<div dir="ltr"><div dir="ltr">Hello MidPoint Community,<br><br>Mederly, thank you for your referral.<div>I tried to configure an inbound mapping on MidPoint 4.9 to synchronize resource group memberships (stored in an icfs:groups attribute on the __ACCOUNT__ object) into focus assignments (specifically, assigning the RoleType that owns the corresponding group entitlement).<br>I have successfully configured the simulated reference in <capabilities><configured><cap:references> linking the account's icfs:groups attribute to the group's unique identifier (icfs:uid). Let's call this reference UserGroupMembershipRef.<br>The challenge lies in configuring the <inbound> mapping for the icfs:groups attribute within <schemaHandling><objectType name="__ACCOUNT__">. According to the documentation (like the Grouper connector example at <a href="https://docs.evolveum.com/midpoint/reference/master/resources/entitlements/#associationsreferences-versus-attributes">https://docs.evolveum.com/midpoint/reference/master/resources/entitlements/#associationsreferences-versus-attributes</a>), I should use the associationSynchronization evaluator.<br>However, I am encountering contradictory XML validation errors when trying different structures based on the documentation and logical alternatives:<br><br><b>Attempt 1: Following Documentation Structure</b><br>Based on the documentation, I tried this structure for the <inbound> block:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><i><inbound><br></i><i> <name>Sync Group Membership</name><br></i><i> <strength>strong</strength><br></i><i> <target><path>assignment</path></target><br></i><i> <expression><br></i><i> <associationSynchronization><br></i><i> <associationType>UserGroupMembershipRef</associationType> <!-- As per docs example --><br></i><i> <objectRef><br></i><i> <mapping><br></i><i> <name>Find Role Owner</name><br></i><i> <strength>strong</strength><br></i><i> <expression> <!-- As per docs example --><br></i><i> <evaluator>shadowOwnerReferenceSearch</evaluator><br></i><i> </expression><br></i><i> <target><path>targetRef</path></target><br></i><i> </mapping><br></i><i> </objectRef><br></i><i> <correlation><br></i><i> <correlators><items><item><ref>targetRef</ref></item></items></correlators><br></i><i> </correlation><br></i><i> <synchronization><br></i><i> <reaction><situation>unmatched</situation><action>addFocusValue</action></reaction><br></i><i> <reaction><situation>matched</situation><action>synchronize</action></reaction><br></i><i> <reaction><situation>unlinked</situation><action>delete</action></reaction><br></i><i> </synchronization><br></i><i> </associationSynchronization><br></i><i> </expression><br></i><i></inbound></i></blockquote><br><b>Errors Encountered with Attempt 1:</b><br><ol><li>No field 'evaluator' in class class com.evolveum.midpoint.xml.ns._public.common.common_3.ExpressionType: This error occurs pointing to the <evaluator>shadowOwnerReferenceSearch</evaluator> line within <objectRef><mapping>. It seems the generic <evaluator> tag is not allowed here in 4.9.</li><li>If I could get past the first error, I also previously received Item associationType has no definition (in value CTD ({.../common/common-3}AssociationSynchronizationExpressionEvaluatorType)) pointing to the <associationType> line, suggesting it's also not allowed directly under <associationSynchronization> as shown in the docs.</li></ol><div><br><b>Attempt 2: Using Specific Tags & Removing <associationType></b><br>Based on the errors above, I tried using the specific <shadowOwnerReferenceSearch/> tag and removing <associationType>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><i><inbound><br></i><i> <name>Sync Group Membership</name><br></i><i> <strength>strong</strength><br></i><i> <target><path>assignment</path></target><br></i><i> <expression><br></i><i> <associationSynchronization><br></i><i> <!-- associationType removed based on previous error --><br></i><i> <objectRef><br></i><i> <mapping><br></i><i> <name>Find Role Owner</name><br></i><i> <strength>strong</strength><br></i><i> <shadowOwnerReferenceSearch/> <!-- USING SPECIFIC TAG --><br></i><i> <target><path>targetRef</path></target><br></i><i> </mapping><br></i><i> </objectRef><br></i><i> <correlation><br></i><i> <correlators><items><item><ref>targetRef</ref></item></items></correlators><br></i><i> </correlation><br></i><i> <synchronization><br></i><i> <reaction><situation>unmatched</situation><action>addFocusValue</action></reaction><br></i><i> <reaction><situation>matched</situation><action>synchronize</action></reaction><br></i><i> <reaction><situation>unlinked</situation><action>delete</action></reaction><br></i><i> </synchronization><br></i><i> </associationSynchronization><br></i><i> </expression><br></i><i></inbound></i></blockquote><br><b>Error Encountered with Attempt 2:</b><br><ul><li>Item shadowOwnerReferenceSearch has no definition (in value CTD ({.../common/common-3}InboundMappingType)): This error now occurs pointing to the <shadowOwnerReferenceSearch/> tag within <objectRef><mapping>. The validator rejects the specific tag here as well.<br></li></ul><div><br><b>Summary of Contradiction:</b><br>The MidPoint 4.9 validator seems to reject both the documented <expression><evaluator>shadowOwnerReferenceSearch</evaluator></expression> structure and the logical alternative <shadowOwnerReferenceSearch/> tag within the <objectRef><mapping> context of an inbound associationSynchronization. It also seems to reject the documented placement of <associationType>.