Troubleshooting
If you encounter any of the following issues or errors, SailPoint recommends that you follow the guidance provided below to resolve the error before contacting SailPoint Support.
Error: Could not insert: [sailpoint.object.ManagedAttribute] is received during entitlement aggregation
Entitlements having emojis in its name cause the issue during its insertion/processing in the database.
Resolution: Remove the emojis in the entitlements name on the managed system.
Error: Test connection failure with an error when the Manage Exchange Online checkbox is selected
The test connection fails and displays the following error:
Error returned from IQService. One or more errors occurred
Resolution: Complete the following:
Verify that all of the prerequisites for the Microsoft Exchange Online Mailbox attributes are in place. For more information, refer to Prerequisites.
Once you have verified the prerequisites have been met, run the following PowerShell command on the IQService machine to verify connectivity.
Connect-ExchangeOnline -UserPrincipalName <userPrincipalName>
Error: Test Connection fails
Test Connection fails with the following error message when Microsoft Entra ID application is checked for ‘SAML Bearer Assertion’ Grant Type:
OAuth2Exception [toString()=connector.common.oauth2.OAuth2Exception: Unable to generate access token. Response returned:
{"error":"invalid_grant","error_description":"AADSTS50008: The SAML token is invalid.\r\nTrace ID: a74df376-3ede-4c17-ba34-b352079e3300\r\nCorrelation ID: f8c370ec-4ef6-48a4-a393-0297a5ce3b20\r\nTimestamp: 2020-05-04 05:58:16Z","error_codes":[50008],"timestamp":"2020-05-04 05:58:16Z","trace_id":"a74df376-3ede-4c17-ba34-b352079e3300","correlation_id":"f8c370ec-4ef6-48a4-a393-0297a5ce3b20","error_uri":"https://login.microsoftonline.com/error?code=50008"}
]
Resolution: Verify if the time zone of ADFS machine is in synchronize with Azure time zone, that is, UTC. If not, change the ADFS machine time and re-start the ADFS services.
Error: Test Connection /Account Aggregation fails
Test Connection/ Account Aggregation fails with the following error message when Microsoft Entra ID application is checked for SAML Bearer Assertion Grant Type:
Error - invalid_grant: AADSTS5000811: Unable to verify token signature. The signing key identifier does not match any valid registered keys.
Resolution: Microsoft recommends to execute the following command from PowerShell running on ADFS server to manually renew token signing certificates:
Update-MSOLFederatedDomain –DomainName <domain>
Error: Provisioning of Exchange attribute fails
Provisioning of Exchange attribute fails if account aggregation is in progress. Exchange online module supports maximum three sessions per user hence limiting the parallel operations in execution.
Resolution: Connector uses all the three sessions while performing aggregation. Hence to improve the aggregation performance no other operation must be performed using the configured user.
Error: Account Aggregation fails
When new attributes are added in account schema, Get Object / Account Aggregation fails with the following error message:
Error - 501 This operation target is not yet supported
Resolution: Microsoft Graph API supports some of the following attributes only for retrieving single user:
-
aboutMe -
birthday -
hireDate -
interests -
mySite -
pastProjects -
preferredName -
responsibilities -
schools -
skills -
mailboxSettings
The addition of these attributes while retrieving collection of users leads to aggregation failure. Verify if the newly added attributes are in the list of these attributes and remove them from the schema.
Error: Unexpected errors
An unexpected 'PrimitiveValue' node was found when reading from the JSON reader. A 'StartArray' node was expected.
Or
Invalid value for the Property
Resolution: Ensure that the data type of the attribute is added correctly to the provisioning policy. For more information, refer to the Microsoft Documentation.
Note
For update account operation, the businessPhones attribute accepts only single value with the data type as String collection.
Error: Delta Aggregation with the userFilters scope fails with aggregation timeout
Resolution: Many users could be out of the defined userFilter scope. Add the returnNullROAfter attribute using Identity Security Cloud API. Value is number of the out of scope users, the default value is 50.
Note
For more information on SailPoint's REST APIs, refer to Best Practices: REST API Authentication and REST API - Update Source (Partial) in the SailPoint Developer Community.
Error: The Microsoft Entra ID connector fetches the account after the create request. Because of the cloud environment, there could be some delay to correctly reflect the account, and so the request may fail.
Resolution: Add the createAccountTimelag attribute, using the Identity Security Cloud REST API, to create a delay (in seconds) that will occur after the create request and before the connector fetches the account. The time can be modified as needed. The value could be number of the seconds, the default value is 20 seconds.
