Synchronization Editor prompts for Client Secret and Grant type in Target System (Starling connect)

Hi Experts,

We tried to configure a Starling Connector with ServiceNow. The configuration in Starling Connect and Identity Manager is done. When we tried to hit "Target System" in the Synchronization Editor again, it prompts for client secret (Base64) and Grant type. It said "Cross-Domain Identity Management (ServiceNow - Connect) still contains encrypted values. These could not be decrypted when the synchronization project was loaded." We tried every combination but none is working. Could anyone shed some light on what I should fill in? Thank you.

Ronald

  • What version of Identity Manager are you using? What this tells me is that you have an encrypted database and these variables will never be decrypted by the Synchronization Editor. You will need to input these credentials each time you want to access these.

    You will need to enter the client secret in Base64 format. I usually leave the Grant type empty, which usually works for me.

  • Hi Troy, thank you for your reply

    We are using version 8.1.5. I copied the client secret from the Starling Connect page again with both the plaintext (both hyphenated xxxx-xxxx-xxx-xxx-xxxxxx and without the hyphens xxxxxxxxxxxxxxx) and the base64 one, but no luck at all. Also tried with empty Grant type or "client_credentials", still no luck.

  • The "Client secret" has to be in Base64 when you have encryption turned on.

    1. Copy the client secret from Starling Connect, and use this page to convert it to Base64: https://www.base64encode.org/

    2. Copy the Base64 value and put it in the "Client secret (Base64)" field.

    3. For "Grant type" it has to be "Client credentials". You cannot leave it blank.

    Like Troy said, you will have to input this every time you open the Sync Editor.
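
Steps 1 and 2 of the reply above can also be done locally, so the client secret is never pasted into a third-party website. The following PowerShell is an added example, not part of the original thread or of One Identity's tooling; the function name `ConvertTo-SecretBase64`, the sample value and the choice of UTF-8 bytes are assumptions.

```powershell
# Added example: Base64-encode a Starling Connect client secret locally and
# flag the copy/paste mistakes that produce a different encoded value.
# Assumption: the secret is encoded as UTF-8 bytes.
function ConvertTo-SecretBase64 {
    param(
        [Parameter(Mandatory)] [string] $Secret
    )

    # Clipboard copies often carry a trailing newline or space; encoding it
    # along with the secret yields a different Base64 string.
    $trimmed = $Secret.Trim()
    $hadWhitespace = ($trimmed.Length -ne $Secret.Length)

    # Heuristic double-encoding check: if the input itself decodes as Base64
    # to printable ASCII, it may already be an encoded value.
    $looksEncoded = $false
    if ((($trimmed.Length % 4) -eq 0) -and ($trimmed -match '^[A-Za-z0-9+/]+={0,2}$')) {
        try {
            $bytes = [Convert]::FromBase64String($trimmed)
            $text  = [Text.Encoding]::UTF8.GetString($bytes)
            $looksEncoded = ($text -match '^[\x20-\x7E]+$')
        } catch {
            $looksEncoded = $false
        }
    }

    $encoded = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($trimmed))

    # Round-trip so the value pasted into the prompt is known to decode back.
    $roundTrip = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($encoded))

    [pscustomobject]@{
        Base64             = $encoded
        HadWhitespace      = $hadWhitespace
        LooksAlreadyBase64 = $looksEncoded
        RoundTripOk        = ($roundTrip -ceq $trimmed)
    }
}

# Constructed sample value, not a real secret; note the trailing newline.
# With a real secret on the clipboard: ConvertTo-SecretBase64 -Secret (Get-Clipboard -Raw)
$result = ConvertTo-SecretBase64 -Secret "abcd-1234-efgh-5678`n"
$result | Format-List
```

`HadWhitespace` or `LooksAlreadyBase64` being true points to a copy/paste problem rather than a wrong secret.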

  • Thank you for your suggestions.

    Actually, I tried all these combinations and they all do not work

    | Client Secret | Grant Type |
    | --- | --- |
    | xxxx-xxx-xxxx-xxxx-xxxx (plaintext with dashes) | Client credentials |
    | xxxxxxxxxxxxxxxxxxx (plaintext without dashes) | Client credentials |
    | yyyyyyyyyyyyyyyyyyy (base64, encode the secret with dashes) | Client credentials |
    | zzzzzzzzzzzzzzzzzzzzz (base64, encode the secret without dashes) | Client credentials |
    | xxxx-xxx-xxxx-xxxx-xxxx (plaintext with dashes) | client_credentials |
    | xxxxxxxxxxxxxxxxxxx (plaintext without dashes) | client_credentials |
    | yyyyyyyyyyyyyyyyyyy (base64, encode the secret with dashes) | client_credentials |
    | zzzzzzzzzzzzzzzzzzzzz (base64, encode the secret without dashes) | client_credentials |

  • Hi Markus, I also tried that option but it returns

    "Could not connect to net.tcp://<hostname>:2880/RemoteConnectService. The connection attempt lasted for a time span of 00:00:21.0337797. TCP error code 10060: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because the connection host has failed to respond to xxx.xxx.xxx.xxx:2880"

  • Hi Markus,

    I think we have not configured the remote connection.

    I would like to confirm what values we should use in the "client secret (Base64)" and "grant type" to connect? There is no documentation or examples on the values, especially on the "Grant Type". As mentioned above, I have tried quite a lot of different combinations but none is working. I have a feeling that the values for client secret and grant type are something tricky.

  • Grant type should be ClientCredentials without space.

  • Thank you, but it's not working either, tried all these combinations and still no luck.

    Client credentials / client_credentials / Client_Credentials / ClientCredentials / clientcredentials

    All of them return the same error:

    [1777292] Error connecting system (Starling Connect Connector)!
    [1777223] DistributionConnector: Error connecting the system.
    Could not establish a connection to SCIM provider.

  • When do you get that error?

    Can you paste more logs, starting with "SystemConnector    Connecting target system..."

    I would suggest that you contact Support, as I know 100% that the settings I gave you work.

    With that, it means several things.

    1. Your connection from the Sync Editor to Starling (https://cloud.oneidentity.com) has an issue. Maybe you are going through a proxy. Manually double check by logging in and see if you can see your defined connectors.

    2. The defined connector, ServiceNow, isn't configured properly. You didn't delete and re-add, did you? Make sure your SCIM URL ("URI of service") is still valid.

  • Hi VilounV,

    It happens when I hit the "Target System" on the left navigation menu in the Synchronization Editor. It also prompts for input when trying to browse the target system. The connector itself should be working because I can synchronize the User and Group data to One Identity Manager from the target system (Starling Connect - ServiceNow).

    1. Yes, we can see the defined connector in the Starling page and the SCIM URL in the Sync Editor is matching. We have DEV and UAT ServiceNow, so I tried creating a new sync project with UAT ServiceNow and it behaved the same after the configuration is done (asking for client secret and grant type but returning the same error).

    2. If I click "Edit Connect..." from the Target System page, I can pass all the connection tests but at the end it throws another error:

    [1777138] Error creating connection parameter from a parameter string.
    at VI.FormBase.UILogic.TriggeredExecution._EventHandler(Object sender, EventArgs e)
    at VI.Projector.Editor.SystemConnectionControl._EditConnection()
    at VI.Projector.Connection.SystemConnectionParameterCollection.FromString(String connectionString, IValueDecrypter decrypter, ISystemConnectionParameterDescriptor parameterDescriptor, Boolean doNotDecrypt)
    [1777360] The value to encrypt was encoded with a different encryption method.
    at VI.Projector.Connection.SystemConnectionParameterCollection.FromString(String connectionString, IValueDecrypter decrypter, ISystemConnectionParameterDescriptor parameterDescriptor, Boolean doNotDecrypt)
    at VI.Projector.Security.EncryptionBase.DecryptWithCallback(String value, String key, String displayName, Boolean valueCanContainVariables, Action`1 callBack)
    at VI.Projector.Security.EncryptionBase.Decrypt(String data)

    3. Regarding the logs when I input the base64 client secret and grant type (tried both "Client Credentials" and "ClientCredentials"), here is the log for your reference. I already copied and pasted the client secret from Starling to Base64 Encode and Decode - Online to get the base64 value.

    2022-03-30 23:01:05 SystemConnector The remote server returned an error: (401) Unauthorized.
    2022-03-30 23:01:05 SystemConnector {"error":"unauthorized_client","error_description":"Invalid client secret"}
    2022-03-30 23:01:05 SystemConnector Login / authentication on connect-supervisor.cloud.oneidentity.com:/ failed.
    2022-03-30 23:01:05 SystemConnector Could not establish a connection to SCIM provider.
    2022-03-30 23:01:05 SystemConnector Reconnect count: 1. Trying to reestablish connection.
    2022-03-30 23:01:16 SystemConnector The remote server returned an error: (401) Unauthorized.
    2022-03-30 23:01:16 SystemConnector {"error":"unauthorized_client","error_description":"Invalid client secret"}
    2022-03-30 23:01:16 SystemConnector Login / authentication on connect-supervisor.cloud.oneidentity.com:/ failed.
    2022-03-30 23:01:16 SystemConnector The remote server returned an error: (401) Unauthorized.
    2022-03-30 23:01:16 SystemConnector {"error":"unauthorized_client","error_description":"Invalid client secret"}
    2022-03-30 23:01:16 SystemConnector Error during token refresh.
    2022-03-30 23:01:16 SystemConnector Connection test using /ServiceProviderConfig failed.
    2022-03-30 23:01:16 SystemConnector The remote server returned an error: (401) Unauthorized.
    2022-03-30 23:01:16 SystemConnector {"error":"unauthorized_client","error_description":"Invalid client secret"}
    2022-03-30 23:01:16 SystemConnector Reconnect count: 2. Trying to reestablish connection.
    2022-03-30 23:01:22 SqlLog (16 ms) - select top 1 IsDBSchedulerDisabled, IsJobServiceDisabled,
    case
    when exists (select top 1 1
    from QBM_VDBQueueContent
    where UID_Task = 'QBM-K-COMMONWAITFORCOMPILER'
    ) then 1
    else 0
    end as DbQueueWaitForCompiler,
    len(dbo.QBM_FGIMaintenanceRunning()) as Maintenance,
    case
    when exists (select top 1 1
    from DialogScriptAssembly a with (readpast)
    where a.IsValid = 0) then 1
    else 0
    end as InvalidAssemblies
    from DialogDatabase with (nolock)
    where IsMainDatabase = 1
    2022-03-30 23:01:27 SystemConnector The remote server returned an error: (401) Unauthorized.
    2022-03-30 23:01:27 SystemConnector {"error":"unauthorized_client","error_description":"Invalid client secret"}
    2022-03-30 23:01:27 SystemConnector Login / authentication on connect-supervisor.cloud.oneidentity.com:/ failed.
    2022-03-30 23:01:27 SystemConnector The remote server returned an error: (401) Unauthorized.
    2022-03-30 23:01:27 SystemConnector {"error":"unauthorized_client","error_description":"Invalid client secret"}
    2022-03-30 23:01:27 SystemConnector Error during token refresh.
    2022-03-30 23:01:27 SystemConnector Connection test using /ServiceProviderConfig failed.
    2022-03-30 23:01:27 SystemConnector The remote server returned an error: (401) Unauthorized.
    2022-03-30 23:01:27 SystemConnector {"error":"unauthorized_client","error_description":"Invalid client secret"}
    2022-03-30 23:01:27 SystemConnector Reconnect count: 3. Trying to reestablish connection.

    .... (skipping some lines as it retried for 10 times)

    2022-03-30 23:02:45 SystemConnector Reconnect count: 10. Trying to reestablish connection.
    2022-03-30 23:02:52 SqlLog (13 ms) - select top 1 IsDBSchedulerDisabled, IsJobServiceDisabled,
    case
    when exists (select top 1 1
    from QBM_VDBQueueContent
    where UID_Task = 'QBM-K-COMMONWAITFORCOMPILER'
    ) then 1
    else 0
    end as DbQueueWaitForCompiler,
    len(dbo.QBM_FGIMaintenanceRunning()) as Maintenance,
    case
    when exists (select top 1 1
    from DialogScriptAssembly a with (readpast)
    where a.IsValid = 0) then 1
    else 0
    end as InvalidAssemblies
    from DialogDatabase with (nolock)
    where IsMainDatabase = 1
    2022-03-30 23:02:55 SystemConnector The remote server returned an error: (401) Unauthorized.
    2022-03-30 23:02:55 SystemConnector {"error":"unauthorized_client","error_description":"Invalid client secret"}
    2022-03-30 23:02:55 SystemConnector Login / authentication on connect-supervisor.cloud.oneidentity.com:/ failed.
    2022-03-30 23:02:56 SystemConnector The remote server returned an error: (401) Unauthorized.
    2022-03-30 23:02:56 SystemConnector {"error":"unauthorized_client","error_description":"Invalid client secret"}
    2022-03-30 23:02:56 SystemConnector Error during token refresh.
    2022-03-30 23:02:56 SystemConnector Connection test using /ServiceProviderConfig failed.
    2022-03-30 23:02:56 SystemConnector The remote server returned an error: (401) Unauthorized.
    2022-03-30 23:02:56 SystemConnector {"error":"unauthorized_client","error_description":"Invalid client secret"}
    2022-03-30 23:02:56 GenericPool Getting item...
    2022-03-30 23:02:56 GenericPool Got existing item: SCIM
    2022-03-30 23:02:56 GenericPool Release item: SCIM
    2022-03-30 23:02:56 VI.FormBase.ExceptionMgr Error connecting system (Starling Connect Connector)!

  • Based on this error I see, it's the Client Secret that is incorrect.

    2022-03-30 23:02:55 SystemConnector {"error":"unauthorized_client","error_description":"Invalid client secret"}

    In Starling Connect, click the "COPY" button next to the "Show SCIM client secret" and put that value in the Base64 encoding website. Copy that encoded value to the popup in the sync project.