Additional Settings

The Additional Settings tab has options for provisioning and common configuration for HTTP errors.

Provisioning Settings

The Web Services connector supports the following provisioning features.

  • Create Account With "Ent" Request

    The Create Account operation executes with entitlement attributes. If the Create Account operation response contains the required attributes, including the identity attribute, the account object is created and the account link displays under the identity from whom the account creation was triggered.

  • Throw Provisioning Rules

    Configure the connector to set the exception flag and display any exceptions encountered during provisioning.

    There are three options available:

    • Throw Provisioning Before And After Rule Exception – Set the exception flag during both the WebServicesBeforeOperationRule and the WebServicesAfterOperationRule.

    • Throw Provisioning After Rule Exception – Set the exception flag during the WebServicesAfterOperationRule.

    • Throw Provisioning Before Rule Exception – Set the exception flag during the WebServicesBeforeOperationRule.

    The connector does not retry these errors based on the errors configured in the possibleHttpErrors attribute.

  • Update Attributes with Change Password

    Include a password change and an attribute change in a single request. The Change Password operation is used for changing the password on the managed target system. If the provisioning plan contains no attribute request with the name "password", the update operation type endpoint is invoked. Enabling this attribute does not include requests for add or remove entitlement operations. Those requests are executed independently.

  • Get Object Required for PTA

    The Pass Through Authentication operation verifies user credentials. When checked, it executes the Get Object operation to verify whether the entered Username (considered as an Account ID attribute in this example) is present on the target system. When unchecked, it skips the Get Object operation. The Pass Through Authentication operation must have response mapping with account object schema attributes.

Common Configurations for Errors

Configure HTTP errors that the connector may encounter during configured HTTP operations. You can configure these HTTP errors using the configuration UI or create an API call to define them.

HTTP Errors

When the connector encounters an error during an HTTP operation, it will typically fail the operation and retry it. You must manually configure any possible HTTP error codes or messages that the API endpoint may return.

You can manually configure HTTP error codes and messages for times when an API endpoint in the Web Services source sends unexpected error codes to flag failure conditions. Manually configuring these codes enables the connector to properly handle them. Configure the source with all possible HTTP error codes and messages that the API endpoint may return. Enter the HTTP Error Keys and their respective HTTP Error Values.

This is not applicable to the child endpoints.

For example:

  • The Web Services source returns the HTTP status code: 200, but the response payload contains an error. Without the manually entered HTTP error, the source won't know that it must fail the request and retry the operation.

  • During OAuth token generation, the source needs to regenerate a token to replace an invalid or expired token. You can configure an HTTP error code or message that identifies an invalid or expired token error in this event. The source regenerates and saves the token for OAuth2 authentication, then retries the operation with the newly generated access token.

Object Not Found Error Messages

Enter the error message that the connector displays when it can't find objects or fails to make connections.

For example:

404 - Object Not Found

Authentication Failed Error Messages

Enter the error message that the connector displays when authorization fails.

For example:

Authentication Failed

Expired Password Error Messages

Enter the message that the connector displays when passwords expire.

For example:

Password Expired

Disable Cookies – The Web Services source can disable cookies while executing HTTP requests. You can disable cookies for all the operations performed except for the authentication API.

If you use OAuth 2.0 authentication and you have the error messages for expired password correctly set, the connector tries to refresh the access token after the first failed connection attempt if the authentication endpoint supports it.

Retryable Errors Definition API Call

Use the following API call body with the IdentityNow REST API to define possible HTTP errors.

    [
        {
            "op": "add",
            "path": "/connectorAttributes/retryableErrors",
            "value": [
                "<Error 1>",
                "<Error 2>"
            ]
        }
    ]

For more information on IdentityNow APIs, refer to Best Practices: IdentityNow REST API Authentication and IdentityNow REST API - Update Source (Partial) in the SailPoint Developer Community.
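
The HTTP Errors section above warns that a failure returned with status 200 goes unnoticed unless a matching error is configured. The following added example (not SailPoint code) checks a candidate error list against sample responses before it is placed in the retryableErrors call. The sample responses are constructed, and the matching rule (case-insensitive substring of status plus body) is an assumption made for illustration, not the connector's documented behavior.

```python
import json

# Constructed sample responses from a hypothetical target API:
# (HTTP status, response body, whether the operation actually failed).
SAMPLES = [
    (200, '{"status":"ok","id":"a1"}', False),
    (200, '{"status":"error","message":"Rate limit exceeded"}', True),
    (401, '{"error":"invalid_token","detail":"Access token expired"}', True),
    (503, "Service Unavailable", True),
]

def matches(error, status, body):
    """Assumed rule: case-insensitive substring of '<status> <body>'."""
    return error.lower() in f"{status} {body}".lower()

def audit(errors, samples=SAMPLES):
    """Return (failures no configured error catches, successes wrongly caught)."""
    missed, false_hits = [], []
    for status, body, failed in samples:
        hit = any(matches(e, status, body) for e in errors)
        if failed and not hit:
            missed.append((status, body))
        elif hit and not failed:
            false_hits.append((status, body))
    return missed, false_hits

def build_patch(errors):
    """Body in the shape of the retryableErrors call; the leading slash
    follows JSON Pointer syntax (RFC 6901)."""
    return [{"op": "add",
             "path": "/connectorAttributes/retryableErrors",
             "value": list(errors)}]

if __name__ == "__main__":
    for candidate in (["503", "invalid_token"],
                      ["503", "invalid_token", "Rate limit exceeded"],
                      ["503", "invalid_token", "status"]):
        missed, false_hits = audit(candidate)
        print(candidate, "missed:", missed, "false hits:", false_hits)
        if not missed and not false_hits:
            print(json.dumps(build_patch(candidate), indent=4))
```

The first candidate misses the 200 response that carries an error payload, and the third is too broad and would flag a successful response as a failure; only the second produces a patch body.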