Note
For more information on SailPoint's REST APIs, refer to Best Practices: REST API Authentication and REST API - Update Source (Partial) in the SailPoint Developer Community.
Error: Full Account Aggregation taking a long time to complete
In cases where the entitlement attributes (like groups, roles, and servicePrincipals) are present in the account schema, add the following entry in the max-thread-account-membership with a value of 6, 8, or 10 in accordance with your requirements. The default value is 4.
Note
This entry is not valid/used during delta aggregation.
For example:
key: max-thread-account-membership
value: 8
Note
For more information on SailPoint's REST APIs, refer to Best Practices: REST API Authentication and REST API - Update Source (Partial) in the SailPoint Developer Community.
Error: Full account aggregation is taking a long time and is pulling in unwanted schema attributes
Resolution: Remove the unwanted attributes from schema using the Identity Security Cloud REST APIs.
Note
For more information on SailPoint's REST APIs, refer to Best Practices: REST API Authentication and REST API - Update Source (Partial) in the SailPoint Developer Community.
-
Use the following API to get the account schema:
curl --location 'https://<tenanturl>.api.cloud.sailpoint.com/v3/sources/<sourceID>/schemas/<schemaID>' \ --header 'Authorization: Bearer eyJhbGc'
For example,
curl --location'https://tenanturl.api.cloud.sailpoint.com/v3/sources/2fb65f6328cf/schemas/f2bdf68e851' \ --header 'Authorization: Bearer eyJhbGc' -
Get the response from the above API and remove the unwanted attributes and set the body in the following PUT API:
PUT API Reference
Copycurl --location --request PUT 'https://tenanturl.api.cloud.sailpoint.com/v3/sources/2fb65f6328cf43a2a95b49cdeb0778dd/schemas/f2bdf68fec764156b58ba41520cbe851' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer acbdEFG123' \
--data-raw '{
"id": "f2bdf68fec",
"nativeObjectType": "User",
"identityAttribute": "distinguishedName",
"displayAttribute": "sAMAccountName",
"hierarchyAttribute": null,
"includePermissions": false,
"features": [],
"configuration": {},
"attributes": [
{
"name": "businessCategory",
"type": "STRING",
"schema": null,
"description": "business category",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "carLicense",
"type": "STRING",
"schema": null,
"description": "vehicle license or registration plate",
"isMulti": true,
"isEntitlement": false,
"isGroup": false
},
{
"name": "cn",
"type": "STRING",
"schema": null,
"description": "common name(s) for which the entity is known by",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "departmentNumber",
"type": "STRING",
"schema": null,
"description": "identifies a department within an organization",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "destinationIndicator",
"type": "STRING",
"schema": null,
"description": "destination indicator",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "displayName",
"type": "STRING",
"schema": null,
"description": "preferred name to be used when displaying entries",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "distinguishedName",
"type": "STRING",
"schema": null,
"description": "distinguished name for which the entity is known by",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "employeeNumber",
"type": "STRING",
"schema": null,
"description": "numerically identifies an employee within an organization",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "employeeType",
"type": "STRING",
"schema": null,
"description": "type of employment for a person",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "facsimileTelephoneNumber",
"type": "STRING",
"schema": null,
"description": "Facsimile (Fax) Telephone Number",
"isMulti": true,
"isEntitlement": false,
"isGroup": false
},
{
"name": "givenName",
"type": "STRING",
"schema": null,
"description": "first name(s) for which the entity is known by",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "homePhone",
"type": "STRING",
"schema": null,
"description": "home telephone number",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "homePostalAddress",
"type": "STRING",
"schema": null,
"description": "home postal address",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "initials",
"type": "STRING",
"schema": null,
"description": "initials of some or all of names, but not the surname(s).",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "internationaliSDNNumber",
"type": "STRING",
"schema": null,
"description": "international ISDN number",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "l",
"type": "STRING",
"schema": null,
"description": "city",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "mail",
"type": "STRING",
"schema": null,
"description": "RFC822 Mailbox",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "manager",
"type": "STRING",
"schema": null,
"description": "DN of manager",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "mobile",
"type": "STRING",
"schema": null,
"description": "mobile telephone number",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "o",
"type": "STRING",
"schema": null,
"description": "organization this object belongs to",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "ou",
"type": "STRING",
"schema": null,
"description": "organizational unit this object belongs to",
"isMulti": true,
"isEntitlement": false,
"isGroup": false
},
{
"name": "pager",
"type": "STRING",
"schema": null,
"description": "pager telephone number",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "physicalDeliveryOfficeName",
"type": "STRING",
