Dear everybody

We're trying to provision users to a cloud application and i am
experiencing a strange behaviour. The Shim does not pick up the
information in the operation data, at least not all of it.
Within this solution we first need to send an authentication message
(GET) to one URL. After requiring the AccessToken, the actual
provisioning is send to another URL with the AccessToken.
When i use the driver configuration variables for the subscriber channel
it works, but that will only work for 1 URL.
It is an IDM 401 setup and there are no issues with communication,
networks firewalls etc.

So, first part to show what goes wrong :
The driver submits the following to the shim :

[09/26/14 17:26:38.698]:Concur ST: Submitting document to subscriber
shim:
[09/26/14 17:26:38.699]:Concur ST:
<nds dtdversion="4.0" ndsversion="8.x">
<input>
<modify class-name="User" event-id="0"
qualified-src-dn="O=ACME\CN=xxxxxxxxxxxx"
src-dn="\ACME_IAM4_ACC\ACME\CN=xxxxxxxxxxxx">
<modify-attr attr-name="OATHNToken">
<add-value>
<value type="string">xxxxxxxxxxxx</value>
</add-value>
</modify-attr>
</modify>
<operation-data event-id="1" method="GET">
<request-headers remove-existing="true">
<request-header name="Authorization">Basic
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</request-header>
<request-header
name="X-ConsumerKey">xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</request-header>
</request-headers>
</operation-data>
</input>
</nds>


The mod event is fake because the driver will not send empties (although
the configuration is set to do so).
The cloud application seems not mind anyway and ignores the event given
the response.

The response is :


[09/26/14 17:26:38.701]:Concur ST: Concur: Value of Boolean flag
'remove-existing' is : false
[09/26/14 17:26:38.701]:Concur ST: Concur:
HTTPSubscriberTransport.send()
[09/26/14 17:26:38.701]:Concur ST: Concur: Preparing HTTP GET
connection to http://tinyurl.com/lblal8u
[09/26/14 17:26:38.701]:Concur ST: Concur: Setting up SSL
connection..........
[09/26/14 17:26:38.702]:Concur ST: Concur: Setting the following HTTP
request properties:
[09/26/14 17:26:38.856]:Concur ST: Concur: IOExecption : Server
returned HTTP response code: 400 for URL: http://tinyurl.com/pr3ta5n
[09/26/14 17:26:38.857]:Concur ST: Concur: Response code and message:
400 Bad Request
[09/26/14 17:26:38.857]:Concur ST: SubscriptionShim.execute()
returned:
[09/26/14 17:26:38.857]:Concur ST:
<nds dtdversion="2.0">
<source>
<product build="20120601_162440" instance="xxxxxxxxxxxx"
version="3.5.7">Identity Manager Driver for SOAP</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<Error>
<Message>You must provide your consumer key in an X-ConsumerKey
header.</Message>
</Error>
</output>
<operation-data event-id="1" method="GET">
<request-headers remove-existing="false">
<request-header name="Authorization">Basic
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</request-header>
<request-header
name="X-ConsumerKey">xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</request-header>
</request-headers>
</operation-data>
</nds>

As you van see, *it DOES pick up the method="GET"*, so that part works.

Authorization header is set to "ignore" in de driver config, so it
should pick up the one in the operation data.
When we configure the Authorization and the X-ConsumerKey in the driver
configuration it does work nicely.
We tried to move the operation data inside the operation but that does
not work either.

The most significant part is the the trace shows : *Value of boolean
flag 'remove-existing' is : false, which it should not.*

So, i moved everything to the driver configuration and move towards the
actual provisioning.
The event submitted to the shim is :


