Troubleshooting
If you encounter any of the following issues or errors, SailPoint recommends that you follow the guidance provided below to resolve the error before contacting SailPoint Support.
Test Connection Errors
org.apache.axis2.AxisFault: Transport error: 401 Error: HTTP/1.1 401 Unauthorized
This error can happen when an incorrect Client ID is entered in the source configuration.
Resolution – Correct the configuration details to resolve the issue.
Unable to verify the signature of the SAML assertion
Resolution – Provide the correct Client ID and Private Key values. Both values must belong to the same OAuth2 Client Application.
Unable to authenticate the client (Login failed - Invalid user)
Resolution – Ensure that the User ID value is correct.
Test Connection fails with the following error message:
"[ ConnectorException ] [ Error details ] Exception occurred while iterate operation, refer logs for more details. Server is DOWN or Connection parameters are incorrect."
Resolution – Verify the connection parameters and check with your network team about firewall restrictions.
Timeout Errors
java.lang.RuntimeException: java.lang.InterruptedException: Timeout
Resolution – Use the IdentityNow REST API to add the aggregateTimeout attribute.
POST <url>/api/source/update/<sourceID>
- <url> – The URL for the customer's IdentityNow instance
- <sourceID> – The Source ID (number) obtained through the UI
In the body of the POST, use form-data as follows:
- Key – connector_aggregateTimeout
- Value – Add as time in milliseconds
Note
For more information on IdentityNow APIs, refer to Best Practices: IdentityNow REST API Authentication and IdentityNow REST API - Update Source (Partial) in the SailPoint Developer Community.
java.lang.RuntimeException - java.lang.RuntimeException: java.lang.InterruptedException: Timeout waiting for response to message 3 from client 84a5de19-2861-4ca5-a8a1-ed4481e43e60 after 180 seconds
Resolution – Increase the timeout value using IdentityNow REST API:
POST <url>/api/source/update/<sourceID>
- <url> – The URL for the customer's IdentityNow instance
- <sourceID> – The Source ID (number) obtained through the UI
In the body of the POST, use form-data as follows:
- Key – connector_aggregateTimeout
- Value – Add as time in milliseconds, for example you can use 1000.
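The aggregateTimeout update described in the two resolutions above, as an added shell example (not SailPoint's own code). It assumes bearer-token authentication with the token in a hypothetical IDN_TOKEN environment variable; the DRY_RUN switch, the function names, and the sample tenant URL, source ID and timeout in the comments are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: set connector_aggregateTimeout through the endpoint shown above.
# Assumptions (not from the page): bearer-token auth via IDN_TOKEN, DRY_RUN switch.

# Build the endpoint URL after checking the tenant URL and the numeric source ID.
idn_update_url() {
  local base="${1%/}"
  local source_id="$2"
  case "$base" in
    https://*) ;;
    *) echo "tenant URL must use https" >&2; return 1 ;;
  esac
  case "$source_id" in
    ''|*[!0-9]*) echo "source ID must be a number" >&2; return 1 ;;
  esac
  printf '%s/api/source/update/%s\n' "$base" "$source_id"
}

# The value is a time in milliseconds: accept positive whole numbers only.
valid_timeout_ms() {
  case "$1" in
    ''|*[!0-9]*|0*) return 1 ;;
  esac
  return 0
}

# POST connector_aggregateTimeout=<ms> as form-data.
# Constructed usage: set_aggregate_timeout https://tenant.example.com 1234 300000
set_aggregate_timeout() {
  local url
  url="$(idn_update_url "$1" "$2")" || return 1
  valid_timeout_ms "$3" || { echo "timeout must be whole milliseconds" >&2; return 1; }
  if [ "${DRY_RUN:-0}" = 1 ]; then
    # Show what would be sent without touching the network or the token.
    printf 'POST %s connector_aggregateTimeout=%s\n' "$url" "$3"
    return 0
  fi
  : "${IDN_TOKEN:?set IDN_TOKEN to a bearer token}"
  # Pass the token as curl config on stdin so it never appears in the process list.
  printf 'header = "Authorization: Bearer %s"\n' "$IDN_TOKEN" |
    curl --silent --show-error --fail --config - \
         --request POST --form "connector_aggregateTimeout=$3" "$url"
}
```

Run it with DRY_RUN=1 first to confirm the URL and value before sending the request.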
The SuccessFactors connector displays the following error:
"sailpoint.connector.ConnectorException: java.net.SocketTimeoutException: Read timed out" and "Possible suggestions : \n additional entity value is missing or \n No associated Data Found"
Resolution – Correct the XPaths for additional attributes added in the connector configuration. The semantics or syntax may be incorrect. For more information, refer to Aggregation of Additional Schema Attributes Using SFAPI.
Aggregation Errors
Resolution – Your source permissions and additional picklist values are not completely aligned with recommended practices:
- Ensure that the service account has all the Required Permissions.
- The Picklist ID value is different than the default values used. To change this value, refer to the Exporting and Verifying the Picklist Values section.
- Ensure the picklist values are correct or configured as mentioned in the Picklist Configuration section.
The picklist values may differ from the default values in the connector.
Resolution – Ensure that the picklist values are correct or configured as described in the Picklist Configuration.
User '[<userId>]' does not have permission to manage roles.
Resolution – Ensure that the Manage Role-Based Permission Access permission is assigned to the user. For more information, refer to Required Permissions.
Unable to create iterator sailpoint.connector.InsufficientPermissionException:
[ InsufficientPermissionException ] [ Possible suggestions ] Provide the required permissions for the user. [ Error details ] "error" : { "code" : "COE_GENERAL_FORBIDDEN", "message" :{ "lang" : "en-US", "value" : "[COE0020]User [UserId] attempted to access dynamic group module [permission] without proper access privilege." }
Resolution – Ensure that the Manage Role-Based Permission Access permission is assigned to the service account user when the Roles and Groups attributes are added to the account schema object. For more information, refer to Required Permissions.
Entity FOLocation is not found. Please check the entity in Admin Center > OData API Data Dictionary or contact your system administrator
Resolution – Perform the following:
- In SuccessFactors, go to Admin Center and search for OData API Metadata Refresh And Export.
- Select Refresh.
- Wait for the task to be completed.
User [userId] attempted to access dynamic group module [permission] without proper access privilege.
and
User "[userId]" does not have permission to manage roles
Resolution – Ensure the Manage Role-Based Permission Access permission is correctly assigned.
If the entities are not defined in the SuccessFactors managed system, then this error message displays:
Additional Entity Value is Missing or No associated Data Found
"Got exception while parsing the active list sailpoint.connector.ConnectorException: SFWebServiceFaultException Exception during aggregation. Reason: java.lang.RuntimeException: sailpoint.connector.ConnectorException: SFWebServiceFaultException java.lang.RuntimeException: sailpoint.connector.ConnectorException: SFWebServiceFaultException
Resolution – Ensure that defined and validated attributes are added to Include Compound Employee API Entities on the managed system. For more information, refer to
Note
After the update, make sure to remove these values from the Include Compound Employee API Entities field as this field should contain only the nodes defined on the managed system.
Authorization failed for REST: status code=404 Version of rest URL
Resolution – When specifying the target population to whom granted users have permission to access, exclude granted users from having the permission access to themselves. To do this, deselect the Exclude granted users from having the permission access to themselves checkbox.
Resolution – Update the supportsDeltaAgg entry in the source using the IdentityNow REST API:
POST <url>/api/source/update/<sourceID>
- <url> – The URL for the customer's IdentityNow instance
- <sourceID> – The Source ID (number) obtained through the UI
In the body of the POST, use form-data as follows:
- Key – supportsDeltaAgg
- Value – ["true"]
Note
For more information on IdentityNow APIs, refer to Best Practices: IdentityNow REST API Authentication and IdentityNow REST API - Update Source (Partial) in the SailPoint Developer Community.
During aggregation the connector displays the following error:
Caused by: java.util.UnknownFormatConversionException: Conversion = '1' during aggregation.
This issue occurs due to a picklist migration issue where two picklists with the same ID exist on both the MDF and Legacy sides (prior to the migration), but do not match. The migration keeps them separate and appends a suffix to their IDs.
Resolution – Complete the following:
- Refer to the SAP documentation for more information on the causes of the error and the steps to resolve the issue.
- Update the picklistConfigMap entry in the source XML using the IdentityNow REST APIs.
Note
For more information on IdentityNow APIs, refer to Best Practices: IdentityNow REST API Authentication and IdentityNow REST API - Update Source (Partial) in the SailPoint Developer Community.
Provisioning Errors
Important
SailPoint does not recommend provisioning attributes that are excluded from aggregation using the entity filters.
connector.InvalidConfigurationException: PickList Mapping is required field and cannot be blank.
Resolution – Ensure that the picklist is configured with the correct values.
IllegalStateException: No application attributes are configured for attribute synchronization
Resolution – Ensure that the identity attributes are synchronized with account attributes correctly.
The following error message displays during provisioning and GET operations:
sailpoint.connector.InvalidRequestException: No data exists for the provided user, please check nativeIdentity identityName(for e.g TestUser1)
Resolution – Perform the following:
- Check the target population in the group that is assigned to the service account role.
- Ensure that the Manage Role-Based Permission Access permission is assigned to the service account user when the Roles and Groups attributes are added to the account schema object.
Resolution – Check if the permissions have been properly set for the service account. Remove any extra permissions that are not mentioned in Required Permissions.
SuccessFactors Username provisioning fails with the following error message:
Error in provisioning the httpcode: 500 error messsage: DUPLICATE_USERNAME : Failed to add/update user
Resolution – SuccessFactors allows you to update the Username attribute to a new and unique value, but not to a value that was previously assigned to it. For more information, refer to SAP Notes.
Other Errors
[ ConnectorException ] [ Possible suggestions ] Ensure configuration parameters are correct with a valid format, Ensure active network connectivity between Source and Target system. [ Error details ] java.lang.RuntimeException: Authorization failed for SOAP INVALID_SESSION error message- Invalid SFAPI session!
This error occurs when there is an issue with the SuccessFactors managed target system.
Resolution – One of the resolutions is to ensure that the Base Company URL is the API URL for the SuccessFactors managed target system, and not the WEB URL. For example:
- Web URL – https://salesdemo4.successfactors.com
- API URL – https://apisalesdemo4.successfactors.com
For example, receiving incorrect account statuses, not aggregating any accounts, or connection failures.
Resolution – Verify that there were no abnormalities, connection issues, or updates on the target system during the duration that you are seeing the inconsistent or abnormal behavior by checking with the SuccessFactors administrator and network team.