Frequently Asked Questions (FAQ)

Version 22.37.201

Access Management              

1. Issue: User Termination is not working as per Schedule

Resolution:

Follow the steps:

1. Connector Configuration (Wrong attribute configuration in connector configuration)

2. User Data passed through connectors (User data in the response is empty - Debug Logs)

 Changes are required to connector code to resolve this issue. Kindly validate the above points. 

2. Issue:  After approval, the access request for entitlement does not reach to Connector.

Resolution:
The Display attribute in the Accounts section was "Display Name" and has been changed to "SAMAccountName" now. Because we don't have the option to change at the UI level, the update is done at the DB level. 

Follow the steps:

1. Select * from fluidiam_applications where application_id="<application id>";
    - Check the "display attribute" field value

2.  Select * from fluidiam_provisioning_attributes for the application_id="<application id>";
   - Select the attribute value to be used as a display attribute

3. Update the new display attribute value in the fluidiam_applications table.
    
    Following this change, the access request for entitlements will be sent from CI to the connector.

3. Issue: Second-level approver not getting an Approval email notification.

Resolution: 

This could be due to both users having the same email address configured. Examine the configured email addresses for both users.

4. Issue: Encountering error message "Space is not allowed character and cannot be added in the list" while updating the Account lockout threshold.
 
Resolution:

Please follow the steps:

1. Determine whether the customer is trying to save password policy details by entering a space in the ‘Allowed Special Characters field’

2. There is a checkbox labeled for Allow ‘SPACE’

3. Select the checkbox to allow ‘SPACE’ in the Special Characters Field instead of adding space.

With the above modifications from the configuration, the user can save the password policy details.

5. Issue: When an Account is imported from AD, the expiration date is displayed in Hexadecimal format.

Resolution: 

Use the following JavaScript Expression to convert Zulu time format to local time.
   function getVal(){   var last_login = USER.getAttribute('accountExpires');   var high    = last_login.substr(0,9);   var low     = last_login.substr(9,2);   var epoch   = (((parseInt(high) - 116444736) * 100) + parseInt(low) + 10800);   var millis = epoch * 1000;   var localMillis = millis - (60000 * new Date().getTimezoneOffset());   var d = new Date(localMillis);   var dd = d.getDate();   var mm = d.getMonth()+1;  var yyyy = d.getFullYear();   if(dd<10)  {       dd='0'+dd;   }  if(mm<10)  {       mm='0'+mm;   }  var res = mm+'-'+dd+'-'+yyyy;   return   res;   }

6. Issue: When SSL is enabled, unable to import users from AD.
 
Resolution:

1. Investigate if there is an issue with Port Number

2. Enter the Correct Port Number to resolve this issue.

7. Issue: Configured a scheduler to suspend user accounts based on the termination date. However, the scheduler is not being triggered.
 
Resolution: 

During manual suspend operation, the user was moved to different OU (From the connector). The same user was not returned to adManagedOU after being restored.

Then, during a scheduled suspension, it searched for the user in adManagedOU which was retrieved from Configuration, so context.search did not return any values because the user was present in different OU. As a result, a null pointer exception is thrown while searching DN value.

8. Issue: After performing a reset and recon, the user is removed from the owned accounts of the target applications.  

Resolution:
 
Replace the AdminAdapterController class file to resolve the issue.

9. Issue: The user must submit a single request for multiple Groups/Roles for the same application from the CI request access page.
 

Resolution:
The user can apply for multiple application groups/roles if the workflow process is updated with multiple entitlements.

10. Issue: WAM Logout does not work.

Resolution:

The domain name must be identical to both CID SAAS and the target application.

The configuration is based on both Tomcat and Apache usage.

For Tomcat server: Enable SSL - server.xml
For Apache server: Enable ssl.conf 

11. Issue: CI end-user and AD users are unable to log in to CI end-user portal.

Resolution: 

Verify the issue with the Security Tab policy

Changing the priority to low may help to resolve this issue. 

12. Issue: The user has access to the end-user portal outside the network IP range.
 
Resolution: Add Target and Repository to the Authentication policy to resolve this issue.

13. Issue: During the password reset, the UI displays an error message such as 'Error Occurred while resetting password', but the password change was successful.
 
Resolution:

An update password column in the “Fluidiam_smtp” table where the value is null.

Authentication Management  

14. Issue: Getting authentication error while login into the end-user portal using AD credentials.

Resolution: 

Check if we have any AD policies enabled. If yes, please enable the AD policy to 1st priority. 

