This document will cover some of the common questions and problems around Automated Provisioning.

If the Troubleshooting Tool, Things to Check sections and Authentication Setup do not provide a suitable answer to your question, contact Support.

Troubleshooting Tool

To assist with troubleshooting, the iQmetrix 3PA Troubleshooting Tool allows you to see the data the WSTrust endpoint is returning.

  1. Download the zipped folder
  2. Extract the folder
  3. Open iQmetrixThirdPartyAuthenticationTest.exe.config with Notepad or another text editor
  4. Modify values, see Configuration
  5. Double click on iQmetrixThirdPartyAuthenticationTest.exe to run the tool
  6. Interpret the Response


<?xml version="1.0"?>
        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2"/>
    <add key="WsTrustEndpoint" value="{WsTrustEndpoint}"/>
    <add key="Username" value="{Username}"/>
    <add key="Password" value="{Password}"/>
Value Required? Description Example
WsTrustEndpoint Required WSTrust endpoint for your ADSF system https://adfs.retaillabs.io/adfs/services/trust/13/UsernameMixed
Username Optional Username. If not provided, you will be prompted for credentials when you run the tool testuser9a@retaillabs.io
Password Optional Password. If not provided, you will be prompted for credentials when you run the tool Password1


The tool will display all data returned from the provided WSTrust endpoint.

The fields in the response depend on which claims you have configured, as shown in the following table.

Using endpoint {ConfigWsTrustEndpoint}
'{ConfigUsername}' succeeded
UserName: '{Username}'
EmailAddress: '{Email}'
FirstName: '{FirstName}'
LastName: '{LastName}'
AssignedEntityClientEntityId: '{AssignedEntityClientEntityId}'
AssignedEntityClientEntityIds: '{AssignedEntityClientEntityIds}'
SecurityGroupName: '{SecurityGroupName}'
HomePhoneNumber: {HomePhoneNumber}
WorkPhoneNumber: {WorkPhoneNumber}
CellPhoneNumber: {CellPhoneNumber}
ClientUserId: '{ClientUserId}'
Attribute {AttributeName}: '{AttributeValue}'
Attribute {CustomAttributeName}: '{CustomAttributeValue}'
Value RQ Usage Source Example
WsTrustEndpoint Used to access your ADFS system Config file https://adfs.retaillabs.io/adfs/services/trust/13/UsernameMixed
ConfigUsername Used to access your ADFS system Config file or login prompt testuser9a@retaillabs.io
Username Employee username http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn testuser9a@retaillabs.io
Email Employee email http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress testuser9a@retaillabs.io
FirstName Employee first name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname Test
LastName Employee last name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname User 9aa
AssignedEntityClientEntityId Identifier for a node in the company tree this employee should be assigned to. Either this or AssignedEntityClientEntityIds is required http://iqmetrix.net/claims/assignedEntityClientEntityId KY
AssignedEntityClientEntityIds Identifiers for nodes in the company tree this employee should be assigned to. Either this or AssignedEntityClientEntityId is required http://iqmetrix.net/claims/assignedEntityClientEntityIds KY,MK,FW
SecurityGroupName Name of the security group in your system this employee belongs to http://iqmetrix.net/claims/securityGroupName Dealer
HomePhoneNumber Employee home number http://iqmetrix.net/claims/telephoneNumbers/home 8888888888
WorkPhoneNumber Employee work number http://iqmetrix.net/claims/telephoneNumbers/work 6666666666
CellPhoneNumber Employee cell number http://iqmetrix.net/claims/telephoneNumbers/cell 5555555555
ClientUserId Identifier for the employee in your system http://iqmetrix.net/claims/clientUserId 123123
AttributeName Name of an RQ field Defined in RQ CompensationType
AttributeValue Value for a RQ field http://iqmetrix.net/claims/attributes/(AttrName) Salaried
CustomAttributeName Name of a custom field in RQ Custom field defined in RQ YourCustomField
CustomAttributeValue Value of a custom field in RQ http://iqmetrix.net/claims/attributes/rqCustomField_(AttrName) TheValue
Using endpoint https://adfs.retaillabs.io/adfs/services/trust/13/UsernameMixed
'testuser9a@retaillabs.io' succeeded
UserName: 'testuser9a@retaillabs.io'
EmailAddress: 'testuser9a@retaillabs.io'
FirstName: 'Test'
LastName: 'User 9aa'
AssignedEntityClientEntityId: 'KY'
SecurityGroupName: 'Dealer'
HomePhoneNumber: [not set]
WorkPhoneNumber: [not set]
CellPhoneNumber: [not set]
ClientUserId: '123123'
Attribute CompensationType: 'Salaried'
Attribute YourCustomField: 'TheValue'

Things to Check

If… Try…
A user can not login Checking Claims
The security role for a user is not updated Mapping your Security Roles
The user is not assigned a security role for a location Mapping your Company Tree
Users are being duplicated in RQ Checking User Ids

Checking Claims

One of the claims: AssignedEntityClientEntityId or AssignedEntityClientEntityIds must be provided so RQ knows at which level to assign the security role for the employee.

For more information, see Claims.

Mapping your Security Roles

Every value that may be returned from your system using the securityGroupName claim must be mapped to a SecurityRoleName in Hub using the following steps:

  1. Log into Hub
  2. Click on Settings in sidebar
  3. Click on Authentication Setup from the options on the page
    • If you do not see Authentication Setup, contact Support to ensure your security roles are mapped correctly
  4. Scroll down to Hub Security Roles Mapping
  5. Ensure each role in your system is mapped to a Hub Security Role
  6. Ensure the values in Identity Provider Role match the names of the roles in your system exactly

Figure 1: Security Role Mapping in Hub

Mapping your Company Tree

Every value that may be returned from your system using the assignedEntityClientEntityId or assignedEntityClientEntityIds claim must be mapped as a External Node Identifier in Hub using the following steps:

  1. Log into Hub
  2. Click on Settings in sidebar
  3. Click on Companies from the options on the page
  4. Ensure each value from your system is mapped to a Company Tree Node in the form of an External Node Identifier

Figure 2: Company Tree Mapping in Hub

Checking User Ids

Every user in your system must have a unique identifier that will be set as a ClientUserId on the appropriate RQ user.

This is necessary for RQ to know which employee is logging in. Non-unique values may result in duplicate employees in RQ.

Was this page helpful?