Overview

This document will cover some of the common questions and problems around Automated Provisioning.

If the Troubleshooting Tool, Things to Check sections and Authentication Setup do not provide a suitable answer to your question, contact Support.

Troubleshooting Tool

To assist with troubleshooting, the iQmetrix 3PA Troubleshooting Tool allows you to see the data the WSTrust or OAuth2 endpoint is returning.

  1. Download the zipped folder
  2. Extract the folder
  3. Double click on iQmetrixThirdPartyAuthenticationTest.exe to run the tool
  4. Modify values in the form
  5. Click Submit
  6. Interpret the response

WSTrust Configuration

WSTrust Configuration

Value Required? Description Example
Type Required The type of authentication WSTrust
Authentication URL Required Endpoint for your provider https://adfs.retaillabs.io/adfs/services/trust/13/UsernameMixed
Username Required Username testuser1@retaillabs.io
Password Required Password Password1

OAuth2 Configuration

OAuth2 Configuration

Value Required? Description Example
Type Required The type of authentication Oauth 2
Authentication URL Required OAuth2 endpoint for your provider https://dev-127466.oktapreview.com/oauth2/ausaoaasbu3aA0nqu0h7/v1
Username Required Username qatester02@luketester.com
Password Required Password Password1
ClientId Required Client Id, provided in onboarding package 9kYE48IocKMMi6pdnUe
ClientSecret Required Client Secret, provided in onboarding package y8gXmhNBrztBtul7h53Zg8NT7L3MEl8ZWcY1Io14

Response

The tool will display all data returned from the provided WSTrust or OAuth2 endpoint.

The fields in the response depend on which claims you have configured, as shown in the following table.

UserName: '{Username}'
EmailAddress: '{Email}'
FirstName: '{FirstName}'
LastName: '{LastName}'
AssignedEntityClientEntityId: '{AssignedEntityClientEntityId}'
AssignedEntityClientEntityIds: '{AssignedEntityClientEntityIds}'
SecurityGroupName: '{SecurityGroupName}'
HomePhoneNumber: {HomePhoneNumber}
WorkPhoneNumber: {WorkPhoneNumber}
CellPhoneNumber: {CellPhoneNumber}
ClientUserId: '{ClientUserId}'
Attribute {AttributeName}: '{AttributeValue}'
Attribute {CustomAttributeName}: '{CustomAttributeValue}'
Value RQ Usage Source Example
Username Employee username http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn testuser9a@retaillabs.io
Email Employee email http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress testuser9a@retaillabs.io
FirstName Employee first name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname Test
LastName Employee last name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname User 9aa
AssignedEntityClientEntityId Identifier for a node in the company tree this employee should be assigned to. Either this or AssignedEntityClientEntityIds is required http://iqmetrix.net/claims/assignedEntityClientEntityId KY
AssignedEntityClientEntityIds Identifiers for nodes in the company tree this employee should be assigned to. Either this or AssignedEntityClientEntityId is required http://iqmetrix.net/claims/assignedEntityClientEntityIds KY,MK,FW
SecurityGroupName Name of the security group in your system this employee belongs to http://iqmetrix.net/claims/securityGroupName Dealer
HomePhoneNumber Employee home number http://iqmetrix.net/claims/telephoneNumbers/home 8888888888
WorkPhoneNumber Employee work number http://iqmetrix.net/claims/telephoneNumbers/work 6666666666
CellPhoneNumber Employee cell number http://iqmetrix.net/claims/telephoneNumbers/cell 5555555555
ClientUserId Identifier for the employee in your system http://iqmetrix.net/claims/clientUserId 123123
AttributeName Name of an RQ field Defined in RQ CompensationType
AttributeValue Value for a RQ field http://iqmetrix.net/claims/attributes/(AttrName) Salaried
CustomAttributeName Name of a custom field in RQ Custom field defined in RQ YourCustomField
CustomAttributeValue Value of a custom field in RQ http://iqmetrix.net/claims/attributes/rqCustomField_(AttrName) TheValue
Example
UserName: 'testuser9a@retaillabs.io'
EmailAddress: 'testuser9a@retaillabs.io'
FirstName: 'Test'
LastName: 'User 9aa'
AssignedEntityClientEntityId: 'KY'
SecurityGroupName: 'Dealer'
HomePhoneNumber: [not set]
WorkPhoneNumber: [not set]
CellPhoneNumber: [not set]
ClientUserId: '123123'
Attribute CompensationType: 'Salaried'
Attribute YourCustomField: 'TheValue'

Things to Check

If… Try…
A user can not login Checking Claims
The security role for a user is not updated Mapping your Security Roles
The user is not assigned a security role for a location Mapping your Company Tree
Users are being duplicated in RQ Checking User Ids

Checking Claims

One of the claims: AssignedEntityClientEntityId or AssignedEntityClientEntityIds must be provided so RQ knows at which level to assign the security role for the employee.

For more information, see Claims.

Mapping your Security Roles

Every value that may be returned from your system using the securityGroupName claim must be mapped to a SecurityRoleName in Hub using the following steps:

  1. Log into Hub
  2. Click on Settings in sidebar
  3. Click on Authentication Setup from the options on the page
    • If you do not see Authentication Setup, contact Support to ensure your security roles are mapped correctly
  4. Scroll down to Hub Security Roles Mapping
  5. Ensure each role in your system is mapped to a Hub Security Role
  6. Ensure the values in Identity Provider Role match the names of the roles in your system exactly

Screen shot of security role mapping

Mapping your Company Tree

Every value that may be returned from your system using the assignedEntityClientEntityId or assignedEntityClientEntityIds claim must be mapped as a External Node Identifier in Hub using the following steps:

  1. Log into Hub
  2. Click on Settings in sidebar
  3. Click on Companies from the options on the page
  4. Ensure each value from your system is mapped to a Company Tree Node in the form of an External Node Identifier

Screen shot showing company tree mapping in Hub

Checking User Ids

Every user in your system must have a unique identifier that will be set as a ClientUserId on the appropriate RQ user.

This is necessary for RQ to know which employee is logging in. Non-unique values may result in duplicate employees in RQ.

Was this page helpful?