Troubleshooting
The following lists various scenarios where data is not populated in Delta Aggregation:
- Roles assigned to an account through the API are not populated in delta aggregation.
- Sometimes applications that are removed from users are not aggregated in account delta aggregation.
Resolution: Perform a full account aggregation task.
- Sometimes groups that are deleted from the managed system are not captured in account delta aggregation.
Resolution: Perform a full group aggregation to refresh entitlements.
- For an account created with only the default group Everyone, event system logs are not captured.
Resolution: To see the default group assigned to the account, perform a full account aggregation, or create the account with a different group as well, so that the account delta aggregation picks up the details of both groups (the default group and the other group).
- If the HELP_DESK_ADMIN role is removed from a user on the managed system, sometimes groupTargetHelpDeskAdminRole is not removed after delta aggregation.
- If a groupTarget is removed from a user's HELP_DESK_ADMIN role, sometimes the change is not reflected after delta aggregation.
Resolution: Perform a full account aggregation task.
- If the APP_ADMIN role is removed from a user on the managed system, sometimes applicationsManagedByRole is not removed after delta aggregation.
- If applicationsManagedByRole is removed from a user's APP_ADMIN role, sometimes the change is not reflected after delta aggregation.
Resolution: Perform a full account aggregation task.
In IdentityIQ, the managed account refresh action only affects the status of the account in IdentityIQ. Account details are not changed, and Status is one of the account attributes.
Resolution: To get the correct account details and the correct value of the Account status, execute the account aggregation task.
By default, on the Okta managed system the group 'Everyone' is assigned to every account created. Create account fails and the following error message is displayed:
sailpoint.connector.ConnectorException: [ConnectorException] [Error details] Request execution failed. HTTP Error code: 501, Okta Error code: E0000060, errorSummary: Unsupported operation., errorCauses:[].
Resolution: When performing create account with Manage User Access, select a group type other than Everyone.
If IdentityIQ for Okta has a huge number of user-to-group or user-to-application connections, the Account Preview functionality does not work, because fetching the data from Okta takes too long.
Resolution: To verify Okta accounts, run the account aggregation task instead of Account Preview. For more information on best practices for Okta account aggregation, refer to Aggregation Best Practices.
While performing account aggregation, the following warnings are displayed in the logs:
2019-04-18 18:43:25,708 WARN Thread-743 openconnector.connector.okta.OktaConnector:5425 - API rate limit exceeded for endpoint, Retrying the failed request now
2019-04-18 18:43:25,709 WARN Thread-742 openconnector.connector.okta.OktaConnector:5425 - API rate limit exceeded for endpoint, Retrying the failed request now
Resolution: You may ignore these warning messages. To improve Okta aggregation performance, increase the Okta API rate limit.
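The connector retries a request when it hits the rate limit, so a single warning is harmless; what matters is how often the retries cluster, since that is what tells you whether the Okta API rate limit actually needs raising. The following triage script is an added example (not part of the SailPoint documentation or the connector code) that counts the rate-limit warnings per minute and per thread in an IdentityIQ log. The log lines it runs on are constructed samples modelled on the two warnings quoted above, and the threshold is an assumption you would tune for your environment.

```python
import re
from collections import Counter

# Constructed sample log lines modelled on the connector warnings above (not a real capture).
SAMPLE_LOG = """\
2019-04-18 18:43:25,708 WARN Thread-743 openconnector.connector.okta.OktaConnector:5425 - API rate limit exceeded for endpoint, Retrying the failed request now
2019-04-18 18:43:25,709 WARN Thread-742 openconnector.connector.okta.OktaConnector:5425 - API rate limit exceeded for endpoint, Retrying the failed request now
2019-04-18 18:43:26,120 INFO Thread-742 openconnector.connector.okta.OktaConnector:5425 - Fetched next page of users
2019-04-18 18:44:01,003 WARN Thread-741 openconnector.connector.okta.OktaConnector:5425 - API rate limit exceeded for endpoint, Retrying the failed request now
"""

# Timestamp (to the minute), level, thread, logger, message; the logger token is skipped.
LINE_RE = re.compile(
    r"^(?P<minute>\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2},\d{3} "
    r"(?P<level>[A-Z]+) (?P<thread>\S+) \S+ - (?P<msg>.*)$"
)
RATE_LIMIT_MSG = "API rate limit exceeded"


def rate_limit_hits(log_text):
    """Return (hits_per_minute, hits_per_thread) counting only WARN lines
    that carry the connector's rate-limit message."""
    per_minute = Counter()
    per_thread = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("level") != "WARN":
            continue
        if RATE_LIMIT_MSG not in m.group("msg"):
            continue
        per_minute[m.group("minute")] += 1
        per_thread[m.group("thread")] += 1
    return per_minute, per_thread


def needs_attention(per_minute, threshold):
    """True when any single minute saw more than `threshold` retries;
    the threshold value is an assumption to tune per environment."""
    return any(n > threshold for n in per_minute.values())


if __name__ == "__main__":
    minutes, threads = rate_limit_hits(SAMPLE_LOG)
    for minute, n in sorted(minutes.items()):
        print(f"{minute}: {n} rate-limit retries")
    print("raise the Okta rate limit?", needs_attention(minutes, threshold=1))
```

Run it against a copy of the aggregation log; a sustained count of retries in every minute of the run is the signal that the limit, not a transient burst, is the bottleneck.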
While creating or updating the primary email address of an Okta user, the Username (login) is updated to the same email address. Okta has a self-service registration policy feature. When the SELF_SERVICE_REGISTRATION flag is enabled on the Okta managed system, Okta enforces uniqueness for all primary email addresses and automatically uses that email address as the end user's username (login) and primary email address.
Resolution: Disable the SELF_SERVICE_REGISTRATION flag on the Okta managed system. For more information, contact Okta Customer Support.
- Exception during aggregation of Object Type account on Application Okta. Reason: [ InvalidConfigurationException ] [ Possible suggestions ] Ensure the resource mentioned in the Okta URL is correct. The URL resource is /api/v1/groups/<groupID>/users?limit=10000 [ Error details ] Request execution failed. HTTP Error code : 405, Okta Error code : E0000022, errorSummary : The endpoint does not support the provided HTTP method, errorCauses:[]
Resolution: The Okta instance returned HTTP 405; ensure that the Okta URL is correct and can reach the Okta resources.
This issue occurs due to a vanity (customized) Okta URL. Verify the correct settings with the Okta team and allow the API response.
- While performing account aggregation with the OAuth 2.0 Authentication Type, aggregation fails with the following error message:
openconnector.ConnectorException: [ ConnectorException ]
[ Error details ] Request execution failed. HTTP Error code : 403, Okta Error code : E0000005, errorSummary : Invalid session, errorCauses:[].
Resolution: If the type_name and type_displayName attributes are configured in the account schema, delete these attributes and perform the account aggregation.
Note
Aggregation of type_name and type_displayName is only supported for the API Token Authentication Type.
- Exception during aggregation of Object Type account on Application Okta. Reason: Unable to create iterator sailpoint.connector.InsufficientPermissionException: [InsufficientPermissionException]
[Possible suggestions] Furnish appropriate permission to the Okta API token owner.
[Error details] Insufficient privileges detected. HTTP Error code: 401, Okta Error code: E0000015, errorSummary: You do not have permission to access the feature you are requesting
Resolution: Ensure that the correct permissions/roles are assigned to the API Owner (the user whose API token is used in the Okta application). The API Owner must have the SUPER ADMIN role assigned for aggregation.
Note
To aggregate Okta roles, the SUPER_ADMIN role is required.
- For aggregation with Okta's List Users with Search feature, ensure that the following entry key is added in the application XML file:
<entry key="ListUsersWithSearch" value="true"/>
Note
The List Users with Search parameter has moved to General Availability (GA). This operation supports pagination (to a maximum of 50000 results).
- While performing test connection, it fails with the following errors:
  - [ InvalidRequestException ] [ Error details ] Request execution failed. HTTP Error code : 400, Okta Error code : invalid_client, errorSummary : Invalid value for 'client_id' parameter., errorCauses:[].
  Resolution: Ensure that Issuer is correct and the same as the Client ID of the service application created in Okta.
  - [ ConnectorException ] [ Error details ] Request execution failed. HTTP Error code : 401, Okta Error code : invalid_client, errorSummary : The subject claim for client_assertion is not a valid client_id., errorCauses:[].
  Resolution: Ensure that Subject is correct and the same as the Client ID of the service application created in Okta.
  - [ ConnectorException ] [ Error details ] Request execution failed. HTTP Error code : 401, Okta Error code : invalid_client, errorSummary : The audience claim for client_assertion must be the endpoint invoked for the request., errorCauses:[].
  Resolution: Ensure that the URL provided in Audience is correct for authorization.
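The three test-connection errors above each correspond to one claim in the client_assertion JWT that the OAuth 2.0 Authentication Type sends to Okta: iss (Issuer) and sub (Subject) must both equal the service application's Client ID, and aud (Audience) must be the token endpoint being called. The script below is an added example, not SailPoint or Okta code, that decodes an assertion offline and maps each mismatch to the errorSummary Okta would return, so a misconfigured Issuer, Subject or Audience can be caught before the connector is even tested. The tenant URL and client ID are placeholders, the signature segment is a placeholder (a real assertion is signed with the service app's private key), and the expiry check is an extra sanity check beyond the three errors quoted on the page.

```python
import base64
import json
import time

PLACEHOLDER_TENANT = "https://example.okta.com"  # placeholder tenant, not a real org
TOKEN_ENDPOINT = PLACEHOLDER_TENANT + "/oauth2/v1/token"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_assertion_claims(client_id, token_endpoint, lifetime_s=300, now=None):
    """Claims for a private_key_jwt client_assertion: iss and sub carry the
    client_id, aud carries the endpoint the assertion is presented to."""
    now = int(time.time()) if now is None else now
    return {"iss": client_id, "sub": client_id, "aud": token_endpoint,
            "iat": now, "exp": now + lifetime_s, "jti": f"jti-{now}"}


def encode_unsigned(claims, alg="RS256"):
    """header.payload.<placeholder>: enough for claim checks to run offline.
    A real assertion replaces the placeholder with an RS256 signature."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.PLACEHOLDER_SIGNATURE"


def decode_claims(assertion):
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("client_assertion must have three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_assertion(assertion, expected_client_id, token_endpoint, now=None):
    """Return the Okta errorSummary each claim mismatch would produce ([] when clean)."""
    now = int(time.time()) if now is None else now
    c = decode_claims(assertion)
    problems = []
    if c.get("iss") != expected_client_id:      # Issuer field in the connector
        problems.append("Invalid value for 'client_id' parameter.")
    if c.get("sub") != expected_client_id:      # Subject field in the connector
        problems.append("The subject claim for client_assertion is not a valid client_id.")
    if c.get("aud") != token_endpoint:          # Audience field in the connector
        problems.append("The audience claim for client_assertion must be the endpoint invoked for the request.")
    if c.get("exp", 0) <= now:                  # extra check, not one of the page's errors
        problems.append("assertion has expired (exp <= now)")
    return problems


if __name__ == "__main__":
    good = encode_unsigned(build_assertion_claims("0oa-PLACEHOLDER-client", TOKEN_ENDPOINT))
    print(check_assertion(good, "0oa-PLACEHOLDER-client", TOKEN_ENDPOINT))
```

To use it on a real assertion, paste the JWT the connector sends (or one generated from the same Issuer, Subject and Audience values) into check_assertion with the Client ID and token URL you expect; the returned strings tell you which connector field to correct.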
While performing any operation with the OAuth 2.0 Authentication Type, it fails with the following error message:
[ ConnectorException ] [ Error details ] Request execution failed. HTTP Error code : 403, Okta Error code : , errorSummary : , errorCauses:[].
Resolution: Ensure that the appropriate scopes are granted to the Okta service application and that the same scopes are provided in the Scope configuration parameter.
[ InvalidConfigurationException ] [ Possible suggestions ] Ensure the resource mentioned in the Okta URL is correct. The URL resource is //api/v1/users/00u1jw6jffvr3GG395d7/roles/IFIFAX2BIRGUSTQ/targets/catalog/apps/hellofax [ Error details ] Request execution failed. HTTP Error code : 405, Okta Error code : E0000091, errorSummary : The provided role type was not the same as required role type., errorCauses:[].
[ InvalidConfigurationException ] [ Possible suggestions ] Ensure the resource mentioned in the Okta URL is correct. The URL resource is //api/v1/users/00u2on1gcpgu4gIc55d7/roles/JBCUYUC7IRCVGS27IFCE2SKO/targets/groups/00g2dyy3zoPvqGkvI5d7 [ Error details ] Request execution failed. HTTP Error code : 405, Okta Error code : E0000091, errorSummary : The provided role type was not the same as required role type., errorCauses:[].
Resolution: Do not remove the last app target or app instance target; instead, directly remove the APP_ADMIN role or HELP_DESK_ADMIN role from the user.
The following error message is displayed while modifying an account attribute during the Enable operation:
Request execution failed. HTTP Error code : 409, Okta Error code : E0000112, errorSummary : Cannot update this user because they are still being activated. Please try again in a few minutes., errorCauses:[].
Resolution: Add the following entry to the application XML using the application Debug page:
<entry key="WaitTimeAfterEnable" value="20000"/>
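Both the ListUsersWithSearch entry earlier on this page and the WaitTimeAfterEnable entry above are key/value pairs in the application XML's attribute map, and editing that map by hand on the Debug page is where typos and duplicate keys creep in. The script below is an added example (not SailPoint code) that adds or updates such an entry idempotently and validates the WaitTimeAfterEnable value as a non-negative millisecond count before writing it. The application XML it works on is a constructed, stripped-down skeleton (the Attributes/Map layout is the assumption it relies on); a real export carries a DOCTYPE and many more attributes, which this code leaves untouched.

```python
import xml.etree.ElementTree as ET

# Constructed skeleton of an IdentityIQ application definition; assumed layout
# is Application/Attributes/Map/entry, which is what the code below walks.
SAMPLE_APPLICATION_XML = """\
<Application connector="openconnector.connector.okta.OktaConnector" name="Okta" type="Okta">
  <Attributes>
    <Map>
      <entry key="host" value="https://example.okta.com"/>
    </Map>
  </Attributes>
</Application>
"""


def set_entry(xml_text, key, value):
    """Add <entry key=... value=.../> under Attributes/Map, or update it in place
    if the key already exists, so repeated runs never create duplicate keys."""
    root = ET.fromstring(xml_text)
    map_el = root.find("./Attributes/Map")
    if map_el is None:
        raise ValueError("no Attributes/Map element in application XML")
    for entry in map_el.findall("entry"):
        if entry.get("key") == key:
            entry.set("value", value)
            break
    else:
        ET.SubElement(map_el, "entry", key=key, value=value)
    return ET.tostring(root, encoding="unicode")


def get_entry(xml_text, key):
    """Return the value of the entry with this key, or None if absent."""
    root = ET.fromstring(xml_text)
    for entry in root.findall("./Attributes/Map/entry"):
        if entry.get("key") == key:
            return entry.get("value")
    return None


def enable_list_users_with_search(xml_text):
    return set_entry(xml_text, "ListUsersWithSearch", "true")


def set_wait_time_after_enable(xml_text, millis):
    """WaitTimeAfterEnable is a delay in milliseconds; reject anything else
    before it reaches the application definition."""
    if isinstance(millis, bool) or not isinstance(millis, int) or millis < 0:
        raise ValueError("WaitTimeAfterEnable must be a non-negative integer number of milliseconds")
    return set_entry(xml_text, "WaitTimeAfterEnable", str(millis))


if __name__ == "__main__":
    updated = set_wait_time_after_enable(enable_list_users_with_search(SAMPLE_APPLICATION_XML), 20000)
    print(updated)
```

Paste the resulting Map back into the Debug page, or feed an exported application XML through the same functions; because set_entry updates an existing key rather than appending, it is safe to re-run after a value changes.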
When performing a test connection, it fails and the following error is displayed:
Exception: sailpoint.connector.ConnectionFailedException: [ ConnectionFailedException ] [ Possible suggestions ] a) Make sure Okta instance is reachable. b) Make sure there is a smooth connectivity between Identity Server and Okta instance. [ Error details ] Failed to connect to the Okta instance.
When there is a firewall between IdentityIQ and the Okta tenant, or IdentityIQ is installed on a Linux system, the firewall or a network issue is blocking the connection.
Resolution: Verify whether any firewall rules in your environment block the Okta URL, FQDN, or IP address. If the rules are blocking this communication, unblock them.
Aggregation fails and the following error is displayed:
Insufficient privileges detected. HTTP Error code : 403, Okta Error code : E0000006, errorSummary : You do not have permission to perform the requested action, errorCauses:[].
Resolution: One possible reason for this error is that a new built-in group (the Okta administrator group) was added to the Okta system. To fix this error, remove the applications attribute from the group schema if it is not required.
The Okta source supports aggregation only of custom roles that are assigned directly to accounts.
Resolution: Before aggregation, ensure that custom roles for users and groups are assigned directly.
For example, assume that for the user John, John Test Role is a custom role. John Test Role added to the user John is a direct assignment.
But if John Test Role is added to Custom_Group, and Custom_Group is then assigned to the user John, then John Test Role is not a direct assignment for the user John.
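Before aggregating, it helps to know which of a user's custom roles will actually be picked up and which will be silently skipped because they arrive through a group. The script below is an added example, not SailPoint or Okta code, that splits a user's role assignments into direct and inherited ones and reports, for each inherited custom role, the group it comes from. It assumes Okta's user role objects carry an assignmentType field (USER for a direct assignment, GROUP when inherited) and a _links.assignee link to the group; the JSON it runs on is a constructed sample reproducing the John / John Test Role / Custom_Group situation described above, with a second, directly assigned custom role for contrast.

```python
import json

# Constructed sample of a user's role assignments (shape assumed from Okta's role
# API: type, label, assignmentType, and a _links.assignee link for group-sourced roles).
SAMPLE_ROLES_JSON = json.dumps([
    {"id": "cr-audit", "type": "CUSTOM", "label": "Audit Role",
     "assignmentType": "USER", "status": "ACTIVE"},
    {"id": "cr-johntest", "type": "CUSTOM", "label": "John Test Role",
     "assignmentType": "GROUP", "status": "ACTIVE",
     "_links": {"assignee": {"href": "https://example.okta.com/api/v1/groups/00g-Custom_Group"}}},
    {"id": "ra-helpdesk", "type": "HELP_DESK_ADMIN", "label": "Help Desk Administrator",
     "assignmentType": "USER", "status": "ACTIVE"},
])


def split_role_assignments(roles_json):
    """Partition a user's role list into (direct, inherited) by assignmentType."""
    direct, inherited = [], []
    for role in json.loads(roles_json):
        (direct if role.get("assignmentType") == "USER" else inherited).append(role)
    return direct, inherited


def aggregatable_custom_roles(roles_json):
    """Custom roles the Okta source will aggregate: directly assigned ones only."""
    direct, _ = split_role_assignments(roles_json)
    return sorted(r["label"] for r in direct if r.get("type") == "CUSTOM")


def skipped_custom_roles(roles_json):
    """Custom roles that reach the user only via a group, with the group link,
    so an admin can convert them to direct assignments before aggregating."""
    _, inherited = split_role_assignments(roles_json)
    out = []
    for r in inherited:
        if r.get("type") != "CUSTOM":
            continue
        group = r.get("_links", {}).get("assignee", {}).get("href", "<unknown group>")
        out.append((r["label"], group))
    return out


if __name__ == "__main__":
    print("will aggregate:", aggregatable_custom_roles(SAMPLE_ROLES_JSON))
    for label, group in skipped_custom_roles(SAMPLE_ROLES_JSON):
        print(f"skipped: {label!r} is inherited from {group}")
```

Point the functions at the JSON returned for each account whose custom roles look incomplete after aggregation; any role listed by skipped_custom_roles is one the source will not pick up until it is assigned to the user directly.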