"schema": null,
"description": "Physical Delivery Office Name",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "postOfficeBox",
"type": "STRING",
"schema": null,
"description": "Post Office Box",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "postalAddress",
"type": "STRING",
"schema": null,
"description": "postal address",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "postalCode",
"type": "STRING",
"schema": null,
"description": "postal code",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "preferredDeliveryMethod",
"type": "STRING",
"schema": null,
"description": "preferred delivery method",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "preferredLanguage",
"type": "STRING",
"schema": null,
"description": "preferred written or spoken language for a person",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "registeredAddress",
"type": "STRING",
"schema": null,
"description": "registered postal address",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "roomNumber",
"type": "STRING",
"schema": null,
"description": "room number",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "secretary",
"type": "STRING",
"schema": null,
"description": "DN of secretary",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "seeAlso",
"type": "STRING",
"schema": null,
"description": "DN of related object",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "sn",
"type": "STRING",
"schema": null,
"description": "last (family) name(s) for which the entity is known by",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "st",
"type": "STRING",
"schema": null,
"description": "state or province which this object resides in",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "street",
"type": "STRING",
"schema": null,
"description": "street address of this object",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "telephoneNumber",
"type": "STRING",
"schema": null,
"description": "Telephone Number",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "teletexTerminalIdentifier",
"type": "STRING",
"schema": null,
"description": "Teletex Terminal Identifier",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "telexNumber",
"type": "STRING",
"schema": null,
"description": "Telex Number",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "title",
"type": "STRING",
"schema": null,
"description": "title associated with the entity",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "uid",
"type": "STRING",
"schema": null,
"description": "user identifier",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "objectClass",
"type": "STRING",
"schema": null,
"description": "object classes of the entity",
"isMulti": true,
"isEntitlement": false,
"isGroup": false
},
{
"name": "memberOf",
"type": "STRING",
"schema": {
"type": "CONNECTOR_SCHEMA",
"id": "361378963168",
"name": "group"
},
"description": "Group Membership",
"isMulti": true,
"isEntitlement": true,
"isGroup": true
},
{
"name": "objectSid",
"type": "STRING",
"schema": null,
"description": "Windows Security Identifier",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "objectguid",
"type": "STRING",
"schema": null,
"description": "Object globally unique identifier ",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "sAMAccountName",
"type": "STRING",
"schema": null,
"description": "sAMAccountName",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "primaryGroupID",
"type": "STRING",
"schema": null,
"description": "RID of users primary group",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "primaryGroupDN",
"type": "STRING",
"schema": null,
"description": "DN of users primary group",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "accountFlags",
"type": "STRING",
"schema": null,
"description": "List of the flags enabled on an account",
"isMulti": true,
"isEntitlement": false,
"isGroup": false
},
{
"name": "department",
"type": "STRING",
"schema": null,
"description": "User'\''s department",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "msNPCallingStationID",
"type": "STRING",
"schema": null,
"description": "CallingStationID",
"isMulti": true,
"isEntitlement": false,
"isGroup": false
},
{
"name": "msRADIUSFramedRoute",
"type": "STRING",
"schema": null,
"description": "Static Routes for Dial-In connection",
"isMulti": true,
"isEntitlement": false,
"isGroup": false
},
{
"name": "msNPAllowDialin",
"type": "STRING",
"schema": null,
"description": "Is dial-in allowed",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "msRADIUSCallbackNumber",
"type": "STRING",
"schema": null,
"description": "Callback Number",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "msRADIUSFramedIPAddress",
"type": "STRING",
"schema": null,
"description": "Define Static IP Address",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "mailNickname",
"type": "STRING",
"schema": null,
"description": "Exchange Alias",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "homeMDB",
"type": "STRING",
"schema": null,
"description": "Exchange Database",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "msExchHideFromAddressLists",
"type": "STRING",
"schema": null,
"description": "Hide from Exchange address lists",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "msRTCSIP-UserEnabled",
"type": "BOOLEAN",
"schema": null,
"description": "User enabled for Lync Server",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "SipAddress",
"type": "STRING",
"schema": null,
"description": "Lync sipAddress",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "RegistrarPool",
"type": "STRING",
"schema": null,
