)
Resolution – Correct the clock on the machine (for example, by synchronizing it with NTP) and run Test Connection again. The JWT the connector signs takes its issued-at and expiry times from the local clock, so a clock that runs ahead of Google's produces an assertion whose lifetime appears to exceed 60 minutes. If more than one IdentityIQ host is in use, repeat the test on machines in the other time zones as well.
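Why a clock that is ahead triggers this error, as an added example that is not connector code and not from this page: the claim set below is the one a service-account client builds from its own clock, and check_lifetime is a simplified model of the server-side rule (the exact tolerance Google applies is not documented here and is treated as an assumption, set to zero). The issuer address and epoch time are constructed placeholders.

```python
"""Model of the 'Token must be a short-lived token (60 minutes)' failure:
a JWT whose exp is derived from a fast client clock looks longer-lived than
60 minutes when measured against the server's clock."""
import base64
import json

MAX_LIFETIME = 3600  # 60 minutes, the limit quoted in the error message


def build_claims(client_now, lifetime=MAX_LIFETIME):
    """Claim set as built on the IdentityIQ host from its own clock.
    iss is a constructed placeholder; scope and aud are the usual values for
    a service-account token request."""
    return {
        "iss": "connector@example-project.iam.gserviceaccount.com",
        "scope": "https://www.googleapis.com/auth/admin.directory.user.readonly",
        "aud": "https://oauth2.googleapis.com/token",
        "iat": client_now,
        "exp": client_now + lifetime,
    }


def encode_claims(claims):
    """base64url-encode the JSON claim set: the middle segment of a JWT
    (header and signature are left out since only the times matter here)."""
    raw = json.dumps(claims, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(segment):
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_lifetime(segment, server_now, max_lifetime=MAX_LIFETIME, skew_tolerance=0):
    """Simplified server-side rule (assumption): exp may not lie more than
    max_lifetime (plus tolerance) beyond the server's clock, iat may not be
    in the future beyond tolerance, and the token must not already be expired.
    Returns (ok, reason)."""
    claims = decode_claims(segment)
    remaining = claims["exp"] - server_now
    if remaining > max_lifetime + skew_tolerance:
        ahead = remaining - max_lifetime
        return False, (f"lifetime appears to be {remaining}s (> {max_lifetime}s): "
                       f"client clock is about {ahead}s ahead")
    if claims["iat"] > server_now + skew_tolerance:
        return False, "iat is in the future"
    if remaining <= 0:
        return False, "token already expired"
    return True, "ok"


SERVER_NOW = 1_700_000_000  # constructed epoch time standing in for Google's clock


if __name__ == "__main__":
    for label, client_now in [("correct clock", SERVER_NOW),
                              ("15 min fast", SERVER_NOW + 900),
                              ("15 min slow", SERVER_NOW - 900)]:
        print(label, check_lifetime(encode_claims(build_claims(client_now)), SERVER_NOW))
```

A slow clock does not produce this particular error: its assertion is simply valid for less time than intended. Only a fast clock pushes exp past the 60-minute window, which is why the message points at the host's time rather than at the credentials.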

The following errors are encountered:
error code 412 "User creation is not complete"
error code 404 "Object not found"
Resolution – Add the createAccountTimelag attribute to the connector. This attribute introduces a delay (default 0 seconds) after the Account Create operation so that subsequent operations such as assigning groups, assigning aliases, and GET Object do not run before the new account is available on the Google side.
Add the createAccountTimelag attribute with a value of 20 seconds.

Resolution – Ensure that the domain of the primary email of the user being created is the domain for which the credentials were created, and that it matches the domain configured in the application XML.

Resolution – In delta aggregation, the connector obtains the changed user details through the audit change event API and then issues one API call per changed user, which costs aggregation time. When a very large number of users has changed, delta aggregation can take as long as, or longer than, full aggregation; in that case run full aggregation instead.
For example, if full aggregation takes 4 hours to complete and delta aggregation (with 4-6k changed users) takes the same time or longer, full aggregation is the better choice. If the changes are few and delta aggregation completes in 30 minutes, delta aggregation is useful.
Note
Use delta aggregation judiciously, based on your use case.

Account aggregation fails with the following error message:
ObjectNotFoundException ] [ Error details ] Service Account iteration failed. Error: 404 null : Requested entity was not found.
Resolution – Adding the serviceAccountAggWithAssetInventory attribute to the source makes the API calls that aggregate service accounts go through the Asset Inventory API instead of the service account List API (the default, which also tries to fetch service accounts from deleted projects and folders). The downside is that the service account description and disabled attributes are not provided by the Asset Inventory API.
Add the following entry to the application XML:
<entry key="serviceAccountAggWithAssetInventory" value="true"/>
For a source managed through the SailPoint cloud API, set the same attribute with a PATCH request (replace {source ID} and tokenValue with your own values):
curl --location --request PATCH 'https://<orgName>.api.cloud.sailpoint.com/v3/sources/{source ID}' \
--header 'Content-Type: application/json-patch+json' \
--header 'Authorization: Bearer tokenValue' \
--data-raw '[
{
"op": "add",
"path": "/connectorAttributes/serviceAccountAggWithAssetInventory",
"value": true
}
]'