Tagged: scim connector
This topic has 8 replies, 2 voices, and was last updated 3 years, 5 months ago by [email protected].
January 31, 2019 at 9:07 pm #24655
[email protected]
Participant
I am trying to map an AD to my SCIM endpoint. I configured the SCIM connector and use BASIC authentication in the configuration. When I ran the Reconcile, I got the exception below in the audit log:
{"transactionId":"e34be636-4238-4e15-8a29-310f15b34cd8-442","timestamp":"2019-01-31T18:52:37.621Z","eventName":"recon","userId":"openidm-admin","exception":null,"linkQualifier":null,"mapping":"systemAd1Account_systemScimAccount","message":"Reconciliation initiated by openidm-admin","sourceObjectId":null,"targetObjectId":null,"reconciling":null,"ambiguousTargetObjectIds":null,"reconAction":"recon","entryType":"start","reconId":"e34be636-4238-4e15-8a29-310f15b34cd8-453","_id":"e34be636-4238-4e15-8a29-310f15b34cd8-467"}
{"transactionId":"e34be636-4238-4e15-8a29-310f15b34cd8-442","timestamp":"2019-01-31T18:52:38.027Z","eventName":"recon","userId":"openidm-admin","exception":"org.forgerock.openidm.sync.SynchronizationException: Invalid credential has been provided to operation QUERY for system object
    at org.forgerock.openidm.sync.ReconTypeBase.query(ReconTypeBase.java:261)
    at org.forgerock.openidm.sync.ReconTypeByQuery.queryTarget(ReconTypeByQuery.java:58)
    at org.forgerock.openidm.sync.ReconciliationContext.queryTarget(ReconciliationContext.java:328)
    at org.forgerock.openidm.sync.ObjectMapping.doRecon(ObjectMapping.java:997)
    at org.forgerock.openidm.sync.ObjectMapping.lambda$newReconDelegate$1(ObjectMapping.java:362)
    at org.forgerock.openidm.sync.ObjectMapping.lambda$recon$4(ObjectMapping.java:950)
    at org.forgerock.openidm.metrics.MetricsCollector.time(MetricsCollector.java:83)
    at org.forgerock.openidm.metrics.MetricsCollector.time(MetricsCollector.java:98)
    at org.forgerock.openidm.sync.ObjectMapping.recon(ObjectMapping.java:950)
    at org.forgerock.openidm.sync.ReconciliationService.reconcile(ReconciliationService.java:522)
    at org.forgerock.openidm.sync.ReconciliationService.access$000(ReconciliationService.java:105)
    at org.forgerock.openidm.sync.ReconciliationService$1.run(ReconciliationService.java:469)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: org.forgerock.json.resource.PermanentException: Invalid credential has been provided to operation QUERY for system object
    at org.forgerock.json.resource.ResourceException.newResourceException(ResourceException.java:261)
    at org.forgerock.openidm.provisioner.openicf.impl.ExceptionHelper.adaptConnectorException(ExceptionHelper.java:117)
    at org.forgerock.openidm.provisioner.openicf.impl.ObjectClassResourceProvider.handleQuery(ObjectClassResourceProvider.java:519)
    at org.forgerock.openidm.provisioner.openicf.impl.ObjectClassRequestHandler.handleQuery(ObjectClassRequestHandler.java:132)
    at org.forgerock.json.resource.Router.handleQuery(Router.java:317)
    at org.forgerock.json.resource.FilterChain$Cursor.handleQuery(FilterChain.java:95)
    at org.forgerock.json.resource.Filters$ConditionalFilter.filterQuery(Filters.java:84)
    at org.forgerock.json.resource.FilterChain$Cursor.handleQuery(FilterChain.java:93)
    at org.forgerock.json.resource.Filters$ConditionalFilter.filterQuery(Filters.java:84)
    at org.forgerock.json.resource.FilterChain$Cursor.handleQuery(FilterChain.java:93)
    at org.forgerock.json.resource.Filters$ConditionalFilter.filterQuery(Filters.java:84)
    at org.forgerock.json.resource.FilterChain$Cursor.handleQuery(FilterChain.java:93)
    at org.forgerock.openidm.audit.filter.AuditFilter.lambda$filterQuery$4(AuditFilter.java:143)
    at org.forgerock.openidm.audit.filter.AuditFilter.logAuditAccessEntry(AuditFilter.java:175)
    at org.forgerock.openidm.audit.filter.AuditFilter.filterQuery(AuditFilter.java:143)
    at org.forgerock.openidm.router.filter.MutableFilterDecorator.filterQuery(MutableFilterDecorator.java:90)
    at org.forgerock.json.resource.Filters$ConditionalFilter.filterQuery(Filters.java:82)
    at org.forgerock.json.resource.FilterChain$Cursor.handleQuery(FilterChain.java:93)
    at org.forgerock.openidm.servlet.internal.ServletConnectionFactory$3.lambda$filterQuery$4(ServletConnectionFactory.java:403)
    at org.forgerock.openidm.servlet.internal.ServletConnectionFactory$3.handleRequestWithLogging(ServletConnectionFactory.java:436)
    at org.forgerock.openidm.servlet.internal.ServletConnectionFactory$3.filterQuery(ServletConnectionFactory.java:403)
    at org.forgerock.json.resource.FilterChain$Cursor.handleQuery(FilterChain.java:93)
    at org.forgerock.openidm.router.filter.PassthroughFilter.filterQuery(PassthroughFilter.java:66)
    at org.forgerock.openidm.router.filter.MutableFilterDecorator.filterQuery(MutableFilterDecorator.java:90)
    at org.forgerock.openidm.router.filter.MutableFilterDecorator.filterQuery(MutableFilterDecorator.java:90)
    at org.forgerock.json.resource.FilterChain$Cursor.handleQuery(FilterChain.java:93)
    at org.forgerock.json.resource.Filters$ConditionalFilter.filterQuery(Filters.java:84)
    at org.forgerock.json.resource.FilterChain$Cursor.handleQuery(FilterChain.java:93)
    at org.forgerock.json.resource.FilterChain.handleQuery(FilterChain.java:250)
    at org.forgerock.json.resource.InternalConnection.queryAsync(InternalConnection.java:74)
    at org.forgerock.json.resource.AbstractAsynchronousConnection.query(AbstractAsynchronousConnection.java:72)
    at org.forgerock.json.resource.AbstractConnectionWrapper.query(AbstractConnectionWrapper.java:165)
    at org.forgerock.openidm.servlet.internal.ServletConnectionFactory$InternalConnectionWrapper.lambda$query$12(ServletConnectionFactory.java:363)
    at org.forgerock.openidm.metrics.MetricsCollector.time(MetricsCollector.java:51)
    at org.forgerock.openidm.metrics.MetricsCollector.time(MetricsCollector.java:68)
    at org.forgerock.openidm.servlet.internal.ServletConnectionFactory$InternalConnectionWrapper.time(ServletConnectionFactory.java:278)
    at org.forgerock.openidm.servlet.internal.ServletConnectionFactory$InternalConnectionWrapper.query(ServletConnectionFactory.java:363)
    at org.forgerock.json.resource.AbstractConnectionWrapper.query(AbstractConnectionWrapper.java:165)
    at org.forgerock.openidm.sync.ReconTypeBase.query(ReconTypeBase.java:230)
    ... 14 more
Caused by: org.identityconnectors.framework.common.exceptions.InvalidCredentialException: 401: Unauthorized
    at org.forgerock.openicf.connectors.scim.client.ScimClient.query(ScimClient.java:394)
    at org.forgerock.openicf.connectors.scim.ScimConnector.executeQuery(ScimConnector.java:314)
    at org.forgerock.openicf.connectors.scim.ScimConnector.executeQuery(ScimConnector.java:67)
    at org.identityconnectors.framework.impl.api.local.operations.SearchImpl.rawSearch(SearchImpl.java:162)
    at org.identityconnectors.framework.impl.api.local.operations.SearchImpl.search(SearchImpl.java:118)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.identityconnectors.framework.impl.api.local.operations.ConnectorAPIOperationRunnerProxy.invoke(ConnectorAPIOperationRunnerProxy.java:104)
    at com.sun.proxy.$Proxy72.search(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.identityconnectors.framework.impl.api.local.operations.ThreadClassLoaderManagerProxy.invoke(ThreadClassLoaderManagerProxy.java:96)
    at com.sun.proxy.$Proxy72.search(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.identityconnectors.framework.impl.api.BufferedResultsProxy$BufferedResultsHandler.run(BufferedResultsProxy.java:157)
","linkQualifier":null,"mapping":"systemAd1Account_systemScimAccount","message":"SOURCE_IGNORED: 0 FOUND_ALREADY_LINKED: 0 UNQUALIFIED: 0 ABSENT: 0 TARGET_IGNORED: 0 MISSING: 0 ALL_GONE: 0 UNASSIGNED: 0 AMBIGUOUS: 0 CONFIRMED: 0 LINK_ONLY: 0 SOURCE_MISSING: 0 FOUND: 0 ","messageDetail":{"_id":"e34be636-4238-4e15-8a29-310f15b34cd8-453","mapping":"systemAd1Account_systemScimAccount","state":"FAILED","stage":"COMPLETED_FAILED","stageDescription":"reconciliation failed","progress":{"source":{"existing":{"processed":0,"total":"5"}},"target":{"existing":{"processed":0,"total":"?"},"created":0},"links":{"existing":{"processed":0,"total":"?"},"created":0}},"situationSummary":{"SOURCE_IGNORED":0,"FOUND_ALREADY_LINKED":0,"UNQUALIFIED":0,"ABSENT":0,"TARGET_IGNORED":0,"MISSING":0,"ALL_GONE":0,"UNASSIGNED":0,"AMBIGUOUS":0,"CONFIRMED":0,"LINK_ONLY":0,"SOURCE_MISSING":0,"FOUND":0},"statusSummary":{"SUCCESS":0,"FAILURE":0},"durationSummary":{"sourceQuery":{"min":280,"max":280,"mean":280,"count":1,"sum":280,"stdDev":0},"onReconScript":{"min":77,"max":77,"mean":77,"count":1,"sum":77,"stdDev":0},"auditLog":{"min":1,"max":1,"mean":1,"count":1,"sum":1,"stdDev":0}},"parameters":{"sourceQuery":{"resourceName":"system/AD1/account","queryId":"query-all-ids"},"targetQuery":{"resourceName":"system/scim/account","queryId":"query-all-ids"}},"started":"2019-01-31T18:52:37.496Z","ended":"2019-01-31T18:52:38.027Z","duration":531,"sourceProcessedByNode":{}},"sourceObjectId":null,"status":"FAILURE","targetObjectId":null,"reconciling":null,"ambiguousTargetObjectIds":null,"reconAction":"recon","entryType":"summary","reconId":"e34be636-4238-4e15-8a29-310f15b34cd8-453","_id":"e34be636-4238-4e15-8a29-310f15b34cd8-485"}
I ran the command below to test the connector; the status is ok:
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--request POST \
"http://localhost:8080/openidm/system?_action=test"
[{"name":"scim","enabled":true,"config":"config/provisioner.openicf/scim","connectorRef":{"bundleVersion":"[1.4.0.0,1.5.0.0]","bundleName":"org.forgerock.openicf.connectors.scim-connector","connectorName":"org.forgerock.openicf.connectors.scim.ScimConnector"},"displayName":"Scim Connector","objectTypes":["__ALL__","account","group"],"ok":true},{"name":"sciminterop1","enabled":true,"config":"config/provisioner.openicf/sciminterop1","connectorRef":{"bundleVersion":"1.4.3.0","bundleName":"org.forgerock.openicf.connectors.scim-connector","connectorName":"org.forgerock.openicf.connectors.scim.ScimConnector"},"displayName":"Scim Connector","objectTypes":["__ACCOUNT__","__ALL__","__GROUP__"],"ok":true},{"name":"AD1","enabled":true,"config":"config/provisioner.openicf/AD1","connectorRef":{"bundleVersion":"[1.4.0.0,1.5.0.0)","bundleName":"org.forgerock.open
And I also checked the credentials by sending the request to the SCIM endpoint using the same username and password, and it works.
What else can I check to find the issue?
Thanks
Ellen
February 7, 2019 at 2:14 pm #24723
gael
Participant
Can you share your SCIM provisioner file from the openidm/conf folder?
February 7, 2019 at 7:13 pm #24725
[email protected]
Participant
Here is the "provisioner.openicf-sciminterop1.json":
{
  "connectorRef" : {
    "displayName" : "Scim Connector",
    "bundleVersion" : "1.4.3.0",
    "systemType" : "provisioner.openicf",
    "bundleName" : "org.forgerock.openicf.connectors.scim-connector",
    "connectorName" : "org.forgerock.openicf.connectors.scim.ScimConnector"
  },
  "poolConfigOption" : {
    "maxObjects" : 10,
    "maxIdle" : 10,
    "maxWait" : 150000,
    "minEvictableIdleTimeMillis" : 120000,
    "minIdle" : 1
  },
  "resultsHandlerConfig" : {
    "enableNormalizingResultsHandler" : false,
    "enableFilteredResultsHandler" : false,
    "enableCaseInsensitiveFilter" : false,
    "enableAttributesToGetSearchResultsHandler" : true
  },
  "operationTimeout" : {
    "CREATE" : -1,
    "UPDATE" : -1,
    "DELETE" : -1,
    "TEST" : -1,
    "SCRIPT_ON_CONNECTOR" : -1,
    "SCRIPT_ON_RESOURCE" : -1,
    "GET" : -1,
    "RESOLVEUSERNAME" : -1,
    "AUTHENTICATE" : -1,
    "SEARCH" : -1,
    "VALIDATE" : -1,
    "SYNC" : -1,
    "SCHEMA" : -1
  },
  "configurationProperties" : {
    "SCIMEndpoint" : "https://lb-scim-interopsnap1-nvan.dev-globalrelay.net/scim/v1",
    "SCIMVersion" : "1",
    "authenticationMethod" : "BASIC",
    "user" : "[email protected]",
    "password" : {
      "$crypto" : {
        "type" : "x-simple-encryption",
        "value" : {
          "cipher" : "AES/CBC/PKCS5Padding",
          "stableId" : "openidm-sym-default",
          "salt" : "sdMSR3U1SCA/A0lJzKEdTA==",
          "data" : "wcOhSXBSQ9QLuldwgCbxyA==",
          "keySize" : 16,
          "purpose" : "idm.config.encryption",
          "iv" : "h6aZ9q+Ay8KnNIG2BZOH/A==",
          "mac" : "mbDg1agFbWl2hAs0x4xAoA=="
        }
      }
    }
  },
  "enabled" : true,
  "tokenEndpoint" : null,
  "clientId" : "interop1",
  "clientSecret" : null,
  "authToken" : null,
  "acceptSelfSignedCertificates" : false,
  "disableHostNameVerifier" : false,
  "disableHttpCompression" : false,
  "clientCertAlias" : null,
  "clientCertPassword" : null,
  "maximumConnections" : "10",
  "httpProxyHost" : null,
  "httpProxyPort" : null
}
February 12, 2019 at 8:18 pm #24780
[email protected]
Participant
Hi Gael, thanks for following up. Did I provide the correct configuration file you need? Thanks
Ellen
February 14, 2019 at 11:33 am #24803
gael
Participant
Your configuration looks ok and the error you get is:
InvalidCredentialException: 401: Unauthorized
So it seems to be a user/password issue.
What kind of test/query do you do to validate the user/password?
February 14, 2019 at 9:03 pm #24812
[email protected]
Participant
I made a curl command call to check the connection set:
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--request POST \
"http://localhost:8080/openidm/system?_action=test"
[{"name":"scim","enabled":true,"config":"config/provisioner.openicf/scim","connectorRef":{"bundleVersion":"[1.4.0.0,1.5.0.0]","bundleName":"org.forgerock.openicf.connectors.scim-connector","connectorName":"org.forgerock.openicf.connectors.scim.ScimConnector"},"displayName":"Scim Connector","objectTypes":["__ALL__","account","group"],"ok":true},{"name":"sciminterop1","enabled":true,"config":"config/provisioner.openicf/sciminterop1","connectorRef":{"bundleVersion":"1.4.3.0","bundleName":"org.forgerock.openicf.connectors.scim-connector","connectorName":"org.forgerock.openicf.connectors.scim.ScimConnector"},"displayName":"Scim Connector","objectTypes":["__ACCOUNT__","__ALL__","__GROUP__"],"ok":true},{"name":"AD1","enabled":true,"config":"config/provisioner.openicf/AD1","connectorRef":{"bundleVersion":"[1.4.0.0,1.5.0.0)","bundleName":"org.forgerock.open
And I also checked the credentials by sending the request to the SCIM endpoint from the same ForgeRock Directory server using the same username and password, and it worked:
c:\curl>curl -v -X GET https://lb-scim-interopsnap1-nvan.dev-globalrelay.net/scim/v1/Users/11111111111111 -u [email protected]:Password1
Note: Unnecessary use of -X or --request, GET is already inferred.
* timeout on name lookup is not supported
* Trying 10.178.203.217…
* TCP_NODELAY set
* Connected to lb-scim-interopsnap1-nvan.dev-globalrelay.net (10.178.203.217) port 443 (#0)
* schannel: SSL/TLS connection with lb-scim-interopsnap1-nvan.dev-globalrelay.net port 443 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 222 bytes…
* schannel: sent initial handshake data: sent 222 bytes
* schannel: SSL/TLS connection with lb-scim-interopsnap1-nvan.dev-globalrelay.net port 443 (step 2/3)
* schannel: encrypted data buffer: offset 4016 length 4096
* schannel: sending next handshake data: sending 182 bytes…
* schannel: SSL/TLS connection with lb-scim-interopsnap1-nvan.dev-globalrelay.net port 443 (step 2/3)
* schannel: encrypted data buffer: offset 330 length 4096
* schannel: SSL/TLS handshake complete
* schannel: SSL/TLS connection with lb-scim-interopsnap1-nvan.dev-globalrelay.net port 443 (step 3/3)
* schannel: stored credential handle in session cache
* Server auth using Basic with user '[email protected]'
> GET /scim/v1/Users/11111111111111 HTTP/1.1
> Host: lb-scim-interopsnap1-nvan.dev-globalrelay.net
> Authorization: Basic c3lzdXNlckBqdmVzYXp2dy50ZXN0OlBhc3N3b3JkMQ==
> User-Agent: curl/7.53.1
> Accept: */*
>
* schannel: client wants to read 16384 bytes
* schannel: encdata_buffer resized 17408
* schannel: encrypted data buffer: offset 0 length 17408
* schannel: encrypted data got 245
* schannel: encrypted data buffer: offset 245 length 17408
* schannel: decrypted data length: 175
* schannel: decrypted data added: 175
* schannel: decrypted data cached: offset 175 length 16384
* schannel: encrypted data buffer: offset 0 length 17408
* schannel: decrypted data buffer: offset 175 length 16384
* schannel: schannel_recv cleanup
* schannel: decrypted data returned 175
* schannel: decrypted data buffer: offset 0 length 16384
< HTTP/1.1 404 Not Found
< Content-Length: 0
< Server:
< Date: Thu, 14 Feb 2019 20:00:52 GMT
< Strict-Transport-Security: max-age=15768000
< Set-Cookie: grsh=all; path=/; Secure
<
* Connection #0 to host lb-scim-interopsnap1-nvan.dev-globalrelay.net left intact
February 28, 2019 at 11:07 pm #24904
[email protected]
Participant
Hi Gael,
I got Basic Authentication working after making the SCIM provisioning not read-only. Thanks for your help. I am posting another question which I hope you can help me with:
Here is the testing and the observations I got after the connection to our endpoint works:
1- For a CRUD happy path, initial and subsequent reconciliations from the same IDM installation were half successful. There were no errors reported by ForgeRock; however, if resource attributes in the source directory are modified or the resources were moved out of scope, ForgeRock does not make calls to update or delete those entries.
Are you aware of a ForgeRock configuration setting that is needed to send updates to auto-provisioned Users?
2- An observation in our SCIM REST logs is that ForgeRock makes a GET call to a scim/v2/<resource> endpoint with no ID in the URL before sending resource data to our server.
March 1, 2019 at 7:34 pm #24911
[email protected]
Participant
Here are details on the 'Missing' errors for 3 modified objects that we see in the ForgeRock logs. We are receiving three 'GET' requests using our SCIM ids. Is there any way to determine what is 'missing'?
ForgeRock Service Log
[170] Feb 28, 2019 2:28:25.179 PM org.forgerock.openidm.sync.ReconciliationService deletePersistedInstance
INFO: Culled ReconProgressState for recon 3f460e28-d33c-4854-b8fd-dcfbb7845028-4595
[241] Feb 28, 2019 2:28:26.101 PM org.forgerock.openidm.sync.ObjectMapping doRecon
INFO: Performing source sync for recon 5be3367a-6b1f-436f-b17f-9e01174d73bf-87632 on mapping ADUser_ScimUser
[241] Feb 28, 2019 2:28:27.304 PM org.forgerock.openidm.sync.ObjectMapping logReconEnd
INFO: Reconciliation completed. SOURCE_IGNORED: 0 FOUND_ALREADY_LINKED: 0 UNQUALIFIED: 0 ABSENT: 0 TARGET_IGNORED: 0 MISSING: 3 ALL_GONE: 0 UNASSIGNED: 0 AMBIGUOUS: 0 CONFIRMED: 0 LINK_ONLY: 0 SOURCE_MISSING: 0 FOUND: 0
[222] Feb 28, 2019 2:28:30.976 PM org.forgerock.openidm.router.filter.ScriptedFilter evaluateOnResponse
INFO: Filter response: 5be3367a-6b1f-436f-b17f-9e01174d73bf-87980.
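As an added example (not code from this thread or from ForgeRock), a small Python triage helper for the two artefacts posted above: the recon audit "summary" entry, from which it pulls the innermost "Caused by" exception (the 401 from the SCIM endpoint in the first post), and the "Reconciliation completed" service-log line, from which it lists the situations with non-zero counts (MISSING: 3 in the last post). The sample entry and log line are constructed in the shape of the ones quoted in the thread, with placeholder ids.

```python
import json
import re

# Constructed sample in the shape of the recon audit "summary" entry quoted in the
# thread (stack trace cut down to the exception lines; ids are placeholders).
SAMPLE_AUDIT_ENTRY = json.dumps({
    "mapping": "systemAd1Account_systemScimAccount",
    "status": "FAILURE",
    "exception": (
        "org.forgerock.openidm.sync.SynchronizationException: Invalid credential "
        "has been provided to operation QUERY for system object\r\n"
        "Caused by: org.forgerock.json.resource.PermanentException: Invalid credential "
        "has been provided to operation QUERY for system object\r\n"
        "Caused by: org.identityconnectors.framework.common.exceptions."
        "InvalidCredentialException: 401: Unauthorized\r\n"
        "\tat org.forgerock.openicf.connectors.scim.client.ScimClient.query(ScimClient.java:394)\r\n"
    ),
    "messageDetail": {
        "stage": "COMPLETED_FAILED",
        "situationSummary": {"SOURCE_IGNORED": 0, "MISSING": 0, "CONFIRMED": 0},
    },
})

# Constructed service-log line in the format of the thread's "Reconciliation completed" line.
SAMPLE_SERVICE_LOG_LINE = (
    "INFO: Reconciliation completed. SOURCE_IGNORED: 0 FOUND_ALREADY_LINKED: 0 "
    "UNQUALIFIED: 0 ABSENT: 0 TARGET_IGNORED: 0 MISSING: 3 ALL_GONE: 0 UNASSIGNED: 0 "
    "AMBIGUOUS: 0 CONFIRMED: 0 LINK_ONLY: 0 SOURCE_MISSING: 0 FOUND: 0"
)

SITUATION_RE = re.compile(r"\b([A-Z_]+): (\d+)\b")

def root_cause(exception_text):
    """Innermost 'Caused by:' line of a Java stack trace: the exception the
    connector itself raised, here the 401 returned by the SCIM endpoint."""
    if not exception_text:
        return None
    innermost = exception_text.replace("\r\n", "\n").split("Caused by: ")[-1]
    return innermost.split("\n", 1)[0].strip()

def parse_situations(line):
    """Parse the 'NAME: count' pairs of a recon summary line into a dict."""
    return {name: int(count) for name, count in SITUATION_RE.findall(line)}

def nonzero_situations(situations):
    """Only the situations that actually occurred in this recon run."""
    return {name: n for name, n in situations.items() if n > 0}

def triage_audit_entry(entry_json):
    """Reduce a recon audit summary entry to what an operator needs first."""
    entry = json.loads(entry_json)
    detail = entry.get("messageDetail") or {}
    return {
        "mapping": entry.get("mapping"),
        "status": entry.get("status"),
        "stage": detail.get("stage"),
        "root_cause": root_cause(entry.get("exception")),
        "situations": nonzero_situations(detail.get("situationSummary") or {}),
    }
```

Run over the real audit.log entries and the service log, this gives the connector-level error and the non-zero situation counts per recon without reading the full stack trace.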