Identity Bridge not Syncing Group Members into Identity Cloud Service (IDCS) when the Role has a Huge Amount of Members: Oracle.Idaas.Idbridge.Settings.Exceptions.IdbridgeWebException
(Doc ID 2519907.1)
Last updated on JULY 25, 2023
Applies to:
Identity Cloud Service (IDCS) - Version N/A and later
Information in this document applies to any platform.
Symptoms
There is a group in Active Directory with a large number of members (about 397).
The group itself is synchronized into IDCS, but none of its members appear under the group's Users tab.
There are four possible reasons for this behavior:
1st: a mandatory user attribute is missing in Active Directory
For a user to be synced into IDCS, the user's Active Directory entry must contain every attribute that IDCS treats as mandatory.
The mandatory attributes a user must have in AD to be synced into IDCS are:
- sAMAccountName
- sn
- userAccountControl
If this had been the cause, the ID Bridge logs would contain 397 entries similar to:
We did not see those errors in the bridge logs, and all 397 members were created as users in IDCS, so the issue is not a missing attribute.
2nd: the members' Organizational Unit is not configured to be synced into IDCS
When the bridge is configured, we specify the Organizational Units (OUs) from which users are synced and, separately, the OUs from which groups are synced.
In the example above, the users and groups synchronized into IDCS are those from OU US, which is the OU where the group and its members are in Active Directory.
This is not the problem in our case, since all the member users were created in IDCS.
We would have hit this issue if, for example, the group AD Group were under OU US but its members were under OU ServiceAccount.
In that scenario the group would be created but not its members, because OU ServiceAccount was not configured as a source of users.
3rd: a wrong user filter in IDCS
In the bridge configuration in IDCS we can specify a user filter that tells the bridge which users to sync into IDCS.
Our issue is not caused by the user filter, as none is specified, but this should always be checked.
A wrong filter would prevent every member of the group from being synced into IDCS.
For example, suppose all members of the group have State = Florida in their Active Directory user entry, while the filter specified in IDCS is (State = FL).
That filter matches none of the members, so none of them are synchronized into IDCS.
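The first three causes above can be checked mechanically for every member of the group before digging into bridge logs. The following is an added example, not Oracle's ID Bridge code: it takes AD user entries (here constructed sample data keyed by DN, in the shape an LDAP search or Get-ADUser dump would give) and reports, per member, whether a mandatory attribute is missing, the member sits outside the OUs configured for user sync, or the member is excluded by the user filter. The filter is assumed to be an LDAP search filter, and the evaluator only supports equality, presence (attr=*) and the &, | and ! operators; the OU list, DNs and attribute values are hypothetical.

```python
"""Triage why members of an AD group did not show up in IDCS.

Added example, not Oracle's code: checks each member entry for the three
configuration causes (missing mandatory attribute, member outside a
configured user OU, member excluded by the user filter). All data below is
constructed sample data.
"""

MANDATORY_ATTRS = ("sAMAccountName", "sn", "userAccountControl")

# Constructed: the OUs the bridge is configured to sync users from.
CONFIGURED_USER_OUS = ["OU=US,DC=example,DC=com"]

# Constructed AD entries keyed by DN, as an LDAP search would return them.
SAMPLE_ENTRIES = {
    "CN=Alice,OU=US,DC=example,DC=com": {
        "sAMAccountName": "alice", "sn": "Smith",
        "userAccountControl": "512", "st": "Florida"},
    "CN=Bob,OU=US,DC=example,DC=com": {            # no sn attribute
        "sAMAccountName": "bob", "userAccountControl": "512", "st": "Florida"},
    "CN=svc-backup,OU=ServiceAccount,DC=example,DC=com": {
        "sAMAccountName": "svc-backup", "sn": "Backup",
        "userAccountControl": "512", "st": "Florida"},
}


def missing_mandatory(entry):
    """Mandatory attributes that are absent or empty in the AD user entry."""
    return [a for a in MANDATORY_ATTRS if not entry.get(a)]


def in_configured_ou(dn, ous=CONFIGURED_USER_OUS):
    """True if the user's DN lies under one of the OUs selected for user sync."""
    dn_l = dn.lower()
    return any(dn_l.endswith("," + ou.lower()) for ou in ous)


def _parse(s, i):
    """Parse the LDAP filter starting at s[i] == '('; returns (node, next_index).

    Supports (attr=value), (attr=*) presence tests and the &, | and ! operators.
    """
    i += 1
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        return (op, children), i + 1          # skip the closing ')'
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.strip(), value.strip()), j + 1


def _lookup(entry, attr):
    """Case-insensitive attribute lookup; LDAP attribute names are not case-sensitive."""
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), None)


def _eval(node, entry):
    op = node[0]
    if op == "=":
        _, attr, value = node
        actual = _lookup(entry, attr)
        if actual in (None, ""):
            return False
        return value == "*" or str(actual).lower() == value.lower()
    children = node[1]
    if op == "&":
        return all(_eval(c, entry) for c in children)
    if op == "|":
        return any(_eval(c, entry) for c in children)
    return not _eval(children[0], entry)      # "!"


def matches_filter(entry, user_filter):
    """True if the entry would pass the bridge's user filter (empty filter = everyone)."""
    if not user_filter.strip():
        return True
    tree, _ = _parse(user_filter.strip(), 0)
    return _eval(tree, entry)


def triage(entries, user_filter="", ous=CONFIGURED_USER_OUS):
    """Map each member DN to the list of causes that would stop it syncing.

    An empty list means none of the three configuration causes applies, which
    points at the fourth category: a bridge/server error visible only in the logs.
    """
    report = {}
    for dn, entry in entries.items():
        causes = []
        missing = missing_mandatory(entry)
        if missing:
            causes.append("missing mandatory attribute(s): " + ", ".join(missing))
        if not in_configured_ou(dn, ous):
            causes.append("not under a configured user OU")
        if not matches_filter(entry, user_filter):
            causes.append("excluded by user filter " + user_filter.strip())
        report[dn] = causes
    return report


if __name__ == "__main__":
    for dn, causes in triage(SAMPLE_ENTRIES, "(st=FL)").items():
        print(dn, "->", causes or ["no configuration cause found; check bridge logs"])
```

With the "(st=FL)" filter every member is reported as excluded, which reproduces the State = Florida versus FL mismatch described above; with no filter only Bob (missing sn) and the service account (wrong OU) are flagged, and a member with an empty list is the case where the bridge logs need to be enabled.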
4th: something else
We enabled the bridge logs and saw the following error:
2018-10-04 16:24:07,624 [46] ERROR IDBridge - Server Response : {"schemas":["urn:ietf:params:scim:api:messages:2.0:Error","urn:ietf:params:scim:api:oracle:idcs:extension:messages:Error"],"detail":"Sync status should
contain lastSyncMessage for the synchronization cycle.","status":"400","urn:ietf:params:scim:api:oracle:idcs:extension:messages:Error":{"messageId":"error.idbridgecommon.identitysource.syncstatus.lastsyncmessageNotPresent"}}.
2018-10-04 16:24:07,624 [46] ERROR IDBridge - Exception of type 'Oracle.Idaas.Idbridge.Settings.Exceptions.IdbridgeWebException' was thrown.
Oracle.Idaas.Idbridge.Settings.Exceptions.IdbridgeWebException: Exception of type 'Oracle.Idaas.Idbridge.Settings.Exceptions.IdbridgeWebException' was thrown.
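When a bridge log is large, the useful part of an entry like this is the SCIM error body, in particular its messageId and detail. The following is an added example, not Oracle's code, that pulls those fields out of ID Bridge log text. The log lines are constructed to match the shape of the excerpt above; the function also re-joins records that were wrapped onto continuation lines (a common result of copy/paste, as with the detail string here), since json.loads rejects a raw newline inside a string.

```python
"""Extract SCIM error bodies from ID Bridge log text.

Added example, not Oracle's code. Log records that were wrapped are re-joined
first: a line that does not start with a timestamp continues the previous record.
"""
import json
import re

TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
RESPONSE = re.compile(r"Server Response : (\{.*\})\.?$")
IDCS_ERR = "urn:ietf:params:scim:api:oracle:idcs:extension:messages:Error"

# Constructed sample in the shape of the excerpt above (detail string wrapped).
SAMPLE_LOG = """\
2018-10-04 16:24:07,624 [46] ERROR IDBridge - Server Response : {"schemas":["urn:ietf:params:scim:api:messages:2.0:Error","urn:ietf:params:scim:api:oracle:idcs:extension:messages:Error"],"detail":"Sync status should
contain lastSyncMessage for the synchronization cycle.","status":"400","urn:ietf:params:scim:api:oracle:idcs:extension:messages:Error":{"messageId":"error.idbridgecommon.identitysource.syncstatus.lastsyncmessageNotPresent"}}.
2018-10-04 16:24:07,624 [46] ERROR IDBridge - Exception of type 'Oracle.Idaas.Idbridge.Settings.Exceptions.IdbridgeWebException' was thrown.
"""


def logical_lines(text):
    """Re-join wrapped records; continuation lines are glued with a single space."""
    records = []
    for line in text.splitlines():
        if TS.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records


def scim_errors(text):
    """Return (status, messageId, detail) for every 'Server Response' SCIM error."""
    found = []
    for rec in logical_lines(text):
        m = RESPONSE.search(rec)
        if not m:
            continue
        try:
            body = json.loads(m.group(1))
        except json.JSONDecodeError:
            continue  # truncated or non-JSON response body; skip rather than crash
        ext = body.get(IDCS_ERR, {})
        found.append((body.get("status"), ext.get("messageId"), body.get("detail")))
    return found


if __name__ == "__main__":
    for status, message_id, detail in scim_errors(SAMPLE_LOG):
        print(status, message_id, "-", detail)
```

Run over a real bridge log, the messageId values returned are the identifiers to search for in the IDCS documentation or in a service request; the second log line in the sample (the bare IdbridgeWebException) carries no response body and is ignored.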
Cause