"description": "Lync Registrar pool",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "LyncPinSet",
"type": "STRING",
"schema": null,
"description": "Lync user pin set status",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "LyncPinLockedOut",
"type": "STRING",
"schema": null,
"description": "Lync user pin lock status",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "pwdLastSet",
"type": "STRING",
"schema": null,
"description": "Time of last password reset",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "msDS-PrincipalName",
"type": "STRING",
"schema": null,
"description": "Name of the entity in the format \"NetBIOS domain name\\sAMAccountName\"",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "userPrincipalName",
"type": "STRING",
"schema": null,
"description": "The unique name of the entity within the domain, in the format \"name@domain\"",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "externalEmailAddress",
"type": "STRING",
"schema": null,
"description": "External email address of Mail User",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "dNSHostName",
"type": "STRING",
"schema": null,
"description": "Fully Qualified Domain Name for the Service Account",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "msDS-ManagedPasswordInterval",
"type": "STRING",
"schema": null,
"description": "Password change interval in days for the Managed Service Account",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "msDS-SupportedEncryptionTypes",
"type": "STRING",
"schema": null,
"description": "Supported Encryption Types for the Managed Service Account",
"isMulti": true,
"isEntitlement": false,
"isGroup": false
},
{
"name": "msDS-GroupMSAMembership",
"type": "STRING",
"schema": null,
"description": "Principals allowed to use Group Managed Service Account",
"isMulti": true,
"isEntitlement": false,
"isGroup": false
},
{
"name": "msDS-AllowedToActOnBehalfOfOtherIdentity",
"type": "STRING",
"schema": null,
"description": "Principals that can act on the behalf of Group Managed Service Account",
"isMulti": true,
"isEntitlement": false,
"isGroup": false
},
{
"name": "servicePrincipalName",
"type": "STRING",
"schema": null,
"description": "Service principal names for the Service Account",
"isMulti": true,
"isEntitlement": false,
"isGroup": false
},
{
"name": "objectType",
"type": "STRING",
"schema": null,
"description": "Type of Active Directory object",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "shadowAccountDN",
"type": "STRING",
"schema": null,
"description": "DistinguishedName of the Linked Mailbox shadow account",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "shadowAccountGuid",
"type": "STRING",
"schema": null,
"description": "ObjectGuid of the Linked Mailbox shadow account",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "msExchRecipientTypeDetails",
"type": "STRING",
"schema": null,
"description": "Type of the Microsoft Exchange recipient object",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "memberOfSharedMailbox",
"type": "STRING",
"schema": {
"type": "CONNECTOR_SCHEMA",
"id": "dd43485",
"name": "sharedMailbox"
},
"description": "List of Shared Mailboxes to which user has permissions",
"isMulti": true,
"isEntitlement": true,
"isGroup": true
}
],
"id": "f2bdf68f",
"name": "account",
"created": "2023-10-09T17:22:35.174Z",
"modified": "2023-10-09T17:22:35.174Z"
}'
Error: Unable to convert a JSON string since the dictionary that was converted from the string contains duplicated keys for 'ImmutableId' and 'immutableId'
This error occurs when there is a duplication of attribute immutableID in the ResourceObject(RO).
Resolution: Add the entry skipProcessLegacyIdentifiers in the source XML using Identity Security Cloud REST API and set the value as true. By default this value is false.
Note
For more information on SailPoint's REST APIs, refer to Best Practices: REST API Authentication and REST API - Update Source (Partial) in the SailPoint Developer Community.
Error: When Manage Exchange Online is enabled, the account aggregation process sometimes gets stuck and stays that way for days.
Since there is no timeout limit set for the IQService's response, the current setting defaults to 0. This means it will wait indefinitely if IQService doesn't respond.
Resolution: Add the following entry to the source XML using PATCH:
[ { "op": "add", "path": "/connectorAttributes/IQServiceResponseTimeout", "value": "7200" } ]
The value is in seconds and depends on how long IQService takes to fetch the sharedMailbox AND/OR EXO attributes.
Note
For more information on SailPoint's REST APIs, refer to Best Practices: REST API Authentication and REST API - Update Source (Partial) in the SailPoint Developer Community.
Error: SharedMailbox displays alphanumeric values instead of a user-friendly display name
Resolution: If SharedMailbox displays Globally Unique Identifier (GUID) value instead of a readable DisplayName, add the useDisplayNameForSharedMailbox entry to the true.
Note
For more information on SailPoint's REST APIs, refer to Best Practices: REST API Authentication and REST API - Update Source (Partial) in the SailPoint Developer Community.
[
{
"op": "add",
"path": "/connectorAttributes/useDisplayNameForSharedMailbox",
"value": true
}
]When managing users and Service Principal Names (SPNs) as accounts under a single source, if the displayName attribute of the Account Schema is set to UserPrincipalName, you may encounter numeric values for SPN accounts instead of readable names.
Resolution: To display the correct SPN displayName, ensure that the mapSPNDisplayNameToUPN entry is set to true in the source XML configuration.