We are delighted to share our new EIC Delivery Methodology for efficiently managing Saviynt Implementations and delivering quick time to value. CLICK HERE.

Set API Password to Access Saviynt API's For Service User

Sivagami
Valued Contributor
Valued Contributor

I have a service user let's say apiuser and I need to give it Saviynt API access.

As an admin, I tried resetting the password from UI via Admin->Admin Functions->Admin Functions

The password set here if used in API throws 401 unauthorized

Note: Our environment is SSO enabled, so I can't log in via the direct link to log in with the password set and then change the API password from the UI option.

Sivagami_0-1659029433252.png

Anyone faced a similar issue and how did you manage to set the API password as self-service instead of reaching out to Saviynt to do it from the backend? 

-Siva

9 REPLIES 9

sahajranajee
Saviynt Employee
Saviynt Employee

Hi @Sivagami ,

Assuming you are already using this api/service account for calling APIs, the localauthenabled attribute on the user profile should already be 1. This attribute dictates whether local authentication would be allowed for a user when SSO is enabled on your application.

In that scenario, you can reset the password for your user using the 'changePassword' API.

Password change via this API would not set passwordexpired to 1 and hence the set password should work.

sahajranajee_0-1659083404894.png

 

In case you still see a 401 after a password change via the api, check the localauthenabled value for your user via Analytics.

You can then set the value for localauthenabled as 1 via SaviyntForSaviynt user import or via CustomQuery job.




Regards,
Sahaj Ranajee
Sr. Product Specialist

Thanks Sahaj for the response.

localauthenabled attribute is not 1 for api users that we already use. 

I tried the API to set the password for the new apiuser and it worked this time.

Thanks much for the self-service option you provided.

 

 

Hi,

Thanks for the detailed solution. We have enabled localauthenabled=1 for the service account user and changed the password using the API endpoint mentioned above. However, we are seeing 401 when tried to get the API token using Postman.

We checked the value of localauthenabled using Analytics and see the value is set to 'true'. User also has a ADMIN SAV role and an active Saviynt account.

Could you please let us know what could the reason?

Thanks!

BrandonLucas_BF
Regular Contributor III
Regular Contributor III

Were you able to resolve this? I have the same issue and have had no luck figuring it out.

Are you able to see login page ?

does same error with api ?


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

BrandonLucas_BF
Regular Contributor III
Regular Contributor III

We are using SSO so there is no way to test this user with the login page. I'm using the API. This was set up prior to my working in this environment. I followed this process:

  • Created new user in Saviynt
  • During creation did not set to expire password
  • Granted role_admin
  • Reset password
  • Using Postman, calling: https://tenantname.saviyntcloud.com/ECM/api/login
    • Body: 
      {"username":"usernamehere","password":"passwordhere"}
      Header:
      Content-Type applicaton/json
       
      Using admin user in development, I can connect and get token. Using the created account, I am unable to retrieve a token. I get 401 unauthorized. There is nothing in the logs. I see the exact same behavior in production. Have tried setting LOCALAUTHENABLED to 1 on the account and it makes no difference.
       

can you provide logs when you hit api from postman


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

BrandonLucas_BF
Regular Contributor III
Regular Contributor III

An update: tricked our SSO provider into allowing me to login to the UI as this user. I am able to log in. There appears to be no issue with the account. In 2020.1 there is no "reset API password" GUI option, so I'm wondering if this is somehow related to that. Does anyone know how this should work? Documentation is insufficient for this process.

BrandonLucas_BF
Regular Contributor III
Regular Contributor III

I wanted to return and post instructions I received from Saviynt support which worked for us. You can reset the password via gui. I think for us the issue that we kept encountering was when you reset the password you must be sure to set passwordexpire=0 and you also must have localauthenabled set to true *before* the password reset. The steps below can be used for setup of an API user:

 

Need to follow these steps, in order, when creating the Service Account/User:
1.  Create User
2.  Set localauthenabled=1 (true)
3.  Change password via 'Admin Function' to desired password
4.  Set passwordexpired=0 (false)
 
Note:  localauthenabled must be true before the password is changed/reset.  After the password is changed you can then set localauthenabled back to 0, as it is not required for API login.
 
When accessing the API:

1. Verify the password for the user/service account is correct

2. Ensure the user that we are using for API has the proper SAV role assigned and the access for API calls are added in that SAV role.
3. Use below steps to verify the call
 
  1. Enter the url value as (POST METHOD) - https://...dev.saviyntcloud.com/ECM/api/login
  2. 19.png

     

  3. Under Authorization tab, select type as No Auth
 

 

        3. Select ‘Body’ tab and then ‘Raw’. Enter the user name and password value in format 
18.png

 

{"username":"svc_api","password":"xxxxxxx"}
 
 

 

Thank you to @Amandhu Amandhu Rajashekhar from Saviynt support for this resolution.