I put through an update from Azure via SCIM which had two attributes changing at the same time, and the following error appeared in the UNIFYBroker log:

20220422,05:36:27,UNIFYBroker,SCIMGateway,Error,"Error during SCIM operation: System.InvalidOperationException: Sequence contains more than one element
at System.Linq.Enumerable.Single[TSource](IEnumerable`1 source)
at Unify.Product.IdentityBroker.SCIMProvider.Patch(IAdapterEntity adapterEntity, PatchRequest2 patch, ISCIMGatewayMapping mappings, IValueAdapter`2 valueAdapter, IEntitySchema schema)
at Unify.Product.IdentityBroker.SCIMProvider.d__20.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.SystemForCrossDomainIdentityManagement.ProviderBase.d__45.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.SystemForCrossDomainIdentityManagement.ProviderAdapterTemplate`1.d__15.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.SystemForCrossDomainIdentityManagement.ControllerTemplate`1.d__5.MoveNext()",Normal

Here is the corresponding update from the Azure side:

As a possible complication for this ticket, the user involved previously didn't have a value for their employeeNumber field (which is a required/key field of the underlying connector) and that caused this error:

20220422,05:34:08,UNIFYBroker,An exception has occured in the AdapterEntityChangeDetectorCollator. Please see the exception for details,Error,"Npgsql:
System.InvalidOperationException: Parameter 'key1value0' must have its value set
at Npgsql.NpgsqlParameter.ResolveHandler(ConnectorTypeMapper typeMapper)
at Npgsql.NpgsqlParameter.Bind(ConnectorTypeMapper typeMapper)
at Npgsql.NpgsqlCommand.ValidateParameters()
at Npgsql.NpgsqlCommand.d__100.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Npgsql.NpgsqlCommand.d__92.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Npgsql.NpgsqlCommand.ExecuteNonQuery()
at Unify.Product.IdentityBroker.MultiKeyValueQueryExecutor`2.PopulateTempTable(NpgsqlConnection connection, NpgsqlTransaction transaction, IDictionary`2 tempKeyLookup, ValueToObjectAdapter adapter, IEnumerable`1 multiKeyValues, String tempTableName)
at Unify.Product.IdentityBroker.MultiKeyValueQueryExecutor`2.Execute(NpgsqlConnection connection, ValueToObjectAdapter adapter, Guid partitionId, IEnumerable`1 multiKeyValues, String tempTableName, String entityValueFieldName, String entityTableName, String partitionIdName, Func`2 readData)
at Unify.Product.IdentityBroker.KnownEntityPartitionPostgreSqlUpdatableContextBase`3.GetEntities(Guid partitionId, IEnumerable`1 keys)
at Unify.Product.IdentityBroker.EntityRepositoryExtensions.<>c__DisplayClass1_0.b__0(MultiKeyValue`1[] multiKeyValues)
at Unify.Product.IdentityBroker.EntityRepositoryExtensions.ConvertConnectorEntities(IEnumerable`1 connectorEntities, IMultiKey`1 schemaKey, Func`2 retrieveEntities, Guid connectorId, IEnumerable`1 wellKnownEntities)
at Unify.Product.IdentityBroker.EntityRepositoryExtensions.ConvertConnectorEntities(IEnumerable`1 connectorEntities, IMultiKey`1 schemaKey, IKnownEntityContextBase`3 context, Guid connectorId, IEnumerable`1 wellKnownEntities)
at Unify.Product.IdentityBroker.EntityChangeDetector.ProcessConnectorChangedEntities(Guid connectorId, IEnumerable`1 connectorEntities, IEnumerable`1 wellKnownItems)
at Unify.Product.IdentityBroker.AdapterEntityChangeDetectorCollator.DetectChanges(KeyValuePair`2 connectorEntities)
at Unify.Framework.Visitor.<>c__DisplayClass0_0`1.b__0(T item, Int32 index)
at Unify.Framework.Visitor.Visit[T](IEnumerable`1 visitCollection, Action`2 visitor)
at Unify.Product.IdentityBroker.AdapterEntityChangeDetectorCollator.Run()
at Unify.Framework.AsynchronousJobExecutor.PerformJobCallback(Object state)",Normal

Could you please investigate and fix the update error, and also consider improving the behaviour when a connector's required field is missing in a SCIM update?

For the purposes of my demo next week I can make sure this 'bad data' doesn't occur, and so the only dependency for this is SIT/UAT meaning that it's a medium priority.

I have a SCIM gateway configured in UNIFYConnect and Azure is able to use it to Add users just fine, but when it attempts an update this error is shown:

There's nothing written into the UNIFYBroker log when this happens.

Could you please investigate and advise how to make updates work?