15. Issue: The end-user portal cannot be accessed using an AD user. Capable of logging in with a User created in CI.

Resolution:
  Please follow steps as configuration:
  1. Sign in to CI as the Admin User
  2. Go to the Advanced tab
  3. Add custom attribute
  4. Navigate to "Identity Sources " --> "Directories" and add custom attribute as "Expression" under attribute mapping.
  5. Add expression as mentioned:
 function getVal(){       return 'ActiveDirectory';}       and import users again
  6. Go to "Authentication Policies," create one policy with a low priority and make the directory as CI, and add a static role for all users
  7. The final step is to add a higher priority policy and designate AD as a directory and add the following condition.

16. Issue: User having difficulty accessing the end-user portal. Previously, when a user was created, an email/text message with a random password was sent. When we attempt to log in with that password, we are taken to a screen where we can change our password. We can no longer log in with a randomly generated password, and when we try to reset the password using the forget password link, we get an error message saying that the password could not be changed due to an active directory failure.

Resolution:

Add 

sql_mode =   (blank)in my.cnf file to resolve this issue 

17. Issue: Email OTP is not being generated using the username and password provided in Cross Identity's SMTP Configuration.

Error message:

Caused by: javax.mail.AuthenticationFailedException: 535 5.7.139 

Authentication was unsuccessful, the user credentials were incorrect.

Resolution: Verify SMTP credentials. If they are incorrect, please contact the SMTP service provider.

18. Issue: Email does not work for service accounts when MFA is enabled.

Resolution: There are two options:

1. Do not enable MFA for the service account.

2. If enabling MFA for the service account, the regular password will not work. The user needs to generate an app password following the below steps:

   a. Go to your Google Account.

   b. Select Security.

   c. Under "Signing in to Google," select App Passwords. You may need to sign in. If you don’t have this option, it might be because:

• 2-Step Verification is not set up for your account.

• 2-Step Verification is only set up for security keys.

• Your account is through work, school, or other organizations.

• You turned on Advanced Protection.

 d. At the bottom, choose Select app and choose the app you using > Select device and choose the device you’re using > Generate.

 e. Follow the instructions to enter the App Password. The App Password is the 16-character code in the yellow bar on your device.

 f. Tap Done.

3. If the user enables MFA and does not follow the above steps, please provide the personal account credentials.

19. Issue: When you upload an IdP certificate, CI will save it in an AWS S3 bucket. During that time, it removes any spaces from the file name and uploads them to the S3 bucket. However, the exact name (including the space) is stored in the fluidiam_idp table. https://uphold-uat.Cross Identity.com/CIDSaas/default/admin/security. Hence, there will be a mismatch of the file name during the authentication flow.

Resolution:

To fix the issue, need to remove the space in the fluidiam idp table.

20. Issue: When an email OTP is not received, a null pointer exception is thrown.

If anyone receives an exception when sending mails in CI, the exception is coming from one of the three locations listed below:

#### Exception occurred while sending mail.java.lang.NullPointerException

java.lang.NullPointerException

             at java.util.Hashtable.put(Hashtable.java:460)

             at java.util.Properties.setProperty(Properties.java:166)

             at java.lang.System.setProperty(System.java:798)

             at com.fluid.iam.utility.MailUtility.sendMail2 (MailUtility.java:144)

OR

             at com.fluid.iam.utility.MailUtility.sendHtmlEmail (MailUtility.java:238)

OR

             at com.fluid.iam.utility.MailUtility.sendOTP2(MailUtility.java:333)

It means that the “tlsProtocol” value is coming as null and CI is trying to set that value in mail property and getting NullPointer exception:

Line 144:                         System.setProperty("mail.smtp.ssl.protocols", tlsProtocol);

Line 238:                         System.setProperty("mail.smtp.ssl.protocols", tlsProtocol);

Line 333:                         System.setProperty("mail.smtp.ssl.protocols", tlsProtocol);

This “tlsProtocol” value is coming from fluidiam_config_properties table. To address the issue, you must add the value in this table.

Resolution: 

Execute the below mentioned DB script in the environment to resolve the issue:

insert into fluidiam_config_properties(config_key,config_value)

values ('tls_protocol','TLSv1.2'),('debugenabled','true');

Client Creation 

Issue: Getting 'Undefined' error in the 'Import Status' tab while importing AD user into CI.

Resolution: 

Execute the following query in the DB to fix this issue:
INSERT INTO fluidiam_config_properties (config_key,config_value) VALUES ('addirectorytriggerprov', 'true');

Connector              

Issue: When importing SOT for add, modify, or delete, an exception is thrown. There is no error for Delete, and the user is not deleting from CI.

