Export to Identity Broker (Google Apps) failing
Export to Identity Broker (Google Apps) failing with an error reported in MIM which stops all remaining exports. There is no error in reported in the Identity Broker logs and the change is made successfully in Google.
Problem may have been introduced with RC 5.0.5. Changes were made successfully prior to Identity Broker upgrade.
MIM Error
System.Exception: A Google API exception was thrown for call Users.MakeAdmin with message "Google.Apis.Requests.RequestErrorNot Authorized to access this resource/api [403] Errors [ Message[Not Authorized to access this resource/api] Location[ - ] Reason[forbidden] Domain[global] ] ". See inner exception for details. Processing continued: False. ---> Google.GoogleApiException: Google.Apis.Requests.RequestError Not Authorized to access this resource/api [403] Errors [ Message[Not Authorized to access this resource/api] Location[ - ] Reason[forbidden] Domain[global] ] at Google.Apis.Requests.ClientServiceRequest`1.Execute() at Unify.Product.IdentityBroker.GoogleAgent.BackoffRetry[TResult](String logEvent, Boolean throwExceptions, Func`1 request, Action newClient, TResult& result, Int32 retries) --- End of inner exception stack trace --- at Unify.Product.IdentityBroker.GoogleAgent.<>c__DisplayClass111`1.<BackoffRetry>b__109() at Unify.Product.IdentityBroker.GoogleAgent.ThrowIfPrimaryCall(Boolean primaryCall, Action throwException) at Unify.Product.IdentityBroker.GoogleAgent.BackoffRetry[TResult](String logEvent, Boolean throwExceptions, Func`1 request, Action newClient, TResult& result, Int32 retries) at Unify.Product.IdentityBroker.GoogleAgent.MakeUserAdmin(DirectoryService directoryService, IEntitySchema schema, User user, IConnectorEntity entity, Boolean throwExceptions) at Unify.Product.IdentityBroker.GoogleAgent.<>c__DisplayClassc1.<UserUpdate>b__be(IConnectorEntity loopEntity)
Answer
The export fails because there is a difference between the isAdmin value and what was returned by Google for the existing user values. Parts of the export work because the MakeAdmin call is separate from the other calls. Try removing the isAdmin field from the schema, or add the required scope to the service account.
If you'd like tTo confirm this, capture the web requests made to Google (i.e. the retrieval of the existing user account) and compare with the pending export from MIM. The MakeAdmin call should contain a value that reflects the updated value.
Removed isAdmin and isDelegatedAdmin from the schema as they are not required, exports now work successfully.
Customer support service by UserEcho
The export fails because there is a difference between the isAdmin value and what was returned by Google for the existing user values. Parts of the export work because the MakeAdmin call is separate from the other calls. Try removing the isAdmin field from the schema, or add the required scope to the service account.