
IDM Workflow fulfillment - no workflows for external provisioning


Hello!

I have the following integrated environment:

  • SLES Server: One Box IDM (eDirectory, Engine, IDMApps, OSP, SSPR)
  • Windows Server: Identity Governance

SSO between both apps is working perfectly, and everything looks good from an authentication point of view.

However, I’m unable to configure external workflow-fulfilment from IG. I’ve followed every single step of the official documentation and forums, but IG is unable to detect IDM Workflows.

[Screenshot: IG-noWfs.png]

The error message is “Connection Successful. There are no workflows for external provisioning in Identity Manager. To enable fulfilment via Identity Manager workflow, create an external workflow with ‘appId’ and ‘changesetID’ inputs on the request.”

IG provides a sample workflow (with its GCVs), so I deployed it as it is, but I’m unable to view it from IG.

I’ve also done the following:

  • Imported certificates from eDir/IDMApps/IG into eDir/IDMApps/IG keystores. (I don’t think this is the issue, because the error would be something related to certificates).
  • Added uaadmin.sa.data & admin.sa.system as trustees for the “sample” workflow.
  • Disabled firewall in both servers.
  • Restarted tomcat/servers.
  • Created a new WF from scratch, just with ‘appId’ and ‘changesetID’ as parameters.
  • Checked configutil.bat (IG) and configupdate.sh (IDM) parameters.

But the result has been the same: “There are no workflows for external provisioning in Identity Manager”.

 

  • Am I missing any step/configuration?
  • How does IG get IDM workflows? Does it use LDAP, REST, SOAP, or another method?

 

Thanks in advance.


Accepted Solutions

Re: IDM Workflow fulfillment - no workflows for external provisioning


Thank you all for the tips.

I was finally able to tackle down all the necessary steps to call an IDM WF from IG.

 

Identity Manager

  • From Designer, deploy the Fulfillment Sample WF "IAG Fulfillment Sample" and GCVs (IG > Fulfillment > Configuration > Identity Manager Workflow (system) > Fulfillment Samples). Add uaadmin.sa.data as trustee.
  • From iManager, create a user (e.g. iag.sa.data), and set a password.
  • From idmapps, go to Configuration > Administration assignments.
    First, create an admin assignment for Provisioning Domain for the iag.sa.data user, and make sure you don't check "All Permissions".

[Screenshot: idmdash - iag - admin assignments - 1.png]

Second, edit the admin assignment you created before, and click on "+" (New Permission). Under "Add Provisioning Request Definition Permissions", click on "Select Provisioning Request Definition", browse to the sample WF (IAG Fulfillment Sample), and then select the 6 permissions.

Finally, click on "Add Permissions" button.

[Screenshot: idmdash - iag - admin assignments - 2.png]


If the permission assignment is successful, you should be able to see the following ACL attributes in cn=IAG Fulfillment Sample,cn=RequestDefs,cn=AppConfig,cn=User Application Driver,cn=driverset1,o=system:

[Screenshot: idmdash - iag - admin assignments - 3.png]

4#entry#cn=iag,ou=sa,o=data#nrfAccessAvailabilitySet
4#entry#cn=iag,ou=sa,o=data#nrfAccessDelegateConfigure
4#entry#cn=iag,ou=sa,o=data#nrfAccessMgrInitiatePRD
4#entry#cn=iag,ou=sa,o=data#nrfAccessMgrRetractPRD
4#entry#cn=iag,ou=sa,o=data#nrfAccessMgrTaskAddressee
4#entry#cn=iag,ou=sa,o=data#nrfAccessMgrViewRunningPRD

 

  • Edit ism-configuration-properties. Set FALSE in the following properties and then restart tomcat:
    • WorkflowService/SOAP-End-Points-Accessible-By-ProvisioningAdminOnly = false
    • WorkflowService/soap/getProvisioningRequests = false

Note: Every *soap* entry in ism-configuration.properties locks the corresponding web service operation to a provisioning administrator. All operations can be opened to all users by setting WorkflowService/SOAP-End-Points-Accessible-By-ProvisioningAdminOnly to false and setting WorkflowService/soap/<operation> to false. A true value means that only provisioning administrators are allowed these operations.

In my particular environment, I have the following values for the *soap* entries in ism-configuration.properties.

RoleService/Role/soap = true
ResourceService/Resource/soap/requestResourceRevoke = false
ResourceService/Resource/soap/requestResourceGrant = false
ResourceService/Resource/soap/getAssignmentsForResource = true
ResourceService/Resource/soap/getResourceRequestStatusByCorrelationId = false
ResourceService/Resource/soap/getResourceAssignmentsForCurrentUser = false
ResourceService/Resource/soap/getResourceRequestStatusByIdentity = true
ResourceService/Resource/soap = true
ResourceService/Resource/soap/getResourceAssignmentsForUser = true
ResourceService/Resource/soap/getResourceRequestStatusForCurrentUser = false
RoleService/Role/SOAP-End-Points-Authorization-Security-Enabled = false
RoleService/Resource/SOAP-End-Points-Authorization-Security-Enabled = false
WorkflowService/SOAP-End-Points-Authorization-Security-Enabled = false
WorkflowService/SOAP-End-Points-Resource-Beta-Enabled = false
WorkflowService/SOAP-End-Points-Accessible-By-ProvisioningAdminOnly = false
WorkflowService/soap/getProcessesById = true
WorkflowService/soap/getProcessesByCreationTime = true
WorkflowService/soap/getProcessesByCreationInterval = true
WorkflowService/soap/getProcessesByInitiator = true
WorkflowService/soap/getProcessesByRecipient = true
WorkflowService/soap/getProcessesByStatus = true
WorkflowService/soap/getProcessesByApprovalStatus = true
WorkflowService/soap/getProcesses = true
WorkflowService/soap/getCommentsByActivity = true
WorkflowService/soap/getCommentsByUser = true
WorkflowService/soap/getCommentsByCreationTime = true
WorkflowService/soap/getComments = true
WorkflowService/soap/addComment = true
WorkflowService/soap/reassignWorkTask = true
WorkflowService/soap/setWorkTaskPriority = true
WorkflowService/soap/unclaim = true
WorkflowService/soap/setUserActivityTimeout = false
WorkflowService/soap/getUserActivityTimeout = false
WorkflowService/soap/setWebServiceActivityTimeout = false
WorkflowService/soap/getWebServiceActivityTimeout = false
WorkflowService/soap/setCompletedProcessTimeout = true
WorkflowService/soap/getCompletedProcessTimeout = true
WorkflowService/soap/setEmailNotifications = true
WorkflowService/soap/getEmailNotifications = true
WorkflowService/soap/getEngineConfiguration = true
WorkflowService/soap/setEngineConfiguration = true
WorkflowService/soap/getClusterState = true
WorkflowService/soap/removeEngine = true
WorkflowService/soap/getEngineState = true
WorkflowService/soap/reassignProcesses = true
WorkflowService/soap/reassignAllProcesses = true
WorkflowService/soap/reassignPercentageProcesses = true
WorkflowService/soap/getProvisioningStatuses = true
WorkflowService/soap/resetPriorityForWorkTask = true
WorkflowService/soap/getQuorumForWorkTask = true
WorkflowService/soap/getGraph = true
WorkflowService/soap/getFlowDefinition = true
WorkflowService/soap/getFormDefinition = true
WorkflowService/soap/multiStart = true
WorkflowService/soap/setResult = true
WorkflowService/soap/setRoleRequestStatus = true
WorkflowService/soap/getAllProvisioningRequests = false
WorkflowService/soap/getDefinitionByID = false
WorkflowService/soap/getProvisioningRequests = false
WorkflowService/soap/getProvisioningCategories = false
WorkflowService/soap/startWithCorrelationId = false
WorkflowService/soap/terminate = false
WorkflowService/soap/getProcess = false
WorkflowService/soap/getProcessesArray = false
WorkflowService/soap/getCommentsByType = false
WorkflowService/soap/getWorkEntries = false
WorkflowService/soap/getDataItems = false
WorkflowService/soap/getWork = false
WorkflowService/soap/forwardAsProxyWithDigitalSignature = false
WorkflowService/SOAP-End-Points-MaxInactiveIntervalTime = 1200
WorkflowService/SOAP-End-Points-Process-Query-MaxRows = 10000
VirtualDataService/soap = false
VirtualDataService/soap/query = false
VirtualDataService/soap/getAttribute = false
VirtualDataService/soap/setAttribute = false
VirtualDataService/soap/getAttributes = false
VirtualDataService/soap/globalQuery = false
VirtualDataService/soap/maxInactiveIntervalTime = 60

 

Identity Governance

  • Open configutil.cmd/sh and enable IDM integration. Then restart tomcat.
  • Go to Configuration > Identity Manager System Connection, and complete the following parameters:
    > Identity Manager URL: https://idm.XXXXXX.local:8543/IDMProv/
    > Certificate -> Click on Load Certificate
    > Identity Manager Username: cn=iag,ou=sa,o=data
    > Password: *******
    Click on test connection.

[Screenshot: ig - configuration - identity manager connection OK.png]

  • Go to IG > Fulfillment > Configuration > Identity Manager Workflow (system), and click on Test Connection.
    - Select "IAG Fulfillment Sample" next to Workflow

[Screenshot: ig - fulfillment configuration ok.png]

 

 

 

Cheers,

 

Adrian Botta
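As an added example (not from the thread or from the NetIQ product), a small Python audit that applies the rule in the note above to an ism-configuration.properties file: it lists the WorkflowService SOAP operations reachable by accounts that are not Provisioning Administrators and flags any opened beyond getProvisioningRequests, the one operation IG needs for workflow discovery. The property names come from the thread; the properties excerpt embedded in the block is constructed.

```python
"""Audit the WorkflowService SOAP switches in ism-configuration.properties.

Added example (not from the thread or the product).  Rule from the note in the
accepted answer: an operation is reachable by accounts that are not Provisioning
Administrators only when BOTH
    WorkflowService/SOAP-End-Points-Accessible-By-ProvisioningAdminOnly = false
    WorkflowService/soap/<operation> = false
SAMPLE_PROPERTIES is a constructed excerpt; REQUIRED_OPEN is the one operation IG
needs (the accepted answer sets the global switch plus that operation to false).
"""
import re
import sys
from typing import Dict, List, Tuple

ADMIN_ONLY_KEY = "WorkflowService/SOAP-End-Points-Accessible-By-ProvisioningAdminOnly"
OP_PREFIX = "WorkflowService/soap/"
REQUIRED_OPEN = {"getProvisioningRequests"}

SAMPLE_PROPERTIES = """\
# constructed excerpt; a real file carries many more keys (see the dump in the thread)
WorkflowService/SOAP-End-Points-Accessible-By-ProvisioningAdminOnly = false
WorkflowService/soap/getProvisioningRequests = false
WorkflowService/soap/getProcesses = true
WorkflowService/soap/terminate = false
WorkflowService/soap/startWithCorrelationId = false
WorkflowService/SOAP-End-Points-Process-Query-MaxRows = 10000
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Parse Java .properties 'key = value' lines; '#' and '!' start comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def is_false(value: str) -> bool:
    return value.strip().lower() == "false"


def open_operations(props: Dict[str, str]) -> List[str]:
    """WorkflowService SOAP operations that non-admin accounts may call."""
    # With the global switch still true (or absent), every operation stays admin-only.
    if not is_false(props.get(ADMIN_ONLY_KEY, "true")):
        return []
    return sorted(key[len(OP_PREFIX):] for key, value in props.items()
                  if key.startswith(OP_PREFIX) and is_false(value))


def audit(props: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (missing, excess): required operations still locked, and
    operations opened to non-admins beyond what IG needs (least privilege)."""
    opened = set(open_operations(props))
    return sorted(REQUIRED_OPEN - opened), sorted(opened - REQUIRED_OPEN)


if __name__ == "__main__":
    # usage: audit_soap.py [/path/to/ism-configuration.properties]  (.properties files are ISO-8859-1)
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_PROPERTIES
    missing, excess = audit(parse_properties(text))
    print("still admin-only but required by IG:", missing or "none")
    print("opened to non-admins beyond IG's need:", excess or "none")
```

Run against the dump in the post above, the excess list shows which operations the false values open to every authenticated user; only getProvisioningRequests has to be open for IG.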

Micro Focus Expert

Re: IDM Workflow fulfillment - no workflows for external provisioning


Greetings,

ID Gov utilizes a set (three (3) in total as of right now) of SOAP calls to the Identity Applications to get the listing of the different types of workflows. As part of that SOAP call, we utilize the user/account that is defined in the connection information.

1) Do you have the uaadmin defined in the connection information within ID Gov? If not, did you enable for your non-admin user to be able to utilize SOAP calls to the Identity Applications?

2) Did you receive any errors when deploying the workflows from Designer to eDirectory/User Application Driver?

3) In Designer, when you look at the workflows from above (the one you imported and the one you created), what is the value of the status field on the Overview tab?

4) When you login to the Identity Applications, can you select the workflow(s) you have deployed above from Designer to start?

 

Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus

Knowledge Partner

Re: IDM Workflow fulfillment - no workflows for external provisioning


If you are not using an admin user, like Provisioning Admin, but instead Provisioning Manager or Role Admin vs Role Manager, for each endpoint, in SOAP in the ism-configuration.properties file you have to enable non-admin access to the endpoint.

For initial testing try with a uaadmin who has all the permission roles. 

Permissions in UA are fun.  There is the ability to see a PRD via trustees.  Then there can be permissions to start/stop workflows, or grant roles, etc...

As Steve notes it uses SOAP to get to UA. 

From the IDG box, you could try Fernando's bash_rbpm_soap.sh script which allows simple SOAP calls for the UA functions which would test if there is connectivity.

One issue Steve can probably answer for us, is what URL to use for the UA?

Especially if you have a two node or more cluster.

Generally, SOAP ops use Basic Auth, which the main URL usually does not like and redirects you to OSP.  So often I find you need to point at the individual node URL.

OSP does not like that, but you are basically skipping OSP in this case. 

 

Micro Focus Expert

Re: IDM Workflow fulfillment - no workflows for external provisioning


Greetings Geoffrey,
   The SOAP endpoints are not "protected" by OAuth (so OSP in the case of the ID Apps). So one can fully utilize a Load Balancer here. I have worked with many customers on this kind of configuration.

 


Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus

Knowledge Partner

Re: IDM Workflow fulfillment - no workflows for external provisioning


I agree with what you are saying in principle, but I have had numerous issues when there is a load balancer in front.  Or even a round robin DNS.  But good point about OSP not protecting the SOAP Endpoints, that makes a lot of sense.

 

Super Contributor.

Re: IDM Workflow fulfillment - no workflows for external provisioning


Thank you for your quick responses!

 

I forgot to mention, IG version is 3.6.1 and IDM is 4.8.1.

 

Regarding your questions:

1) Do you have the uaadmin defined in the connection information within ID Gov? If not, did you enable for your non-admin user to be able to utilize SOAP calls to the Identity Applications?

uaadmin.sa.data throws "Read time out" (Why is this happening?). It's strange, because uaadmin is IG's bootstrap account and I'm able to log into IG with uaadmin.

IG - IDM Config.png

admin.sa.system (edir admin) connects successfully. 

IG - IDM Config - admin.png

ism-configuration.properties is configured as explained in https://www.netiq.com/documentation/identity-manager-47/identity_apps_admin/data/netiq-identity-manager-provisioning-web-service.html

  • WorkflowService/SOAP-End-Points-Authorization-Security-Enabled = FALSE (I've also tried with TRUE)
  • WorkflowService/SOAP-End-Points-Accessible-By-ProvisioningAdminOnly = FALSE


2) Did you receive any errors when deploying the workflows from Designer to eDirectory/User Application Driver?
No.


3) In Designer, when you look at the workflows from above (the one you imported and the one you created), what is the value of the status field on the Overview tab?

Status = Active.

IDM - IAG WF.png

4) When you login to the Identity Applications, can you select the workflow(s) you have deployed above from Designer to start?

Yes.

IDM - IAG WF - Exec.png

 

 

Micro Focus Expert

Re: IDM Workflow fulfillment - no workflows for external provisioning

Greetings,
    The Read Time-out error is happening because the Identity Applications is taking too long to respond to the SOAP calls. 
 
 
1) How many total Workflows do you have defined in the Identity Applications?
 
 
Note: It is possible to utilize a stand alone tool like soapUI to issue the three (3) calls that happen to see which one is taking too long.  Typically, it is the call to get All workflows that can be seen by the account being passed in.  Hence the question about the total number of workflows that are deployed.
 
 
I would suggest creating an account that can only see this (or similar kinds of workflows), update the security on the Workflow and re-deploy, enable non-Provisioning Admins to use the SOAP endpoints in the ID Apps (and restart after you do that), then change the configuration in ID Gov to utilize this new "account" and it should work correctly.
 
 
 
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
Super Contributor.

Re: IDM Workflow fulfillment - no workflows for external provisioning



Steven, 

Thank you for your previous reply.

Regarding:

The Read Time-out error is happening because the Identity Applications is taking too long to respond to the SOAP calls. 
A time-out makes sense...but why admin.sa.system (edir admin) doesn't give time-out? Using an ldap browser both uaadmin and admin can (almost) see the same number of objects and properties.

1) How many total Workflows do you have defined in the Identity Applications?
84 Workflows. 30 of them are Microfocus Approval Templates.

Note: It is possible to utilize a stand alone tool like soapUI to issue the three (3) calls that happen to see which one is taking too long.  Typically, it is the call to get All workflows that can be seen by the account being passed in.  Hence the question about the total number of workflows that are deployed.
 I would suggest create an account that can only see this (or similar kinds of workflows), update the security on the Workflow and re-deploy, enabling non-Provisioning Admins to use the SOAP endpoints in the ID Apps (and restart after you do that), then change the configuration in ID Gov to utilize this new "account" and it should work correctly.

I created a new account (iag.sa.data), and I configured trustees and IRFs: It can only see one PRD > cn=IAG Fulfillment Sample,cn=RequestDefs,[...] . 

Then I increased the com.novell.soa.af.impl and com.novell.soa.ws.impl log levels and ran the "test connection" from IG. IDM-catalina.out showed the following log:

2020-06-22 17:49:05,967 INFO  [com.novell.pwdmgt.util.PasswordHelper] (https-jsse-nio-8543-exec-50) [RBPM] [Login_Success] cn=iag,ou=sa,o=data successfully logged in.
2020-06-22 17:49:05,975 TRACE [com.novell.soa.af.impl.soap.ProvisioningImpl] (https-jsse-nio-8543-exec-50) [RBPM] Is Request New = [true]
2020-06-22 17:49:05,975 DEBUG [com.novell.soa.ws.impl.xml.OutputStreamImpl] (https-jsse-nio-8543-exec-50) <SOAP-ENV:Envelope xmlns:SOAP-ENV='http://schemas.xmlsoap.org/soap/envelope/' xmlns:xsd='http://www.w3.org/2001/XMLSchema' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'><SOAP-ENV:Body><ns1:getVersionResponse xmlns="http://www.novell.com/provisioning/service" xmlns:ns1="http://www.novell.com/provisioning/service"><Version  major='4' minor='3' revision='$Rev: 42055 $'></Version></ns1:getVersionResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>
2020-06-22 17:49:06,063 INFO  [com.novell.pwdmgt.util.PasswordHelper] (https-jsse-nio-8543-exec-60) [RBPM] [Login_Success] cn=iag,ou=sa,o=data successfully logged in.
2020-06-22 17:49:06,066 DEBUG [com.novell.soa.af.impl.soap.ProvisioningImpl] (https-jsse-nio-8543-exec-60) [RBPM] get provisioning requests for category 'null' and operation 'null'
2020-06-22 17:49:06,066 TRACE [com.novell.soa.af.impl.soap.ProvisioningImpl] (https-jsse-nio-8543-exec-60) [RBPM] Is Request New = [true]
2020-06-22 17:49:06,138 INFO  [com.novell.pwdmgt.util.PasswordHelper] (https-jsse-nio-8543-exec-59) [RBPM] [Login_Success] cn=iag,ou=sa,o=data successfully logged in.
2020-06-22 17:49:06,141 DEBUG [com.novell.soa.af.impl.soap.ProvisioningImpl] (https-jsse-nio-8543-exec-59) [RBPM] get provisioning requests for category 'null' and operation 'null'
2020-06-22 17:49:06,142 TRACE [com.novell.soa.af.impl.soap.ProvisioningImpl] (https-jsse-nio-8543-exec-59) [RBPM] Is Request New = [true]
2020-06-22 17:49:06,223 INFO  [com.novell.pwdmgt.util.PasswordHelper] (https-jsse-nio-8543-exec-46) [RBPM] [Login_Success] cn=iag,ou=sa,o=data successfully logged in.
2020-06-22 17:49:06,225 DEBUG [com.novell.soa.af.impl.soap.ProvisioningImpl] (https-jsse-nio-8543-exec-46) [RBPM] get provisioning requests for category 'null' and operation 'null'
2020-06-22 17:49:06,225 TRACE [com.novell.soa.af.impl.soap.ProvisioningImpl] (https-jsse-nio-8543-exec-46) [RBPM] Is Request New = [true]
2020-06-22 17:49:06,286 INFO  [com.novell.pwdmgt.util.PasswordHelper] (https-jsse-nio-8543-exec-41) [RBPM] [Login_Success] cn=iag,ou=sa,o=data successfully logged in.
2020-06-22 17:49:06,289 DEBUG [com.novell.soa.af.impl.soap.ProvisioningImpl] (https-jsse-nio-8543-exec-41) [RBPM] get provisioning requests for category 'null' and operation 'null'
2020-06-22 17:49:06,289 TRACE [com.novell.soa.af.impl.soap.ProvisioningImpl] (https-jsse-nio-8543-exec-41) [RBPM] Is Request New = [true]

 

This line didn't look OK: "[RBPM] get provisioning requests for category 'null' and operation 'null'"

 

So, I enabled the IDMProv WS test api (https://www.netiq.com/documentation/identity-manager-48/identity_apps_admin/data/bdux84e.html#role-web-service-enable-test-page) and manually executed getProvisioningRequests() method from  https://idm.XXXXX.local:8543/IDMProv/provisioning/service?test (For more information: https://www.netiq.com/documentation/identity-manager-48/identity_apps_admin/data/netiq-identity-manager-provision-web-service-api.html)

 

If I don't enter any parameter, catalina shows >> [RBPM] get provisioning requests for category '' and operation '', and 0 PRDs are shown.

TEST-Empty.png

 

But if I enter the proper category and operation, the WS returns every Workflow (Including the one we're looking for)

Test-Parameters.png

So, I believe IG is not sending the appropriate category & operation to IDMProv Webservice.

What do you think?

 

Regards, 

Micro Focus Expert

Re: IDM Workflow fulfillment - no workflows for external provisioning

Greetings,
    As you saw with enabling debug on the ID Apps side we make the following three (3) SOAP calls:
 
1) getversion
    We need to make sure the SOAP API level meets a min requirement 
 
2) getProvisioningRequestsRequest 
  This one does not include any options (by design) so that all of the possible Workflows (no matter category, type, or operation) will be returned for the account/user that was utilized in the connection.  We will then analyze the results for the specific requirements we are looking for.
  
3) getProvisioningRequestsRequest 
   This time we want just the workflows where type = ResourceProvisioning
 
 
 
If you are not seeing workflows returned from issuing getProvisioningRequestsRequest when providing no parameters then either there is an ACL issue in your set-up or there is a bug in IDM 4.8.1
 
Do you see this same behavior when utilizing the uaadmin in the stand alone test?
 
 
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
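As an added example (not code from the thread, from Identity Governance or from NetIQ), a minimal Python client that makes the first two calls Steven lists, getVersion and then getProvisioningRequests without filters, so the account IG will use can be checked outside IG, including how long the unfiltered call takes with that account. The namespace and the getVersion response shape come from the catalina.out excerpt earlier in the thread; the request element names (getVersionRequest, getProvisioningRequestsRequest, category, operation) and the response entry name provisioningrequest are assumptions to verify against your WSDL, the host is a placeholder, and the SAMPLE_* responses are constructed.

```python
"""Minimal client for the IDMProv Provisioning Web Service (added example, not
product code).  Names marked ASSUMED are not from the thread: check the WSDL."""
import base64
import getpass
import sys
import time
import urllib.request
import xml.etree.ElementTree as ET

NS = "http://www.novell.com/provisioning/service"   # namespace seen in the thread's log
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"

def envelope(body: str) -> str:
    """Wrap a body fragment in a SOAP 1.1 envelope."""
    return (f"<SOAP-ENV:Envelope xmlns:SOAP-ENV='{SOAP_ENV}'>"
            f"<SOAP-ENV:Body>{body}</SOAP-ENV:Body></SOAP-ENV:Envelope>")

def get_version_request() -> str:
    """Call 1: IG checks the SOAP API level first."""
    return envelope(f"<getVersionRequest xmlns='{NS}'/>")          # ASSUMED element name

def get_provisioning_requests_request(category=None, operation=None) -> str:
    """Call 2 in the thread sends neither filter; IG filters the result itself."""
    parts = []
    if category is not None:
        parts.append(f"<category>{category}</category>")             # ASSUMED element name
    if operation is not None:
        parts.append(f"<operation>{operation}</operation>")          # ASSUMED element name
    return envelope(f"<getProvisioningRequestsRequest xmlns='{NS}'>"  # ASSUMED element name
                    f"{''.join(parts)}</getProvisioningRequestsRequest>")

def parse_version(xml_text: str) -> tuple:
    """Return (major, minor) from a getVersionResponse (shape taken from the log)."""
    version = ET.fromstring(xml_text).find(f".//{{{NS}}}Version")
    if version is None:
        raise ValueError("no Version element in response")
    return int(version.get("major")), int(version.get("minor"))

def list_provisioning_requests(xml_text: str) -> list:
    """Names of all provisioningrequest entries (ASSUMED name), whatever their prefix."""
    names = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.split("}")[-1] == "provisioningrequest":
            names.append(next((c.text for c in el if c.tag.split("}")[-1] == "name"), "") or "")
    return names

def call(url: str, user: str, password: str, body: str, timeout: float = 30.0) -> str:
    """POST one envelope with HTTP Basic auth, as IG does; TLS verification stays on."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=body.encode("utf-8"), method="POST",
                                 headers={"Content-Type": "text/xml; charset=utf-8",
                                          "SOAPAction": '""',      # SOAP 1.1 allows empty
                                          "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")

# Constructed responses for offline checks; SAMPLE_VERSION mirrors the thread's log line.
SAMPLE_VERSION = envelope("<ns1:getVersionResponse xmlns='http://www.novell.com/provisioning/service' "
                          "xmlns:ns1='http://www.novell.com/provisioning/service'>"
                          "<Version  major='4' minor='3' revision='$Rev: 42055 $'></Version>"
                          "</ns1:getVersionResponse>")
SAMPLE_PRDS = envelope(f"<ns1:getProvisioningRequestsResponse xmlns:ns1='{NS}'><result>"
                       "<provisioningrequest><name>IAG Fulfillment Sample</name></provisioningrequest>"
                       "<provisioningrequest><name>Other WF</name></provisioningrequest>"
                       "</result></ns1:getProvisioningRequestsResponse>")

if __name__ == "__main__":
    # usage: probe.py https://idm.example.local:8543/IDMProv/provisioning/service cn=iag,ou=sa,o=data
    url, user = sys.argv[1:3]
    pwd = getpass.getpass(f"password for {user}: ")
    print("SOAP API version:", parse_version(call(url, user, pwd, get_version_request())))
    started = time.perf_counter()
    prds = list_provisioning_requests(call(url, user, pwd, get_provisioning_requests_request()))
    print(f"{len(prds)} PRD(s) visible to {user} in {time.perf_counter() - started:.1f}s", *prds, sep="\n  ")
```

Running it once with the wide-scoped uaadmin account and once with the restricted account shows both what each account can list and how long the unfiltered call takes, which is the call the thread identifies as the source of the read time-out.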
Knowledge Partner

Re: IDM Workflow fulfillment - no workflows for external provisioning


I think Steve's last line might need some clarification.

He wrote: "Do you see this same behavior when utilizing the uaadmin in the stand alone test?"

I think Steve is asking if, when you make the getProvisioningRequests call with no category or type via SOAP UI or the like, you get the null message or you get a list of all of them.  You are trying from the UA's endpoint Test tool, and you answered that it returns the null message.

So if you could get SOAP UI and try the query via that, with no category et al, that would answer what Steve's question is aiming at.

Super Contributor.

Re: IDM Workflow fulfillment - no workflows for external provisioning


Steven & Geoffrey, thank you for your tips!

After deleting every PRD from eDirectory (except "IAG Fulfillment Sample"), I was able to see the WF from IG using uaadmin.sa.data.

IG-ConnectionOK.png

So, as Steve mentioned, the timeout with uaadmin.sa.data occurred because I have too many WFs.

Q.: Is it possible to increase the timeout value for SOAP calls?

 

 I would suggest create an account that can only see this (or similar kinds of workflows), update the security on the Workflow and re-deploy, enabling non-Provisioning Admins to use the SOAP endpoints in the ID Apps (and restart after you do that), then change the configuration in ID Gov to utilize this new "account" and it should work correctly.

I created the account iag.sa.data and  assigned trustees on IAG Fulfillment Sample WF.

I discovered that if I assign the "Provisioning" Role with All Permissions (idmdash > configuration > admin-assignments), the behaviour is the same as for uaadmin.sa.data (Timeout).

So I tried to limit the Provisioning Role to the IAG Fulfillment Sample WF.

aig admin limited.png

After clicking on "Add Permissions", I can see a Success (top right corner), but IDM-catalina.out shows

2020-06-23 18:15:33,053 ERROR [com.netiq.idm.rest.admin.PermissionACLRightsService] (https-jsse-nio-8543-exec-147) [RBPM] Unknown service failure. java.lang.NullPointerException

 

I'll keep investigating the root cause.

Regards,

Micro Focus Expert

Re: IDM Workflow fulfillment - no workflows for external provisioning

Greetings,
   It is not possible at this time to increase the time-out for how long we will wait for a response from a SOAP call.  That has already been asked.
    
 
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus