Identity Manager 9.2 and SCIM-connector

Hi guys!

Just a heads-up, but I think the SCIM connector in 9.2 is broken.

After upgrading, three DPR_Shell_Migrate processes got frozen (we have three SCIM target systems). When I tried to open the connectors in the sync editor and pasted the Base64 secret, it took a while and then timed out. The only way to get it to connect was to edit the connection and enter the client ID and client secret (non-Base64), but the edits weren't saved, so after I closed the editor, opened it again and tried to go into the SCIM sync, it asked me for the Base64 secret and then just timed out.

/Henrik

  • What are the error messages from the frozen jobs? 

  • [1777292] Error connecting system (SCIM)!
    [1777223] DistributionConnector: Error connecting the system.
    Could not establish a connection to SCIM provider.

    And from the target system:
    The remote server returned an error: (400) Bad Request."
    Method:"Authenticate" Number:"2550120" Message:"Error returned: {"error":"invalid_client"}"

  • Hi Henrik,

    The client ID is not correct.
    Your original description is the shell migration did not run.
    2 possibilities:
    1.) the SCIM - Connectionstring has not been converted (depending on where you have migrated from)
    2.) the Shell - Migration wanted to apply a patch and the SCIM connect did not work.

    In any case something is missing. SCIM connector is sending the client ID now not only in the header as a base64 encoded string but also in plain text in the body of the authentication request.

    The client should just run the connection wizard completely and enter client ID and client secret in the fields provided, the wizard will then make the Base64 encoded string itself. It is important that both the Base64 encoded string and the two components client secret / client ID are stored in plain text. The wizard is also able to extract the parts from the pre-encoded Base64 string, you will see them in the corresponding fields. As long as this is not the case, something is missing.

    Regards,

       Tino

  • Like I said in my post, the only way to make a successful connection is to enter client_secret and client_id. Then I can browse the target system, but if I close the project and open it up again I can only enter client_secret in Base64 and then it times out. If I then edit the connection, only client_secret (Base64) has any value; client_secret is blank.

    Hope that helps.

  • Where can I find information about the connection in the database?

  • Hi Henrik,

    The connections you can find using the SQL statement "select DisplayName, ConnectionParameter from DPRSystemConnection". You will probably see that the parameters in the connection string are replaced by variable names (i.e. "... dprauthoauthclientsecret[S,V]=dprauthoauthclientsecret;...").

    So have a look at the variable "dproauthclientsecret" in your sync project. This variable should have the Base64-coded value of <client ID> ":" <client secret>. You may edit the value there.

    Regards,

      Tino

  • I found the error. One part was my fault and the other is a minor fault by the developers. Client Authorization is supposed to be a base64-encoded string comprised of id AND secret with a colon between them. When I did that, the system as you rightly wrote "converted" that into client_id and client_secret in the connection.

    The minor fault remaining is that when you open the project and try to access the target system it asks for a "password". The label says "Client secret (Base64)" when it really should say "Client Authorization (Base64)" because the project wants both the id and secret in one string, not just the secret.
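    The thread's resolution comes down to one encoding rule: the stored "Base64 secret" must be Base64 of `<client ID>:<client secret>`, not of the secret alone, and the wizard splits it back into its two components. The following Python helpers are an added illustration of that rule, not code from One Identity or from anyone in this thread. They encode and decode the combined string, flag the exact mistake Henrik hit (a value that decodes to something without a colon), and assemble the authentication request the way Tino describes it (Base64 string in the header, client ID in plain text in the body). The `grant_type` value and the `client_secret` body field are assumptions for illustration; the thread only states that the client ID is sent in the body.

```python
import base64
import binascii

def encode_client_authorization(client_id: str, client_secret: str) -> str:
    """Build the Base64 value the sync project expects: Base64("<client ID>:<client secret>")."""
    if ":" in client_id:
        # The colon is the separator, so it cannot appear in the ID (it may appear in the secret).
        raise ValueError("client ID must not contain ':'")
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def decode_client_authorization(value: str) -> tuple[str, str]:
    """Split a stored Base64 value back into (client ID, client secret), as the wizard does."""
    try:
        raw = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("value is not valid Base64 text") from exc
    if ":" not in raw:
        # This is the failure mode from the thread: Base64 of the secret alone.
        raise ValueError("decoded value has no ':'; expected '<client ID>:<client secret>', not the secret alone")
    client_id, client_secret = raw.split(":", 1)  # split once: the secret itself may contain ':'
    if not client_id or not client_secret:
        raise ValueError("client ID and client secret must both be non-empty")
    return client_id, client_secret

def check_connection_secret(value: str) -> dict:
    """Diagnose a value pulled from the dproauthclientsecret variable without printing the secret."""
    try:
        client_id, client_secret = decode_client_authorization(value)
    except ValueError as exc:
        return {"ok": False, "reason": str(exc)}
    return {"ok": True, "client_id": client_id, "client_secret_length": len(client_secret)}

def build_token_request(client_id: str, client_secret: str) -> dict:
    """Assemble the authentication request as described in the thread.

    The Base64 string goes in the Authorization header; the client ID is repeated in plain
    text in the body. grant_type and the client_secret body field are assumed here.
    """
    return {
        "headers": {
            "Authorization": "Basic " + encode_client_authorization(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": {
            "grant_type": "client_credentials",  # assumption
            "client_id": client_id,
            "client_secret": client_secret,      # assumption
        },
    }

if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    good = encode_client_authorization("my-client", "s3cret")
    print(check_connection_secret(good))
    # Base64 of the secret alone reproduces the invalid_client situation from the thread.
    print(check_connection_secret(base64.b64encode(b"s3cret").decode("ascii")))
```

    Running `check_connection_secret` against the value stored in the `dproauthclientsecret` variable tells you in one step whether the project holds the combined string or just the secret, which is the distinction the "Client secret (Base64)" label hides. One caveat: RFC 6749 section 2.3.1 form-URL-encodes the client ID and secret before Base64-encoding them for HTTP Basic authentication; the thread describes the plain `id:secret` form, so that is what these helpers implement, and a secret containing characters such as `%` or `+` may need the extra encoding step depending on the provider.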
