Troubleshooting

Resolution: If the Non-Compliant check box is enabled the connector will reach the following endpoints only from the SCIM server:

/Users - For Test Connection, Preview, Aggregation, and Provisioning.

/Groups - For Aggregation and Provisioning.

The following endpoints are not required if Non-Compliant is enabled:

/Schemas

/ResourceTypes

/ServiceProviderConfigs

The schema that gets discovered when enabling the Non-Compliant setting is the default schema the connector provides Out-Of-the-Box (OOB).

If any new attribute needs to be added, you must add it in the schema along with its valid JSON path in the JSON path attribute Mapping.

During create account operation, the create account task action status remains in pending state.

Resolution : Perform the following:

1. Add active attribute in your Create Account Provisioning Policy.

2. Perform create account operation.

3. Run Perform Identity Request Maintenance task.

During aggregation the following error message displays:

ResourceObject is returned with null identity error

Resolution : Verify if the identity attribute is in the schema attribute else add the appropriate schema attribute name as identity attribute.

Messages:

org.json.JSONException: SSL peer shut down incorrectly

Remote host terminated the handshake

Resolution : Add the following entry keys to the application Debug page. Substitute <version> with either TLSv1.2 or TLSv1.3 to reflect your SSL version.

<entry key="SSL_PROTOCOL_VERSION" value="<version>"/>
<entry key="skipGrpUpdate" value="true"/>
<entry key="skipGrpUpdate" value="true"/>

Resolution : Add the expected error in List of retryable errors of the application debug page as follows:

<entry key="retryableErrors">
 <value>
  <List>
   <String>Unauthorized</String>
  </List>
 </value>
</entry>

Resolution – Increase the default connection timeout by adding the customTimeout attribute to the application XML file as follows:

<entry key="customTimeout" value = "60"/>

Resolution :  Add the following in the application xml file to remove the javax.mail-1.6.1.jar file from the ConnectorClassloader classpath and resolve the conflict issue of classloading:

<entry key="load-by-sysclassloader">
  <value>
   <List>
    <String>javax.mail-1.6.1.jar</String>
   </List>
   </value>
</entry>

Resolution :  If the entitlement aggregation process doesn't aggregate groups then verify the following:

• Check if the SCIM server has the {host} /Group endpoint available with the group's data.

• If the group endpoint is not available, then groups can be aggregated using the /User endpoint. However, the group data should be in the /User endpoint’s response.

  The following RFC is shows the Representation of Users with group information. This has to be implemented in SCIM server.

  RFC 7643: System for Cross-domain Identity Management: Core Schema - Refer to the Full User Representation section.

Resolution: Ensure to enable the provisionMultivaluedRFCCompatible parameter to support the correct JSON for provisioning multivalued schema attributes. Add the following in the application XML of the Debug page to enable this parameter:

<entry key="provisionMultivaluedRFCCompatible">   
    <value>        
        <Boolean>true</Boolean>    
    </value>
</entry>

Note
provisionMultivaluedRFCCompatible is a boolean attribute.

You try to add a new attribute to Compliant Settings from the SCIM server endpoint schema to the account schema, but aggregation processes don't fetch the attribute value, and/or provisioning processes don't send the attribute to the managed system.

Resolution – Perform a Discover Source operation, and then run an unoptimized account aggregation.