Resolution:
The problem was discovered in the CSV connector, so the connector was modified in the same way as the SOT connectors.

We used to send sot users with the Action key in older sot connectors. However, we should include the key "Employee status" in the message. This is what we changed for all the functionalities.

Identity Platform

Issue: In the application configuration, the custom application attribute is not displayed.

Resolution: 

Please follow the steps: 

1. In the IGA application, select Edit, and then Application Account Attributes

2. Click Add

3. Now, Add Application Attribute window will appear, scroll down to the bottom to see a  text box. In the text box, enter a Number (How many custom attributes do you need to create, Example:2) and check it

4. Click Add and a message will appear called "Successfully added selected attributes"

5.  As you entered 2 in Step 3, there are now 2 textboxes in Application Account Attributes

6. You can do the mapping and enter your custom attribute name in the text box here

7. Click on Save.             

Issue: Unable to redirect the CI domain URL.

Resolution:

1. Check the Apache Server’s Redirection rules

2. This can be resolved by changing the Redirection Rule.

Issue: Following the migration, the existing IGA application is unable to add application attributes and perform the mapping.
 
Resolution:

The fluidiam_assets_attributes table was dropped, and a new table was created in the migration script from sprint 30 to sprint 35. The data type of the attributes on the column has been changed from varchar to long text.

From sprint 30 to 35, we lost the data in the fluidiam_assets_attributes table. We must manually insert the data into uat as a workaround.

Issue: 

1. AD import does not work with SSL enabled (636) even though an AD SSL certificate is installed

2. After a successful AD import without SSL (389), if the AD import is re-initiated, the Status is 'Success' but the values are 'Undefined'

3. Three users were added to the CI as a result of the AD import. I deleted one user and re-initiated the import, but the deleted user was not imported.
    
   Resolution:
   Ensure to verify the SSL certificate. This issue occurs when the SSL certificate is incorrect. 

    Request users for SSL Certificate correction. 

Issue: Login as the end-user. The username is shown as NA in the top right corner.

Resolution:

In the admin portal, go to "User License" -> User menu-> Username will be chosen by default. For the first time, save this page. 

Once saved, DB entry will be made in the fluidiam_userdipattr table. After that, the username will be visible in the End User portal.

Issue: It takes time to create a user using the add user form.

Resolution:

The email address and SMS configuration must be validated with correct values. If they are incorrect, it will take time.
If they are incorrect, please disable them and verify that user creation occurs quickly.

Issue: Following a successful AD import, the total number of identities, groups, and OUs are displayed as 'Undefined".
 
Resolution:

A temporary fix patch is available (685). This patch must be deployed.

Issue: After running the recon, unable to view entitlement entry in CI.

Resolution:
The Attribute Name and Mapped Attribute must be “name”. Please follow the configuration document; 

Link of Configuration document for AD:
https://Cross Identity365.sharepoint.com/:w:/s/IntegrationsTeam/ETiPf0fUqudPvx8IFcTKxd0BgZCl7xGZsONcGqnmb4d9PA?e=qw8j83   
 All connectors and their related documents for Sprint37:

https://Cross Identity365.sharepoint.com/:f:/s/IntegrationsTeam/EqEoEueKxnxIhn-e3yj5zo4BIw3w9kh56dhRRQww37dERA?e=VHX8sZ  

Issue: Browser Preference does not work.

Resolution:

Verify if an old Extension is still in use

Update the latest extensions to resolve this issue.

Issue: The AD import status indicates Undefined, instead of numbers for processed identities.
 
Resolution: Re-install configurations to address this issue.

Issue:  Password change does not work.

Resolution:

Verify if there is a migration from 5.4 to 8 on MySQL

If yes, execute the below query to resolve this issue
SET GLOBAL sql_mode=''; 

Issue:  Sprint 30 to 37 upgrade issues  

 SOT - AD import is not working

1. The browser preference function is not functioning properly 

2. The WAM flow is not performing as expected 

3. When importing users through the CSV option, an email is sent to end-users.

 Resolution: 

  config_Propeties Queries must be added to the DB to address this issue.

Issue: High Availability Proxy configuration
 
Resolution: 

This is a change of DB server configuration level.

Instead of an Ethernet interface, we used a Management Interface in the keepalived.conf file.
 
