Troubleshooting
If you encounter any of the following issues or errors, SailPoint recommends that you follow the guidance provided below to resolve the error before contacting SailPoint Support.
Test Connection Errors

org.apache.axis2.AxisFault: Transport error: 401 Error: HTTP/1.1 401 Unauthorized
This error can occur when an incorrect Client ID is entered in the source configuration.
Resolution – Correct the configuration details to resolve the issue.

Unable to verify the signature of the SAML assertion
Resolution – Provide the correct Client ID and Private Key values. Both values must belong to the same OAuth2 client application.

Unable to authenticate the client (Login failed - Invalid user)
Resolution – Ensure that the User ID value is correct.

A test connection fails with the following message:
Unable to authenticate the client (Login failed - login from IP address <ip_address> is prohibited. You can set an API login exception to allow login from this IP address)
The SuccessFactors source may restrict the IP addresses that are allowed to access the APIs required to support connector functions.
Resolution – Allow the necessary IP addresses per the following SAP knowledge base articles:
Note
The linked documents are not maintained by SailPoint and are subject to change without notice.

Test Connection fails with the following error message:
"[ ConnectorException ] [ Error details ] Exception occurred while iterate operation, refer logs for more details. Server is DOWN or Connection parameters are incorrect."
Resolution – Verify the connection parameters and check with your network team for firewall restrictions.
Timeout Errors

java.lang.RuntimeException: java.lang.InterruptedException: Timeout
Resolution – Use the REST API to add the aggregateTimeout attribute.
POST <url>/api/source/update/<sourceID>
- <url> – The URL for the customer's Identity Security Cloud instance
- <sourceID> – The Source ID (number) obtained through the UI
In the body of the POST, use form-data as follows:
- Key – connector_aggregateTimeout
- Value – Add as time in milliseconds
Note
For more information on SailPoint's REST APIs, refer to Best Practices: REST API Authentication and REST API - Update Source (Partial) in the SailPoint Developer Community.

java.lang.RuntimeException - java.lang.RuntimeException: java.lang.InterruptedException: Timeout waiting for response to message 3 from client 84a5de19-2861-4ca5-a8a1-ed4481e43e60 after 180 seconds
Resolution – Increase the timeout value using the REST API:
POST <url>/api/source/update/<sourceID>
- <url> – The URL for the customer's Identity Security Cloud instance
- <sourceID> – The Source ID (number) obtained through the UI
In the body of the POST, use form-data as follows:
- Key – connector_aggregateTimeout
- Value – Add as time in milliseconds, for example you can use 1000.
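
The update request from the two timeout resolutions above, built with the Python standard library as an added example (not SailPoint's code). The endpoint and the connector_aggregateTimeout key come from this page; the bearer-token Authorization header, the ISC_TOKEN variable, the tenant host, the source ID and the 30-minute value are assumptions or constructed placeholders.

```python
import os
import urllib.request
import uuid
from urllib.parse import urlsplit


def build_source_update(base_url, source_id, fields, token):
    """Build (not send) POST <url>/api/source/update/<sourceID> with a form-data body."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("tenant URL must be https so the token is never sent in clear text")
    if not str(source_id).isdigit():
        raise ValueError("source ID must be the numeric ID shown in the UI")
    boundary = uuid.uuid4().hex
    lines = []
    for key, value in fields.items():
        if any(c in key for c in '"\r\n'):
            raise ValueError("form field name contains characters that would break the body")
        lines += [f"--{boundary}",
                  f'Content-Disposition: form-data; name="{key}"',
                  "",
                  str(value)]
    lines += [f"--{boundary}--", ""]
    body = "\r\n".join(lines).encode("utf-8")
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/api/source/update/{source_id}",
        data=body, method="POST",
        # Assumption: the tenant accepts an OAuth bearer token on this endpoint.
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": f"multipart/form-data; boundary={boundary}"})


def aggregate_timeout_fields(minutes):
    """Form field for the timeout; the page states the value is in milliseconds."""
    if not isinstance(minutes, int) or minutes <= 0:
        raise ValueError("timeout must be a positive whole number of minutes")
    return {"connector_aggregateTimeout": minutes * 60 * 1000}


if __name__ == "__main__":
    # Constructed placeholder values; the token is read from the environment, not hard-coded.
    req = build_source_update("https://tenant.example.com", 12345,
                              aggregate_timeout_fields(30),
                              os.environ.get("ISC_TOKEN", "placeholder-token"))
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    # urllib.request.urlopen(req) would send it; left out so the example runs offline.
```

The same builder can carry the other form-data keys this page lists for /api/source/update.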

The SuccessFactors connector displays the following error:
"sailpoint.connector.ConnectorException: java.net.SocketTimeoutException: Read timed out" and "Possible suggestions : \n additional entity value is missing or \n No associated Data Found"
Resolution – Correct the XPaths for additional attributes added in the connector configuration. The semantics or syntax may be incorrect. For more information, refer to Aggregation of Additional Schema Attributes Using SFAPI.
Aggregation Errors

Resolution – Your source permissions and additional picklist values are not completely aligned with recommended practices:
- Ensure that the service account has all the Required Permissions.
- The Picklist ID value is different than the default values used. To change this value, refer to the Exporting and Verifying the Picklist Values section.
- Ensure the picklist values are correct or configured as mentioned in the Picklist Configuration section.

The picklist values may differ from the default values in the connector.
Resolution – Ensure that the picklist values are correct or configured as described in the Picklist Configuration.

User '[<userId>]' does not have permission to manage roles.
Resolution – Ensure that the Manage Role-Based Permission Access permission is assigned to the user. For more information, refer to Required Permissions.

Unable to create iterator sailpoint.connector.InsufficientPermissionException:
[ InsufficientPermissionException ] [ Possible suggestions ] Provide the required permissions for the user. [ Error details ] "error" : { "code" : "COE_GENERAL_FORBIDDEN", "message" :{ "lang" : "en-US", "value" : "[COE0020]User [UserId] attempted to access dynamic group module [permission] without proper access privilege." }
Resolution – Ensure that the Manage Role-Based Permission Access permission is assigned to the service account user when the Roles and Groups attributes are added to the account schema object. For more information, refer to Required Permissions.

Entity FOLocation is not found. Please check the entity in Admin Center > OData API Data Dictionary or contact your system administrator
Resolution – Perform the following:
- In SuccessFactors, go to Admin Center and search for OData API Metadata Refresh And Export.
- Select Refresh.
- Wait for the task to be completed.

User [userId] attempted to access dynamic group module [permission] without proper access privilege.
and
User "[userId]" does not have permission to manage roles
Resolution – Ensure the Manage Role-Based Permission Access permission is correctly assigned.

If the entities are not defined in the SuccessFactors managed system, then this error message displays:
Additional Entity Value is Missing or No associated Data Found
"Got exception while parsing the active list sailpoint.connector.ConnectorException: SFWebServiceFaultException Exception during aggregation. Reason: java.lang.RuntimeException: sailpoint.connector.ConnectorException: SFWebServiceFaultException java.lang.RuntimeException: sailpoint.connector.ConnectorException: SFWebServiceFaultException
Resolution – Ensure that defined and validated attributes are added to Include Compound Employee API Entities on the managed system. For more information, refer to
Note
After the update, make sure to remove these values from the Include Compound Employee API Entities field as this field should contain only the nodes defined on the managed system.

Authorization failed for REST: status code=404 Version of rest URL
Resolution – When specifying the target population to whom granted users have permission to access, exclude granted users from having the permission access to themselves. To do this, deselect the Exclude granted users from having the permission access to themselves checkbox.

Resolution – Update the supportsDeltaAgg entry in the source using the REST API:
POST <url>/api/source/update/<sourceID>
- <url> – The URL for the customer's Identity Security Cloud instance
- <sourceID> – The Source ID (number) obtained through the UI
In the body of the POST, use form-data as follows:
- Key – supportsDeltaAggt
- Value – ["true"]
Note
For more information on SailPoint's REST APIs, refer to Best Practices: REST API Authentication and REST API - Update Source (Partial) in the SailPoint Developer Community.

During aggregation the connector displays the following error:
Caused by: java.util.UnknownFormatConversionException: Conversion = '1" during aggregation.
This issue is caused by a picklist migration problem in which two picklists with the same ID exist on both the MDF and Legacy sides (prior to the migration), but do not match. The migration keeps them separate and appends a suffix to their IDs.
Resolution – Complete the following:
- Refer to the SAP documentation for more information on the causes of the error and the steps to resolve the issue.
- Update the picklistConfigMap entry in the source XML using the REST APIs.
Note
For more information on SailPoint's REST APIs, refer to Best Practices: REST API Authentication and REST API - Update Source (Partial) in the SailPoint Developer Community.

Aggregation fails on an authoritative source with the following error message:
sailpoint.connector.ConnectorException: class java.util.ArrayList cannot be cast to class java.lang.String (java.util.ArrayList and java.lang.String are in module java.base of loader 'bootstrap'
Resolution – Verify that any of the schema attributes included in the aggregation are properly set to multi-valued or single-valued on the end system. If any are incorrectly set, correct them before performing the aggregation process.

Resolution – Follow the steps below to exclude External Users with an e or d status from aggregation:
Note
External Users can be accounts from the Onboarding Module with a status of e or d.
- Add the following to the source XML via REST API:
<entry key="excludePendingHires">
  <value>
    <Boolean>false</Boolean>
  </value>
</entry>
Note
For more information on SailPoint's REST APIs, refer to Best Practices: REST API Authentication and REST API - Update Source (Partial) in the SailPoint Developer Community.
- Restart the virtual appliance.
- Run an aggregation to check if external users are properly excluded from aggregation.
Provisioning Errors
Important
SailPoint does not recommend provisioning attributes that are excluded from aggregation using the entity filters.

connector.InvalidConfigurationException: PickList Mapping is required field and cannot be blank.
Resolution – Ensure that the picklist is configured with the correct values.

IllegalStateException: No application attributes are configured for attribute synchronization
Resolution – Ensure that the identity attributes are synchronized with account attributes correctly.

The following error message displays during provisioning and GET operations:
sailpoint.connector.InvalidRequestException: No data exists for the provided user, please check nativeIdentity identityName(for e.g TestUser1)
Resolution – Perform the following:
- Check the target population in the group that is assigned to the service account role.
- Ensure that the Manage Role-Based Permission Access permission is assigned to the service account user when the Roles and Groups attributes are added to the account schema object.

Resolution – Check if the permissions have been properly set for the service account. Remove any extra permissions that are not mentioned in Required Permissions.

SuccessFactors Username provisioning fails with the following error message:
Error in provisioning the httpcode: 500 error messsage: DUPLICATE_USERNAME : Failed to add/update user
Resolution – SuccessFactors allows you to update the Username attribute to a new and unique value, but not to a value that was previously assigned to it. For more information, refer to SAP Notes.
Other Errors

[ ConnectorException ] [ Possible suggestions ] Ensure configuration parameters are correct with a valid format, Ensure active network connectivity between Source and Target system. [ Error details ] java.lang.RuntimeException: Authorization failed for SOAP INVALID_SESSION error message- Invalid SFAPI session!
This error occurs when there is an issue with the SuccessFactors managed target system.
Resolution – One resolution is to ensure that the Base Company URL is the API URL for the SuccessFactors managed target system, and not the Web URL. For example:
- Web URL – https://salesdemo4.successfactors.com
- API URL – https://apisalesdemo4.successfactors.com

For example, receiving incorrect account statuses, not aggregating any accounts, or connection failures.
Resolution – Check with the SuccessFactors administrator and network team to verify that there were no abnormalities, connection issues, or updates on the target system during the period in which you are seeing the inconsistent or abnormal behavior.