[09/26/14 17:26:38.879]:Concur ST:Submitting document to subscriber
shim:
[09/26/14 17:26:38.879]:Concur ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.0.2.0">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<batch xmlns="http://www.concursolutions.com/api/user/2011/02">
<UserProfile>
<FirstName>xxxxxxx</FirstName>
<OrgUnit1>xxxxxxx</OrgUnit1>
<OrgUnit3>xxxxxxx</OrgUnit3>
<OrgUnit2>xxxxxxx</OrgUnit2>
<OrgUnit5>xxxxxxx</OrgUnit5>
<ACMEIdentityStatus>Active</ACMEIdentityStatus>
<ACMEIdentityType>Personal</ACMEIdentityType>
<OrgUnit4>xxxxxxx</OrgUnit4>
<ACMEPersonType>Employee</ACMEPersonType>
<LastName>xxxxxxx</LastName>
<FeedRecordNumber>1</FeedRecordNumber>
<LedgerKey>DEFAULT</LedgerKey>
<ExpenseUser>Y</ExpenseUser>
<TripUser>Y</TripUser>
<InvoiceUser>Y</InvoiceUser>
<Password>xxxxxxx</Password>
<LocaleName>en_US</LocaleName>
<CtryCode>FR</CtryCode>
<CtrySubCode>Europe/Paris</CtrySubCode>

<SKIP/>

<CrnKey>EUR</CrnKey>
<Custom21>FR</Custom21>
<LedgerKey>DEFAULT</LedgerKey>
<ExpenseUser>Y</ExpenseUser>
<TripUser>Y</TripUser>
<InvoiceUser>Y</InvoiceUser>
<ExpenseApprover>N</ExpenseApprover>
<InvoiceApprover>N</InvoiceApprover>
</UserProfile>
</batch>
<operation-data
url="https://xxxxxxx.xxxxxxx.com:8443/api/user/v1.0/Users">
<request-headers remove-existing="true">
<request-header name="Authorization">OAuth
xxxxxxxxxxxxxxxxxxxxx</request-header>"
<request-header
name="Content-Type">application/xml</request-header>
</request-headers>
</operation-data>
</input>
</nds>

The response is :



[09/26/14 17:26:38.884]:Concur ST:Concur: Value of boolean flag
'remove-existing' is : false
[09/26/14 17:26:38.885]:Concur ST:Concur:
HTTPSubscriberTransport.send()
[09/26/14 17:26:38.885]:Concur ST:Concur: Preparing HTTP *POST*
connection to https://xxxxxxx.xxxxxxx.xxxxxxx:8443...ser/v1.0/Users
[09/26/14 17:26:38.885]:Concur ST:Concur: Setting up SSL
connection..........
[09/26/14 17:26:38.886]:Concur ST:Concur: Setting the following HTTP
request properties:
[09/26/14 17:26:38.990]:Concur ST:Concur: Did HTTP POST with 1059 bytes
of data to https://xxxxxxx.xxxxxxx.com:8443/api/user/v1.0/Users
[09/26/14 17:26:39.065]:Concur ST:Concur: IOExecption : Server returned
HTTP response code: 400 for URL:
https://xxxxxxx.xxxxxxx.com:8443/api/user/v1.0/Users
[09/26/14 17:26:39.066]:Concur ST:Concur: Response code and message: 400
Bad Request
[09/26/14 17:26:39.066]:Concur ST:SubscriptionShim.execute() returned:
[09/26/14 17:26:39.066]:Concur ST:

Regardless the validity of the actual message (which is REST btw) :

THE OPERATION-DATA
URL=\"HTTPS://XXXXXXX.XXXXXXX.COM:8443/API/USER/V1.0/USERS IS BEING
PICKED UP BY THE SHIM[/B] (LOOK AT THE PATH PART)
BUT AGAIN : [B]VALUE OF BOOLEAN FLAG 'REMOVE-EXISTING' IS : FALSE, WHICH
IT SHOULDN'T.
And the request-header name="Authorization" is not used by the shim
resulting in a 400 Bad Request

We tried to move the operation-data around in the XML (inside the
operation) but that doesn't work either.
We cannot use the "multiple" connection in the driver configuration for
the Authorization header is dynamic based on the acquired token.


My big questions :
1) Why does the driver state "Value of Boolean flag 'remove-existing' is
: false" when it should not.
2) What am i doing wrong , or is this a bug.

I can't find any similar on the forum or within the TID's

I hope anyone can help me out here.


Thanks very much in advance !!!

David


--
dvandermaas
------------------------------------------------------------------------
dvandermaas's Profile: https://forums.netiq.com/member.php?userid=1956
View this thread: https://forums.netiq.com/showthread.php?t=51850