Additional Configuration Parameters
Add the following attributes in the application Debug page:
During aggregation, if an exception is thrown by WebServiceBeforeOperationRule or WebServiceAfterOperationRule, aggregation continues and completes successfully.
To terminate the aggregation with an error message instead, set the following flag to true:
throwBeforeAfterRuleException
This flag can be set only for Account and
The default value of the throwBeforeAfterRuleException flag is false.
Note
- This flag is not applicable for child endpoints.
- The connector does not retry these errors based on the errors configured in the possibleHttpErrors attribute.
During Provisioning, GetObject, or Test Connection operations, if an exception is thrown by the Before Operation Rule, the operation fails.
To log the exception and proceed with provisioning instead, set the value of throwProvBeforeRuleException to false as follows:
<entry key="throwProvBeforeRuleException">
<value>
<Boolean>false</Boolean>
</value>
</entry>
The throwProvBeforeRuleException flag defaults to true for new Web Services applications and to false for existing applications (created before upgrading to IdentityIQ version 8.0 Patch 5 or later). The throwProvBeforeRuleException flag can be set for all operations except Account and
Note
The connector does not retry these errors based on the errors configured in the possibleHttpErrors attribute.
During Provisioning, GetObject, or Test Connection operations, if an exception is thrown by the After Operation Rule, the operation fails.
To log the exception and proceed with provisioning instead, set the value of throwProvAfterRuleException to false as follows:
<entry key="throwProvAfterRuleException">
<value>
<Boolean>false</Boolean>
</value>
</entry>
The throwProvAfterRuleException flag defaults to true for new Web Services applications and to false for existing applications (created before upgrading to IdentityIQ version 8.0 Patch 5 or later).
Note
The connector does not retry these errors based on the errors configured in the possibleHttpErrors attribute.
To send entitlements together with the create-account request, in a single request to the managed system, set the value of the createAccountWithEntReq parameter to true as follows:
<entry key="createAccountWithEntReq">
<value>
<Boolean>true</Boolean>
</value>
</entry>
The default value of createAccountWithEntReq is false.
If enableHasMore is set to true as follows, termination of aggregation depends on the value of the hasMore attribute:
<entry key="enableHasMore" value="true"/>
The hasMore attribute is a Boolean attribute that the Before/After Operation Rule sets in the transientValues map. Aggregation is not terminated until the value of hasMore is false.
If enableHasMore is set to false as follows, aggregation terminates when the number of accounts returned is zero:
<entry key="enableHasMore" value="false"/>
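The following is an added example, not SailPoint's connector code: a small model of the two termination policies selected by enableHasMore, run over constructed pages. The page fetcher, the account records and the max_pages guard are assumptions of the model (the connector exposes no such guard); what it shows is that an empty page ends aggregation early under enableHasMore=false, while under enableHasMore=true a rule that never sets hasMore to false would page forever.

```python
# Added example, not SailPoint's code: models how aggregation paging ends
# under enableHasMore=true versus enableHasMore=false.

def fetch_from_list(pages):
    """Build a page fetcher over a constructed list of (transientValues, accounts)
    tuples. Past the last page it answers with an empty page and hasMore=False,
    so both policies eventually stop."""
    def fetch(page_no):
        if page_no <= len(pages):
            return pages[page_no - 1]
        return {"hasMore": False}, []
    return fetch


def broken_rule(page_no):
    """A misbehaving After Operation Rule that never sets hasMore to False and
    always returns one account: the case that never terminates on its own."""
    return {"hasMore": True}, [{"id": f"u{page_no}"}]


def aggregate(fetch_page, enable_has_more, max_pages=1000):
    """Page through fetch_page(page_no) -> (transientValues, accounts).

    enable_has_more=True : stop only when transientValues["hasMore"] is an
                           explicit False (a missing key keeps paging).
    enable_has_more=False: stop as soon as a page returns zero accounts.
    max_pages is a guard belonging to this model, not a connector setting.
    Returns (accounts, pages_fetched).
    """
    accounts = []
    page_no = 0
    while True:
        page_no += 1
        if page_no > max_pages:
            raise RuntimeError(f"aborted after {max_pages} pages: hasMore never became false")
        transient_values, page_accounts = fetch_page(page_no)
        accounts.extend(page_accounts)
        if enable_has_more:
            if transient_values.get("hasMore") is False:
                return accounts, page_no
        elif not page_accounts:
            return accounts, page_no


# Constructed pages: the empty middle page (for instance, every record on it
# was filtered out server-side) is what separates the two policies.
SAMPLE_PAGES = [
    ({"hasMore": True},  [{"id": "u1"}, {"id": "u2"}]),
    ({"hasMore": True},  []),
    ({"hasMore": False}, [{"id": "u3"}]),
]

if __name__ == "__main__":
    for flag in (True, False):
        got, n = aggregate(fetch_from_list(SAMPLE_PAGES), enable_has_more=flag)
        print(f"enableHasMore={flag}: {len(got)} accounts in {n} pages")
```

With enableHasMore=false the empty second page ends aggregation and account u3 is never read, so that policy is only safe when the endpoint never returns an empty page before the last one. With enableHasMore=true the rule that sets hasMore is the only thing that stops the run, so it must set an explicit false on the last page.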
To utilize the Lock/Unlock feature, add the lockStatus attribute in the application Debug page as provided in the following example:
<entry key="lockStatus" value="status=inactive"/>
In the above example, status is an account schema attribute that indicates whether the account is locked, and the value (inactive) is what lets the Web Services Connector tell a locked account from an unlocked one.
The Web Services Connector does not support provisioning of an account lock (locking or unlocking an account through a provisioning request).
If an API endpoint does not return the expected error codes to flag failure conditions, you can configure the error codes manually. The following example lists HTTP error codes and messages an API endpoint might return; a matching response causes the operation to fail.
Note
These errors do not prompt the connector to retry on Before Operation Rule or After Operation Rule errors.
<entry key="possibleHttpErrors">
<value>
<Map>
<entry key="errorCodes">
<value>
<List>
<Integer>401</Integer>
</List>
</value>
</entry>
<entry key="errorMessages">
<value>
<List>
<String>Unauthorized</String>
</List>
</value>
</entry>
</Map>
</value>
</entry>
Occasionally an API endpoint returns HTTP status code 200 while the response payload contains errors. In this case the connector should fail the request, or, for OAuth, regenerate the token.
The possibleHttpErrors codes and messages can therefore also be configured to identify invalid or expired token errors. When such an error matches, the connector regenerates and saves the OAuth 2.0 access token, then retries the operation with the newly generated token.
Note
This flag is not applicable for child endpoints.
To use the Web Service as a Pass-through Authentication, set the value of isGetObjectRequiredForPTA
to true
as follows:
<entry key="isGetObjectRequiredForPTA">
<value>
<Boolean>true</Boolean>
</value>
</entry>
The default value is true.
When set to true, the connector executes the Get Object operation to verify whether the entered userName (treated as the Identity attribute) exists on the managed system.
When set to false, the Get Object operation is skipped, and the Pass-through Authentication operation must have a response mapping with account object schema attributes.
For more information, refer to Pass Through Authentication.
The objectNotFoundErrorMsg list defines the error messages that identify an object-not-found error.
For example, you can create the following entry for objectNotFoundErrorMsg with custom error messages to identify such exceptions (there can be multiple):
<entry key="objectNotFoundErrorMsg">
<value>
<List>
<String>404: Not Found</String>
<String>404</String>
</List>
</value>
</entry>
The authenticationFailedErrorMsg list defines the error messages that identify an authentication failure.
For example, you can create the following entry for authenticationFailedErrorMsg with custom error messages to identify such exceptions (there can be multiple):
<entry key="authenticationFailedErrorMsg">
<value>
<List>
<String>Authentication Failed</String>
</List>
</value>
</entry>
The expiredPasswordErrorMsg list defines the error messages that identify an expired-password error.
For example, you can create the following entry for expiredPasswordErrorMsg with custom error messages to identify such exceptions (there can be multiple):
<entry key="expiredPasswordErrorMsg">
<value>
<List>
<String>Password Expired</String>
</List>
</value>
</entry>
If the response contains a string matched by expiredPasswordErrorMsg, the user is redirected from the login page to the Change Password page.
Note
If you use OAuth 2.0 authentication and the expired-password error messages are set correctly, the connector tries to refresh the access token after the first failed connection attempt, provided the authentication endpoint supports it.
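The following is an added example, not SailPoint's connector code. It models how the error lists described on this page (possibleHttpErrors, including the 200-with-error-payload and token-regeneration case, and the objectNotFoundErrorMsg, authenticationFailedErrorMsg and expiredPasswordErrorMsg lists used by Pass-through Authentication) turn a response into an outcome. The matching semantics are assumptions of the model, not documented connector behaviour: status codes match by membership in errorCodes, message patterns match as case-insensitive substrings of the status line plus body, and the specific lists are checked before the generic one. The endpoint, token client and configuration values are constructed for the example.

```python
# Added example, not SailPoint's code: a model of response classification by the
# error lists on this page, plus the OAuth 2.0 regenerate-and-retry path.
import json

# Constructed configuration, following the entries shown on this page.
CONFIG = {
    "possibleHttpErrors": {
        "errorCodes": [401, 500],
        "errorMessages": ["Unauthorized", "invalid_token"],
    },
    "objectNotFoundErrorMsg": ["404: Not Found", "404"],
    "authenticationFailedErrorMsg": ["Authentication Failed"],
    "expiredPasswordErrorMsg": ["Password Expired"],
}


def _matches(text, patterns):
    """Assumed semantics: case-insensitive substring match of any pattern."""
    text = text.lower()
    return any(p.lower() in text for p in patterns)


def classify(status, body, config=CONFIG):
    """Return 'expired_password', 'authentication_failed', 'object_not_found',
    'http_error' or 'success'. Specific lists are checked before the generic
    possibleHttpErrors list so a 404 is reported as object_not_found, and a 200
    whose body carries a configured error string is still a failure."""
    text = f"{status} {body}"
    if _matches(text, config["expiredPasswordErrorMsg"]):
        return "expired_password"
    if _matches(text, config["authenticationFailedErrorMsg"]):
        return "authentication_failed"
    if _matches(text, config["objectNotFoundErrorMsg"]):
        return "object_not_found"
    http = config["possibleHttpErrors"]
    if status in http["errorCodes"] or _matches(text, http["errorMessages"]):
        return "http_error"
    return "success"


class OAuthClient:
    """Toy token holder: tracks the access token and how often it was regenerated."""
    def __init__(self):
        self.regenerations = 0
        self.token = "tok-1"

    def regenerate(self):
        self.regenerations += 1
        self.token = f"tok-{self.regenerations + 1}"


def call_with_refresh(client, send, config=CONFIG):
    """send(token) -> (status, body). When the first response matches
    possibleHttpErrors, regenerate the token once and retry with the new one.
    Returns (outcome, number of regenerations)."""
    status, body = send(client.token)
    outcome = classify(status, body, config)
    if outcome == "http_error":
        client.regenerate()
        status, body = send(client.token)
        outcome = classify(status, body, config)
    return outcome, client.regenerations


def constructed_endpoint(token):
    """Constructed managed system: the initial token is expired, and the
    endpoint reports that with HTTP 200 and an error string in the body."""
    if token == "tok-1":
        return 200, json.dumps({"error": "invalid_token"})
    return 200, json.dumps({"id": "u1", "status": "active"})
```

One caveat the model makes visible: a bare pattern such as "404" is a substring and also matches inside an identifier like 14045 in an otherwise successful body, so prefer the more specific "404: Not Found" form, and keep the token-error strings in possibleHttpErrors distinct from the authentication-failure strings so that an expired token triggers a retry rather than being reported as a failed login.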
To handle change password and update operations in a single request, add the updateAttrWithChangePassword attribute as follows and set its value to true:
<entry key="updateAttrWithChangePassword" value="true"/>
If the value of the updateAttrWithChangePassword attribute is true in the application and the plan contains an attribute request named password (change password), then the specific Update Operation Type endpoint is invoked.
Setting this attribute to true does not include add/remove entitlement requests; those requests are executed independently.
By default, the Web Services Connector accepts cookies. Cookies can be disabled by adding the disableCookies attribute as follows and setting its value to true:
<entry key="disableCookies" value="true"/>
This setting is not applicable to the authentication API call operation.
Add or remove multiple entitlements such as Role, Permissions, or Profile.
To send multiple entitlement requests in a single request to the managed system, set the value of addRemoveEntInSingleReq
parameter to true
as shown below:
<entry key="addRemoveEntInSingleReq">
<value>
<Boolean>true</Boolean>
</value>
</entry>
If addRemoveEntInSingleReq is set to true, the payload for entitlements must also be set as shown below:
{
  "group_id": $plan.groups$,
  "permission": $plan.permission$,
  "roles": $plan.roles$
}
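The following is an added example, not SailPoint's connector code. It renders the $plan.<attribute>$ placeholders from the payload above into the single JSON body a request would carry when addRemoveEntInSingleReq is true. That each placeholder is replaced by the JSON encoding of the list of values requested for that attribute, and that placeholder names are the attribute names of the entitlement requests, are assumptions of this model made to show the shape of the body; the provisioning plan is constructed.

```python
# Added example, not SailPoint's code: renders the $plan.<attribute>$ payload
# template into one JSON body for all entitlement requests of a plan.
import json
import re

# The payload template from this page; placeholder names are assumed to be the
# schema attribute names of the entitlement requests.
PAYLOAD_TEMPLATE = """{
  "group_id": $plan.groups$,
  "permission": $plan.permission$,
  "roles": $plan.roles$
}"""

PLACEHOLDER = re.compile(r"\$plan\.([A-Za-z0-9_]+)\$")

# Constructed provisioning plan: three Add requests across two attributes,
# the case a single-request payload has to coalesce.
SAMPLE_PLAN = [
    {"name": "groups", "op": "Add", "value": "g-admins"},
    {"name": "groups", "op": "Add", "value": "g-devs"},
    {"name": "roles", "op": "Add", "value": "auditor"},
]


def collect_values(plan, op):
    """Group the values of every attribute request with operation `op` by attribute name."""
    values = {}
    for req in plan:
        if req["op"] == op:
            values.setdefault(req["name"], []).append(req["value"])
    return values


def render_payload(template, values):
    """Replace each $plan.<name>$ with the JSON encoding of values[name].
    An attribute with no requests renders as [] so the body stays valid JSON
    instead of leaving a bare placeholder behind."""
    body = PLACEHOLDER.sub(lambda m: json.dumps(values.get(m.group(1), [])), template)
    json.loads(body)  # fail fast: a template that is not JSON after substitution is a config bug
    return body


def build_entitlement_body(plan, op="Add", template=PAYLOAD_TEMPLATE):
    """Return the parsed JSON body the model would send for all `op` requests in the plan."""
    return json.loads(render_payload(template, collect_values(plan, op)))


if __name__ == "__main__":
    print(render_payload(PAYLOAD_TEMPLATE, collect_values(SAMPLE_PLAN, "Add")))
```

Add and Remove requests are rendered separately here, mirroring the page's statement that they travel as entitlement requests of their own; a template attribute the plan never mentions becomes an empty list, which the managed system must accept as "no change" for this to be safe.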
The Web Services Connector supports the skipGetObjectInCreate attribute (Boolean), which skips the Get Object call, when one is configured, during the Create provisioning operation.
The deleteStatus attribute defines which account attribute and value mark an object as deleted during delta aggregation. Set it as follows:
<entry key="deleteStatus" value="deleted=true"/>
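The following is an added example, not SailPoint's connector code. It evaluates the "attribute=value" expressions used by lockStatus (shown earlier on this page) and deleteStatus against aggregated account records. Comparing values as case-insensitive strings, accepting multi-valued attributes, and treating a missing attribute as "not matched" are assumptions of this model rather than documented connector behaviour; the account records are constructed.

```python
# Added example, not SailPoint's code: evaluates lockStatus / deleteStatus
# "attribute=value" rules against aggregated accounts.

def parse_status_rule(rule):
    """'status=inactive' -> ('status', 'inactive'); reject malformed rules early
    so a typo in the application config fails loudly instead of silently never matching."""
    if rule.count("=") != 1:
        raise ValueError(f"expected exactly one '=' in {rule!r}")
    attr, value = (part.strip() for part in rule.split("="))
    if not attr or not value:
        raise ValueError(f"empty attribute or value in {rule!r}")
    return attr, value


def status_matches(account, rule):
    """True if the account's attribute equals the rule's value.
    Assumed semantics: case-insensitive string comparison, any element of a
    multi-valued attribute may match, and a missing attribute never matches."""
    attr, expected = parse_status_rule(rule)
    actual = account.get(attr)
    if actual is None:
        return False
    values = actual if isinstance(actual, list) else [actual]
    # JSON booleans arrive as Python bools; 'deleted=true' must still match True.
    return any(str(v).lower() == expected.lower() for v in values)


def annotate(accounts, config):
    """Tag each account with the locked / deleted decision the rules produce."""
    return [
        {
            "id": a["id"],
            "locked": status_matches(a, config["lockStatus"]),
            "deleted": status_matches(a, config["deleteStatus"]),
        }
        for a in accounts
    ]


# Constructed application settings, as they appear on this page.
APP_CONFIG = {"lockStatus": "status=inactive", "deleteStatus": "deleted=true"}

# Constructed aggregation results covering the edge cases: a JSON boolean,
# a missing attribute, a multi-valued attribute and an upper-case string.
SAMPLE_ACCOUNTS = [
    {"id": "u1", "status": "active", "deleted": False},
    {"id": "u2", "status": "inactive", "deleted": False},
    {"id": "u3", "status": "active", "deleted": True},
    {"id": "u4"},
    {"id": "u5", "status": ["pending", "inactive"], "deleted": "TRUE"},
]

if __name__ == "__main__":
    for row in annotate(SAMPLE_ACCOUNTS, APP_CONFIG):
        print(row)
```

Whether the real connector is case-sensitive or matches inside multi-valued attributes should be confirmed against the managed system's actual responses before relying on either; the safe configuration is a value that the endpoint returns in exactly one spelling.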