Troubleshooting System for Cross-domain Identity Management (SCIM) Error Messages

This page covers SCIM error messages and troubleshooting methods.

SCIM Error Messages

When configuring SCIM, you may see the following errors if your provisioning agent communicates with Directory Server over HTTPS: 

Note: When configuring SCIM, if you do not want your provisioning agent to communicate with Directory Server over HTTPS, please see Bypass HTTPS Communication.

"Connection reset" Error

This error occurs when no certificate is bound to HTTPS port 5049 in XMLEndpointUtility.exe.

To resolve this error, you must ensure that a certificate is bound to the Laserfiche Directory Server HTTPS port 5049 by using XMLEndpointUtility.exe.

"Unable to find valid certification path to requested target" Error

This error occurs because the cacerts file of the Okta agent's Java Runtime Environment does not contain the Laserfiche Directory Server HTTPS certificate.

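To resolve this error, open a command prompt (not PowerShell) as an administrator and run the following command, where <1> is the path to the keytool executable of the agent's Java Runtime Environment, <2> is the path to its cacerts file, <3> is an alias for the certificate, and <4> is the path to the Laserfiche Directory Server HTTPS certificate file: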

"<1>" -import -trustcacerts -keystore "<2>" -storepass changeit -noprompt -alias <3> -file "<4>"

Note: If you wish to bypass this error, you must make sure your provisioning agent does not communicate with Directory Server over HTTPS. To learn more, please see Bypass HTTPS Communication.

Bypass HTTPS Communication

When bypassing HTTPS for communication between Okta's provisioning agent and Laserfiche Directory Server, it is recommended that the provisioning agent and Laserfiche Directory Server be on the same machine, so that the unencrypted SCIM traffic does not cross the network.

Note: It is recommended to have the Okta provisioning agent communicate with Laserfiche Directory Server over HTTPS. The Base SCIM URL link generated in Laserfiche Directory Server defaults to the HTTPS Directory Server endpoint.

  1. Allow HTTP communication for Okta's provisioning agent by appending allowHttp = true to the agent.config file. By default, the location of this file is C:\Program Files\Okta\On-Premises Provisioning Agent\current\user\config\ProvisioningAgent\agent.config.
  2. After this value is added, restart the Okta On-Premise Provisioning Agent service.
  3. Now, specify http://<lfdsMachine>:5048/lflicmgr/SCIM/v1/<licensingSiteName>/<idpId> as the SCIM connect base URL in Okta, replacing <lfdsMachine>, <licensingSiteName>, and <idpId> in the URL with your information.
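
A configuration check for the bypass described above, as an added example that is not part of the original page or of Laserfiche's or Okta's tooling: it reads the agent.config text and the SCIM base URL and reports when the HTTP setting would send SCIM traffic off the machine. The function names, the one-setting-per-line parsing of agent.config, and the sample host, site and IdP values are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: agent.config holds one "key = value" setting per line,
# as in the "allowHttp = true" line the steps above append.
ALLOW_HTTP = re.compile(r"^\s*allowHttp\s*=\s*(\S+)\s*$", re.I | re.M)

def is_local_host(host, local_names=()):
    """True for loopback addresses, localhost, or names the caller lists as this machine."""
    if host.lower() in {"localhost", *(n.lower() for n in local_names)}:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # an unlisted name is treated as remote

def audit_scim_transport(agent_config_text, base_url, local_names=()):
    """Return findings for an agent.config text and the SCIM base URL set in Okta."""
    allow_http = any(v.lower() == "true" for v in ALLOW_HTTP.findall(agent_config_text))
    url = urlsplit(base_url)
    host = url.hostname or ""
    if url.scheme == "https":
        # HTTPS in use: the HTTP allowance is not needed.
        return ["allowHttp = true is set although the base URL is HTTPS"] if allow_http else []
    if url.scheme != "http":
        return [f"unexpected scheme {url.scheme!r} in base URL"]
    findings = []
    if not allow_http:
        findings.append("base URL is HTTP but agent.config lacks allowHttp = true")
    if not is_local_host(host, local_names):
        findings.append(f"HTTP base URL targets {host!r}, not this machine: "
                        "SCIM requests and credentials cross the network unencrypted")
    return findings

if __name__ == "__main__":
    # Constructed sample values; exampleKey, the host and the site/IdP names are placeholders.
    sample_config = "exampleKey = value\nallowHttp = true\n"
    for url in ("http://localhost:5048/lflicmgr/SCIM/v1/ExampleSite/example-idp",
                "http://lfds01.example.test:5048/lflicmgr/SCIM/v1/ExampleSite/example-idp",
                "https://lfds01.example.test:5049/lflicmgr/SCIM/v1/ExampleSite/example-idp"):
        print(url, "->", audit_scim_transport(sample_config, url) or "no findings")
```

Pass the machine's own host names in local_names so that a base URL using the server's real name is not reported as remote.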

Troubleshooting SCIM with Event Viewer App

To view the event logs from Laserfiche Directory Server, open the Event Viewer app on the Windows machine where Laserfiche Directory Server is installed.

  1. On your machine, open the Event Viewer app.
  2. Click Applications and Services Logs, then click Laserfiche.
  3. Select Directory Service, then click Server.

  4. Click Operational trace. Select the error to view the event details. For examples of error events, see the event description images below.
    • If a user is registered using SCIM, but no more licenses are available, then the event description will look like this:

    • If the Basic Authentication credentials are changed in Laserfiche Directory Server, but not in Okta, then the event description will look like this: