Troubleshooting

If you encounter any of the following issues or errors, SailPoint recommends that you follow the guidance provided below to resolve the error before contacting SailPoint Support.

Resolution: If the Non-Compliant checkbox is enabled the connector will reach the following endpoints only from the SCIM server:

/Users - For Test Connection, Preview, Aggregation, and Provisioning.

/Groups - For Aggregation and Provisioning.

The following endpoints are not required if Non-Compliant is enabled:

/Schemas

/ResourceTypes

/ServiceProviderConfigs

The schema that gets discovered when enabling the Non-Compliant setting is the default schema the connector provides Out-Of-the-Box (OOB).

If any new attribute needs to be added, you must add it in the schema along with its valid JSON path in the JSON path attribute Mapping.

During aggregation the following error message displays:

ResourceObject is returned with null identity error

Resolution : Verify if the identity attribute is in the schema attribute else add the appropriate schema attribute name as identity attribute.

Messages:

org.json.JSONException: SSL peer shut down incorrectly

Remote host terminated the handshake

Resolution : Configure following in the application via the REST API:

  1. Set the SSL_PROTOCOL_VERSION to TLSv1.2 or TLSv1.3 to reflect your SSL version.

  2. Set the trustAllCert attribute to true.

  3. Set the allowAllHosts attribute to true.

Resolution :  If the entitlement aggregation process doesn't aggregate groups then verify the following:

  • Check if the SCIM server has the {host} /Group endpoint available with the group's data.

  • If the group endpoint is not available, then groups can be aggregated using the /User endpoint. However, the group data should be in the /User endpoint’s response.

    The following RFC is shows the Representation of Users with group information. This has to be implemented in SCIM server.

    RFC 7643: System for Cross-domain Identity Management: Core Schema - Refer to the Full User Representation section.

Resolution: Ensure to enable the provisionMultivaluedRFCCompatible parameter to support the correct JSON for provisioning multivalued schema attributes. Add the following attribute using REST API for updating the source in Identity Security Cloud and then, try modifying the system to date of a user:

key=provisionMultivaluedRFCCompatible

value=true

Note
provisionMultivaluedRFCCompatible is a boolean attribute.

The create account operation fails even though the recommended attribute mappings are used in the Account Policy.

Resolution – Ensure that the managed system is enabled to set the account attributes used by the Account Policy, then try the Create account operation again.

You try to add a new attribute to Compliant Settings from the SCIM server endpoint schema to the account schema, but aggregation processes don't fetch the attribute value, and/or provisioning processes don't send the attribute to the managed system.

Resolution – Perform a Discover Source operation, and then run an unoptimized account aggregation.

Additional attributes added for Group objects are not included in entitlement aggregation.

Resolution:

  • Complaint – Add the required attributes to the group object schema and run an entitlement aggregation process.

  • Non-Complaint – Add the required attributes to the group object schema, and also properly map their respective JSON paths in the source, then run an entitlement aggregation process.