Frequently Asked Questions (FAQ)
- Updated on 23 Jul 2024
- 19 Minutes to read
Version 22.37.201
Access Management
1. Issue: User Termination is not working as per Schedule
Resolution:
Check the following:
- Connector configuration (a wrong attribute configuration in the connector configuration)
- User data passed through the connectors (the user data in the response is empty; check the debug logs)
Changes to the connector code are required to resolve this issue. Kindly validate the above points first.
Information:
For further assistance, kindly contact Cross Identity Point of Contact.
2. Issue: After approval, the access request for entitlement does not reach to Connector.
Resolution:
The Display attribute in the Accounts section was "Display Name" and has been changed to "SAMAccountName". Because there is no option to change it at the UI level, the update is done at the DB level.
Follow the steps:
- Check the current "display attribute" field value:
  select * from fluidiam_applications where application_id = '<application id>';
- List the provisioning attributes of the application and select the value to be used as the display attribute:
  select * from fluidiam_provisioning_attributes where application_id = '<application id>';
- Update the new display attribute value in the fluidiam_applications table.
Following this change, the access request for entitlements will be sent from CI to the connector.
Information:
For further assistance, kindly contact Cross Identity Team.
3. Issue: Second-level approver not getting an Approval email notification.
Resolution:
This could be due to both users having the same email address configured. Examine the configured email addresses for both users.
4. Issue: Encountering error message "Space is not allowed character and cannot be added in the list" while updating the Account lockout threshold.
Resolution:
Please follow the steps:
- Determine whether the customer is trying to save the password policy details after entering a space in the 'Allowed Special Characters' field.
- There is a checkbox labeled Allow 'SPACE'.
- Select that checkbox to allow 'SPACE' instead of adding a space character to the Special Characters field.
With the above change to the configuration, the user can save the password policy details.
5. Issue: When an Account is imported from AD, the expiration date is displayed in Hexadecimal format.
Resolution:
Use the following JavaScript expression to convert the raw accountExpires value (a Windows FILETIME: the number of 100-nanosecond intervals since 1 January 1601 UTC, which is what the constant 116444736 in the expression accounts for) to a local date:
function getVal() {
    // accountExpires arrives as an 18-digit decimal string of 100-nanosecond ticks.
    // The values 0 and 9223372036854775807 mean "account never expires".
    var raw = USER.getAttribute('accountExpires');
    if (!raw || raw === '0' || raw === '9223372036854775807') {
        return 'Never';
    }
    // Split the string so the arithmetic stays within double precision:
    // the first 9 digits count units of 100 seconds (1e9 ticks),
    // the next 2 digits count single seconds (1e7 ticks each).
    var high = raw.substr(0, 9);
    var low = raw.substr(9, 2);
    // 116444736 is the 1601-to-1970 offset (11644473600 seconds) in the same 100-second units.
    var epochSeconds = ((parseInt(high, 10) - 116444736) * 100) + parseInt(low, 10);
    // Date's local getters already apply the server time zone, so no manual offset is added.
    var d = new Date(epochSeconds * 1000);
    var dd = d.getDate();
    var mm = d.getMonth() + 1;
    var yyyy = d.getFullYear();
    if (dd < 10) { dd = '0' + dd; }
    if (mm < 10) { mm = '0' + mm; }
    return mm + '-' + dd + '-' + yyyy;
}
Information:
For further assistance, kindly contact Cross Identity Team.
6. Issue: When SSL is enabled, unable to import users from AD.
Resolution:
Investigate whether the configured port number is wrong (with SSL enabled, the LDAPS port is used instead of the plain LDAP port).
Enter the correct port number to resolve this issue.
Information:
For further assistance, kindly contact Cross Identity Team.
7. Issue: Configured a scheduler to suspend user accounts based on the termination date. However, the scheduler is not being triggered.
Resolution:
During a manual suspend operation, the user was moved to a different OU (by the connector). When the user was later restored, it was not moved back to adManagedOU.
The scheduled suspension then searched for the user in adManagedOU (retrieved from the configuration), so context.search returned no results because the user was in a different OU. As a result, a null pointer exception is thrown while reading the DN value.
Information:
For further assistance, kindly contact Cross Identity Team.
8. Issue: After performing a reset and recon, the user is removed from the owned accounts of the target applications.
Resolution:
Replace the AdminAdapterController class file to resolve the issue.
Information:
For further assistance, kindly contact Cross Identity Team.
9. Issue: The user must submit a single request for multiple Groups/Roles for the same application from the CI request access page.
Resolution:
The user can apply for multiple application groups/roles if the workflow process is updated with multiple entitlements.
10. Issue: WAM Logout does not work.
Resolution:
The domain name must be identical for both CID SaaS and the target application.
The configuration depends on whether Tomcat or Apache is used:
- For the Tomcat server: enable SSL in server.xml
- For the Apache server: enable SSL in ssl.conf
Information:
For further assistance, kindly contact Cross Identity Team.
11. Issue: CI end-user and AD users are unable to log in to CI end-user portal.
Resolution:
Verify the policy configured under the Security tab.
Changing its priority to low may resolve this issue.
12. Issue: The user has access to the end-user portal outside the network IP range.
Resolution: Add Target and Repository to the Authentication policy to resolve this issue.
13. Issue: During the password reset, the UI displays an error message such as 'Error Occurred while resetting password', but the password change was successful.
Resolution:
Update the password column in the “Fluidiam_smtp” table where its value is null.
Information:
For further assistance, kindly contact Cross Identity Team.
Authentication Management
14. Issue: Getting authentication error while login into the end-user portal using AD credentials.
Resolution:
Check whether any AD policies are enabled. If yes, set the AD policy to the 1st priority.
15. Issue: The end-user portal cannot be accessed using an AD user. Capable of logging in with a User created in CI.
Resolution:
Please follow the configuration steps:
1. Sign in to CI as the Admin User
2. Go to the Advanced tab
3. Add a custom attribute
4. Navigate to "Identity Sources" --> "Directories" and add the custom attribute as "Expression" under attribute mapping.
5. Add the expression as mentioned below, then import the users again:
   function getVal() { return 'ActiveDirectory'; }
6. Go to "Authentication Policies", create one policy with a low priority, set the directory to CI, and add a static role for all users
7. The final step is to add a higher-priority policy, designate AD as the directory, and add the following condition.
Information:
For further assistance, kindly contact Cross Identity Team.
16. Issue: User having difficulty accessing the end-user portal. Previously, when a user was created, an email/text message with a random password was sent. When we attempt to log in with that password, we are taken to a screen where we can change our password. We can no longer log in with a randomly generated password, and when we try to reset the password using the forget password link, we get an error message saying that the password could not be changed due to an active directory failure.
Resolution:
Add the following line (with an empty value) to the my.cnf file to resolve this issue:
sql_mode =
Information:
For further assistance, kindly contact Cross Identity Team.
17. Issue: Email OTP is not being generated using the username and password provided in Cross Identity's SMTP Configuration.
Error message:
Caused by: javax.mail.AuthenticationFailedException: 535 5.7.139
Authentication was unsuccessful, the user credentials were incorrect.
Resolution: Verify SMTP credentials. If they are incorrect, please contact the SMTP service provider.
18. Issue: Email does not work for service accounts when MFA is enabled.
Resolution: There are two options:
1. Do not enable MFA for the service account.
2. If MFA is enabled for the service account, the regular password will not work. The user needs to generate an app password by following the steps below:
a. Go to your Google Account.
b. Select Security.
c. Under "Signing in to Google," select App Passwords. You may need to sign in. If you don’t have this option, it might be because:
   - 2-Step Verification is not set up for your account.
   - 2-Step Verification is only set up for security keys.
   - Your account is through work, school, or another organization.
   - You turned on Advanced Protection.
d. At the bottom, choose Select app and choose the app you’re using > Select device and choose the device you’re using > Generate.
e. Follow the instructions to enter the App Password. The App Password is the 16-character code in the yellow bar on your device.
f. Tap Done.
3. If the user enables MFA and does not follow the above steps, please provide the personal account credentials.
19. Issue: When you upload an IdP certificate, CI will save it in an AWS S3 bucket. During that time, it removes any spaces from the file name and uploads them to the S3 bucket. However, the exact name (including the space) is stored in the fluidiam_idp table. https://uphold-uat.Cross Identity.com/CIDSaas/default/admin/security. Hence, there will be a mismatch of the file name during the authentication flow.
Resolution:
To fix the issue, remove the space from the file name stored in the fluidiam_idp table so that it matches the name of the object in S3.
20. Issue: When an email OTP is not received, a null pointer exception is thrown.
If an exception is raised when sending mails in CI, it comes from one of the three locations listed below:
#### Exception occurred while sending mail.java.lang.NullPointerException
java.lang.NullPointerException
    at java.util.Hashtable.put(Hashtable.java:460)
    at java.util.Properties.setProperty(Properties.java:166)
    at java.lang.System.setProperty(System.java:798)
    at com.fluid.iam.utility.MailUtility.sendMail2(MailUtility.java:144)
OR
    at com.fluid.iam.utility.MailUtility.sendHtmlEmail(MailUtility.java:238)
OR
    at com.fluid.iam.utility.MailUtility.sendOTP2(MailUtility.java:333)
This means that the “tlsProtocol” value is null, and CI gets a NullPointerException when it tries to set that value as a mail property (System.setProperty rejects a null value):
Line 144: System.setProperty("mail.smtp.ssl.protocols", tlsProtocol);
Line 238: System.setProperty("mail.smtp.ssl.protocols", tlsProtocol);
Line 333: System.setProperty("mail.smtp.ssl.protocols", tlsProtocol);
The “tlsProtocol” value is read from the fluidiam_config_properties table. To address the issue, the value must be added to this table.
Resolution:
Execute the below mentioned DB script in the environment to resolve the issue:
insert into fluidiam_config_properties(config_key,config_value)
values ('tls_protocol','TLSv1.2'),('debugenabled','true');
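The defensive counterpart to the failing System.setProperty calls, as an added example that is not Cross Identity code: the TLS protocol value is resolved with a fallback before it reaches any Properties object, and it is placed on the JavaMail session properties instead of the JVM-wide System properties. The MailTlsConfig class, the in-memory config map standing in for fluidiam_config_properties, and the default value are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

/**
 * Hypothetical helper (not from the Cross Identity code base) showing how the
 * tls_protocol lookup can be made null-safe, so that a missing row in
 * fluidiam_config_properties no longer surfaces as a NullPointerException.
 */
public class MailTlsConfig {

    /** Config key as used in the FAQ's insert statement. */
    static final String CONFIG_KEY = "tls_protocol";
    /** Hypothetical fallback; the FAQ's DB script inserts TLSv1.2. */
    static final String DEFAULT_TLS_PROTOCOL = "TLSv1.2";

    /**
     * Resolve the protocol list from the loaded config rows. A missing or blank
     * value falls back to the default (and is logged) instead of propagating null.
     */
    static String resolveTlsProtocol(Map<String, String> configProps) {
        String value = configProps == null ? null : configProps.get(CONFIG_KEY);
        if (value == null || value.trim().isEmpty()) {
            System.err.println("WARN " + CONFIG_KEY + " missing in fluidiam_config_properties; using "
                    + DEFAULT_TLS_PROTOCOL);
            return DEFAULT_TLS_PROTOCOL;
        }
        return value.trim();
    }

    /**
     * Build the JavaMail session properties. Setting mail.smtp.ssl.protocols here,
     * rather than via System.setProperty, keeps the setting scoped to this session
     * and never hands a null value to Hashtable.put.
     */
    static Properties buildMailProperties(String host, int port, Map<String, String> configProps) {
        Properties props = new Properties();
        props.put("mail.smtp.host", host);
        props.put("mail.smtp.port", Integer.toString(port));
        props.put("mail.smtp.auth", "true");
        props.put("mail.smtp.starttls.enable", "true");
        props.put("mail.smtp.ssl.protocols", resolveTlsProtocol(configProps));
        return props;
    }

    public static void main(String[] args) {
        // Constructed sample: a config table that has debugenabled but lacks the
        // tls_protocol row, which is exactly the state that produced the exception.
        Map<String, String> incomplete = new HashMap<>();
        incomplete.put("debugenabled", "true");

        Properties p = buildMailProperties("smtp.example.com", 587, incomplete);
        System.out.println("mail.smtp.ssl.protocols = " + p.getProperty("mail.smtp.ssl.protocols"));

        // The original pattern fails at this point when the value is null.
        try {
            System.setProperty("mail.smtp.ssl.protocols", incomplete.get(CONFIG_KEY));
        } catch (NullPointerException e) {
            System.out.println("System.setProperty with a null value -> " + e.getClass().getSimpleName());
        }
    }
}
```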
Client Creation
Issue: Getting 'Undefined' error in the 'Import Status' tab while importing AD user into CI.
Resolution:
Execute the following query in the DB to fix this issue:
INSERT INTO fluidiam_config_properties (config_key,config_value) VALUES ('addirectorytriggerprov', 'true');
Information:
For further assistance, kindly contact Cross Identity Team.
Connector
Issue: When importing SOT for add, modify, or delete, an exception is thrown. There is no error for Delete, and the user is not deleting from CI.
Resolution:
The problem was found in the CSV connector, so the connector was modified in the same way as the SOT connectors.
Older SOT connectors sent SOT users with the Action key. However, the message should include the key "Employee status". This is what was changed for all the functionalities.
Information:
For further assistance, kindly contact Cross Identity Team.
Identity Platform
Issue: In the application configuration, the custom application attribute is not displayed.
Resolution:
Please follow the steps:
1. In the IGA application, select Edit, and then Application Account Attributes
2. Click Add
3. The Add Application Attribute window appears; scroll down to the bottom to find a text box. In the text box, enter the number of custom attributes you need to create (for example, 2) and check it
4. Click Add; the message "Successfully added selected attributes" appears
5. Because you entered 2 in Step 3, there are now 2 text boxes in Application Account Attributes
6. Do the mapping and enter your custom attribute name in the text box here
7. Click Save.
Issue: Unable to redirect the CI domain URL.
Resolution:
Check the Apache Server’s Redirection rules
This can be resolved by changing the Redirection Rule.
Information:
For further assistance, kindly contact Cross Identity Team
Issue: Following the migration, the existing IGA application is unable to add application attributes and perform the mapping.
Resolution:
The fluidiam_assets_attributes table was dropped and recreated by the migration script from sprint 30 to sprint 35, and the data type of the attributes column was changed from varchar to long text.
As a result, the data in the fluidiam_assets_attributes table was lost in the sprint 30 to 35 migration. As a workaround, the data must be inserted into UAT manually.
Information:
For further assistance, kindly contact Cross Identity Team.
Issue:
- AD import does not work with SSL enabled (636) even though an AD SSL certificate is installed
- After a successful AD import without SSL (389), if the AD import is re-initiated, the Status is 'Success' but the values are 'Undefined'
- Three users were added to CI as a result of the AD import. I deleted one user and re-initiated the import, but the deleted user was not imported.
Resolution:
Verify the SSL certificate. This issue occurs when the SSL certificate is incorrect.
Ask the users to correct the SSL certificate.
Information:
For further assistance, kindly contact Cross Identity Team.
Issue: When logged in as the end-user, the username is shown as NA in the top right corner.
Resolution:
In the admin portal, go to "User License" -> User menu -> Username (chosen by default). Save this page once.
Once saved, a DB entry is made in the fluidiam_userdipattr table. After that, the username is visible in the End User portal.
Information:
For further assistance, kindly contact Cross Identity Team.
Issue: It takes time to create a user using the add user form.
Resolution:
The email address and SMS configuration must be validated with correct values. If they are incorrect, user creation will take time.
If they are incorrect, disable them and verify that user creation then completes quickly.
Issue: Following a successful AD import, the total number of identities, groups, and OUs is displayed as 'Undefined'.
Resolution:
A temporary fix patch is available (685). This patch must be deployed.
Information:
For further assistance, kindly contact Cross Identity Team.
Issue: After running the recon, unable to view entitlement entry in CI.
Resolution:
The Attribute Name and Mapped Attribute must be “name”. Please follow the configuration document;
Link of Configuration document for AD:
https://Cross Identity365.sharepoint.com/:w:/s/IntegrationsTeam/ETiPf0fUqudPvx8IFcTKxd0BgZCl7xGZsONcGqnmb4d9PA?e=qw8j83
All connectors and their related documents for Sprint37:
Issue: Browser Preference does not work.
Resolution:
Verify if an old Extension is still in use
Update the latest extensions to resolve this issue.
Issue: The AD import status indicates Undefined, instead of numbers for processed identities.
Resolution: Re-install configurations to address this issue.
Issue: Password change does not work.
Resolution:
Verify whether MySQL was migrated from 5.4 to 8.
If yes, execute the query below to resolve this issue:
SET GLOBAL sql_mode='';
Information:
For further assistance, kindly contact Cross Identity Team.
Issue: Sprint 30 to 37 upgrade issues
- SOT - AD import is not working
- The browser preference function is not functioning properly
- The WAM flow is not performing as expected
- When importing users through the CSV option, an email is sent to end-users.
Resolution:
The config_properties queries must be added to the DB to address this issue.
Information:
For further assistance, kindly contact Cross Identity Team.
Issue: High Availability Proxy configuration
Resolution:
This is a change at the DB server configuration level.
Instead of the Ethernet interface, the Management Interface is used in the keepalived.conf file (edit it with, for example, nano keepalived.conf).
Before:
! Configuration file for keepalived
vrrp_instance V1_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 101
    advert_int 1
    authentication {
        auth_type bigboss
        auth_pass passw0rd
    }
    virtual_ipaddress {
        10.10.3.99 dev eth0 label eth0:1
    }
    # track_script {
    #     chk_haproxy
    # }
}
After:
! Configuration file for keepalived
vrrp_instance V1_1 {
    state MASTER
    interface mgt0
    virtual_router_id 51
    priority 101
    advert_int 1
    authentication {
        auth_type bigboss
        auth_pass passw0rd
    }
    virtual_ipaddress {
        10.10.3.99 dev mgt0 label mgt0:1
    }
    # track_script {
    #     chk_haproxy
    # }
}
Information:
For further assistance, kindly contact Cross Identity Team.
Issue: The page becomes blank after upgrading from Sprint 30 to 37.
Values are missing from the fluidiam_client table.
Resolution:
Values must be added to the fluidiam_client table to resolve this issue.
Information:
For further assistance, kindly contact Cross Identity Team.
Issue: Unable to import users from AD and a message is displayed 'Error in connecting to Directory'
Resolution:
Validate the DN configuration
Verify Username and Password. Consider changing the password.
Issue: The app store URL is not loading into CI
Resolution:
Consider the following points:
- Check that the server has internet connectivity
- The URLs must be whitelisted
- Proxy issues must be resolved
- The details of the proxy server must be entered into the database.
Information:
For further assistance, kindly contact Cross Identity Team.
Issue: When you click the Advanced tab, you will be redirected to the site maintenance page.
Resolution:
Validate Encryption and Decryption in Agent to resolve this issue.
Information:
For further assistance, kindly contact Cross Identity Team.
Issue: The user is unable to access Local CI and receives a '404 error' message.
Resolution:
To resolve this issue, comment out the following lines in hazelcastconfig.java on the local machine:
//config.setGroupConfig(new GroupConfig("dev", ""));
/* for local setup end */
/* for Setup in other machines START */
// config.setGroupConfig(new GroupConfig(prop.getProperty("groupName"), ""));
// List<String> hazelcastServersList = new ArrayList<>(0);
// for (int i = 1; i <= Integer.parseInt(prop.getProperty("hazelcast_servers_count")); i++) {
//     hazelcastServersList.add(prop.getProperty("hazelcast_public_ip" + i));
// }
// config.getNetworkConfig().setAddresses(hazelcastServersList);
// config.getNetworkConfig().setSmartRouting(true);
/* for Setup in other machines END */
Information:
For further assistance, kindly contact Cross Identity Team.
Issue: CI works slow in creating an identity.
Resolution:
Check to see if SMS and email are set up correctly. Due to SMS and email, we may experience slowness when creating a user or identity.
SMTP configuration was completed to resolve the slowness issue.
RabbitMq
Issue: Accounts are not getting pushed into the CI server post enabling the RabbitMq process of Recon.
Resolution:
The following configuration is mandatory for RabbitMq recon:
- The CrossRecon.war file must be deployed on the server
- Application.properties must be updated with the DB URL, username and password
- log4j.properties must have the proper log file path
- The RabbitMq server details must be updated in the Security tab of the admin portal
- recontype.properties must set rabbitmq=true (in the respective connector)
- The Cross Recon Server must be up
Finally, run the recon and check the response logs of the connector and Cross Recon.
Information:
For further assistance, kindly contact Cross Identity Team.
Reports
Issue: Unable to download any report in .pdf or .csv format. Getting "Error occurred while fetching transaction records".
Resolution:
Check to see if the reports folder is present under the following path: CIDSaas/assets/dwld. If the folder is missing, we must create a folder called "reports" to resolve the issue.
Tenant Management, App Store, Client Creation
Issue: Unable to register CI Agent.
Resolution:
This problem was discovered after Patch 715 was installed for the customer. (Please validate first if a patch has been deployed for the customer.)
Index.jsp and the Assets folder have been replaced.
Information:
For further assistance, kindly contact Cross Identity Team
Issue: Unable to connect to the local App store
The user has a local App store but the request is going to the global App Store.
Resolution:
The rows with the keys appstore_url, apptgle, appimage, appssoexe, lic and connector_war in the fluidiam_config_properties table must be updated with the local App Store URL, and the Tomcat server must be restarted.
Information:
For further assistance, kindly contact Cross Identity Team.
Issue: Unable to onboard application in App store.
The issue is with the file name.
Resolution:
Two XML files are created to onboard an application into the app store: accountattributes.xml and integratorinfo.xml.
Because the file names did not match those mentioned above, the application could not be added to the app store.
Information:
For further assistance, kindly contact Cross Identity Team.
Version 20.10
Access Management
Issue: With a load balancer, the user wants to configure two URLs, one for SSO and one for WAM.
Resolution:
Two URLs cannot be configured.
Issue: A user is trying to enter the URL of SP-Flow and encountering an "Unexpected error occurred. Please contact administrator" error.
Resolution:
This can occur if the issuer URL does not match with the URL mentioned in the CI configuration. Make sure to use the same URL to resolve this issue.
Issue: Admin attempts to change the value in password policy for Minimum and Maximum lengths and receives the error "Space is not an allowed character and cannot be added to the list"
Resolution:
Verify whether there is any space in the special_chars column of the fluidiam_password_policy table.
Remove any space from special_chars in the fluidiam_password_policy table to resolve this issue.
Information:
For further assistance, kindly contact Cross Identity Team.
Issue: AD user is unable to Reset password/Change password and receives the error message "Password could not be changed due to failure in active directory. Please try again or contact your administrator".
Resolution:
Update certificate host entries in DC configuration
Avoid configuring IP in DC.
Information:
For further assistance, kindly contact Cross Identity Team.
Issue: Create a user via AD SoT Sync, delete the user manually or via the back-end cleanup process, then reimport the user via AD SoT Sync (for example, a rehire with the same ID): the user is not activated again.
The user is not reactivated after:
- User creation via AD SoT Sync
- User deletion manually or via the back-end cleanup process
- User reimport via AD SoT Sync (example: rehire)
Resolution:
Execute the queries below for the specific users (the ***** placeholders are replaced with case-specific user data):
select * from fluidiam_users where username='*****' and tenant=****;
select * from fluidiam_user_details where username='*****' and tenant=****;
UPDATE fluidiam_users SET deleted='false' WHERE userid=*****;
UPDATE fluidiam_license_users SET status='1' WHERE user_id=******;
Information:
For further assistance, kindly contact Cross Identity Team.
Authentication Management
Issue: Getting 504-gateway error once clicked on the dashboard from admin login.
Resolution:
Execute the following queries in the DB to fix this issue:
create index audit_username_index on fluidiam_enduser_audit(username);
create index audit_operation_index on fluidiam_admin_audit(operation);
Information:
For further assistance, kindly contact Cross Identity Team.
Identity Platform
Issue: The challenge-response page displays blank for the end-user.
Resolution:
Update the configuration below to resolve this issue:
Security --> Security Questions --> select at least one of the checkboxes (the user can select both):
Do not allow username in answers | Do not allow the same answer for questions
Issue: Unable to download the file from SAPECC connector
Resolution:
Please follow the steps:
1. Change the exe file name to - FSCMS
2. Update sapecc.exe MSI folder
3. Update Thick Client Installer.
Information:
For further assistance, kindly contact Cross Identity Team.
Issue: The user is unable to login into the end-user portal, receives the error message 'Something went wrong". Subsequently, a login attempt is successful.
Resolution:
Check whether there is an issue with the configuration in the Agent.
Update the configuration in the Agent to resolve this issue.
Information:
For further assistance, kindly contact Cross Identity Team.
WAM
Issue: Clicking on the target application URL takes you to the CI login page. After logging in to CI successfully and clicking the application icon on the launchpad, it logs into the application, but when you log out, it returns to the CI login page every time.
Resolution:
A logout URL is needed for every application; it can be configured in the ciwam.properties file.
If the URL is not present, control is transferred to the end-user login page.
Information:
For further assistance, kindly contact Cross Identity Team.
Version 20.1.4
Identity Platform
Issue: User is unable to download Inward & outward MIS for Mandate & Transaction - NACH Application
Resolution:
We need to update the properties of skip elements with the necessary file extension to address this issue.
Issue: User is unable to unlock password
Resolution:
Validate if the user has permission to unlock the password.
Information:
For further assistance, kindly contact Cross Identity Team.
Issue: SMS is not working
Resolution: Check whether the customer is using a proxy server or has changed the proxy settings. If yes, the remote IP address must be entered into the DB.
Information:
For further assistance, kindly contact Cross Identity Team.
Tenant Management, App Store, Client Creation
Issue: When a user launches an IE-specific application (with CBS enabled) from chrome, the URL that opens in IE is Invalid. As a rule, URLs begin with http://.
Resolution:
The issue is resolved by Patch 532 for Sprint 30.
It is fixed in Sprint 37 as part of Patch 714.
Information:
For further assistance, kindly contact Cross Identity Team.
Issue: Unable to import the thick client application from the App store. An error occurred while contacting the application store.
Error logs:
2022-02-09 11:11:48,090 ERROR AdminAppStoreController:357 - Exception occurred
2022-02-09 11:11:48,090 ERROR sxp:35 - /opt/tomcat8.5/apache-tomcat-8.5.75/webapps/CIDSaas/assets/dwld/DLU/3385.exe (No such file or directory)
java.io.FileNotFoundException: /opt/tomcat8.5/apache-tomcat-8.5.75/webapps/CIDSaas/assets/dwld/DLU/3385.exe (No such file or directory)
Resolution: Check whether the DLU folder exists under webapps/CIDSaas/assets/dwld.
If not, create the DLU folder. This should resolve the issue.