Configuration Parameters

For the Web Services source you can configure the values of the following attributes using the SailPoint REST API. For the usage of the SailPoint REST APIs for the following attributes and keys, refer to:

During aggregation if an exception is displayed from WebServiceBeforeOperationRule or WebServiceAfterOperationRule, then aggregation continues and completes successfully.

Set the value of the following flag to true to terminate the aggregation by displaying an error message:

throwBeforeAfterRuleException

Use the throwBeforeAfterRuleException attribute key.

The default value is false.

This flag can be set only for Account and entitlement aggregation.

The default value of the throwBeforeAfterRuleException flag is set to false.

Note
This flag is not applicable for child endpoints.

During Provisioning, GetObject, or Test Connection operations, if an exception is thrown by the Before Operation Rule, then the operation fails.

To ignore the exception in the log file and proceed with provisioning, set the value of throwProvBeforeRuleException to false.

The throwProvBeforeRuleException flag can be set for all operations except Account and Entitlement aggregation.

During Provisioning, GetObject, or Test Connection operations, if an exception is thrown by the After Operation Rule, then the operation fails.

To ignore the exception in the log file and proceed with provisioning, set the throwProvAfterRuleException attribute key with false as a value.

The throwProvAfterRuleException flag can be set for all operations except Account and Entitlement aggregation.

Default value – false

To enable the functionality of sending entitlements with create account in a single request to the managed system, set the value of createAccountWithEntReq parameter to true as follows:

By default, the Web Services source creates an account for a Create Account operation and then adds the entitlements one by one.

For example, if there are three entitlements (Role, Group, Profile), the source will execute three requests and three API calls are sent.

Adding the createAccountWithEntReq attribute will merge all the entitlement requests in a single API call.

Use the createAccountWithEntReq attribute key true as a value.

If enableHasMore is set to true as follows then the termination of aggregation would depend on the value of hasMore attribute:

Use the enableHasMore attribute key with true as a value.

The hasMore attribute is the Boolean attribute which is to be set in the transientValues map in the Before/After Operation Rule. Unless the value of hasMore attribute is false aggregation isn't terminated.

If enableHasMore is set to false as follows, then the aggregation terminates if the number of accounts returned is zero:

Use the enableHasMore attribute key with false as a value.

If an API endpoint does not send expected error codes to flag failure conditions, you can manually configure error codes. The following code example lists possible HTTP error codes/ messages an API endpoint might return, which can then result in the failure of operations.

Note
These errors don't prompt the connector to retry After Operation Rule errors or Before Operation Rule errors.

Use the possibleHttpErrors attribute with ["errorCodes","errorMessages"] as the value.

Copy 
<entry key="possibleHttpErrors">
 <value>
  <Map>
   <entry key="errorCodes">
    <value>
     <List>
      <Integer>401</Integer>
     </List>
    </value>
   </entry>
   <entry key="errorMessages">
    <value>
     <List>
      <String>Unauthorized</String>
     </List>
    </value>
   </entry>
  </Map>
 </value>
</entry>

Occasionally, the Web Services Connector returns the httpstatuscode as 200 but the response payload may contain errors. In this case, ideally the connector must fail the request or an OAuth token generation must try to regenerate the token.

These possible HTTP Error codes and messages can also be configured to specify invalid or expiry token errors. In this case connector

regenerates and saves the token for OAuth 2.0 authentication, then it retries the operation with the newly generated access token.

Note
This flag is not applicable for child endpoints.

To use the Web Service as a Pass-through Authentication, set the isGetObjectRequiredForPTA attribute key to true.

When set to true, it executes Get Object operation to verify if the entered userName (Considered as Identity attribute) is present on the managed system or not.

When set to false then it skips Get Object operation and Pass-through Authentication operation must have response mapping with account object schema attributes.

For more information, refer to Pass Through Authentication.

Based on the error message list, the source decides whether to display the objectNotFoundErrorMsg error.

For example, you can create the an entry for objectNotFoundErrorMsg with a custom error message to identify multiple exceptions (there can be multiple) by setting the objectNotFoundErrorMsg attribute key with ["404: Not Found", "404"] as the value.

Based on the error message list, the source decides whether to display the authenticationFailedErrorMsg error.

For example, you can create the following entry for authenticationFailedErrorMsg with custom error messages to identify exceptions (there can be multiple):

  • Keyconnector_authenticationFailedErrorMsg

  • Value["Authentication Failed"]

Based on the error message list, the source decides whether to throw expiredPasswordErrorMsg error.

For example, you can create the following entry for expiredPasswordErrorMsg with a custom error message to identify exceptions (there can be multiple) by setting the expiredPasswordErrorMsg attribute key with ["Password Expired"] as a value.

If the response contains a string matched with expiredPasswordErrorMsg, then it redirects the user from the login page to the Change Password page.

Note
If you use OAuth 2.0 authentication and you have the error messages for expired password correctly set, the connector tries to refresh the access token after the first failed connection attempt if the authentication endpoint supports it.

To enable single requests for change password and update operations, use the updateAttrWithChangePassword attribute key with true as a value.

If the value of the updateAttrWithChangePassword attribute is true in the application and the plan contains no attribute request name as "password" (change password), then the specific Update Operation Type endpoint is invoked.

Setting the value of for attribute to true does not include requests for add/ remove entitlements. These requests are executed independently.

Note
For more information on SailPoint's REST APIs, refer to Best Practices: REST API Authentication and REST API - Update Source (Partial) in the SailPoint Developer Community.

By default, the Web Services source supports cookies.

Cookies can be disabled by adding the disableCookies attribute key with true as a value.

Not applicable for the authentication API call operation.

Add or remove multiple entitlements such as Role, Permissions, or Profile.

To send multiple entitlement requests in a single request to the managed system, set the value of addRemoveEntInSingleReq parameter to true as shown below:

Copy 
<entry key="addRemoveEntInSingleReq">
    <value>
        <Boolean>true</Boolean>
    </value>
</entry>

If addRemoveEntInSingleReq is set to true, then the payload for entitlements must also be set as shown below:

Copy 
{"
group_id" : $plan.groups$,
"permission":$plan.permission$,
"roles": $plan.roles$
}

The Web Services connector now supports the skipGetObjectInCreate attribute (Boolean) to skip the getObject call if it is present during the Create provisioning operation.

This attribute marks whether an object as deleted or not during delta aggregation. To set the value of deleteStatus, set the value as follows:

<entry key="deleteStatus" value="deleted=true"/>