Not a bug

Export to Identity Broker (Google Apps) failing

Boyd Bostock 3 years ago in UNIFYBroker/Microsoft Identity Manager updated by anonymous 3 years ago 5

Export to Identity Broker (Google Apps) failing with an error reported in MIM which stops all remaining exports. There is no error reported in the Identity Broker logs and the change is made successfully in Google.

Problem may have been introduced with RC 5.0.5. Changes were made successfully prior to Identity Broker upgrade.

MIM Error

System.Exception: A Google API exception was thrown for call Users.MakeAdmin with message "Google.Apis.Requests.RequestErrorNot Authorized to access this resource/api [403]
Errors [
Message[Not Authorized to access this resource/api] Location[ - ] Reason[forbidden] Domain[global]
]
". See inner exception for details. Processing continued: False. ---> Google.GoogleApiException: Google.Apis.Requests.RequestError
Not Authorized to access this resource/api [403]
Errors [
Message[Not Authorized to access this resource/api] Location[ - ] Reason[forbidden] Domain[global]
]


at Google.Apis.Requests.ClientServiceRequest`1.Execute()
at Unify.Product.IdentityBroker.GoogleAgent.BackoffRetry[TResult](String logEvent, Boolean throwExceptions, Func`1 request, Action newClient, TResult& result, Int32 retries)
--- End of inner exception stack trace ---
at Unify.Product.IdentityBroker.GoogleAgent.<>c__DisplayClass111`1.<BackoffRetry>b__109()
at Unify.Product.IdentityBroker.GoogleAgent.ThrowIfPrimaryCall(Boolean primaryCall, Action throwException)
at Unify.Product.IdentityBroker.GoogleAgent.BackoffRetry[TResult](String logEvent, Boolean throwExceptions, Func`1 request, Action newClient, TResult& result, Int32 retries)
at Unify.Product.IdentityBroker.GoogleAgent.MakeUserAdmin(DirectoryService directoryService, IEntitySchema schema, User user, IConnectorEntity entity, Boolean throwExceptions)
at Unify.Product.IdentityBroker.GoogleAgent.<>c__DisplayClassc1.<UserUpdate>b__be(IConnectorEntity loopEntity)



Answer
Under review

The export fails because there is a difference between the isAdmin value and what was returned by Google for the existing user values. Parts of the export work because the MakeAdmin call is separate from the other calls. Try removing the isAdmin field from the schema, or add the required scope to the service account.

If you'd like to confirm this, capture the web requests made to Google (i.e. the retrieval of the existing user account) and compare with the pending export from MIM. The MakeAdmin call should contain a value that reflects the updated value.

Removed isAdmin and isDelegatedAdmin from the schema as they are not required, exports now work successfully.
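
Added example (not part of the original thread and not UNIFYBroker code): a small triage helper that parses the MIM error text quoted above and separates an authorization failure, which retrying will not fix, from a rate-limit failure. The function names are hypothetical, the sample is the thread's error abridged, and the two rate-limit reason strings are Google API values assumed here, not taken from this page.

```python
import re

# Constructed sample: the MIM export error quoted in this thread, abridged.
SAMPLE = '''System.Exception: A Google API exception was thrown for call Users.MakeAdmin with message "Google.Apis.Requests.RequestErrorNot Authorized to access this resource/api [403]
Errors [
Message[Not Authorized to access this resource/api] Location[ - ] Reason[forbidden] Domain[global]
]
". See inner exception for details. Processing continued: False.
'''

CALL_RE = re.compile(r"exception was thrown for call (?P<call>[\w.]+)")
STATUS_RE = re.compile(r"\[(?P<status>\d{3})\]")
DETAIL_RE = re.compile(r"Reason\[(?P<reason>[^\]]*)\]\s+Domain\[(?P<domain>[^\]]*)\]")
CONTINUED_RE = re.compile(r"Processing continued: (?P<cont>True|False)")

# Assumption: Google reports throttling as 403 with these reasons.
RATE_LIMIT_REASONS = {"rateLimitExceeded", "userRateLimitExceeded"}


def parse_export_error(text):
    """Extract the failing API call, HTTP status and reason from the error text."""
    call = CALL_RE.search(text)
    status = STATUS_RE.search(text)
    detail = DETAIL_RE.search(text)
    cont = CONTINUED_RE.search(text)
    return {
        "call": call.group("call") if call else None,
        "status": int(status.group("status")) if status else None,
        "reason": detail.group("reason") if detail else None,
        "domain": detail.group("domain") if detail else None,
        "processing_continued": (cont.group("cont") == "True") if cont else None,
    }


def classify(err):
    """'transient' errors may clear on retry; 'authorization' errors need a
    scope/privilege change or removal of the attribute from the schema."""
    if err["reason"] in RATE_LIMIT_REASONS or err["status"] in (429, 500, 503):
        return "transient"
    if err["status"] in (401, 403):
        return "authorization"
    return "other"


if __name__ == "__main__":
    parsed = parse_export_error(SAMPLE)
    print(parsed, classify(parsed))
```
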