Before
nano keepalived.conf   ! Configuration file for keepalived   vrrp_instance V1_1 {   state MASTER   interface eth0   virtual_router_id 51   priority 101   advert_int 1   authentication {   auth_type bigboss   auth_pass passw0rd   }   virtual_ipaddress {   10.10.3.99 dev eth0 label eth0:1   }   # track_script {   # chk_haproxy   # }   }  
After :
nano keepalived.conf   ! Configuration file for keepalived   vrrp_instance V1_1 {   state MASTER   interface mgt0   virtual_router_id 51   priority 101   advert_int 1   authentication {   auth_type bigboss   auth_pass passw0rd   }   virtual_ipaddress {   10.10.3.99 dev mgt0 label mgt0:1   }   # track_script {   # chk_haproxy   # }   }

Issue: The page becomes blank after upgrading from Sprint 30 to 37.

Values are missing from the fluidiam_client table.
 
Resolution:

Values must be added to the fluidiam_client table to resolve this issue.

Issue: Unable to import users from AD and a message is displayed 'Error in connecting to Directory'
 
Resolution: 

1. Validate the DN configuration 

2. Verify Username and Password. Consider changing the password.

Issue: The app store URL is not loading into CI
 
Resolution:

Consider the following points

1. Check if the internet is connected to the server

2. URLs must be whitelisted

3. Proxy issues must be resolved.

The details of the proxy server must be entered into the database.

Issue: When you click the Advanced tab, you will be redirected to the site maintenance page.
 
Resolution: 

Validate Encryption and Decryption in Agent to resolve this issue.

Issue: The user is unable to access Local CI and receives a '404 error' message.
 
Resolution:
To resolve this issue, comment on the local machine hazelcastconfig.java
 
//config.setGroupConfig(new GroupConfig("dev", ""));   /*for local setup end*/    /* for Setup in other machines START */  //  // config.setGroupConfig(new GroupConfig(prop.getProperty("groupName"), ""));  // List<String> hazelcastServersList=new ArrayList<>(0);  // for(int i=1;i<=Integer.parseInt(prop.getProperty("hazelcast_servers_count"));i++) {  // hazelcastServersList.add(prop.getProperty("hazelcast_public_ip"+i));  //  // }  // config.getNetworkConfig().setAddresses(hazelcastServersList);  // config.getNetworkConfig().setSmartRouting(true);  //  /* for Setup in other machines END */

Issue: CI works slow in creating an identity.

Resolution:
Check to see if SMS and email are set up correctly. Due to SMS and email, we may experience slowness when creating a user or identity.

SMTP configuration was completed to resolve the slowness issue.

RabbitMq             

Issue: Accounts are not getting pushed into the CI server post enabling the RabbitMq process of Recon. 

Resolution:

The following mentioned configuration is mandatory for RabbitMq recon:

1. CrossRecon.war file must be deployed in the server. Application.properties should be updated with  DB URL, username & password. log4j.properties must have the proper log file path

2. Rabbitmq server details must be updated in the Security tab in the admin portal

3. recontype.properties must set rabbitmq=true (In the respective connector)

4. Cross Recon Server must be up

5. Finally, run the recon and check the response log of connector & Cross recon. 

Reports

Issue: Unable to download any report in .pdf or .csv format. Getting "Error occurred while fetching transaction records".

Resolution: 

Check to see if the reports folder is present under the following path: CIDSaas/assets/dwld. If the folder is missing, we must create a folder called "reports" to resolve the issue.

Tenant Management, App Store, Client Creation                 

Issue: Unable to register CI Agent.

Resolution:

This problem was discovered after Patch 715 was installed for the customer. (Please validate first if a patch has been deployed for the customer.)

Index.jsp and the Assets folder have been replaced. 

Issue: Unable to connect to the local App store

The user has a local App store but the request is going to the global App Store.
 

Resolution:

rows(appstore_url,appstore_url,apptgle,appimage,appssoexe,lic,connector_war) of table fluidiam_config_properties  has to be updated with Appstore URL and restart of Tomcat server is required.

Issue: Unable to onboard application in App store.
The issue is with the file name.

Resolution:

While creating 2 XML files to onboard an application into the app store - accountattributes.xml and integratorinfo.xml -

Because the filename was not the same as mentioned above, unable to add an application to the app store.

Version 20.10

Access Management

Issue: During the load balancer user wants to configure two URLs for SSO and WAM.
 
Resolution:
Two URLs cannot be configured.

Issue: A user is trying to enter the URL of SP-Flow and encountering an "Unexpected error occurred. Please contact administrator" error.

Resolution: 

This can occur if the issuer URL does not match with the URL mentioned in the CI configuration. Make sure to use the same URL to resolve this issue.

