
CyberArk REST connection JSON

mohitarora1
Regular Contributor

Hi Team,

I am trying to integrate CyberArk using the REST connector. The connectionJSON provided in Understanding the Integration Between EIC and CyberArk (saviyntcloud.com) throws a syntax error in 23.8.

I have tried to use the one below, but the connection still fails.

{
"authentications": {
"acctAuth": {
"authType": "oauth2",
"httpHeaders": {
"Accept": "application/xml",
"contentType": "application/json"
},
"authError": [
"ITATS366E",
"PASWS006E"
],
"url": "https://test.privilegecloud.cyberark.com/PasswordVault/api/Auth/cyberark/Logon",
"httpMethod": "POST",
"httpContentType": "application/json",
"errorPath": "ErrorCode",
"maxRefreshTryCount": 5,
"tokenResponsePath": "string.content",
"authHeaderName": "Authorization",
"accessToken": "Basic dgddyfSJASG",
"httpParams": "{\"username\":\"test\",\"password\":\"test\"}",
"retryFailureStatusCode": [
401,
403
],
"testConnectionParams": {
"http": {
"url": "https://test.privilegecloud.cyberark.com/PasswordVault/API/Users/",
"httpHeaders": {
"Authorization": "${access_token}"
},
"httpContentType": "application/json",
"httpMethod": "GET"
},
"successResponse": [],
"successResponsePath": "",
"errors": [],
"errorPath": "ErrorCode"
}
}
}
}

 

I am getting the token successfully via Postman

mohitarora1_0-1698753362952.png

and the subsequent call using the token is also successful.

mohitarora1_1-1698753452900.png

 


nimitdave
Saviynt Employee

@mohitarora1, please share the error snippet. Also have showlogs=true in the config JSON, as that may provide more detail that can help with troubleshooting.

mohitarora1
Regular Contributor

Thanks @nimitdave, I have added the config JSON, but I think this would be helpful in import. As of now, I am able to see the below in the logs on save and test.

mohitarora1_0-1698763701339.png

 

mohitarora1
Regular Contributor

Hi Team,

Any help on this would be appreciated.

thanks

nimitdave
Saviynt Employee

@mohitarora1 , Please see if this helps:

{
"authentications": {
"acctAuth": {
"authType": "oauth2",
"httpHeaders": {
"Accept": "application/xml",
"contentType": "application/json"
},
"authError": [
"ITATS366E",
"PASWS006E"
],
"url": "https://HOSTNAME/PasswordVault/API/Auth/CyberArk/Logon",
"httpMethod": "POST",
"httpContentType": "application/json",
"errorPath": "ErrorCode",
"maxRefreshTryCount": 5,
"tokenResponsePath": "string.content",
"authHeaderName": "Authorization",
"accessToken": "Basic dgddyfSJASG",
"httpParams": "{\"username\":\"@username\",\"password\":\"@password\"}",
"retryFailureStatusCode": [
401,
403
]
}
}
}

Hi @nimitdave , this isn't working.

 

{
"authentications": {
"acctAuth": {
"authType": "oauth2",
"httpHeaders": {
"Accept": "application/xml",
"contentType": "application/json"
},
"authError": [
"ITATS366E",
"PASWS006E"
],
"url": "https://test.privilegecloud.cyberark.com/PasswordVault/API/Auth/CyberArk/Logon",
"httpMethod": "POST",
"httpContentType": "application/json",
"errorPath": "ErrorCode",
"maxRefreshTryCount": 5,
"tokenResponsePath": "string.content",
"authHeaderName": "Authorization",
"accessToken": "Basic dgddyfSJASG",
"httpParams": "{\"username\":\"test\",\"password\":\"test\"}",
"retryFailureStatusCode": [
401,
403
],
"testConnectionParams": {
"http": {
"url": "https://test.privilegecloud.cyberark.com/PasswordVault/API/Users",
"httpHeaders": {
"Authorization": "${access_token}"
},
"httpContentType": "application/json",
"httpMethod": "GET"
},
"successResponse": [
200
],
"successResponsePath": "Users",
"errors": [],
"errorPath": "ErrorCode"
}
}
}
}

In my opinion, Saviynt is not able to read the token via string.content, because I hard-coded the token and it brought the data.

The CyberArk API returns the token without a path to identify the token; the response itself is the token.

Thanks, 

Mohit Arora
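
The point made in the post above, that the Logon response body is itself the token, shown as an added example (not part of the original thread and not Saviynt's code). `resolve_path` is a hypothetical stand-in for a dotted-path lookup such as `tokenResponsePath`, and both response bodies are constructed samples.

```python
import json

# Constructed sample bodies (not captured from a real vault).
# A bare JSON string: the whole body is the session token.
BARE_STRING_BODY = '"CONSTRUCTED-SESSION-TOKEN-0001"'
# An object shaped so that the path "string.content" would resolve.
OBJECT_BODY = '{"string": {"content": "CONSTRUCTED-SESSION-TOKEN-0001"}}'


def resolve_path(value, path):
    """Hypothetical dotted-path lookup; an empty path returns the whole value."""
    if path == "":
        return value
    current = value
    for key in path.split("."):
        # A bare string has no keys, so any non-empty path fails here.
        if not isinstance(current, dict) or key not in current:
            raise LookupError(
                f"segment '{key}' not found in {type(current).__name__}"
            )
        current = current[key]
    return current


def extract_token(body, token_path):
    """Parse the response body and pull the token out at token_path."""
    token = resolve_path(json.loads(body), token_path)
    if not isinstance(token, str) or not token:
        raise ValueError("resolved value is not a non-empty string")
    return token


def try_extract(body, token_path):
    """Return the token, or a FAILED message describing why lookup broke."""
    try:
        return extract_token(body, token_path)
    except (LookupError, ValueError) as exc:
        return f"FAILED: {exc}"


if __name__ == "__main__":
    for body in (BARE_STRING_BODY, OBJECT_BODY):
        for path in ("string.content", ""):
            print(f"{body!r:60} path={path!r:18} -> {try_extract(body, path)}")
```

With a bare-string body, only the empty path yields a usable token; a client that insists on a non-empty path ends up sending no valid `Authorization` value, which matches the 401-on-refresh symptom described in the thread.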

mohitarora1
Regular Contributor

@nimitdave I have noticed we are getting a 401 code, and Saviynt is unable to refresh the token and eventually the job fails. It works if we provide a hard-coded token in the JSONs. Can you confirm whether this is an issue and requires a support ticket?

Thanks,

Mohit

nimitdave
Saviynt Employee

@mohitarora1, can you share the body of the request that provides you that token? I think we are missing another call to get the token, as https://URL/PasswordVault/API/Auth/CyberArk/Logon is just the logon to the vault. But to make the API calls you will be using a different user, and the response of the above URL will help to fetch the secret for that user (appuser). Then the token/secret from the AIMWebService/api/Accounts call will be used for importing/provisioning data. A sample is attached below:

 

*********************************************************

{
"authentications": {
"acctAuth": {
"authType": "oauth2",
"httpParamsName": "password",
"call": {
"call1": {
"callOrder": 0,
"url": "https://URL/AIMWebService/api/Accounts?appID=<appuser>&safe=<safename>&object=<appname>",
"httpMethod": "GET",
"httpHeaders": {
"Accept": "application/json"
},
"httpContentType": "application/json",
"keyPath": "Content",
"successResponses": {
"statusCode": [
200,
201,
202,
203,
204,
205
]
}
}
},
"url": "https://URL/PasswordVault/API/Auth/CyberArk/Logon",
"httpMethod": "POST",
"httpParams": {
"username": "saviynt_ops",
"password": "abcd"
},
"httpHeaders": {
"Accept": "application/xml"
},
"httpContentType": "application/x-www-form-urlencoded",
"authError": [
"InvalidAuthenticationToken",
"AuthenticationFailed",
"FAILURE",
"INVALID_SESSION_ID",
"ExpiredAuthenticationToken",
"Read timed out",
401
],
"retryFailureStatusCode": [
401
],
"errorPath": "errors.type",
"maxRefreshTryCount": 5,
"tokenResponsePath": "string.content",
"tokenType": "",
"accessToken": ""
}
}
}

**********************************************************************************

Hi @nimitdave ,

I am following the below API documentation provided by the CyberArk team.

REST APIs | CyberArk Docs

Below is the screenshot of the token request.

 

mohitarora1_1-1699021606595.png

In the documentation, it is mentioned to use the token received from the logon request for subsequent calls, and it works for me in Postman and with a hard-coded token in Saviynt.

mohitarora1_0-1699021538686.png

Thanks

Can you try the below?


{
"authentications": {
"acctAuth": {
"authType": "oauth2",
"httpHeaders": {
"Accept": "application/xml",
"contentType": "application/json"
},
"authError": [
"ITATS366E",
"PASWS006E"
],
"url": "https://<<hostname>>/PasswordVault/API/Auth/CyberArk/Logon",
"httpMethod": "POST",
"httpContentType": "application/json",
"errorPath": "ErrorCode",
"maxRefreshTryCount": 5,
"tokenResponsePath": "string.content",
"authHeaderName": "Authorization",
"accessToken": "<access token>",
"httpParams": ""
}
}
},
{
"username": "admin",
"password": "@password@"
}


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Hi @rushikeshvartak, the connection JSON works syntax-wise, but Saviynt is not validating the actual connection; it just checks the syntax of it, even if you provide invalid credentials. The problem here is that, even though the connection is successful, the import is failing because it is unable to generate the token. If I hard-code the token in the import JSON, it works and brings in the data.

Even if I provide the right credentials in the JSON, Saviynt is not able to generate the token and we get a 401 error while refreshing the token.

Thanks,

Mohit Arora

Hi @mohitarora1 

Can you try the connection JSON as below, changing only the URL, username and password, and try it out?

 

  {
    "authentications": {
      "acctAuth": {
        "authType": "oauth2",
        "httpHeaders": {
          "Accept": "application/xml",
          "contentType": "application/json"
        },
        "authError": [
          "ITATS366E",
          "PASWS006E"
        ],
        "url": "https://<<hostname>>/PasswordVault/API/Auth/CyberArk/Logon",
        "httpMethod": "POST",
        "httpContentType": "application/json",
        "errorPath": "ErrorCode",
        "maxRefreshTryCount": 5,
        "tokenResponsePath": "string.content",
        "authHeaderName": "Authorization",
        "accessToken": "<access token>,\r\n",
        "httpParams": ": "
      }
    }
  },
  {
    "username": "admin",
    "password": "@password@"
  }

 

 

 

Thanks

Darshan

Hi @Darshanjain ,

I have tested this already; this does not work either.

 

Thanks,

Mohit Arora

Hi @mohitarora1 

Can you create an FD ticket on this mentioning the forum link? We will get it checked internally. Please attach the logs and all the connection JSONs you tried.

 

Thanks

Darshan

Hi @mohitarora1 

Did you try with tokenResponsePath as blank? If not, please try with the below JSON once and let me know.

 

{
"authentications": {
"acctAuth": {
"authType": "oauth2",
"httpParamsName": "password",
"call": {
"call1": {
"callOrder": 0,
"url": "",
"httpMethod": "GET",
"httpHeaders": {
"Accept": "application/json"
},
"httpContentType": "application/json",
"keyPath": "Content",
"successResponses": {
"statusCode": [
200,
201,
202,
203,
204,
205
]
}
}
},
"url": "https://cyberark.com/PasswordVault/API/Auth/CyberArk/Logon",
"httpMethod": "POST",
"httpParams": {
"username": "test",
"password": "test",
"concurrentSession":"True"
},
"httpHeaders": {
"Accept": "application/json"
},
"httpContentType": "application/json",
"successResponses": {
"statusCode": [
200,
201,
202,
203,
204,
205
]
},
"authError": [
"InvalidAuthenticationToken",
"AuthenticationFailed",
"FAILURE",
"INVALID_SESSION_ID",
"ExpiredAuthenticationToken",
"Read timed out",
"PASWS013E",
401,
403,
500
],
"retryFailureStatusCode": [
401,
403,
500
],
"errorPath": "errors.type",
"maxRefreshTryCount": 5,
"tokenResponsePath": "",
"tokenType": "",
"accessToken": "test"
}
}
}

 

Thanks

Darshan

mohitarora1
Regular Contributor

Hi @Darshanjain ,

This isn't working; in the logs I can see it tries to refresh the token 5 times, throwing an exception each time.

 

Thanks,

Mohit Arora

Nmaheshwari
New Contributor II

Hi @mohitarora1 

Did we get any solution here? We are also facing the same issue.

Thanks,

mohitarora1
Regular Contributor

Hi @Nmaheshwari ,

No, we have raised a Saviynt support ticket for this. We are yet to get a solution for it.

Thanks,

Mohit Arora

Sampritha_r
Saviynt Employee

@mohitarora1 

See if this helps; it resolved a similar CyberArk Logon issue.

Access Token Refresh Failure Issue - CyberArk(Targ... - Saviynt Forums - 61818