The strangest thing ever... For this adapter:

When I generate changes to update the DNs (used to be DN=@IdBID), I see DNs assigned with different segment orders like this:

The two digit CN is DepartmentID.  The date CN is StartDate.  The four digit CN is PositionID.  The three letter CN is LocationID.  The six digit CN is EmployeeID.

I tried clearing precalculated entities and re-running Generate Changes, but the same thing happens with the newly generated entities - the segments are always in the same (wrong) order for each entity.

This is happening in a non-Production environment, and the DN segment order for each entity appears to be persistent, so this is a very minor (but very strange) issue.

I have a customer where connector entity create fails (due to external issue on the customer side) for a number of entities during link sync, and for each one I end up with a Join showing on the Locker but no corresponding adapter entity.

For example, for a baseline sync I see:  Update entities 1690 to connector AD User reported 1690 entities saved, 3 failed

After this I look at locker joins:  Showing 1 to 10 of 1,693 entries

But adapter joins says: Showing 1 to 10 of 1,690 entries

This causes problems on the next baseline sync, because even though the locker is already joined (to a non-existant adapter entity) another attempt to create the adapter/connect is still made but then this error appears:

Unify.Product.Plus.JoinExecutorTargetEntityAlreadyJoinedException: Source entity '2ac4395a-2cb7-4f6e-9d80-e6a6a38994b7' value matched to target entity 'f70abdcf-4097-4d41-84a6-b0703308f16f', however this target entity is already connected to another source entity. 'fb9d3fea-9b4a-4708-a0e1-e730551ef030'. Cannot proceed with join.

I thought we worked through this and already had a patch for this issue, but I cannot work out which ticket it was in.

Could you please investigate and see what the situation around this is?

My customer's adapter has two entities for every every connector entity.  I am not aware of what might have caused this, other than the service outage that was resolved yesterday (unresponsive UI and no data was flowing through the system).

Could you please advise what caused there to be two adapter entities for each connector entity?

Hi, 

Monash Health  reported an issue with AD user creation. 

Following is the product installed, there have been no recent changes to the configuration.

UNIFYBroker v5.3.2 Revision #0

Plug-in Version Details
Plugin Key Version
Microsoft Active Directory 5.3.0.0
Chris21 Connector 5.3.0.0
Sync Changes 5.3.0.2
Plus Change Tracking 5.3.0.2
Connections 5.3.0.2
Links 5.3.0.2
Link Statistics 5.3.0.2
Lockers 5.3.0.2
Locker Statistics 5.3.0.2
Provisioning 5.3.0.2
Plus 5.3.0.2

Azure's SCIM implementation when creating a user who has a manager follows this approach:

1. Create the new SCIM user (without the manager reference)
2. Make sure the new user has been created
3. Update the new user's manager field

It seems the reason for this approach is because Azure wants to create all the users first, before it tries to add references to them via the manager field (which makes sense from a referential integrity perspective).

However, when using the UNIFYBroker SCIM gateway, step 2 is failing and Azure can't find the newly created user.  Azure first tries to get the new user object by ID, and then by username lookup, but neither works.  See the attached packet trace "SCIM User with manager creation.pcapng" for details.  The connector/adapter entity created has the same entity ID that was returned to Azure (9a9978e0-6179-42b5-8218-2173d7b6c0e5 in the packet trace) and the username field set correctly (adrian.corston@unifysolutions.net).

A later attempt by Azure to look up that entity by username (package trace "SCIM User lookup.pcapng") is successful (that lookup was followed by a PATCH which failed, but that is due to a different issue so please ignore that part of the trace).

SCIM User with manager creation.pcapng
SCIM User lookup.pcapng

This github ticket has information about the Azure SCIM pattern for setting manager: https://github.com/MicrosoftDocs/azure-docs/issues/11784 (comment from asmalser-msft)

Hi guys,

I am using the SCIM gateway in v5.3.2 and the department and manager attributes don't appear to work (i.e. the values sent by SCIM are not populated into the UNIFYBroker adapter fields).

Here's my configuration in Azure:

It seems possible that the problem might be related to the fact those two attributes are extension attributes and not part of the SCIM core user schema: https://datatracker.ietf.org/doc/html/rfc7643#section-4.1

As a separate request could you please add support for the givenName and familyName core user attributes?

I am setting up a SCIM gateway in UNIFYBroker, and it is returning a 401 (Unauthorized) error.

I have checked the Bearer token in the request header matches the Audience configuration in UNIFYBroker.

Do you have any suggestions what might be going wrong?

Obviously once this is working I will change the secret token shown above.

My customer has two adapters contributing data to the same locker field via two links.  I have set a priority sequence for the field, but when I run a Baseline sync on the link with the lower priority mapping the field in the locker is updated with the (wrong) value from that lower priority source. Running a Baseline Sync on the link with the higher priority mapping set the locker field back to the (right) value from the higher priority source.  The most recent Baseline sync to run always wins, regardless of the priority setting.