Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.

Azure AD / Entra ID - REST Connector - New Account not created in Application

Murmur
Regular Contributor III
Regular Contributor III

Hi everyone, 

We currently see a weird behaviour, when we try to provision / create a new account in Entra ID. 

When I try to provision a new account for a User, the Account is created in Saviynt, but not in Entra ID. 

I don't really get valuable insights from the logs. 

Settings: 

- The Security System was set up via the "Design" tab
- I have two Connectors running (Import - which works fine, Provisioning (REST) - which fails). 

The Provisioning Connection details looked like this (IDs redacted and secrets removed) - Update below: 

 
Spoiler
{
   "authentications": {
      "AzureADProvisioning": {
         "authType": "oauth2",
         "httpMethod": "POST",
         "httpParams": {
            "grant_type": "client_credentials",
            "client_secret": "",
            "client_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
            "resource": "https://graph.microsoft.com/"
         },
         "httpHeaders": {
            "contentType": "application/x-www-form-urlencoded"
         },
         "httpContentType": "application/x-www-form-urlencoded",
         "expiryError": "ExpiredAuthenticationToken",
         "timeOutError": "Read timed out",
         "errorPath": "odata~dot#error.code",
         "maxRefreshTryCount": 3,
         "tokenResponsePath": "access_token",
         "tokenType": "Bearer",
         "accessToken": "",
         "authError": [
            "InvalidAuthenticationToken",
            "Authentication_MissingOrMalformed"
         ],
         "retryFailureStatusCode": [
            401
         ]
      }
   }
}
 
 
The CreateAccountJSON looks like this: 
Spoiler
{"accountIdPath":"call1.message.id","dateFormat":"yyyy-MM-dd'T'HH:mm:ssXXX","responseColsToPropsMap":{"displayName":"call1.message.displayName~#~char","name":"call1.message.userPrincipalName~#~char"},"call":[{"name":"call1","connection":"AzureADProvisioning","url":"https://graph.microsoft.com/v1.0/users","httpMethod":"POST","httpParams":"{\"accountEnabled\":true,\"displayName\":\"${user.firstname}\",\"mailNickname\":\"${user.firstname}\",\"userPrincipalName\":\"${user.username}_savi@mylab.de\",\"passwordProfile\":{\"forceChangePasswordNextSignIn\":true,\"password\":\"${password}\"}}","httpHeaders":{"Authorization":"${access_token}"},"httpContentType":"application/json","successResponses":{"statusCode":[200,201,204,205]}}]}
 
Do you have any idea where I've been wrong? 
Would be grateful for all hints that help me to debug this.
 

UPDATE:

I just changed the Connector Type (which was created automatically) to Azure AD Provisioning REST. 

The ConnectionJSON now looks like this (TenantID, ClientID and Secret redacted):

 
Spoiler
{
   "authentications": {
     "userAuth": {
       "authType": "oauth2",
       "httpMethod": "POST",
       "httpParams": {
         "grant_type": "client_credentials",
         "client_secret": "@CLIENT_SECRET@",
         "client_id": "@CLIENT_ID@",
         "resource": "https://graph.microsoft.com/"
       },
       "httpHeaders": {
         "contentType": "application/x-www-form-urlencoded"
       },
       "httpContentType": "application/x-www-form-urlencoded",
       "expiryError": "ExpiredAuthenticationToken",
      "authError": ["InvalidAuthenticationToken"],
       "timeOutError": "Read timed out",
       "errorPath": "error.code",
       "maxRefreshTryCount": 5,
       "tokenResponsePath": "access_token",
       "tokenType": "Bearer",
       "accessToken": "Bearer abc"
     },
     "entAuth": {
       "authType": "oauth2",
       "httpMethod": "POST",
       "httpParams": {
         "grant_type": "client_credentials",
         "client_secret": "@CLIENT_SECRET@",
         "client_id": "@CLIENT_ID@",
         "resource": "https://graph.windows.net/"
       },
       "httpHeaders": {
         "contentType": "application/x-www-form-urlencoded"
       },
       "httpContentType": "application/x-www-form-urlencoded",
       "expiryError": "ExpiredAuthenticationToken",
       "authError": ["InvalidAuthenticationToken","Authentication_MissingOrMalformed"],
       "timeOutError": "Read timed out",
      "errorPath": "odata~dot#error.code",
      "maxRefreshTryCount": 3,
       "tokenResponsePath": "access_token",
       "tokenType": "Bearer",
      "accessToken": "Bearer abcde"
     }
   }
 }
 

When I now try to test my connection, I receive the following error message (Log attached): 

