
Cyberark SCIM Connector for PVWA

chrispable
New Contributor II

Hi,

The CyberArk SCIM connector (known as the CyberArk Connector in Saviynt) requires information in the connection JSON. The example connection JSON given only provides a means to use a username and password with the SCIM connector and not a bearer token as the Idaptive SCIM server provides. Can you please provide a syntax for using the bearer token?


Alternatively, the username / password in the Idaptive connector is also not working for the required OAuth control flow. Here is the JSON being used (censored):

{
  "authentications": {
    "acctAuth": {
      "authType": "Basic",
      "url": "https://XXXXX.my.idaptive.app/scim",
      "httpMethod": "GET",
      "httpParams": {},
      "httpHeaders": {},
      "httpContentType": "text/html",
      "properties": {
        "userName": "identity-privilege-integration-user$@XXXXX",
        "password": "XXXXXXX["
      },
      "expiryError": "ExpiredAuthenticationToken",
      "authError": [
        "InvalidAuthenticationToken",
        "ExpiredAuthenticationToken",
        "AuthenticationFailed",
        "Read timed out"
      ],
      "importSuccessResponses": {
        "statusCode": [
          200,
          201,
          202,
          203,
          204,
          205
        ]
      },
      "errorPath": "error.code",
      "maxRefreshTryCount": 5,
      "tokenResponsePath": "access_token",
      "tokenType": "Basic",
      "accessToken": "<access token>"
    }
  }
}



rushikeshvartak
All-Star
{
  "authentications": {
    "acctAuth": {
      "authType": "oauth2",
      "url": "https://URL/oauth/token",
      "httpMethod": "POST",
      "httpParams": {
        "client_id": "identity-privilege-integration-user$",
        "grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer",
        "assertion": "${access_token}"
      },
      "httpHeaders": {
        "Content-Type": "application/x-www-form-urlencoded"
      },
      "httpContentType": "application/x-www-form-urlencoded",
      "authError": [
        "Unable to authenticate the client",
        "Invalid token Bearer"
      ],
      "retryFailureStatusCode": [
        401,
        403,
        404
      ],
      "expiryError": "ExpiredAuthenticationToken",
      "importSuccessResponses": {
        "statusCode": [
          200,
          201,
          202,
          203,
          204,
          205
        ]
      },
      "errorPath": "error.code",
      "maxRefreshTryCount": 5,
      "tokenResponsePath": "access_token",
      "refreshType": "",
      "tokenType": "Bearer",
      "accessToken": "Bearer <Token value>"
    }
  }
}

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Hi Rushikesh,

Thanks, there is still a bit of a problem with this. The URL to use is set, and I tested a POST connection with Postman successfully; however, Saviynt has this in the log saying there is a 404. I censored the full URL.

2022-08-01/14:20:24.192 [{}] [https-jsse-nio-443-exec-48] DEBUG rest.RestUtilService - Calling https://xxxxxxx.my.idaptive.app/oauth2/token/__idaptive_cybr_user_oidc
2022-08-01/14:20:24.192 [{}] [https-jsse-nio-443-exec-48] DEBUG services.HttpClientUtilityService - isFipsEnabled = false
2022-08-01/14:20:24.192 [{}] [https-jsse-nio-443-exec-48] DEBUG services.HttpClientUtilityService - getHttpClient - sslParams : null
2022-08-01/14:20:24.192 [{}] [https-jsse-nio-443-exec-48] DEBUG services.HttpClientUtilityService - getHttpClient - proxyParams : null
2022-08-01/14:20:24.192 [{}] [https-jsse-nio-443-exec-48] DEBUG services.HttpClientUtilityService - getHttpClient - sslSocketFactory : null
2022-08-01/14:20:24.196 [{}] [https-jsse-nio-443-exec-48] DEBUG services.HttpClientUtilityService - getHttpClient - HttpClientBuilder.create().build() called.
2022-08-01/14:20:24.535 [{}] [https-jsse-nio-443-exec-48] DEBUG rest.RestUtilService - fetching result from response.responseText
2022-08-01/14:20:24.550 [{}] [https-jsse-nio-443-exec-48] DEBUG rest.RestProvisioningService - access token populated for oauth authentication..
2022-08-01/14:20:24.579 [{}] [https-jsse-nio-443-exec-48] DEBUG rest.RestProvisioningService - Inside pullObjectsByRest
2022-08-01/14:20:24.579 [{}] [https-jsse-nio-443-exec-48] DEBUG rest.RestProvisioningService -
2022-08-01/14:20:24.579 [{}] [https-jsse-nio-443-exec-48] DEBUG services.HttpClientUtilityService - isFipsEnabled = false
2022-08-01/14:20:24.579 [{}] [https-jsse-nio-443-exec-48] DEBUG services.HttpClientUtilityService - getHttpClient - sslParams : null
2022-08-01/14:20:24.579 [{}] [https-jsse-nio-443-exec-48] DEBUG services.HttpClientUtilityService - getHttpClient - proxyParams : null
2022-08-01/14:20:24.579 [{}] [https-jsse-nio-443-exec-48] DEBUG services.HttpClientUtilityService - getHttpClient - sslSocketFactory : null
2022-08-01/14:20:24.583 [{}] [https-jsse-nio-443-exec-48] DEBUG services.HttpClientUtilityService - getHttpClient - HttpClientBuilder.create().build() called.
2022-08-01/14:20:24.846 [{}] [https-jsse-nio-443-exec-48] DEBUG rest.RestProvisioningService -
2022-08-01/14:20:24.847 [{}] [https-jsse-nio-443-exec-48] DEBUG rest.RestProvisioningService - pullObjectsByRest - responseStatusCode ::404
2022-08-01/14:20:24.847 [{}] [https-jsse-nio-443-exec-48] ERROR rest.RestProvisioningService - Exception in pullObjectsByRest :404

Does the host resolve from the Saviynt server?

Try ping / telnet from the server.

If required, add a hosts file entry.


Regards,
Rushikesh Vartak

The error implies communication is working because 404 is a server response, but just to be sure, I tested the connectivity. It is successful.

[screenshot: chrispable_1-1659378428430.png]

Can you share the JSON?


Regards,
Rushikesh Vartak

{
  "authentications": {
    "acctAuth": {
      "authType": "oauth2",
      "url": "https://CENSORED_VALUE.my.idaptive.app/oauth2/token/__idaptive_cybr_user_oidc",
      "httpMethod": "POST",
      "httpParams": {
        "client_id": "identity-privilege-integration-user$",
        "grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer",
        "assertion": "${access_token}"
      },
      "httpHeaders": {
        "Content-Type": "application/x-www-form-urlencoded"
      },
      "httpContentType": "application/x-www-form-urlencoded",
      "authError": [
        "Unable to authenticate the client",
        "Invalid token Bearer"
      ],
      "retryFailureStatusCode": [
        401,
        403,
        404
      ],
      "expiryError": "ExpiredAuthenticationToken",
      "importSuccessResponses": {
        "statusCode": [
          200,
          201,
          202,
          203,
          204,
          205
        ]
      },
      "errorPath": "error.code",
      "maxRefreshTryCount": 5,
      "tokenResponsePath": "access_token",
      "refreshType": "",
      "tokenType": "Bearer",
      "accessToken": "Bearer CENSORED_VALUE"
    }
  }
}

Can you check if extra logs are printed after enabling the below?

[screenshot: rushikeshvartak_0-1659381622434.png]

Also confirm the connection type is CyberArkConnector.


Regards,
Rushikesh Vartak

I confirm I am using the CyberArk connector. I do not have the field for ConfigJSON, so I am unable to modify that.

My available fields are:

ConnectionJSON
URL_LIST_JSON
PAGINATION
ACCOUNT_ATTRIBUTE_JSON
STATUS_THRESHOLD_CONFIG
CreateAccountJSON
UpdateAccountJSON
EnableAccountJSON
DisableAccountJSON
AddAccessJSON
RemoveAccessJSON
ChangePassJSON
RemoveAccountJSON
PasswdPolicyJSON
ENTVAL_TO_PROPERTIES_MAPPING

chrispable
New Contributor II

I've manually altered the connection to add the ConfigJSON entry with the content above. I suspect it is not being used, as the logs show no additional data.

Can you share a Postman screenshot?


Regards,
Rushikesh Vartak

Here is the endpoint showing a 400 response when contacted (this is expected; I am not sending information to it). If there was an error in the Saviynt request, one would expect the endpoint to also return something other than 404. It seems like Saviynt is contacting the wrong endpoint.

[screenshot: chrispable_0-1659613742405.png]

Here is a successful request from Postman with the bearer set:

[screenshot: chrispable_1-1659613863002.png]

You need to fix the URL in Postman; once it works, you can test in Saviynt.

https://CENSORED_VALUE.my.idaptive.app/oauth2/token/__idaptive_cybr_user_oidc

Regards,
Rushikesh Vartak

The URL in Postman is fine. It is returning 400 because I did not supply any arguments (this is also the correct URL according to CyberArk). There is no case where that URL will issue a 404. Saviynt is connecting to a URL that is not the same as the ConfigJSON and returning a 404 error.

You can see in Postman that the other call works just fine too.

chrispable
New Contributor II

Hi, I finally managed to get this to work. Here is the configuration to use; fill in the parts in brackets.

Connection JSON:

{
  "authentications": {
    "acctAuth": {
      "authType": "oauth2",
      "url": "https://[IDAPTIVE TENANT ID].my.idaptive.app/oauth2/token/[IDAPTIVE APPLICATION ID]",
      "httpMethod": "POST",
      "httpParams": {
        "client_id": "[IDAPTIVE CLIENT ID - usually: identity-privilege-integration-user$]",
        "grant_type": "client_credentials",
        "scope": "[IDAPTIVE SCOPE NAME - usually: SCIMCall]",
        "assertion": "${access_token}"
      },
      "httpHeaders": {
        "Content-Type": "application/x-www-form-urlencoded"
      },
      "httpContentType": "application/x-www-form-urlencoded",
      "authError": [
        "Unable to authenticate the client",
        "Invalid token Bearer"
      ],
      "retryFailureStatusCode": [
        401,
        403,
        404
      ],
      "expiryError": "ExpiredAuthenticationToken",
      "importSuccessResponses": {
        "statusCode": [
          200,
          201,
          202,
          203,
          204,
          205
        ]
      },
      "errorPath": "error.code",
      "maxRefreshTryCount": 5,
      "tokenResponsePath": "access_token",
      "refreshType": "",
      "tokenType": "Bearer",
      "accessToken": "Bearer [IDAPTIVE BEARER TOKEN]"
    }
  }
}


URL list:

{
  "USERLIST_URL": "https://[IDAPTIVE TENANT].my.idaptive.app/scim/v2/Users",
  "GROUPLIST_URL": "https://[IDAPTIVE TENANT].my.idaptive.app/scim/v2/Groups",
  "SAFELIST_URL": "https://[IDAPTIVE TENANT].my.idaptive.app/scim/v2/Containers",
  "SAFE_PERMISSIONS_URL": "https://[IDAPTIVE TENANT].my.idaptive.app/scim/v2/ContainerPermissions",
  "PRIVILEGED_ACCOUNTLIST_URL": "https://[IDAPTIVE TENANT].my.idaptive.app/scim/v2/PrivilegedData"
}
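As an added example (not code from the thread or from Saviynt), the following Python checks a Saviynt connection JSON against the shape that finally worked above: an oauth2 POST to `https://<tenant>.my.idaptive.app/oauth2/token/<application id>`, form-encoded, with `client_id`, `grant_type=client_credentials` and `scope`, and an `accessToken` carrying the `Bearer ` prefix. Both sample configs are constructed with placeholder tenant, application id and token values; the `assertion` parameter is flagged only as a warning because the client_credentials grant does not use it.

```python
import json
from urllib.parse import urlencode, urlparse

# Constructed sample mirroring the shape that finally worked in the thread
# (placeholders stand in for the tenant, application id and token).
WORKING_CFG = json.loads('''{
  "authentications": {"acctAuth": {
    "authType": "oauth2",
    "url": "https://TENANT.my.idaptive.app/oauth2/token/APP_ID",
    "httpMethod": "POST",
    "httpParams": {"client_id": "identity-privilege-integration-user$",
                   "grant_type": "client_credentials", "scope": "SCIMCall",
                   "assertion": "${access_token}"},
    "httpContentType": "application/x-www-form-urlencoded",
    "tokenResponsePath": "access_token", "tokenType": "Bearer",
    "accessToken": "Bearer PLACEHOLDER"}}}''')

# Constructed sample mirroring the Basic/GET shape from the opening post.
ORIGINAL_CFG = json.loads('''{
  "authentications": {"acctAuth": {
    "authType": "Basic", "url": "https://TENANT.my.idaptive.app/scim",
    "httpMethod": "GET", "httpParams": {}, "httpContentType": "text/html",
    "tokenType": "Basic", "accessToken": "<access token>"}}}''')

def check_acct_auth(cfg):
    """Return findings for acctAuth; [] means it has the working oauth2 shape.
    Entries starting with 'warning:' are harmless leftovers, not blockers."""
    a = cfg["authentications"]["acctAuth"]
    p = a.get("httpParams", {})
    out = []
    if str(a.get("authType", "")).lower() != "oauth2":
        out.append("authType must be oauth2, not Basic")
    if a.get("httpMethod") != "POST":
        out.append("token request must be POST")
    if a.get("httpContentType") != "application/x-www-form-urlencoded":
        out.append("token endpoint needs application/x-www-form-urlencoded")
    parts = urlparse(a.get("url", "")).path.rstrip("/").split("/")
    if len(parts) != 4 or parts[1:3] != ["oauth2", "token"] or not parts[3]:
        out.append("url must be https://<tenant>.my.idaptive.app/oauth2/token/<app id>")
    if p.get("grant_type") != "client_credentials":
        out.append("grant_type must be client_credentials")
    for key in ("client_id", "scope"):
        if not p.get(key):
            out.append(f"httpParams.{key} is missing (endpoint answered 400 without params)")
    if "assertion" in p:
        out.append("warning: assertion is not used by the client_credentials grant")
    if not str(a.get("accessToken", "")).startswith("Bearer "):
        out.append("accessToken must start with 'Bearer '")
    return out

def token_request_body(cfg):
    """Form body Saviynt posts to the token url (the same body Postman sent)."""
    return urlencode(cfg["authentications"]["acctAuth"]["httpParams"])
```

Run `check_acct_auth` on the JSON before saving the connection; a 404 from the token URL is worth re-checking against the `/oauth2/token/<app id>` finding before looking at network reachability.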