Issue: Admin attempts to change the value in password policy for Minimum and Maximum lengths and  receives the error "Space is not an allowed character and cannot be added to the list"
 
Resolution: 

Verify if there is any space in fluidiam_password_policy table of special_chars column

Remove the space if any space from special _chars on the fluidiam_password_policy table to resolve this issue.

Issue: AD user is unable to Reset password/Change password and receives the error message "Password could not be changed due to failure in active directory. Please try again or contact your administrator".
 
Resolution:
Update certificate host entries in DC configuration

Avoid configuring IP in DC.

Issue: Create the user via AD SoT Sync, Delete the user manually or via the back-end cleanup process, Reimport the user AD SoT sync (Rehire for example with the same ID), the user is not activated again.

The user is not reactivated upon:

• User creation via AD SoT Sync

• User Deletion manually or back-end cleanup process

• User Reimport via AD SoT Sync  (Example: Rehire)
    

Resolution:
Execute the below queries for specific Users. (* sting will be replaced with case-specific user data)
 
select * from fluidiam_users where username='*****' and tenant=****; select* from fluidiam_user_details where username='*****' and tenant=****;   UPDATE fluidiam_users SET deleted='false' WHERE userid=*****; UPDATE fluidiam_license_users SET status='1' WHERE user_id=******;

Authentication Management           

Issue: Getting 504-gateway error once clicked on the dashboard from admin login.

Resolution: 

Execute the following queries in the DB to fix this issue:
 
create index audit_username_index on fluidiam_enduser_audit(username); create index audit_operation_index on fluidiam_admin_audit(operation);

Identity Platform

Issue: The challenge-response page displays blank for the end-user.

Resolution: 

Update the below configuration to resolve this issue.
Security --> Security Questions --> select any one of the checkboxes, user can select both checkbox (
Do not allow username in answers | Do not allow the same answer for questions)

Issue: Unable to download the file from SAPECC connector
 
Resolution:
Please follow the steps:
 1. Change the exe file name to - FSCMS
 2. Update sapecc.exe MSI folder
 3. Update Thick Client Installer.

Issue: The user is unable to login into the end-user portal, receives the error message 'Something went wrong". Subsequently, a login attempt is successful.
 
Resolution: 

Check that there is an issue with the configuration in Agent.

Update configurations in Agent to resolve this issue.

Issue: Clicking on the target application URL will take you to the CI login page. Login to CI successfully on the launchpad- click on the application icon, it logs into the application, but when you log out, it returns to the CI login page every time.

Resolution:
We need a logout URL for all applications, which we can configure in the ciwam.properties file.

If the URL is not present, the control is transferred to the end-user login page.

WAM    

Issue: Clicking on the target application URL will take you to the CI login page. Login to CI successfully on the launchpad- click on the application icon, it logs into the application, but when you log out, it returns to the CI login page every time.

Resolution:
We need a logout URL for all applications, which we can configure in the ciwam.properties file.

If the URL is not present, the control is transferred to the end-user login page.

Version 20.1.4

Identity Platform

Issue: User is unable to download Inward & outward MIS for Mandate & Transaction - NACH Application
 

Resolution: 

We need to update the properties of skip elements with the necessary file extension to address this issue.

Issue: User is unable to unlock password
 
Resolution: 

Validate if the user has permission to unlock the password.

Issue: SMS is not working

Resolution:  Check if the customer is using a proxy server or has made any changes to the proxy settings. If yes, the Remote IP address must be entered into the DB.

Tenant Management, App Store, Client Creation             

Issue: When a user launches an IE-specific application (with CBS enabled) from chrome, the URL that opens in IE is Invalid. As a rule, URLs begin with http://.

Resolution:
The issue is resolved with the help of Patch (532 for Sprint 30)
It is fixed in Sprint37 as it is a part of 714. 

Issue: Unable to import the thick client application from the App store. An error occurred while contacting the application store.

Error logs:

2022-02-09 11:11:48,090 ERROR AdminAppStoreController:357 - Exception occurred

2022-02-09 11:11:48,090 ERROR sxp:35 - /opt/tomcat8.5/apache-tomcat-8.5.75/webapps/CIDSaas/assets/dwld/DLU/3385.exe (No such file or directory)

java.io.FileNotFoundException: /opt/tomcat8.5/apache-tomcat-8.5.75/webapps/CIDSaas/assets/dwld/DLU/3385.exe (No such file or directory

Resolution: Check if DLU folder exists under webapps/CIDSaas/assets/dwld

If not, create a DLU folder. It should resolve the issue.