Spoiler
"ecm","2023-09-26T07:21:51.486+00:00","2023-09-26T07:21:51.121552775Z stdout F 2023-09-26 07:21:51,121 [http-nio-8080-exec-20] ERROR rest.RestProvisioningService - Error While Saving the connection: JSON syntax exception found in the following connection parameters - CLIENT_SECRET , AUTHENTICATION_ENDPOINT , MICROSOFT_GRAPH_ENDPOINT , CREATEUSERS , CLIENT_ID , AZURE_MGMT_ACCESS_TOKEN , CREATE_NEW_ENDPOINTS , AAD_TENANT_ID , ACCOUNT_IMPORT_FIELDS , AZURE_MANAGEMENT_ENDPOINT , ACCESS_TOKEN "
"ecm","2023-09-26T07:21:51.486+00:00","2023-09-26T07:21:51.121847577Z stdout F 2023-09-26 07:21:51,121 [http-nio-8080-exec-20] ERROR ws.Restfulv5Controller - Connection Failed when calling testExternalConnection "
"ecm","2023-09-26T07:21:51.486+00:00","2023-09-26T07:21:51.121861477Z stdout F java.lang.Exception: JSON syntax exception found in the following connection parameters - CLIENT_SECRET , AUTHENTICATION_ENDPOINT , MICROSOFT_GRAPH_ENDPOINT , CREATEUSERS , CLIENT_ID , AZURE_MGMT_ACCESS_TOKEN , CREATE_NEW_ENDPOINTS , AAD_TENANT_ID , ACCOUNT_IMPORT_FIELDS , AZURE_MANAGEMENT_ENDPOINT , ACCESS_TOKEN "
"ecm","2023-09-26T07:21:51.486+00:00","2023-09-26T07:21:51.121868577Z stdout F at com.saviynt.provisoning.rest.RestProvisioningService.testConnectionRest(RestProvisioningService.groovy:10809)"
"ecm","2023-09-26T07:21:51.486+00:00","2023-09-26T07:21:51.121874277Z stdout F at com.saviynt.ecm.integration.ExternalConnectionCallService.testExternalConnection(ExternalConnectionCallService.groovy:602)"
"ecm","2023-09-26T07:21:51.486+00:00","2023-09-26T07:21:51.121879377Z stdout F at com.saviynt.ecm.ws.Restfulv5Controller$_closure57.doCall(Restfulv5Controller.groovy:6449)"
"ecm","2023-09-26T07:21:51.486+00:00","2023-09-26T07:21:51.121884377Z stdout F at grails.plugin.springsecurity.rest.RestTokenValidationFilter.processFilterChain(RestTokenValidationFilter.groovy:118)"
"ecm","2023-09-26T07:21:51.486+00:00","2023-09-26T07:21:51.121889277Z stdout F at grails.plugin.springsecurity.rest.RestTokenValidationFilter.doFilter(RestTokenValidationFilter.groovy:84)"
"ecm","2023-09-26T07:21:51.486+00:00","2023-09-26T07:21:51.121891777Z stdout F at grails.plugin.springsecurity.web.filter.GrailsAnonymousAuthenticationFilter.doFilter(GrailsAnonymousAuthenticationFilter.java:53)"
"ecm","2023-09-26T07:21:51.486+00:00","2023-09-26T07:21:51.121902177Z stdout F at com.saviynt.webservice.SaviyntRestAuthenticationFilter.doFilter(SaviyntRestAuthenticationFilter.groovy:155)"
"ecm","2023-09-26T07:21:51.486+00:00","2023-09-26T07:21:51.121904577Z stdout F at grails.plugin.springsecurity.web.authentication.logout.MutableLogoutFilter.doFilter(MutableLogoutFilter.java:62)"
"ecm","2023-09-26T07:21:51.486+00:00","2023-09-26T07:21:51.121907677Z stdout F at grails.plugin.springsecurity.web.SecurityRequestHolderFilter.doFilter(SecurityRequestHolderFilter.java:59)"
"ecm","2023-09-26T07:21:51.486+00:00","2023-09-26T07:21:51.121909977Z stdout F at com.mrhaki.grails.plugin.xframeoptions.web.XFrameOptionsFilter.doFilterInternal(XFrameOptionsFilter.java:69)"
"ecm","2023-09-26T07:21:51.486+00:00","2023-09-26T07:21:51.121912377Z stdout F at com.brandseye.cors.CorsFilter.doFilter(CorsFilter.java:82)"
"ecm","2023-09-26T07:21:51.486+00:00","2023-09-26T07:21:51.121914877Z stdout F at java.lang.Thread.run(Thread.java:750)"

Do you have any clue about this? 

[This message has been edited by moderator to merge reply comment]

2 REPLIES 2

SB
Saviynt Employee
Saviynt Employee

The 2nd set of logs show a JSON syntax exception and this could have happened when you changed the Connection Type. Can you change the type back to REST, use the 2nd JSON and then try. 

In case the provisioning is failing, update ConfigJSON param in the REST connection with value {"showLogs":true}.
This will enable additional logging and may help to identify the cause.


Regards,
Sahil

Murmur
Regular Contributor III
Regular Contributor III

Hi Sahil, 

Thank you for looking into that!

The issue arose due to the fact, that the Connector Type from the EXTERNALCONNECTION changed from AzureAD to REST (without changing that manually, I'm still unsure why this happens, but its reproducible). 

I'll close this thread now, as the title and post does not fit the issue anymore.