Credential issue when reconcile to SCIM connector as target

This topic contains 5 replies, has 2 voices, and was last updated by ellen.zhang@globalrelay.net 2 days, 12 hours ago.

    #24655

    I am trying to map an AD to my SCIM endpoint. I configured the SCIM connector and used BASIC authentication in the configuration. When I ran the Reconcile, I got the below exception in the audit log:

    {"transactionId":"e34be636-4238-4e15-8a29-310f15b34cd8-442","timestamp":"2019-01-31T18:52:37.621Z","eventName":"recon","userId":"openidm-admin","exception":null,"linkQualifier":null,"mapping":"systemAd1Account_systemScimAccount","message":"Reconciliation initiated by openidm-admin","sourceObjectId":null,"targetObjectId":null,"reconciling":null,"ambiguousTargetObjectIds":null,"reconAction":"recon","entryType":"start","reconId":"e34be636-4238-4e15-8a29-310f15b34cd8-453","_id":"e34be636-4238-4e15-8a29-310f15b34cd8-467"}
    {"transactionId":"e34be636-4238-4e15-8a29-310f15b34cd8-442","timestamp":"2019-01-31T18:52:38.027Z","eventName":"recon","userId":"openidm-admin","exception":"org.forgerock.openidm.sync.SynchronizationException: Invalid credential has been provided to operation QUERY for system object\r\n\tat org.forgerock.openidm.sync.ReconTypeBase.query(ReconTypeBase.java:261)\r\n\tat org.forgerock.openidm.sync.ReconTypeByQuery.queryTarget(ReconTypeByQuery.java:58)\r\n\tat org.forgerock.openidm.sync.ReconciliationContext.queryTarget(ReconciliationContext.java:328)\r\n\tat org.forgerock.openidm.sync.ObjectMapping.doRecon(ObjectMapping.java:997)\r\n\tat org.forgerock.openidm.sync.ObjectMapping.lambda$newReconDelegate$1(ObjectMapping.java:362)\r\n\tat org.forgerock.openidm.sync.ObjectMapping.lambda$recon$4(ObjectMapping.java:950)\r\n\tat org.forgerock.openidm.metrics.MetricsCollector.time(MetricsCollector.java:83)\r\n\tat org.forgerock.openidm.metrics.MetricsCollector.time(MetricsCollector.java:98)\r\n\tat org.forgerock.openidm.sync.ObjectMapping.recon(ObjectMapping.java:950)\r\n\tat org.forgerock.openidm.sync.ReconciliationService.reconcile(ReconciliationService.java:522)\r\n\tat org.forgerock.openidm.sync.ReconciliationService.access$000(ReconciliationService.java:105)\r\n\tat org.forgerock.openidm.sync.ReconciliationService$1.run(ReconciliationService.java:469)\r\n\tat java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)\r\n\tat java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)\r\n\tat java.lang.Thread.run(Unknown Source)\r\nCaused by: org.forgerock.json.resource.PermanentException: Invalid credential has been provided to operation QUERY for system object\r\n\tat org.forgerock.json.resource.ResourceException.newResourceException(ResourceException.java:261)\r\n\tat org.forgerock.openidm.provisioner.openicf.impl.ExceptionHelper.adaptConnectorException(ExceptionHelper.java:117)\r\n\tat org.forgerock.openidm.provisioner.openicf.impl.ObjectClassResourceProvider.handleQuery(ObjectClassResourceProvider.java:519)\r\n\tat org.forgerock.openidm.provisioner.openicf.impl.ObjectClassRequestHandler.handleQuery(ObjectClassRequestHandler.java:132)\r\n\tat org.forgerock.json.resource.Router.handleQuery(Router.java:317)\r\n\tat org.forgerock.json.resource.FilterChain$Cursor.handleQuery(FilterChain.java:95)\r\n\tat org.forgerock.json.resource.Filters$ConditionalFilter.filterQuery(Filters.java:84)\r\n\tat org.forgerock.json.resource.FilterChain$Cursor.handleQuery(FilterChain.java:93)\r\n\tat org.forgerock.json.resource.Filters$ConditionalFilter.filterQuery(Filters.java:84)\r\n\tat org.forgerock.json.resource.FilterChain$Cursor.handleQuery(FilterChain.java:93)\r\n\tat org.forgerock.json.resource.Filters$ConditionalFilter.filterQuery(Filters.java:84)\r\n\tat org.forgerock.json.resource.FilterChain$Cursor.handleQuery(FilterChain.java:93)\r\n\tat org.forgerock.openidm.audit.filter.AuditFilter.lambda$filterQuery$4(AuditFilter.java:143)\r\n\tat org.forgerock.openidm.audit.filter.AuditFilter.logAuditAccessEntry(AuditFilter.java:175)\r\n\tat org.forgerock.openidm.audit.filter.AuditFilter.filterQuery(AuditFilter.java:143)\r\n\tat org.forgerock.openidm.router.filter.MutableFilterDecorator.filterQuery(MutableFilterDecorator.java:90)\r\n\tat org.forgerock.json.resource.Filters$ConditionalFilter.filterQuery(Filters.java:82)\r\n\tat org.forgerock.json.resource.FilterChain$Cursor.handleQuery(FilterChain.java:93)\r\n\tat org.forgerock.openidm.servlet.internal.ServletConnectionFactory$3.lambda$filterQuery$4(ServletConnectionFactory.java:403)\r\n\tat org.forgerock.openidm.servlet.internal.ServletConnectionFactory$3.handleRequestWithLogging(ServletConnectionFactory.java:436)\r\n\tat org.forgerock.openidm.servlet.internal.ServletConnectionFactory$3.filterQuery(ServletConnectionFactory.java:403)\r\n\tat org.forgerock.json.resource.FilterChain$Cursor.handleQuery(FilterChain.java:93)\r\n\tat org.forgerock.openidm.router.filter.PassthroughFilter.filterQuery(PassthroughFilter.java:66)\r\n\tat org.forgerock.openidm.router.filter.MutableFilterDecorator.filterQuery(MutableFilterDecorator.java:90)\r\n\tat org.forgerock.openidm.router.filter.MutableFilterDecorator.filterQuery(MutableFilterDecorator.java:90)\r\n\tat org.forgerock.json.resource.FilterChain$Cursor.handleQuery(FilterChain.java:93)\r\n\tat org.forgerock.json.resource.Filters$ConditionalFilter.filterQuery(Filters.java:84)\r\n\tat org.forgerock.json.resource.FilterChain$Cursor.handleQuery(FilterChain.java:93)\r\n\tat org.forgerock.json.resource.FilterChain.handleQuery(FilterChain.java:250)\r\n\tat org.forgerock.json.resource.InternalConnection.queryAsync(InternalConnection.java:74)\r\n\tat org.forgerock.json.resource.AbstractAsynchronousConnection.query(AbstractAsynchronousConnection.java:72)\r\n\tat org.forgerock.json.resource.AbstractConnectionWrapper.query(AbstractConnectionWrapper.java:165)\r\n\tat org.forgerock.openidm.servlet.internal.ServletConnectionFactory$InternalConnectionWrapper.lambda$query$12(ServletConnectionFactory.java:363)\r\n\tat org.forgerock.openidm.metrics.MetricsCollector.time(MetricsCollector.java:51)\r\n\tat org.forgerock.openidm.metrics.MetricsCollector.time(MetricsCollector.java:68)\r\n\tat org.forgerock.openidm.servlet.internal.ServletConnectionFactory$InternalConnectionWrapper.time(ServletConnectionFactory.java:278)\r\n\tat org.forgerock.openidm.servlet.internal.ServletConnectionFactory$InternalConnectionWrapper.query(ServletConnectionFactory.java:363)\r\n\tat org.forgerock.json.resource.AbstractConnectionWrapper.query(AbstractConnectionWrapper.java:165)\r\n\tat org.forgerock.openidm.sync.ReconTypeBase.query(ReconTypeBase.java:230)\r\n\t... 14 more\r\nCaused by: org.identityconnectors.framework.common.exceptions.InvalidCredentialException: 401: Unauthorized\r\n\tat org.forgerock.openicf.connectors.scim.client.ScimClient.query(ScimClient.java:394)\r\n\tat org.forgerock.openicf.connectors.scim.ScimConnector.executeQuery(ScimConnector.java:314)\r\n\tat org.forgerock.openicf.connectors.scim.ScimConnector.executeQuery(ScimConnector.java:67)\r\n\tat org.identityconnectors.framework.impl.api.local.operations.SearchImpl.rawSearch(SearchImpl.java:162)\r\n\tat org.identityconnectors.framework.impl.api.local.operations.SearchImpl.search(SearchImpl.java:118)\r\n\tat sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\r\n\tat sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)\r\n\tat sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)\r\n\tat java.lang.reflect.Method.invoke(Unknown Source)\r\n\tat org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:104)\r\n\tat com.sun.proxy.$Proxy72.search(Unknown Source)\r\n\tat sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\r\n\tat sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)\r\n\tat sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)\r\n\tat java.lang.reflect.Method.invoke(Unknown Source)\r\n\tat org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:96)\r\n\tat com.sun.proxy.$Proxy72.search(Unknown Source)\r\n\tat sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\r\n\tat sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)\r\n\tat sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)\r\n\tat java.lang.reflect.Method.invoke(Unknown Source)\r\n\tat org.identityconnectors.framework.impl.api.BufferedResultsProxy$BufferedResultsHandler.run(BufferedResultsProxy.java:157)\r\n","linkQualifier":null,"mapping":"systemAd1Account_systemScimAccount","message":"SOURCE_IGNORED: 0 FOUND_ALREADY_LINKED: 0 UNQUALIFIED: 0 ABSENT: 0 TARGET_IGNORED: 0 MISSING: 0 ALL_GONE: 0 UNASSIGNED: 0 AMBIGUOUS: 0 CONFIRMED: 0 LINK_ONLY: 0 SOURCE_MISSING: 0 FOUND: 0 ","messageDetail":{"_id":"e34be636-4238-4e15-8a29-310f15b34cd8-453","mapping":"systemAd1Account_systemScimAccount","state":"FAILED","stage":"COMPLETED_FAILED","stageDescription":"reconciliation failed","progress":{"source":{"existing":{"processed":0,"total":"5"}},"target":{"existing":{"processed":0,"total":"?"},"created":0},"links":{"existing":{"processed":0,"total":"?"},"created":0}},"situationSummary":{"SOURCE_IGNORED":0,"FOUND_ALREADY_LINKED":0,"UNQUALIFIED":0,"ABSENT":0,"TARGET_IGNORED":0,"MISSING":0,"ALL_GONE":0,"UNASSIGNED":0,"AMBIGUOUS":0,"CONFIRMED":0,"LINK_ONLY":0,"SOURCE_MISSING":0,"FOUND":0},"statusSummary":{"SUCCESS":0,"FAILURE":0},"durationSummary":{"sourceQuery":{"min":280,"max":280,"mean":280,"count":1,"sum":280,"stdDev":0},"onReconScript":{"min":77,"max":77,"mean":77,"count":1,"sum":77,"stdDev":0},"auditLog":{"min":1,"max":1,"mean":1,"count":1,"sum":1,"stdDev":0}},"parameters":{"sourceQuery":{"resourceName":"system/AD1/account","queryId":"query-all-ids"},"targetQuery":{"resourceName":"system/scim/account","queryId":"query-all-ids"}},"started":"2019-01-31T18:52:37.496Z","ended":"2019-01-31T18:52:38.027Z","duration":531,"sourceProcessedByNode":{}},"sourceObjectId":null,"status":"FAILURE","targetObjectId":null,"reconciling":null,"ambiguousTargetObjectIds":null,"reconAction":"recon","entryType":"summary","reconId":"e34be636-4238-4e15-8a29-310f15b34cd8-453","_id":"e34be636-4238-4e15-8a29-310f15b34cd8-485"}

    I ran the below command to test the connector; the status is ok:

    curl \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --request POST \
    "http://localhost:8080/openidm/system?_action=test"

    [{"name":"scim","enabled":true,"config":"config/provisioner.openicf/scim","connectorRef":{"bundleVersion":"[1.4.0.0,1.5.0.0]","bundleName":"org.forgerock.openicf.connectors.scim-connector","connectorName":"org.forgerock.openicf.connectors.scim.ScimConnector"},"displayName":"Scim Connector","objectTypes":["__ALL__","account","group"],"ok":true},{"name":"sciminterop1","enabled":true,"config":"config/provisioner.openicf/sciminterop1","connectorRef":{"bundleVersion":"1.4.3.0","bundleName":"org.forgerock.openicf.connectors.scim-connector","connectorName":"org.forgerock.openicf.connectors.scim.ScimConnector"},"displayName":"Scim Connector","objectTypes":["__ACCOUNT__","__ALL__","__GROUP__"],"ok":true},{"name":"AD1","enabled":true,"config":"config/provisioner.openicf/AD1","connectorRef":{"bundleVersion":"[1.4.0.0,1.5.0.0)","bundleName":"org.forgerock.open

    And I also checked the credentials by sending a request to the SCIM endpoint using the same username and password; it works.

    What else can I check to find the issue?

    Thanks
    Ellen
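The audit records above already contain the answer to "where did it fail": the outer `SynchronizationException` is only the wrapper, and the innermost `Caused by` is the connector's `InvalidCredentialException: 401: Unauthorized` raised during the target QUERY. Two things in the same post are worth reading off those records. First, the failed `targetQuery` names `system/scim/account`, that is the provisioner called `scim` in the `_action=test` output, which is a different connector instance from `sciminterop1`. Second, `_action=test` reporting `"ok":true` does not by itself show that a QUERY with the configured credentials succeeds; the test and the recon query are separate operations, and here one passes while the other gets a 401. The Python below is an added triage example for this thread (not OpenIDM code): it takes recon audit entries of the shape posted above, keeps the failed summaries, pulls the innermost cause out of the Java exception chain and reports which target resource was being queried. The sample entries are constructed and shortened; the field names follow the records above.

```python
"""Triage OpenIDM recon audit entries: find failed reconciliations and pull the
innermost cause out of the Java exception chain.

Added example for this thread, not OpenIDM code. The records below are
constructed, shortened versions of the entries posted above; the field names
follow the recon audit schema shown there."""
import json

# Constructed sample: a "start" entry and a "summary" entry whose exception
# string carries a shortened stack trace (the real one is far longer).
SAMPLE_AUDIT = [
    '{"eventName":"recon","entryType":"start","reconId":"recon-1",'
    '"mapping":"systemAd1Account_systemScimAccount","exception":null,"status":null}',
    '{"eventName":"recon","entryType":"summary","reconId":"recon-1",'
    '"mapping":"systemAd1Account_systemScimAccount","status":"FAILURE",'
    '"exception":"org.forgerock.openidm.sync.SynchronizationException: '
    'Invalid credential has been provided to operation QUERY for system object\\r\\n'
    '\\tat org.forgerock.openidm.sync.ReconTypeBase.query(ReconTypeBase.java:261)\\r\\n'
    'Caused by: org.forgerock.json.resource.PermanentException: '
    'Invalid credential has been provided to operation QUERY for system object\\r\\n'
    '\\tat org.forgerock.openidm.provisioner.openicf.impl.ExceptionHelper'
    '.adaptConnectorException(ExceptionHelper.java:117)\\r\\n'
    '\\t... 14 more\\r\\n'
    'Caused by: org.identityconnectors.framework.common.exceptions.'
    'InvalidCredentialException: 401: Unauthorized\\r\\n'
    '\\tat org.forgerock.openicf.connectors.scim.client.ScimClient.query(ScimClient.java:394)\\r\\n",'
    '"messageDetail":{"state":"FAILED","stage":"COMPLETED_FAILED",'
    '"parameters":{"sourceQuery":{"resourceName":"system/AD1/account","queryId":"query-all-ids"},'
    '"targetQuery":{"resourceName":"system/scim/account","queryId":"query-all-ids"}}}}',
]


def root_cause(exception_text):
    """Return the innermost 'Caused by:' line of a Java stack trace, or the
    first line when the trace has no cause chain."""
    lines = [ln.strip() for ln in exception_text.splitlines() if ln.strip()]
    if not lines:
        return ""
    causes = [ln[len("Caused by: "):] for ln in lines if ln.startswith("Caused by: ")]
    return causes[-1] if causes else lines[0]


def failed_recons(raw_entries):
    """Return one dict per failed recon summary: id, mapping, the target
    resource that was queried and the root cause of the failure."""
    found = []
    for raw in raw_entries:
        entry = json.loads(raw)
        if entry.get("entryType") != "summary" or entry.get("status") != "FAILURE":
            continue
        params = (entry.get("messageDetail") or {}).get("parameters", {})
        found.append({
            "reconId": entry.get("reconId"),
            "mapping": entry.get("mapping"),
            "target": params.get("targetQuery", {}).get("resourceName"),
            "cause": root_cause(entry.get("exception") or ""),
        })
    return found


def is_credential_failure(cause):
    """True when the innermost cause is the connector reporting rejected
    credentials (OpenICF InvalidCredentialException or an HTTP 401)."""
    return "InvalidCredentialException" in cause or ": 401" in cause


if __name__ == "__main__":
    for f in failed_recons(SAMPLE_AUDIT):
        kind = "credential problem on target" if is_credential_failure(f["cause"]) else "other"
        print(f"{f['reconId']} {f['mapping']} -> {f['target']}: {kind}\n  {f['cause']}")
```

Run it over the `recon` audit output (one JSON object per line) and it reports, per failed recon, which `system/<name>/<objectType>` resource was being queried when it failed; that is the provisioner file to compare against, rather than whichever one shares the connector bundle.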

    #24723
     gael 
    Participant

    Can you share your SCIM provisioner file from openidm/conf folder?

    #24725

    Here is the "provisioner.openicf-sciminterop1.json":

    {
      "connectorRef" : {
        "displayName" : "Scim Connector",
        "bundleVersion" : "1.4.3.0",
        "systemType" : "provisioner.openicf",
        "bundleName" : "org.forgerock.openicf.connectors.scim-connector",
        "connectorName" : "org.forgerock.openicf.connectors.scim.ScimConnector"
      },
      "poolConfigOption" : {
        "maxObjects" : 10,
        "maxIdle" : 10,
        "maxWait" : 150000,
        "minEvictableIdleTimeMillis" : 120000,
        "minIdle" : 1
      },
      "resultsHandlerConfig" : {
        "enableNormalizingResultsHandler" : false,
        "enableFilteredResultsHandler" : false,
        "enableCaseInsensitiveFilter" : false,
        "enableAttributesToGetSearchResultsHandler" : true
      },
      "operationTimeout" : {
        "CREATE" : -1,
        "UPDATE" : -1,
        "DELETE" : -1,
        "TEST" : -1,
        "SCRIPT_ON_CONNECTOR" : -1,
        "SCRIPT_ON_RESOURCE" : -1,
        "GET" : -1,
        "RESOLVEUSERNAME" : -1,
        "AUTHENTICATE" : -1,
        "SEARCH" : -1,
        "VALIDATE" : -1,
        "SYNC" : -1,
        "SCHEMA" : -1
      },
      "configurationProperties" : {
        "SCIMEndpoint" : "https://lb-scim-interopsnap1-nvan.dev-globalrelay.net/scim/v1",
        "SCIMVersion" : "1",
        "authenticationMethod" : "BASIC",
        "user" : "sysuser@jvesazvw.test",
        "password" : {
          "$crypto" : {
            "type" : "x-simple-encryption",
            "value" : {
              "cipher" : "AES/CBC/PKCS5Padding",
              "stableId" : "openidm-sym-default",
              "salt" : "sdMSR3U1SCA/A0lJzKEdTA==",
              "data" : "wcOhSXBSQ9QLuldwgCbxyA==",
              "keySize" : 16,
              "purpose" : "idm.config.encryption",
              "iv" : "h6aZ9q+Ay8KnNIG2BZOH/A==",
              "mac" : "mbDg1agFbWl2hAs0x4xAoA=="
            }
          }
        },
        "enabled" : true,
        "tokenEndpoint" : null,
        "clientId" : "interop1",
        "clientSecret" : null,
        "authToken" : null,
        "acceptSelfSignedCertificates" : false,
        "disableHostNameVerifier" : false,
        "disableHttpCompression" : false,
        "clientCertAlias" : null,
        "clientCertPassword" : null,
        "maximumConnections" : "10",
        "httpProxyHost" : null,
        "httpProxyPort" : null
      }
    }

    #24780

    Hi Gael, thanks for following up. Did I provide the correct configuration file you need? Thanks
    Ellen

    #24803
     gael 
    Participant

    Your configuration looks ok and the error you get is:
    InvalidCredentialException: 401: Unauthorized

    So it seems to be a user/password issue.
    What kind of test/query do you do to validate the user/password?

    #24812

    I made a curl command call to check the connection set:
    curl \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --request POST \
    "http://localhost:8080/openidm/system?_action=test"

    [{"name":"scim","enabled":true,"config":"config/provisioner.openicf/scim","connectorRef":{"bundleVersion":"[1.4.0.0,1.5.0.0]","bundleName":"org.forgerock.openicf.connectors.scim-connector","connectorName":"org.forgerock.openicf.connectors.scim.ScimConnector"},"displayName":"Scim Connector","objectTypes":["__ALL__","account","group"],"ok":true},{"name":"sciminterop1","enabled":true,"config":"config/provisioner.openicf/sciminterop1","connectorRef":{"bundleVersion":"1.4.3.0","bundleName":"org.forgerock.openicf.connectors.scim-connector","connectorName":"org.forgerock.openicf.connectors.scim.ScimConnector"},"displayName":"Scim Connector","objectTypes":["__ACCOUNT__","__ALL__","__GROUP__"],"ok":true},{"name":"AD1","enabled":true,"config":"config/provisioner.openicf/AD1","connectorRef":{"bundleVersion":"[1.4.0.0,1.5.0.0)","bundleName":"org.forgerock.open

    And I also checked the credentials by sending a request to the SCIM endpoint from the same ForgeRock Directory server using the same username and password; it worked:

    c:\curl>curl -v -X GET https://lb-scim-interopsnap1-nvan.dev-globalrelay.net/scim/v1/Users/11111111111111 -u sysuser@jvesazvw.test:Password1
    Note: Unnecessary use of -X or --request, GET is already inferred.
    * timeout on name lookup is not supported
    *   Trying 10.178.203.217...
    * TCP_NODELAY set
    * Connected to lb-scim-interopsnap1-nvan.dev-globalrelay.net (10.178.203.217) port 443 (#0)
    * schannel: SSL/TLS connection with lb-scim-interopsnap1-nvan.dev-globalrelay.net port 443 (step 1/3)
    * schannel: checking server certificate revocation
    * schannel: sending initial handshake data: sending 222 bytes…
    * schannel: sent initial handshake data: sent 222 bytes
    * schannel: SSL/TLS connection with lb-scim-interopsnap1-nvan.dev-globalrelay.net port 443 (step 2/3)
    * schannel: encrypted data buffer: offset 4016 length 4096
    * schannel: sending next handshake data: sending 182 bytes…
    * schannel: SSL/TLS connection with lb-scim-interopsnap1-nvan.dev-globalrelay.net port 443 (step 2/3)
    * schannel: encrypted data buffer: offset 330 length 4096
    * schannel: SSL/TLS handshake complete
    * schannel: SSL/TLS connection with lb-scim-interopsnap1-nvan.dev-globalrelay.net port 443 (step 3/3)
    * schannel: stored credential handle in session cache
    * Server auth using Basic with user 'sysuser@jvesazvw.test'
    > GET /scim/v1/Users/11111111111111 HTTP/1.1
    > Host: lb-scim-interopsnap1-nvan.dev-globalrelay.net
    > Authorization: Basic c3lzdXNlckBqdmVzYXp2dy50ZXN0OlBhc3N3b3JkMQ==
    > User-Agent: curl/7.53.1
    > Accept: */*
    >
    * schannel: client wants to read 16384 bytes
    * schannel: encdata_buffer resized 17408
    * schannel: encrypted data buffer: offset 0 length 17408
    * schannel: encrypted data got 245
    * schannel: encrypted data buffer: offset 245 length 17408
    * schannel: decrypted data length: 175
    * schannel: decrypted data added: 175
    * schannel: decrypted data cached: offset 175 length 16384
    * schannel: encrypted data buffer: offset 0 length 17408
    * schannel: decrypted data buffer: offset 175 length 16384
    * schannel: schannel_recv cleanup
    * schannel: decrypted data returned 175
    * schannel: decrypted data buffer: offset 0 length 16384
    < HTTP/1.1 404 Not Found
    < Content-Length: 0
    < Server:
    < Date: Thu, 14 Feb 2019 20:00:52 GMT
    < Strict-Transport-Security: max-age=15768000
    < Set-Cookie: grsh=all; path=/; Secure
    <
    * Connection #0 to host lb-scim-interopsnap1-nvan.dev-globalrelay.net left intact
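Two points a practitioner would take from this transcript. The response is a 404, not a 401, so the server did not reject the Basic credentials on this request; it went on to look up `/Users/11111111111111` and found nothing. But the request is not the same shape as the one the connector makes: the failing recon runs the `query-all-ids` target query, a search over the collection, whereas this is a GET of one user by id, and whether both paths sit behind the same authentication is for the SCIM server to answer. The other point is that a `curl -v` transcript carries the credential twice, once in clear on the `-u` option and once base64-encoded in the `Authorization: Basic` header, so it should be redacted before it is pasted into a ticket. The Python below is an added example for this thread (not part of the post and not ForgeRock code): it summarises a transcript of this form, decodes the Basic header only far enough to recover the user name, classifies the status code from the authentication point of view and returns a redacted copy. The transcript, host and credentials in the sample are constructed placeholders.

```python
"""Summarise and redact a `curl -v` transcript of a Basic-auth request.

Added example for this thread, not part of the original post and not ForgeRock
code. The transcript, host and credentials below are constructed placeholders."""
import base64
import re
from dataclasses import dataclass
from typing import Optional

# Constructed credential pair used only to build the sample transcript.
SAMPLE_USER, SAMPLE_SECRET = "svc-user@example.test", "CHANGEME"
SAMPLE_BASIC = base64.b64encode(f"{SAMPLE_USER}:{SAMPLE_SECRET}".encode()).decode()

# Constructed transcript shaped like curl's -v output for a GET of one user.
SAMPLE_TRANSCRIPT = f"""\
* Connected to scim.example.test (192.0.2.10) port 443 (#0)
* Server auth using Basic with user '{SAMPLE_USER}'
> GET /scim/v1/Users/11111111111111 HTTP/1.1
> Host: scim.example.test
> Authorization: Basic {SAMPLE_BASIC}
> User-Agent: curl/7.53.1
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Content-Length: 0
* Connection #0 to host scim.example.test left intact
"""

REQUEST_RE = re.compile(r"^> ([A-Z]+) (\S+) HTTP/")
AUTH_RE = re.compile(r"^> Authorization: Basic (\S+)$")
STATUS_RE = re.compile(r"^< HTTP/\S+ (\d{3})")


@dataclass
class Summary:
    method: Optional[str]
    path: Optional[str]
    basic_user: Optional[str]
    status: Optional[int]


def summarize(transcript: str) -> Summary:
    """Extract the request line, the Basic user name and the response status."""
    method = path = user = None
    status = None
    for line in transcript.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            method, path = m.group(1), m.group(2)
            continue
        m = AUTH_RE.match(line)
        if m:
            # Decode only to recover the user part; the secret is dropped.
            decoded = base64.b64decode(m.group(1)).decode("utf-8", "replace")
            user = decoded.split(":", 1)[0]
            continue
        m = STATUS_RE.match(line)
        if m:
            status = int(m.group(1))
    return Summary(method, path, user, status)


def auth_verdict(status: Optional[int]) -> str:
    """Read the status code from the authentication point of view."""
    if status is None:
        return "no response seen"
    if status == 401:
        return "credentials rejected"
    if status == 403:
        return "authenticated but not authorised"
    # 200, 404 and the rest: the server answered the request itself, so the
    # credentials were not rejected. A 404 can still come from a route that is
    # not behind authentication at all, so compare against the exact request
    # the connector makes (a search over /Users, not a GET by id).
    return "credentials not rejected"


def redact(transcript: str) -> str:
    """Mask the Basic header value and any `-u user:secret` before sharing."""
    out = re.sub(r"(Authorization: Basic )\S+", r"\1<REDACTED>", transcript)
    out = re.sub(r"((?<!\S)-u\s+\S+?:)\S+", r"\1<REDACTED>", out)
    return out


if __name__ == "__main__":
    s = summarize(SAMPLE_TRANSCRIPT)
    print(f"{s.method} {s.path} as {s.basic_user}: {s.status} -> {auth_verdict(s.status)}")
    print(redact(SAMPLE_TRANSCRIPT))
```

The user name recovered from the header can be compared with the `user` property of the provisioner file to confirm the manual test used the same account the connector is configured with; the redacted copy is what goes into the ticket.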

©2019 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.