Troubleshooting
If you encounter any of the following issues or errors, SailPoint recommends that you follow the guidance provided below to resolve the error before contacting SailPoint Support.

Resolution: Use the HTTP PATCH method to set the useApprolesExtension attribute in the source XML to true, then retry account aggregation.

Resolution: The application roles might not be fetched during group aggregation if the connection between the Oracle EPM Cloud system and SailPoint is slow. The following attributes can be added in the application debug page so that the connector retries reading the application roles.
Key=retryWaitTime Value=30
Key=maxRetryCount Value=3
The retryWaitTime value is in seconds; its default value is 5 seconds.
The default value of maxRetryCount is 3.

Resolution: The Oracle EPM Cloud connector aggregates only active users, because a user can only be disabled from the IDCS system. Once the user is disabled, the link from EPM disappears.

Exception in JWT token generation : {"error":"invalid_grant","error_description":"Invalid user assertion: Token has invalid issue time.","ecid":"Iq^nO1ten10000000"}
Resolution: The issue arises if the VAs in the cluster have different times, or if the timezone of Oracle differs from that of the VA. Check the time of each VA by running sudo timedatectl on the VA. If any VAs have different times, your infrastructure team must fix the time on the machine. Additionally, ensure the VA timezone and the Oracle timezone are the same.
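One way to review the timedatectl output collected from each VA, as an added example that is not SailPoint code: it flags VAs whose clock is not synchronized or whose time zone differs from the expected one. The VA names, the sample output and the expected zone "UTC" are constructed assumptions.

```python
# Constructed timedatectl captures from two hypothetical VAs.
SAMPLE_VA1 = """\
               Local time: Tue 2024-03-05 10:15:02 UTC
           Universal time: Tue 2024-03-05 10:15:02 UTC
                Time zone: UTC (UTC, +0000)
System clock synchronized: yes
              NTP service: active
"""
SAMPLE_VA2 = """\
               Local time: Tue 2024-03-05 04:11:40 CST
           Universal time: Tue 2024-03-05 10:11:40 UTC
                Time zone: America/Chicago (CST, -0600)
System clock synchronized: no
              NTP service: inactive
"""


def parse_timedatectl(text):
    """Turn 'Key: value' lines of timedatectl output into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split at the first colon only
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def clock_findings(outputs, expected_zone):
    """outputs maps a VA name to its timedatectl text; returns (va, problem) pairs."""
    findings = []
    for name, text in sorted(outputs.items()):
        fields = parse_timedatectl(text)
        # Older systemd releases label this field "NTP synchronized".
        synced = fields.get("System clock synchronized",
                            fields.get("NTP synchronized"))
        if synced != "yes":
            findings.append((name, "clock not synchronized"))
        zone = fields.get("Time zone", "").split(" ")[0]
        if zone != expected_zone:
            findings.append((name, "time zone %s, expected %s"
                             % (zone or "unknown", expected_zone)))
    return findings


if __name__ == "__main__":
    for va, problem in clock_findings({"va1": SAMPLE_VA1, "va2": SAMPLE_VA2}, "UTC"):
        print(va, "-", problem)
```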

{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error","urn:ietf:params:scim:api:oracle:idcs:extension:messages:Error"],"detail":"You are not allowed to perform any actions on this page.","status":"401","urn:ietf:params:scim:api:oracle:idcs:extension:messages:Error":{"messageId":"error.common.common.accessDenied"}}
Resolution: Ensure the service user created has logged in at least once to the target EPM Cloud Service before using it for SailPoint integration.

Illegal base64 character 20
Resolution: Ensure the certificate or private key entered is a single string without any new line characters.

Exception in JWT token generation : java.net.UnknownHostException: <service_url>: nodename nor servname provided, or not known
Resolution: Enter the valid IDCS/System URL to authenticate the required resources.

Exception in JWT token generation : {"error":"invalid_client","error_description":"Client authentication failed.","ecid":"L^PYG08YA20000000"}
Resolution: Ensure the entered Client ID and Client Secret are correct and refer to the correct client application that is created in IDCS for SailPoint integration.

[ ConnectorException ] [ Error details ] JWT Assertion creation failed. Could not parse certificate: java.io.IOException: Empty input
Resolution: Ensure the entered certificate is correct or copied correctly before entering it into the field.

Last unit does not have enough valid bits
Resolution: Ensure the entered certificate is correct or copied correctly before entering it into the field.

Input byte array has wrong 4-byte ending unit
Resolution: Ensure the entered private key is correct or copied correctly before entering it into the field.

[ ConnectorException ] [ Error details ] JWT Assertion creation failed. java.security.InvalidKeyException: IOException : DerInputStream.getLength(): lengthTag=55, too big.
Resolution: Ensure the entered private key is correct or copied correctly before entering it into the field.
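A pre-flight check for the certificate or private key string before it is pasted into the source configuration, as an added example that is not SailPoint code: it catches the copy and paste defects behind the base64 and DER parsing errors above (empty input, whitespace or line breaks, a truncated string, a truncated DER body). It assumes the field holds the base64 encoding of a DER structure that starts with a SEQUENCE; the function names and sample value are constructed.

```python
import base64
import binascii
import string

B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")
# Constructed sample: base64 of a 5-byte DER SEQUENCE { INTEGER 0 }, not a real key.
SAMPLE_OK = base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, 0x00])).decode()


def der_total_length(raw):
    """Total size declared by a DER SEQUENCE header, or None if malformed."""
    if len(raw) < 2 or raw[0] != 0x30:
        return None
    first = raw[1]
    if first < 0x80:                      # short form: length in one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(raw) < 2 + n:
        return None
    return 2 + n + int.from_bytes(raw[2:2 + n], "big")


def check_pasted_value(value):
    """Return a list of problems found in a pasted certificate or key string."""
    if not value:
        return ["empty input"]
    bad = sorted({c for c in value if c not in B64_ALPHABET})
    if bad:
        # Java reports the offending character in hex, e.g. 20 for a space.
        codes = ", ".join(format(ord(c), "02x") for c in bad)
        return ["illegal base64 character(s), hex: " + codes]
    if len(value) % 4 != 0:
        return ["length is not a multiple of 4, value may be truncated"]
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error as exc:
        return ["base64 decode failed: %s" % exc]
    declared = der_total_length(raw)
    if declared is None:
        return ["decoded bytes do not start with a valid DER SEQUENCE header"]
    if declared != len(raw):
        return ["DER header declares %d bytes, got %d" % (declared, len(raw))]
    return []


if __name__ == "__main__":
    print(check_pasted_value(SAMPLE_OK[:4] + "\n" + SAMPLE_OK[4:]))
```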

Exception while fetching groups assigned to users
Resolution: Ensure the entered EPM System URL is correct.

User 'id' does not have an EPM account or it has been removed
Resolution: Ensure the user has a direct predefined role or at least one IDCS Group assigned to the user.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Draft//EN"> <HTML> <HEAD> <TITLE>Error 404--Not Found</TITLE> </HEAD> <BODY bgcolor="white"> <FONT FACE=Helvetica><BR CLEAR=all> <TABLE border=0 cellspacing=5><TR><TD><BR CLEAR=all> <FONT FACE="Helvetica" COLOR="black" SIZE="3"><H2>Error 404--Not Found</H2> </FONT></TD></TR> </TABLE> <TABLE border=0 width=100% cellpadding=10><TR><TD VALIGN=top WIDTH=100% BGCOLOR=white><FONT FACE="Courier New"><FONT FACE="Helvetica" SIZE="3"><H3>From RFC 2068 <i>Hypertext Transfer Protocol -- HTTP/1.1</i>:</H3> </FONT><FONT FACE="Helvetica" SIZE="3"><H4>10.4.5 404 Not Found</H4> </FONT><P><FONT FACE="Courier New">The server has not found anything matching the Request-URI. No indication is given of whether the condition is temporary or permanent.</p><p>If the server does not wish to make this information available to the client, the status code 403 (Forbidden) can be used instead. The 410 (Gone) status code SHOULD be used if the server knows, through some internally configurable mechanism, that an old resource is permanently unavailable and has no forwarding address.</FONT></P> </FONT></TD></TR> </TABLE> </BODY> </HTML>
Resolution: Ensure there is not a forward slash '/' at the end of the base URL in the source configuration page.

["Request to remove all assigned IDCS entitlements of the user was rejected","because this will result in deleting the user. \u0027Delete\u0027 the user to achieve the same behaviour."]
Resolution: Ensure there is at least one predefined role or IDCS group present when removing entitlements.