07/28/2022 02:11 PM
Hi,
The CyberArk SCIM connector (known as the CyberArk Connector in Saviynt) requires information in the connection JSON. The example connection JSON given only provides a means to use a username and password with the SCIM connector, and not a bearer token as the Idaptive SCIM server provides. Can you please provide the syntax for using the bearer token?
Alternatively, the username / password in the Idaptive connector is also not working for the required OAuth control flow. Here is the JSON being used (censored):
{
  "authentications": {
    "acctAuth": {
      "authType": "Basic",
      "url": "https://XXXXX.my.idaptive.app/scim",
      "httpMethod": "GET",
      "httpParams": {},
      "httpHeaders": {},
      "httpContentType": "text/html",
      "properties": {
        "userName": "identity-privilege-integration-user$@XXXXX",
        "password": "XXXXXXX["
      },
      "expiryError": "ExpiredAuthenticationToken",
      "authError": [
        "InvalidAuthenticationToken",
        "ExpiredAuthenticationToken",
        "AuthenticationFailed",
        "Read timed out"
      ],
      "importSuccessResponses": {
        "statusCode": [
          200,
          201,
          202,
          203,
          204,
          205
        ]
      },
      "errorPath": "error.code",
      "maxRefreshTryCount": 5,
      "tokenResponsePath": "access_token",
      "tokenType": "Basic",
      "accessToken": "<access token>"
    }
  }
}
07/28/2022 08:13 PM
{
  "authentications": {
    "acctAuth": {
      "authType": "oauth2",
      "url": "https://URL/oauth/token",
      "httpMethod": "POST",
      "httpParams": {
        "client_id": "identity-privilege-integration-user$",
        "grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer",
        "assertion": "${access_token}"
      },
      "httpHeaders": {
        "Content-Type": "application/x-www-form-urlencoded"
      },
      "httpContentType": "application/x-www-form-urlencoded",
      "authError": [
        "Unable to authenticate the client",
        "Invalid token Bearer"
      ],
      "retryFailureStatusCode": [
        401,
        403,
        404
      ],
      "expiryError": "ExpiredAuthenticationToken",
      "importSuccessResponses": {
        "statusCode": [
          200,
          201,
          202,
          203,
          204,
          205
        ]
      },
      "errorPath": "error.code",
      "maxRefreshTryCount": 5,
      "tokenResponsePath": "access_token",
      "refreshType": "",
      "tokenType": "Bearer",
      "accessToken": "Bearer <Token value>"
    }
  }
}
08/01/2022 07:42 AM
Hi Rushikesh,
Thanks, there is still a bit of a problem with this. The URL to use is set, and I tested a POST connection with Postman successfully; however, Saviynt has this in the log saying there is a 404. I censored the full URL.
2022-08-01/14:20:24.192 [{}] [https-jsse-nio-443-exec-48] DEBUG rest.RestUtilService - Calling https://xxxxxxx.my.idaptive.app/oauth2/token/__idaptive_cybr_user_oidc
2022-08-01/14:20:24.192 [{}] [https-jsse-nio-443-exec-48] DEBUG services.HttpClientUtilityService - isFipsEnabled = false
2022-08-01/14:20:24.192 [{}] [https-jsse-nio-443-exec-48] DEBUG services.HttpClientUtilityService - getHttpClient - sslParams : null
2022-08-01/14:20:24.192 [{}] [https-jsse-nio-443-exec-48] DEBUG services.HttpClientUtilityService - getHttpClient - proxyParams : null
2022-08-01/14:20:24.192 [{}] [https-jsse-nio-443-exec-48] DEBUG services.HttpClientUtilityService - getHttpClient - sslSocketFactory : null
2022-08-01/14:20:24.196 [{}] [https-jsse-nio-443-exec-48] DEBUG services.HttpClientUtilityService - getHttpClient - HttpClientBuilder.create().build() called.
2022-08-01/14:20:24.535 [{}] [https-jsse-nio-443-exec-48] DEBUG rest.RestUtilService - fetching result from response.responseText
2022-08-01/14:20:24.550 [{}] [https-jsse-nio-443-exec-48] DEBUG rest.RestProvisioningService - access token populated for oauth authentication..
2022-08-01/14:20:24.579 [{}] [https-jsse-nio-443-exec-48] DEBUG rest.RestProvisioningService - Inside pullObjectsByRest
2022-08-01/14:20:24.579 [{}] [https-jsse-nio-443-exec-48] DEBUG rest.RestProvisioningService -
2022-08-01/14:20:24.579 [{}] [https-jsse-nio-443-exec-48] DEBUG services.HttpClientUtilityService - isFipsEnabled = false
2022-08-01/14:20:24.579 [{}] [https-jsse-nio-443-exec-48] DEBUG services.HttpClientUtilityService - getHttpClient - sslParams : null
2022-08-01/14:20:24.579 [{}] [https-jsse-nio-443-exec-48] DEBUG services.HttpClientUtilityService - getHttpClient - proxyParams : null
2022-08-01/14:20:24.579 [{}] [https-jsse-nio-443-exec-48] DEBUG services.HttpClientUtilityService - getHttpClient - sslSocketFactory : null
2022-08-01/14:20:24.583 [{}] [https-jsse-nio-443-exec-48] DEBUG services.HttpClientUtilityService - getHttpClient - HttpClientBuilder.create().build() called.
2022-08-01/14:20:24.846 [{}] [https-jsse-nio-443-exec-48] DEBUG rest.RestProvisioningService -
2022-08-01/14:20:24.847 [{}] [https-jsse-nio-443-exec-48] DEBUG rest.RestProvisioningService - pullObjectsByRest - responseStatusCode ::404
2022-08-01/14:20:24.847 [{}] [https-jsse-nio-443-exec-48] ERROR rest.RestProvisioningService - Exception in pullObjectsByRest :404
08/01/2022 07:45 AM
Does the host resolve from the Saviynt server?
Try ping / telnet from the server.
If required, add a hosts file entry.
08/01/2022 11:27 AM
The error implies communication is working because 404 is a server response, but just to be sure, I tested the connectivity. It is successful.
08/01/2022 11:54 AM
Can you share the JSON?
08/01/2022 11:56 AM
{
  "authentications": {
    "acctAuth": {
      "authType": "oauth2",
      "url": "https://CENSORED_VALUE.my.idaptive.app/oauth2/token/__idaptive_cybr_user_oidc",
      "httpMethod": "POST",
      "httpParams": {
        "client_id": "identity-privilege-integration-user$",
        "grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer",
        "assertion": "${access_token}"
      },
      "httpHeaders": {
        "Content-Type": "application/x-www-form-urlencoded"
      },
      "httpContentType": "application/x-www-form-urlencoded",
      "authError": [
        "Unable to authenticate the client",
        "Invalid token Bearer"
      ],
      "retryFailureStatusCode": [
        401,
        403,
        404
      ],
      "expiryError": "ExpiredAuthenticationToken",
      "importSuccessResponses": {
        "statusCode": [
          200,
          201,
          202,
          203,
          204,
          205
        ]
      },
      "errorPath": "error.code",
      "maxRefreshTryCount": 5,
      "tokenResponsePath": "access_token",
      "refreshType": "",
      "tokenType": "Bearer",
      "accessToken": "Bearer CENSORED_VALUE"
    }
  }
}
08/01/2022 12:20 PM - edited 08/01/2022 12:22 PM
Can you check if extra logs are printed after enabling the below?
Also confirm the connection type is CyberArkConnector.
08/02/2022 12:17 PM
I confirm I am using the CyberArk connector. I do not have the field for ConfigJSON, so I am unable to modify that.
My available fields are:
ConnectionJSON
URL_LIST_JSON
PAGINATION
ACCOUNT_ATTRIBUTE_JSON
STATUS_THRESHOLD_CONFIG
CreateAccountJSON
UpdateAccountJSON
EnableAccountJSON
DisableAccountJSON
AddAccessJSON
RemoveAccessJSON
ChangePassJSON
RemoveAccountJSON
PasswdPolicyJSON
ENTVAL_TO_PROPERTIES_MAPPING
08/03/2022 12:07 PM
I've manually altered the connection to add the ConfigJSON entry with the content above. I suspect it is not being used, as the logs show no additional data.
08/03/2022 05:51 PM
Can you share a Postman screenshot?
08/04/2022 04:51 AM - edited 08/04/2022 04:52 AM
Here is the endpoint showing a 400 response when contacted (this is expected, as I am not sending information to it). If there were an error in the Saviynt request, one would expect the endpoint to also return something other than 404. It seems like Saviynt is contacting the wrong endpoint.
Here is a successful request from Postman with the bearer set.
08/04/2022 09:17 AM
You need to fix the URL in Postman; once it works, you can test in Saviynt.
https://CENSORED_VALUE.my.idaptive.app/oauth2/token/__idaptive_cybr_user_oidc
08/04/2022 09:24 AM
The URL in Postman is fine. It is returning 400 because I did not supply any arguments (this is also the correct URL according to CyberArk). There is no case in which that URL will issue a 404. Saviynt is connecting to a URL that is not the same as the one in the ConfigJSON and returning a 404 error.
You can see in Postman that the other call works just fine too.
08/09/2022 05:31 AM
Hi, I finally managed to get this to work. Here is the configuration to use; fill in the parts in brackets.
Connection JSON:
{
  "authentications": {
    "acctAuth": {
      "authType": "oauth2",
      "url": "https://[IDAPTIVE TENANT ID].my.idaptive.app/oauth2/token/[IDAPTIVE APPLICATION ID]",
      "httpMethod": "POST",
      "httpParams": {
        "client_id": "[IDAPTIVE CLIENT ID - usually: identity-privilege-integration-user$]",
        "grant_type": "client_credentials",
        "scope": "[IDAPTIVE SCOPE NAME - usually: SCIMCall]",
        "assertion": "${access_token}"
      },
      "httpHeaders": {
        "Content-Type": "application/x-www-form-urlencoded"
      },
      "httpContentType": "application/x-www-form-urlencoded",
      "authError": [
        "Unable to authenticate the client",
        "Invalid token Bearer"
      ],
      "retryFailureStatusCode": [
        401,
        403,
        404
      ],
      "expiryError": "ExpiredAuthenticationToken",
      "importSuccessResponses": {
        "statusCode": [
          200,
          201,
          202,
          203,
          204,
          205
        ]
      },
      "errorPath": "error.code",
      "maxRefreshTryCount": 5,
      "tokenResponsePath": "access_token",
      "refreshType": "",
      "tokenType": "Bearer",
      "accessToken": "Bearer [IDAPTIVE BEARER TOKEN]"
    }
  }
}
URL list:
{
  "USERLIST_URL": "https://[IDAPTIVE TENANT].my.idaptive.app/scim/v2/Users",
  "GROUPLIST_URL": "https://[IDAPTIVE TENANT].my.idaptive.app/scim/v2/Groups",
  "SAFELIST_URL": "https://[IDAPTIVE TENANT].my.idaptive.app/scim/v2/Containers",
  "SAFE_PERMISSIONS_URL": "https://[IDAPTIVE TENANT].my.idaptive.app/scim/v2/ContainerPermissions",
  "PRIVILEGED_ACCOUNTLIST_URL": "https://[IDAPTIVE TENANT].my.idaptive.app/scim/v2/PrivilegedData"
}
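As an added example (not Saviynt or CyberArk code, and not from the poster), the following script reproduces outside Saviynt the token exchange that the working acctAuth block above describes, so the endpoint and grant can be checked the way the thread did with Postman before the connection is saved. It assumes the Idaptive OAuth2 app accepts the client_credentials grant with the service user's name as client_id and its password as client_secret sent in the form body; tenant, application id and the constructed sample response are placeholders.

```python
"""Dry-run of the token exchange the working connection JSON performs."""
import json
import os
import urllib.error
import urllib.parse
import urllib.request


def token_request(tenant, app_id, client_id, client_secret, scope="SCIMCall"):
    """Build the POST the acctAuth block describes: a form-encoded
    client_credentials grant against /oauth2/token/<application id>."""
    url = f"https://{tenant}.my.idaptive.app/oauth2/token/{app_id}"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # assumption: secret goes in the body
        "scope": scope,
    }).encode()
    return url, {"Content-Type": "application/x-www-form-urlencoded"}, body


def parse_token_response(status, text):
    """Classify the statuses seen in the thread; the token is read from the
    same 'access_token' path that tokenResponsePath names."""
    if status == 404:
        return "wrong endpoint: check tenant and application id in the URL", None
    if status == 400:
        return "endpoint reached but grant rejected: check grant_type/scope", None
    if status == 200:
        data = json.loads(text)
        if "access_token" in data:
            return "ok", data["access_token"]
        return "200 without access_token in body", None
    return f"unexpected status {status}", None


def scim_request(tenant, token):
    """Headers the SCIM calls in the URL list need once a token is in hand."""
    url = f"https://{tenant}.my.idaptive.app/scim/v2/Users"
    return url, {"Authorization": f"Bearer {token}", "Accept": "application/scim+json"}


if __name__ == "__main__":
    url, headers, body = token_request(os.environ["TENANT"], os.environ["APP_ID"],
                                       os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"])
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            verdict, token = parse_token_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:
        verdict, token = parse_token_response(e.code, e.read().decode())
    print(verdict, scim_request(os.environ["TENANT"], token)[0] if token else "")
```

Run with TENANT, APP_ID, CLIENT_ID and CLIENT_SECRET set in the environment; a 404 verdict points at the URL, a 400 at the grant parameters, matching the two responses the thread distinguishes.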