Identity Broker Forum

+3
Completed

Identity Broker for Google Apps v5

Boyd Bostock 8 years ago in UNIFYBroker/Google Apps updated by anonymous 7 years ago 2

Can Identity Broker for Google Apps be made available for Identity Broker v5?


This Broker can manage more attributes than the Google Apps Directory Synchronization and can make use of existing PCNS deployments rather than requiring Google Apps Password Sync (GAPS), which needs to be installed on all DCs and is limited to one Google Apps domain.


Cairns Catholic Education will use it and Brisbane Catholic Education would be likely to use it to replace GAPS and GADS with FIM/MIM and IdB.

0
Answered

A user-interface could not be located for this agent type.

Hayden Gray 2 months ago in UNIFYBroker/Google Apps updated by Matthew Davis (Technical Product Manager) 2 months ago 3

Hi Team,

We are currently doing environment updates at a site and at the same time updating their UNIFYBroker version from 5.3.1 Revision 4 to the latest version, 5.3.4, but are running into issues. The customer also has the Google Apps connectors installed in their environment, but the latest version that I can see available, which I have installed, is 5.3.2.

The install is successful and the service starts; however, when validating components in the UNIFYBroker interface, I noticed the following errors occurring.

On the Google Agents the following error is produced:

A user-interface could not be located for this agent type. The list of known types are:
Unify.Agent.FTP (FTP Agent)
Unify.Agent.SSH (SSH Agent)
Unify.Agent.SqlServerDatabase (SQL Server Database Agent)
Unify.Agent.OracleDb (Oracle Database Agent)
Unify.Agent.OleDb (Ole Database Agent)
Google (Google Agent)


On the Google Connectors the following error is produced:

A user-interface could not be located for this connector type. The list of known types are:
Unify.IdentityBroker.Connector.Google.Calendar (Google Calendar)
Unify.IdentityBroker.Connector.Google.DomainContact (Google Domain Shared Contact)
Unify.IdentityBroker.Connector.Google.OrgUnit (Google Org Unit)
Unify.IdentityBroker.Connector.Google.Group (Google Group)
Unify.IdentityBroker.Connector.Google.UserSettings (Google User Settings)
Unify.IdentityBroker.Connector.Google.User (Google User)
Unify.Connectors.PowerShell (PowerShell Connector)
Unify.Connectors.Direct (Database Connector)
Unify.Connectors.CSV (CSV Connector)
Unify.Connectors.Placeholder (Placeholder Connector)


I saw a similar issue mentioned on a previous ticket regarding Aurion connectors where an incorrect version was being used and I am figuring something similar could be happening here.

Thank you

Answer
Hayden Gray 2 months ago

Thanks Matt, that helped me find the issue.

The issue was that the IIS site was pointing to the standaloneweb directory when it should be pointing to just the web directory. Repointing and doing an IIS reset got it working as expected.

Thank you

0
Planned

Updating Google Connector Resets Agent

Hi,

Recently we ran into an issue with the Google Apps Connector where going in to update the connector properties would set the agent to another rather than keeping the original value.

Image 5979

Image 5978


This caused an issue where we saved the connector without realizing the agent had been changed, causing the connector to import from another domain.

We can make sure the agent is set correctly before we make any updates, but it would be useful to have this behavior changed to avoid any issues or accidents in future. Google Connector version is 5.3.2.0.

Thanks

0
Answered

Google group membership exports

I have an environment where we are noticing some membership disparities for some Google groups that are failing on export. My question around this is: when a group membership fails to update for whatever reason, will the export process continue and try to amend the remaining membership changes for that group? Or will it simply throw the error back to MIM and move on to the next group in the export? UNIFYBroker and the Google Connectors are at the latest versions.

Thank you

Answer

The latter: the group update does not continue, and it moves on to the next group.

0
Fixed

Issue with Google Groups Connector generating large numbers of RSA files on export

We have recently been having an issue whereby the UNIFYBroker service account appdata directory (C:\Users\<IdB Service Account>\AppData\Roaming\Microsoft\Crypto\RSA\<user object SID>) seems to fill up rapidly with RSA files. At its current rate it appears to be filling up with the addition of thousands of files a day. I have done some testing between UNIFYBroker and Process Monitor and have been able to narrow down a particular operation in UNIFYBroker that seems to be generating all the files in this directory and not clearing them after creating them.

The main operation, from what I can tell, seems to be the export operation on the Google groups connector. I have tested imports on this same connector and this doesn't seem to be generating the files from what I can tell. Please see the images below showing the timings for these jobs lining up at exactly the same time.

Image 5847

Image 5848

Environment Details:

UNIFYBroker: v5.3.1

Google Connector: v5.3.2

Let me know if you need any further information.

0
Fixed

Duplicate address error when adding members to Google Groups

Hi All,

I am currently assisting a client with an issue in UNIFYBroker, whereby a Google Group connector is reporting a duplicate account error for some users when trying to add them to Google groups. We can inspect the groups manually in Google and these groups definitely do not contain these users. Being unable to find a root cause for the issue in Broker/MIM, the client raised a ticket with Google and received the following response:

Thank you for contacting Google Cloud Support. I understand that you are not able to add an address to one of your Groups as you are getting a message that the address has already been added to the Group.

I reviewed the information you provided on the chat and did the checks we do in these cases. The reason you are not able to add the external address is because the address you are trying to add is either an alias, a contact or a recovery address for a Google account. The system has the Google account already associated to the Group and since the system already knows the main account is already added it does not let you add it again. In this case you will need to contact the external user and ask for an alternate address they may have and check if that address is already on the Group. The other address is already receiving the messages sent to the Group.

Not being able to find a solution around this within Broker and MIM, I was hoping you may be able to take a look and see if you can spot anything we may be missing here.

This issue has quite a bit of attention within the client environment as key people are missing out on important Covid-19 information. The current workaround is listed in Google's response; however, this often takes weeks to remediate.

Let me know if you need any further information.

Thanks

0
Under review

Following error started appearing on google apps connector

Hayden Gray 4 years ago in UNIFYBroker/Google Apps updated by Matthew Davis (Technical Product Manager) 2 years ago 7

Hi All,

Noticed a ticket in voice with basically the same error as the one below. Adam noted an internal change made by Google as the cause of the error (https://voice.unifysolutions.net/communities/6/topics/2802-google-apps-group-import-error). Would you be able to take a look and see if this is the same scenario? This occurrence is likely for the same client as the ticket linked.

Change detection engine import all items failed.
Change detection engine import all items for connector Google STAFF: Groups Connector failed with reason One or more errors occurred.. Duration: 00:14:34.7327688
Error details:
System.AggregateException: One or more errors occurred. ---> System.Exception: A Google API exception was thrown for call GroupsSettings.Get with message "Google.Apis.Requests.RequestError
Invalid Value [400]
Errors [
Message[Invalid Value] Location[ - ] Reason[invalid] Domain[global]
]
". See inner exception for details. Processing continued: False. ---> Google.GoogleApiException: Google.Apis.Requests.RequestError
Invalid Value [400]
Errors [
Message[Invalid Value] Location[ - ] Reason[invalid] Domain[global]
]

at Google.Apis.Requests.ClientServiceRequest`1.Execute()
at Unify.Product.IdentityBroker.GoogleAgent.BackoffRetry[TResult](String logEvent, Boolean throwExceptions, Func`1 request, Action newClient, TResult& result, Int32 retries)
--- End of inner exception stack trace ---
at Unify.Product.IdentityBroker.GoogleAgent.<>c__DisplayClass69_3`1.b__1()
at Unify.Product.IdentityBroker.GoogleAgent.ThrowIfPrimaryCall(Boolean primaryCall, Action throwException)
at Unify.Product.IdentityBroker.GoogleAgent.BackoffRetry[TResult](String logEvent, Boolean throwExceptions, Func`1 request, Action newClient, TResult& result, Int32 retries)
at Unify.Product.IdentityBroker.GoogleAgent.<>c__DisplayClass83_0.b__2(Tuple`2 group)
at System.Threading.Tasks.Parallel.<>c__DisplayClass17_0`1.b__1()
at System.Threading.Tasks.Task.InnerInvokeWithArg(Task childTask)
at System.Threading.Tasks.Task.<>c__DisplayClass176_0.b__0(Object )
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken)
at System.Threading.Tasks.Parallel.ForWorker[TLocal](Int32 fromInclusive, Int32 toExclusive, ParallelOptions parallelOptions, Action`1 body, Action`2 bodyWithState, Func`4 bodyWithLocal, Func`1 localInit, Action`1 localFinally)
at System.Threading.Tasks.Parallel.ForEachWorker[TSource,TLocal](IEnumerable`1 source, ParallelOptions parallelOptions, Action`1 body, Action`2 bodyWithState, Action`3 bodyWithStateAndIndex, Func`4 bodyWithStateAndLocal, Func`5 bodyWithEverything, Func`1 localInit, Action`1 localFinally)
at System.Threading.Tasks.Parallel.ForEach[TSource](IEnumerable`1 source, ParallelOptions parallelOptions, Action`1 body)
at Unify.Product.IdentityBroker.GoogleAgent.ProcessedGroups(Func`1 getDirectoryService, Func`1 getGroupsSettingsService, ConcurrentBag`1 directoryServices, ConcurrentBag`1 groupsSettingsServices, GroupEntityAdapter groupAdapter, GroupSettingsEntityAdapter groupSettingAdapter, IGroupMembersEntityAdapter groupMembersAdapter, IEnumerable`1 groupsValue, Boolean manageGroupSettings, GroupMembersReadMethod groupMembersReadMethod, String[] groupNameSuffixWhitelistFilter)
at Unify.Product.IdentityBroker.GoogleAgent.d__57.MoveNext()
at System.Linq.Enumerable.d__17`2.MoveNext()
at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
at Unify.Product.IdentityBroker.AuditReadingConnectorDecorator.GetAllEntities(IStoredValueCollection storedValues, CancellationToken cancellationToken)
at Unify.Product.IdentityBroker.EventNotifierReadingConnectorDecoratorBase`1.GetAllEntities(IStoredValueCollection storedValues, CancellationToken cancellationToken)
at Unify.Product.IdentityBroker.ChangeDetectionImportAllJob.ImportAllChangeProcess()
at Unify.Product.IdentityBroker.ChangeDetectionImportAllJob.RunBase()
at Unify.Framework.DefinedScopeJobAuditTrailJobDecorator.Run()
at Unify.Product.IdentityBroker.ConnectorJobExecutor.<>c__DisplayClass30_0.b__0()
at Unify.Framework.AsynchronousJobExecutor.PerformJobCallback(Object state)
---> (Inner Exception #0) System.Exception: A Google API exception was thrown for call GroupsSettings.Get with message "Google.Apis.Requests.RequestError
Invalid Value [400]
Errors [
Message[Invalid Value] Location[ - ] Reason[invalid] Domain[global]
]
". See inner exception for details. Processing continued: False. ---> Google.GoogleApiException: Google.Apis.Requests.RequestError
Invalid Value [400]
Errors [
Message[Invalid Value] Location[ - ] Reason[invalid] Domain[global]
]

at Google.Apis.Requests.ClientServiceRequest`1.Execute()
at Unify.Product.IdentityBroker.GoogleAgent.BackoffRetry[TResult](String logEvent, Boolean throwExceptions, Func`1 request, Action newClient, TResult& result, Int32 retries)
--- End of inner exception stack trace ---
at Unify.Product.IdentityBroker.GoogleAgent.<>c__DisplayClass69_3`1.b__1()
at Unify.Product.IdentityBroker.GoogleAgent.ThrowIfPrimaryCall(Boolean primaryCall, Action throwException)
at Unify.Product.IdentityBroker.GoogleAgent.BackoffRetry[TResult](String logEvent, Boolean throwExceptions, Func`1 request, Action newClient, TResult& result, Int32 retries)
at Unify.Product.IdentityBroker.GoogleAgent.<>c__DisplayClass83_0.b__2(Tuple`2 group)
at System.Threading.Tasks.Parallel.<>c__DisplayClass17_0`1.b__1()
at System.Threading.Tasks.Task.InnerInvokeWithArg(Task childTask)
at System.Threading.Tasks.Task.<>c__DisplayClass176_0.b__0(Object )<---

UNIFYBroker Version: v5.3.1 Revision #4

Google Connector Version: v5.3.2.0

Let me know if you need any further information.

Thank you

0
Fixed

Google passwords are not being set on creation

Boyd Bostock 6 years ago in UNIFYBroker/Google Apps updated by Adam van Vliet 6 years ago 6

Google passwords are not being set on creation; subsequent resets in AD are synchronised successfully.

In MIM the export_password attribute is set with the desired password. I was unable to find any information about this attribute or how to configure the Password Script in the Google Connector.

Unsure of when this started to re-occur, as most users authenticate via the IDP; however, Chromebooks authenticate directly. It appears this issue has occurred before (https://voice.unifysolutions.net/communities/6/topics/2816-passwords-are-not-set-on-google-account-creation); however, the key is configured to be email address.

Identity Broker: v5.2.0 Revision #3
Google Connector: 5.2.0.2
Unify.IdentityBroker.Communicator.Google.dll: 5.2.0.1

Answer
Adam van Vliet 6 years ago

So just confirming, using the Identity Broker version of the Newtonsoft fixes that particular issue? I'll update the connector to use the same version so that it isn't able to override it.

Do you have an update on whether the password change is working?

0
Fixed

Google User Settings - Delete SendAs Address

Boyd Bostock 6 years ago in UNIFYBroker/Google Apps updated by Adam van Vliet 6 years ago 11

I am getting an error using the Google User Settings connector. The error occurs when deleting a custom SendAs address which was previously added using the connector.

Example

DN: CN=gsurname@email.com,OU=GmailSettings,DC=IdentityBroker

SendAs Unchanged: <SendAs name="""" address=""gsurname@email.com"" replyTo="""" signature="""" default=""false"" />

SendAs Unchanged: <SendAs name=""Givenname Surname"" address=""gsurname@email2.com"" replyTo="""" signature="""" default=""true"" />

SendAs Delete: <SendAs name=""Givenname Surname"" address=""gsurname@email3.com"" replyTo="""" signature="""" default=""false"" />

Error Message

System.ArgumentException: An item with the same key has already been added.
   at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource)
   at System.Collections.Generic.Dictionary`2.Insert(TKey key, TValue value, Boolean add)
   at System.Linq.Enumerable.ToDictionary[TSource,TKey,TElement](IEnumerable`1 source, Func`2 keySelector, Func`2 elementSelector, IEqualityComparer`1 comparer)
   at Unify.Product.IdentityBroker.UserSettingsEntityMapper.MapEntity(IEntity originalEntity, IConnectorEntity exportedEntity)
   at Unify.Product.IdentityBroker.GoogleUserSettingsConnector.<>c__DisplayClass20_0.<UpdateEntities>b__4(IConnectorEntity entity)
   at System.Linq.Enumerable.WhereSelectArrayIterator`2.MoveNext()
   at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
   at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
   at Unify.Product.IdentityBroker.GoogleUserSettingsConnector.UpdateEntities(IEnumerable`1 entities, IEnumerable`1 originalEntities, ISaveEntityResults`2 results)
   at Unify.Product.IdentityBroker.AuditUpdatingConnectorDecorator.UpdateEntities(IEnumerable`1 entities, IEnumerable`1 originalEntities, ISaveEntityResults`2 results)
   at Unify.Product.IdentityBroker.EventNotifierUpdatingConnectorDecorator.UpdateEntities(IEnumerable`1 entities, IEnumerable`1 originalEntities, ISaveEntityResults`2 results)


Answer
Adam van Vliet 6 years ago

Now that I'm looking at it, name is probably a bad key for the list of send-as (I don't recall making the decision when originally developing it). Shall I give you a patch that uses the email address instead, try to save you going through that fun?
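
The key collision discussed in this thread, reproduced as an added example; it is not part of the original posts and is not UNIFYBroker's code. The class and helper names are hypothetical, the sample data is the three SendAs values from the question, and the case-insensitive comparison of addresses is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

static class SendAsKeyDemo
{
    // Constructed sample: the three SendAs values from the question, wrapped in a root element.
    const string Sample = @"<List>
  <SendAs name="""" address=""gsurname@email.com"" replyTo="""" signature="""" default=""false"" />
  <SendAs name=""Givenname Surname"" address=""gsurname@email2.com"" replyTo="""" signature="""" default=""true"" />
  <SendAs name=""Givenname Surname"" address=""gsurname@email3.com"" replyTo="""" signature="""" default=""false"" />
</List>";

    // Build a lookup of SendAs entries keyed on the chosen attribute (hypothetical helper).
    static Dictionary<string, XElement> Index(IEnumerable<XElement> items, string keyAttribute) =>
        items.ToDictionary(e => (string)e.Attribute(keyAttribute), e => e,
                           StringComparer.OrdinalIgnoreCase);

    // Report key values that occur more than once, so a collision can be
    // surfaced as a data problem instead of an unhandled ArgumentException.
    static List<string> DuplicateKeys(IEnumerable<XElement> items, string keyAttribute) =>
        items.GroupBy(e => (string)e.Attribute(keyAttribute), StringComparer.OrdinalIgnoreCase)
             .Where(g => g.Count() > 1)
             .Select(g => g.Key)
             .ToList();

    static void Main()
    {
        var items = XElement.Parse(Sample).Elements("SendAs").ToList();

        // Keyed on the display name: two entries share "Givenname Surname",
        // so ToDictionary throws the ArgumentException seen in the stack trace.
        Console.WriteLine("duplicate names: " + string.Join(", ", DuplicateKeys(items, "name")));
        try
        {
            Index(items, "name");
        }
        catch (ArgumentException ex)
        {
            Console.WriteLine("keyed on name: " + ex.Message);
        }

        // Keyed on the address: every entry is distinct, so the delete of
        // gsurname@email3.com can be applied without touching the other two.
        Console.WriteLine("duplicate addresses: " + DuplicateKeys(items, "address").Count);
        var byAddress = Index(items, "address");
        byAddress.Remove("gsurname@email3.com");
        Console.WriteLine("remaining: " + string.Join(", ", byAddress.Keys));
    }
}
```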

0
Declined

Separation of Signature and SendAs

Boyd Bostock 7 years ago in UNIFYBroker/Google Apps updated by anonymous 7 years ago 3

The signature is currently combined in the same attribute as the SendAs field. Is it possible to separate these attributes?

Signature in UI showing linkage to default SendAs

Image 3925

Signature in UI showing linkage to non-default SendAs

Image 3926

<SendAs name="" address="bbostock@cns.catholic.edu.au" replyTo="" signature="<div dir="ltr"><div>Regards</div><div>My Name</div><div><br></div><div>My Title2</div><div>My Department2</div><div>My Company2</div><div>p: 0400 000 000</div><div>e: <a href="mailto:myemail@mycompany2.com" target="_blank">myemail@mycompany2.com</a></div></div>" default="false" />, <SendAs name="Boyd Bostock" address="bbostock@sscc.qld.edu.au" replyTo="" signature="<div dir="ltr">Regards<div>My Name</div><div><br></div><div>My Title</div><div>My Department</div><div>My Company</div><div>p: 0400 000 000</div><div>e: <a href="mailto:myemail@mycompany.com" target="_blank">myemail@mycompany.com</a></div><div><br></div></div>" default="true" />

Answer
anonymous 7 years ago

I think it will be problematic as email addresses will change if people transfer between schools. For my purposes I will configure the MIM Rule Extension to preserve the signature if present.