Troubleshooting
If you encounter any of the following issues or errors, SailPoint recommends that you follow the guidance provided below to resolve the error before contacting SailPoint Support.

Entitlements with emojis in their names cause an error when they are inserted into or processed in the database.
Resolution: Remove the emojis from the entitlement names on the managed system.

The test connection fails and displays the following error:
Error returned from IQService. One or more errors occurred
Resolution: Complete the following:
Verify that all of the prerequisites for the Microsoft Exchange Online Mailbox attributes are in place. For more information, see Prerequisites.
Once you have verified that the prerequisites have been met, run the following PowerShell command on the IQService machine to verify connectivity:
Connect-ExchangeOnline -UserPrincipalName <userPrincipalName>

Test Connection fails with the following error message when the Azure Active Directory application is configured with the 'SAML Bearer Assertion' grant type:
OAuth2Exception [toString()=connector.common.oauth2.OAuth2Exception: Unable to generate access token. Response returned:
{"error":"invalid_grant","error_description":"AADSTS50008: The SAML token is invalid.\r\nTrace ID: a74df376-3ede-4c17-ba34-b352079e3300\r\nCorrelation ID: f8c370ec-4ef6-48a4-a393-0297a5ce3b20\r\nTimestamp: 2020-05-04 05:58:16Z","error_codes":[50008],"timestamp":"2020-05-04 05:58:16Z","trace_id":"a74df376-3ede-4c17-ba34-b352079e3300","correlation_id":"f8c370ec-4ef6-48a4-a393-0297a5ce3b20","error_uri":"https://login.microsoftonline.com/error?code=50008"}
]
Resolution: Verify that the clock of the ADFS machine is synchronized with the Azure time zone, that is, UTC. If it is not, correct the ADFS machine time and restart the ADFS services.

Test Connection / Account Aggregation fails with the following error message when the Azure Active Directory application is configured with the SAML Bearer Assertion grant type:
Error - invalid_grant: AADSTS5000811: Unable to verify token signature. The signing key identifier does not match any valid registered keys.
Resolution: Microsoft recommends running the following command in PowerShell on the ADFS server to manually renew the token signing certificates:
Update-MSOLFederatedDomain -DomainName <domain>

Provisioning of Exchange attributes fails if account aggregation is in progress. The Exchange Online module supports a maximum of three sessions per user, which limits the number of operations that can run in parallel.
Resolution: The connector uses all three sessions while performing aggregation. To keep aggregation performing well, perform no other operation with the configured user while aggregation is running.

When new attributes are added to the account schema, Get Object / Account Aggregation fails with the following error message:
Error - 501 This operation target is not yet supported
Resolution: The Microsoft Graph API supports the following attributes only when retrieving a single user:
Attributes: aboutMe, birthday, hireDate, interests, mySite, pastProjects, preferredName, responsibilities, schools, skills, mailboxSettings
Including any of these attributes while retrieving a collection of users causes aggregation to fail. Check whether the newly added attributes are in this list and remove them from the schema.
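The check described above, as an added example that is not part of this page or of SailPoint's connector code: it reads an account schema document, reports the attributes that Microsoft Graph returns only for a single-user read, and produces a copy of the schema with them removed. The attribute list is the one given above; the schema layout ({"attributes": [{"name": ..., "type": ...}]}) is an assumption about what the source-schema API returns, and the sample schema is constructed.

```python
"""Flag Microsoft Graph user attributes that are only returned when reading a
single user; they make collection reads (account aggregation, Get Object) fail
with "501 This operation target is not yet supported".

Added example, not SailPoint code. Schema layout is an assumption; sample data
is constructed.
"""
import json

# Attributes that Microsoft Graph returns only for a single-user read (list from the page).
SINGLE_USER_ONLY = frozenset({
    "aboutMe", "birthday", "hireDate", "interests", "mySite", "pastProjects",
    "preferredName", "responsibilities", "schools", "skills", "mailboxSettings",
})


def find_single_user_only_attributes(schema):
    """Return the names of schema attributes that will break a collection read, in schema order."""
    return [attr["name"] for attr in schema.get("attributes", [])
            if attr.get("name") in SINGLE_USER_ONLY]


def strip_single_user_only_attributes(schema):
    """Return a copy of the schema with the offending attributes removed (the fix the page describes)."""
    cleaned = dict(schema)
    cleaned["attributes"] = [attr for attr in schema.get("attributes", [])
                             if attr.get("name") not in SINGLE_USER_ONLY]
    return cleaned


def check_schema_json(schema_json):
    """Parse a schema document and return (offending attribute names, cleaned schema)."""
    schema = json.loads(schema_json)
    return find_single_user_only_attributes(schema), strip_single_user_only_attributes(schema)


# Constructed sample: an account schema after someone added hireDate and skills to it.
SAMPLE_SCHEMA_JSON = json.dumps({
    "name": "account",
    "attributes": [
        {"name": "id", "type": "STRING"},
        {"name": "userPrincipalName", "type": "STRING"},
        {"name": "displayName", "type": "STRING"},
        {"name": "hireDate", "type": "STRING"},
        {"name": "accountEnabled", "type": "BOOLEAN"},
        {"name": "skills", "type": "STRING", "isMulti": True},
    ],
})


if __name__ == "__main__":
    bad, cleaned = check_schema_json(SAMPLE_SCHEMA_JSON)
    if bad:
        print("remove these attributes before aggregating:", ", ".join(bad))
        print("cleaned attribute list:", [a["name"] for a in cleaned["attributes"]])
    else:
        print("schema is safe for collection reads")
```

Run it against the schema document you exported for the source; anything it lists is an attribute that can be read with Get Object for one user but will fail the collection read that aggregation performs.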

An unexpected 'PrimitiveValue' node was found when reading from the JSON reader. A 'StartArray' node was expected.
Or
Invalid value for the Property
Resolution: Ensure that the data type of the attribute is specified correctly in the provisioning policy. For more information, see the Microsoft documentation.
Note
For the update account operation, the businessPhones attribute accepts only a single value, with the data type String collection.

Resolution: Many users could be outside the defined userFilter scope. Add the returnNullROAfter attribute using the IdentityNow API. The value is the number of out-of-scope users; the default value is 50.
Note
For more information on IdentityNow APIs, refer to Best Practices: IdentityNow REST API Authentication and IdentityNow REST API - Update Source (Partial) in the SailPoint Developer Community.

Resolution: Add the createAccountTimelag attribute, using the IdentityNow REST API, to introduce a delay (in seconds) between the create request and the connector fetching the account. The value is the number of seconds and can be adjusted as needed; the default value is 20 seconds.
Note
For more information on IdentityNow APIs, refer to Best Practices: IdentityNow REST API Authentication and IdentityNow REST API - Update Source (Partial) in the SailPoint Developer Community.

In cases where entitlement attributes (such as groups, roles, and servicePrincipals) are present in the account schema, add the max-thread-account-membership entry with a value of 6, 8, or 10 according to your requirements. The default value is 4.
Note
This entry is not valid/used during delta aggregation.
For example:
POST https://{orgName}.api.identitynow.com/cc/api/source/update/{source ID}
In the body of the POST, use form-data as follows:
- Key: max-thread-account-membership
- Value: 8
Note
For more information on IdentityNow APIs, refer to Best Practices: IdentityNow REST API Authentication and IdentityNow REST API - Update Source (Partial) in the SailPoint Developer Community.
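The returnNullROAfter, createAccountTimelag and max-thread-account-membership entries described above are all set through the same source update call, so one added example covers all three. This is example code written for this page, not SailPoint's own code or SDK: it assumes the endpoint shown above (POST https://{orgName}.api.identitynow.com/cc/api/source/update/{source ID}, form-data key/value in the body) and a bearer token obtained separately as the Best Practices reference describes. The three keys and their defaults are the ones the page states; the org name, source ID and token are constructed placeholders, and the send step needs network access plus the third-party requests package.

```python
"""Set a connector tuning entry on an IdentityNow source through the
source update endpoint shown on the page.

Added example, not SailPoint code. Endpoint shape and form-data encoding are
assumptions taken from the page; placeholders are constructed.
"""
from dataclasses import dataclass

# Tuning keys from the page, mapped to the default the page states for each.
KNOWN_KEYS = {
    "max-thread-account-membership": 4,  # threads for entitlement membership; page suggests 6, 8 or 10
    "returnNullROAfter": 50,             # out-of-userFilter-scope users tolerated before null is returned
    "createAccountTimelag": 20,          # seconds waited after create before the account is fetched
}


@dataclass(frozen=True)
class SourceUpdateRequest:
    url: str
    headers: dict
    form_data: dict


def validate_entry(key, value):
    """Return a list of problems with the entry; empty means it is acceptable."""
    problems = []
    if key not in KNOWN_KEYS:
        problems.append(f"unknown tuning key {key!r}; expected one of {sorted(KNOWN_KEYS)}")
    if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
        problems.append(f"{key} must be a positive integer, got {value!r}")
    return problems


def is_default(key, value):
    """True when the value only restates the page's default, so the update changes nothing."""
    return KNOWN_KEYS.get(key) == value


def build_source_update(org_name, source_id, key, value, token):
    """Validate the entry and build the request without sending it."""
    problems = validate_entry(key, value)
    if problems:
        raise ValueError("; ".join(problems))
    url = f"https://{org_name}.api.identitynow.com/cc/api/source/update/{source_id}"
    return SourceUpdateRequest(
        url=url,
        headers={"Authorization": f"Bearer {token}"},
        form_data={key: str(value)},  # one key/value pair, sent as multipart form-data
    )


def send(req):
    """Send the prepared request; returns (status code, response text)."""
    import requests  # imported here so build_source_update works without the package
    resp = requests.post(req.url, headers=req.headers,
                         files={k: (None, v) for k, v in req.form_data.items()},
                         timeout=30)
    resp.raise_for_status()
    return resp.status_code, resp.text


if __name__ == "__main__":
    # Constructed placeholders; replace with your org name, source ID and token.
    req = build_source_update("example-org", "SOURCE_ID_PLACEHOLDER",
                              "max-thread-account-membership", 8, "TOKEN_PLACEHOLDER")
    print("POST", req.url)
    print("form-data:", req.form_data)
    # send(req) would perform the update once real values are in place.
```

Building the request separately from sending it lets you review the exact URL and form-data (and catch a mistyped key, which the endpoint would otherwise accept silently as a new entry) before anything reaches the tenant.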