Identity Broker Forum


0
Fixed

Can't edit the FTP Agent timeout

Adrian Corston 5 years ago in CSV connector updated by Matthew Davis (Technical Product Manager) 4 years ago 3

When editing the FTP Agent timeout, the value entered is not saved and always resets back to 00:00:00.

v5.3.2 Revision #0

Answer

Patch for this one, should go in the /Services/ directory of Broker. Will be included in the next 5.3 rollup release.

Unify.IdentityBroker.Agent.Api.Shared.dll

0
Under review

Following error started appearing on google apps connector

Hayden Gray 5 years ago in UNIFYBroker/Google Apps updated by Matthew Davis (Technical Product Manager) 3 years ago 7

Hi All,

Noticed a ticket in voice with basically the same error as the one below. Adam noted an internal change made by Google as the cause of the error (https://voice.unifysolutions.net/communities/6/topics/2802-google-apps-group-import-error). Would you be able to take a look and see if this is the same scenario? This occurrence is likely for the same client as the ticket linked.

Change detection engine import all items failed.
Change detection engine import all items for connector Google STAFF: Groups Connector failed with reason One or more errors occurred.. Duration: 00:14:34.7327688
Error details:
System.AggregateException: One or more errors occurred. ---> System.Exception: A Google API exception was thrown for call GroupsSettings.Get with message "Google.Apis.Requests.RequestError
Invalid Value [400]
Errors [
Message[Invalid Value] Location[ - ] Reason[invalid] Domain[global]
]
". See inner exception for details. Processing continued: False. ---> Google.GoogleApiException: Google.Apis.Requests.RequestError
Invalid Value [400]
Errors [
Message[Invalid Value] Location[ - ] Reason[invalid] Domain[global]
]

at Google.Apis.Requests.ClientServiceRequest`1.Execute()
at Unify.Product.IdentityBroker.GoogleAgent.BackoffRetry[TResult](String logEvent, Boolean throwExceptions, Func`1 request, Action newClient, TResult& result, Int32 retries)
--- End of inner exception stack trace ---
at Unify.Product.IdentityBroker.GoogleAgent.<>c__DisplayClass69_3`1.b__1()
at Unify.Product.IdentityBroker.GoogleAgent.ThrowIfPrimaryCall(Boolean primaryCall, Action throwException)
at Unify.Product.IdentityBroker.GoogleAgent.BackoffRetry[TResult](String logEvent, Boolean throwExceptions, Func`1 request, Action newClient, TResult& result, Int32 retries)
at Unify.Product.IdentityBroker.GoogleAgent.<>c__DisplayClass83_0.b__2(Tuple`2 group)
at System.Threading.Tasks.Parallel.<>c__DisplayClass17_0`1.b__1()
at System.Threading.Tasks.Task.InnerInvokeWithArg(Task childTask)
at System.Threading.Tasks.Task.<>c__DisplayClass176_0.b__0(Object )
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken)
at System.Threading.Tasks.Parallel.ForWorker[TLocal](Int32 fromInclusive, Int32 toExclusive, ParallelOptions parallelOptions, Action`1 body, Action`2 bodyWithState, Func`4 bodyWithLocal, Func`1 localInit, Action`1 localFinally)
at System.Threading.Tasks.Parallel.ForEachWorker[TSource,TLocal](IEnumerable`1 source, ParallelOptions parallelOptions, Action`1 body, Action`2 bodyWithState, Action`3 bodyWithStateAndIndex, Func`4 bodyWithStateAndLocal, Func`5 bodyWithEverything, Func`1 localInit, Action`1 localFinally)
at System.Threading.Tasks.Parallel.ForEach[TSource](IEnumerable`1 source, ParallelOptions parallelOptions, Action`1 body)
at Unify.Product.IdentityBroker.GoogleAgent.ProcessedGroups(Func`1 getDirectoryService, Func`1 getGroupsSettingsService, ConcurrentBag`1 directoryServices, ConcurrentBag`1 groupsSettingsServices, GroupEntityAdapter groupAdapter, GroupSettingsEntityAdapter groupSettingAdapter, IGroupMembersEntityAdapter groupMembersAdapter, IEnumerable`1 groupsValue, Boolean manageGroupSettings, GroupMembersReadMethod groupMembersReadMethod, String[] groupNameSuffixWhitelistFilter)
at Unify.Product.IdentityBroker.GoogleAgent.d__57.MoveNext()
at System.Linq.Enumerable.d__17`2.MoveNext()
at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
at System.Linq.Buffer`1..ctor(IEnumerable`1 source)
at System.Linq.Enumerable.ToArray[TSource](IEnumerable`1 source)
at Unify.Product.IdentityBroker.AuditReadingConnectorDecorator.GetAllEntities(IStoredValueCollection storedValues, CancellationToken cancellationToken)
at Unify.Product.IdentityBroker.EventNotifierReadingConnectorDecoratorBase`1.GetAllEntities(IStoredValueCollection storedValues, CancellationToken cancellationToken)
at Unify.Product.IdentityBroker.ChangeDetectionImportAllJob.ImportAllChangeProcess()
at Unify.Product.IdentityBroker.ChangeDetectionImportAllJob.RunBase()
at Unify.Framework.DefinedScopeJobAuditTrailJobDecorator.Run()
at Unify.Product.IdentityBroker.ConnectorJobExecutor.<>c__DisplayClass30_0.b__0()
at Unify.Framework.AsynchronousJobExecutor.PerformJobCallback(Object state)
---> (Inner Exception #0) System.Exception: A Google API exception was thrown for call GroupsSettings.Get with message "Google.Apis.Requests.RequestError
Invalid Value [400]
Errors [
Message[Invalid Value] Location[ - ] Reason[invalid] Domain[global]
]
". See inner exception for details. Processing continued: False. ---> Google.GoogleApiException: Google.Apis.Requests.RequestError
Invalid Value [400]
Errors [
Message[Invalid Value] Location[ - ] Reason[invalid] Domain[global]
]

at Google.Apis.Requests.ClientServiceRequest`1.Execute()
at Unify.Product.IdentityBroker.GoogleAgent.BackoffRetry[TResult](String logEvent, Boolean throwExceptions, Func`1 request, Action newClient, TResult& result, Int32 retries)
--- End of inner exception stack trace ---
at Unify.Product.IdentityBroker.GoogleAgent.<>c__DisplayClass69_3`1.b__1()
at Unify.Product.IdentityBroker.GoogleAgent.ThrowIfPrimaryCall(Boolean primaryCall, Action throwException)
at Unify.Product.IdentityBroker.GoogleAgent.BackoffRetry[TResult](String logEvent, Boolean throwExceptions, Func`1 request, Action newClient, TResult& result, Int32 retries)
at Unify.Product.IdentityBroker.GoogleAgent.<>c__DisplayClass83_0.b__2(Tuple`2 group)
at System.Threading.Tasks.Parallel.<>c__DisplayClass17_0`1.b__1()
at System.Threading.Tasks.Task.InnerInvokeWithArg(Task childTask)
at System.Threading.Tasks.Task.<>c__DisplayClass176_0.b__0(Object )<---

UNIFYBroker Version: v5.3.1 Revision #4

Google Connector Version: v5.3.2.0

Let me know if you need any further information.

Thank you

0
Fixed

Aurion agent proxy settings don't appear to be working

Richard Green 5 years ago in UNIFYBroker/Aurion updated by Matthew Davis (Technical Product Manager) 4 years ago 6

Hi Gents,

Raising this ticket out of a support request from DIIS (Industry). They are looking to transition to a cloud hosted instance of Aurion, and to use a proxy server to provide a bridge between the 2.

However it appears the proxy settings for the Aurion agent are being ignored in communications.

They are on:

  • Identity Broker Service v5.2.1.0
  • Identity Broker for Aurion v5.2.0.1

They have provided the following (sanitised) agent configuration:

<?xml version="1.0" encoding="utf-8"?>
<agentengine>
  <agents>
    <agent name="Aurion" id="9cd4a7d7-2852-40d5-afc4-089102472dc7" type="Unify.Agent.Aurion" description="{COMMENTS REMOVED}">
      <extended>
        <communicator credentialsoptions="None" uri="https://api.aurion.cloud/{instance_name_removed}/production/servlet/services/ev397_aurion_ws?wsdl" ignorecertificateerrorslevel="Default" preauthenticate="false" usedefaulttimeout="false" timeout="PT55M" proxyoptions="Custom" proxyuri="http://{ PROXYIP}:8080/" proxycredentialsoptions="Default">
        </communicator>
      </extended>
    </agent>
  </agents>
</agentengine>


I've spoken with Matt, and apparently there is a known issue with version 5.2 and a fix which addresses this issue. (Not currently available on Voice).

Answer

Closing due to no response. If the patch hasn't fixed the issue, please feel free to re-open the ticket. 

0
Answered

Initiating actions in UNIFYBroker/Plus on attribute value change

I am building a customer solution that requires an email to be sent to a user's manager when that user's attribute changes to a particular value (i.e. employeeState from "pending" to "active").

How can I implement this in UNIFYBroker/Plus?  This is functionality that is likely to be generally necessary, as customers often have a requirement to initiate a once-off event/action in response to a user's changed circumstances.

0
Fixed

User creation via SCIM gateway is successful but UNIFYBroker logs a SCIM operation error

Adrian Corston 5 years ago updated by Matthew Davis (Technical Product Manager) 4 years ago 7

Even though a SCIM connection from Azure UNIFYBroker successfully created a new user in AD, it also logged an error.

Log and config attached.

create-success.pcapng

Extensibility.zip

UnifyLog20200212.zip


Answer

Closed due to no response. If the patch has caused issues or not resolved the root issue, please feel free to re-open the ticket.

0
Fixed

Issues with SCIM gateway

Beau Harrison (Senior Product Software Engineer) 5 years ago updated 5 years ago 21
  • Authenticating
    • What credentials?
    • Purpose of "Secret Token" in Azure portal
  • Querying (used for test connection)
    • Null reference exception
  • HTTPS
    • Bad request returned from TLS1.2 Client Hello

0
Answered

Can't find any entities in a pre-provisioning outbound task during Baseline Sync for brand new entities in the Locker

I have a locker with a number of new entities that I am trying to provision to an adapter via a link.  The underlying connector (AD, "group" object type) requires certain entity data attributes to be set that aren't available in the Locker, so I am trying to use an Outgoing Pre-Provisioning Task to set those attributes.  However, I cannot see any entities in the Pre-Provisioning Task.

I followed these instructions:

Image 5560

Here is my synchronously executed outgoing pre-provisioning task:

$ProvisioningOU = "OU=Azure Entitlements Demo,DC=adrian,DC=unifysolutions,DC=net"
$Logger.LogInformation("***** Pre-Provision to '$ProvisioningOU' *****")

foreach ($entity in $sourceEntities) {
    $Logger.LogInformation("***** Pre-Provision sourceEntity *****")
}

foreach ($entity in $targetEntities) {
    $Logger.LogInformation("***** Pre-Provision targetEntity *****")
    $cn = $entity.SourceEntity["displayName"]
    $dn = "CN=$cn,$ProvisioningOU"
    $entity["ActiveDirectoryGroupDn"] = $dn
    $Logger.LogInformation("Provision '$cn' to $dn")
}

foreach ($entity in $joinedEntities) {
    $Logger.LogInformation("***** Pre-Provision joinedEntity *****")
}

$Logger.LogInformation("***** Pre-Provision Done *****")

Here is what I see in the error log (set to Diagnostic):

Image 5561

There do not appear to be any entities being passed to the Task.  The 5 entities not currently provisioned are marked as Incomplete (the other entity is pre-existing in the target connector/adapter).

In the Pre-Provisioning Task, how can I access the entities that are to be provisioned?

0
Thanks

Fantastic job with the REST API!

Bob Bradley 5 years ago updated by Matthew Davis (Technical Product Manager) 5 years ago 3

Blown away with how easy this is to work with - just needed a little push in the right direction and it worked a treat with minimal effort.  Endless possibilities here - particularly with scripted deployment!

Thanks guys!

Answer

Hey Bob,

Thanks for the great feedback! There are some nuances with the client generation, if you change the address to localhost you will have more luck. Otherwise, you can use an external tool (such as NSwagStudio) to achieve the same outcome.

0
Answered

PowerShell transformation recalculation

Rizwan Ahmed 5 years ago updated by Matthew Davis (Technical Product Manager) 2 years ago 6

We have staff details sourced from an Oracle table; example fields are EmployeeNumber, StartDate and LastUpdated. The requirement is to activate the staff account seven days before the start date. We calculate the AccountStatus in a PowerShell transformation, i.e. Active or Inactive based on the StartDate. UNIFYBroker is configured to run a full import every hour.

For example, a new staff member is added into the source system on 20-Dec-2019; and after 20-Dec-2019 the record is not updated in the source system, below is the state. 

 

Staff Connector:

  • EmployeeNumber = 123456
  • StartDate = 2-Jan-2020
  • LastUpdated = 20-Dec-2019

Staff Adapter:

  • EmployeeNumber = 123456
  • StartDate = 2-Jan-2020
  • LastUpdated = 20-Dec-2019
  • AccountStatus = Inactive

As per the requirement staff should be enabled on 27-Dec-2019. On 2-Jan-2020 following was the state.

 
 

Staff Connector:

  • EmployeeNumber = 123456
  • StartDate = 2-Jan-2020
  • LastUpdated = 20-Dec-2019

Staff Adapter:

  • EmployeeNumber = 123456
  • StartDate = 2-Jan-2020
  • LastUpdated = 20-Dec-2019
  • AccountStatus = Inactive

However, when we execute Advanced Operations --> Generate Changes manually AccountStatus was updated to ‘Active’.

It appears that if there is no change to the connector entity the adapter’s PowerShell transformation is not recalculated even on connector's full import. 

Is there a workaround?

Answer

PowerShell transformations now have the ability to register fields with change detection in the latest 5.3 release.

Information on the capability is available on this ticket; documentation will be updated in the future to include proper usage of this capability:

https://unifyvoice.userecho.com/communities/6/topics/4238-time-offset-flag-didnt-re-evaluate-when-date-threshold-was-passed
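
The behaviour described in this thread, modelled as an added example (not UNIFYBroker code and not its transformation API): a derived AccountStatus depends on the clock as well as on StartDate, so change detection that reacts only to source-row changes never recomputes it, while storing the time at which the value is due to flip does. Get-AccountStatus, Get-NextEvaluation, the adapter hashtable and the evaluation dates are hypothetical; the sample row is constructed from the values in the post.

```powershell
# Added illustration; all function names and the record shape are hypothetical.
$LeadDays = 7   # activate this many days before StartDate (from the post)

function Get-AccountStatus {
    param([datetime]$StartDate, [datetime]$Now)
    # Derived value: depends on the source field AND the current time.
    if ($Now -ge $StartDate.AddDays(-$LeadDays)) { 'Active' } else { 'Inactive' }
}

function Get-NextEvaluation {
    param([datetime]$StartDate, [datetime]$Now)
    # When the derived value will flip, or $null if it already has.
    $threshold = $StartDate.AddDays(-$LeadDays)
    if ($Now -lt $threshold) { $threshold } else { $null }
}

# Constructed sample row using the values from the post.
$row = [pscustomobject]@{
    EmployeeNumber = '123456'
    StartDate      = [datetime]'2020-01-02'
    LastUpdated    = [datetime]'2019-12-20'
}

# Adapter state as first calculated when the row arrived on 20-Dec-2019.
$firstSeen = [datetime]'2019-12-20'
$adapter = @{
    SourceStamp   = $row.LastUpdated
    AccountStatus = Get-AccountStatus $row.StartDate $firstSeen
    DueAt         = Get-NextEvaluation $row.StartDate $firstSeen
}

foreach ($now in [datetime[]]@('2019-12-21', '2020-01-02')) {
    # Source-only detection: recompute only when the row itself changed.
    $sourceChanged = $row.LastUpdated -ne $adapter.SourceStamp
    # Time-aware detection: also recompute once the stored due time has passed.
    $due = ($null -ne $adapter.DueAt) -and ($now -ge $adapter.DueAt)

    $sourceOnly = if ($sourceChanged) { Get-AccountStatus $row.StartDate $now } else { $adapter.AccountStatus }
    $timeAware  = if ($sourceChanged -or $due) { Get-AccountStatus $row.StartDate $now } else { $adapter.AccountStatus }

    '{0:dd-MMM-yyyy}  source-only={1,-8}  time-aware={2}' -f $now, $sourceOnly, $timeAware
}
```

On the 2-Jan-2020 pass the source-only column still reports Inactive, matching the state in the post, while the time-aware column reports Active.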

0
Answered

LdapOperationException: Found multiple entities with the distinguished name

Hi, 

Unify.IdentityBroker.FIMAdapter.dll is generating an error during a Delta import, but works fine with a Full Import:

The extensible extension returned an unsupported error.
The stack trace is:

"Unify.Product.IdentityBroker.LdapOperationException: Found multiple entities with the distinguished name 'CN=00******,OU=Staff,DC=IdentityBroker'.
at Unify.Product.IdentityBroker.LdapConnection.SendRequest(ILdapRequest request)
at Unify.Product.IdentityBroker.LdapConnectionProxy.d__8.MoveNext()
at Unify.Product.IdentityBroker.ImportProxy.d__30.MoveNext()
at System.Linq.Enumerable.d__17`2.MoveNext()
at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
at System.Linq.Enumerable.d__17`2.MoveNext()
at Unify.Product.IdentityBroker.ExtensionMethods.Take[TSource](IEnumerator`1 source, Int32 count, IList`1& items)
at Unify.Product.IdentityBroker.ExtensionMethods.d__3`1.MoveNext()
at Unify.Product.IdentityBroker.ImportProxy.Import(GetImportEntriesRunStep importRunStep)
at Unify.Product.IdentityBroker.UnifyLdapConnector.GetImportEntries(GetImportEntriesRunStep importRunStep)
Forefront Identity Manager 4.4.1749.0"

Each time the error occurs, it is a different user.

I have checked in the UnifyBroker connector and adapter, there is only one entry for this user. I checked in ADSI, only one record as well.

There are 3 connectors plugged into UNIFYBroker; all connectors have already had this issue in the past.

The database is on a loadbalanced cluster.

Do you have any idea why this error occurs?

UNIFYBroker v.5.3.1 RC2

Unify.IdentityBroker.FIMAdapter.dll v5.3.0

Answer

Hi Anthony

This is a known issue with this release of Broker, not the MA. I recommend upgrading to the latest release, Broker v5.3.2 RTM, which contains the fix for this issue.