<br>I have also confirmed via the Admin GUI documentation 1 that the GUI expression editor is limited and does not support selecting associationSynchronization directly.<br><br><b>Request:</b><br>Could someone please provide the exact, validated XML syntax required in MidPoint 4.9 for an <inbound> mapping (within <schemaHandling>) that correctly uses the associationSynchronization evaluator, including the proper way to configure the nested objectRef mapping with shadowOwnerReferenceSearch (or its equivalent) and specify the associationType (if needed)?<br>Is this a known issue, a documentation inconsistency, or am I missing a different structural approach for 4.9?<br><br>Thank you very much for your help!<br><br>Best regards,<br>Rafael Mantellatto</div></div></div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">Em qui., 24 de abr. de 2025 às 12:20, Pavol Mederly via midPoint <<a href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a>> escreveu:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><u></u>
<div>
<p>Hello Rafael,</p>
<p>the <association> tag is the way to go. Please see <a href="https://docs.evolveum.com/midpoint/reference/support-4.9/resources/entitlements/" target="_blank">https://docs.evolveum.com/midpoint/reference/support-4.9/resources/entitlements/</a>,
in particular how to define a simulated reference type (of
subject-to-object type, in your case), and then how to define an
inbound mapping to assignments.</p>
<p>Regards,<br>
</p>
<pre cols="72">--
Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank">evolveum.com</a></pre>
<div>On 24/04/2025 14:52, Rafael Mantellatto
via midPoint wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hello MidPoint Community,
<div><br>
I am currently working with MidPoint 4.9 and integrating a <a href="https://jumpcloud.com/" target="_blank">JumpCloud</a> resource. I need
assistance with mapping group memberships from the JumpCloud
resource shadow (__ACCOUNT__) to RoleType assignments on the
corresponding MidPoint UserType focus object.</div>
<div><br>
<b>Goal:<br>
</b>The resource shadow (__ACCOUNT__) has an attribute
icfs:groups which contains the identifier(s) of the JumpCloud
group(s) the user belongs to. I want to configure MidPoint so
that during synchronization, it creates/removes AssignmentType
entries under the user's assignment path, where each
assignment's targetRef points to the RoleType object in
MidPoint that corresponds to the JumpCloud group ID.<br>
<br>
<b>Configuration Overview:</b><br>
<ul>
<li style="margin-left:15px">Resource: JumpCloud Connector</li>
<li style="margin-left:15px">MidPoint Version: 4.9</li>
<li style="margin-left:15px">Account Mapping: __ACCOUNT__
(kind: account) maps icfs:groups (String/Multivalue
String).</li>
<li style="margin-left:15px">Role Mapping: __GROUP__ (kind:
entitlement) maps icfs:uid (JumpCloud Group ID) to the
RoleType's identifier attribute.</li>
</ul>
<b>Attempts and Failures:</b><br>
I have tried several approaches within the schemaHandling for
the __ACCOUNT__ object type's icfs:groups attribute, but have
encountered issues:</div>
<div><br>
</div>
<div>1) Direct Inbound Mapping ("As Is"):
<div>
<ul>
<li style="margin-left:15px">Configured <inbound>
with
<target><path>c:assignment</path></target>
and no <expression> (implicit "As Is").</li>
<li style="margin-left:15px">Error: Failed during
reconciliation with java.lang.IllegalArgumentException:
Expected class
com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType
type, but got class java.lang.String. MidPoint expected
an AssignmentType object, not the raw group ID string.</li>
</ul>
</div>
2) <association> Tag:<br>
<ul>
<li style="margin-left:15px">Tried adding an
<association> definition within the <attribute
ref="icfs:groups"> tag in schemaHandling.</li>
<li style="margin-left:15px">Error: Failed to save the
resource XML with a schema validation error: Item
association has no definition (in value CTD
({.../common/common-3}ResourceAttributeDefinitionType)).</li>
</ul>
3) Inbound Script (Returning AssignmentType):<br>
<ul>
<li style="margin-left:15px">Wrote a Groovy script within
<inbound><expression><script><code>...</code></script></expression>
targeting c:assignment. The script aims to:</li>
<ul>
<li style="margin-left:15px">Receive the group ID(s).</li>
<li style="margin-left:15px">Find the corresponding
RoleType OID using midpoint.searchObjects.</li>
<li style="margin-left:15px">Construct and return an
AssignmentType with the targetRef populated.</li>
</ul>
<li style="margin-left:15px">Errors Encountered in Script:</li>
<ul>
<li style="margin-left:15px">Using
midpoint.searchObjects(RoleType.class, objectQuery):
Failed with groovy.lang.MissingMethodException: No
signature of method: ...searchObjects() is applicable
for argument types: (Class,
com.evolveum.midpoint.prism.query.ObjectQuery) ....</li>
<li style="margin-left:15px">Using
midpoint.searchObjects(RoleType.class, queryFilter)
(passing EqualFilterImpl directly): Failed with the same
MissingMethodException.</li>
<li style="margin-left:15px">Using
ObjectQuery.createObjectQuery(queryFilter): Failed with
java.lang.NoSuchMethodError: No signature of method:
static
com.evolveum.midpoint.prism.query.ObjectQuery.createObjectQuery()
is applicable for argument types:
(com.evolveum.midpoint.prism.impl.query.EqualFilterImpl)
....</li>
<li style="margin-left:15px">Using
QueryBuilder.queryFor(...): Failed compilation with
unable to resolve class
com.evolveum.midpoint.prism.query.QueryBuilder.</li>
<li style="margin-left:15px">Conclusion: It seems the
necessary query API (searchObjects, QueryBuilder,
ObjectQuery.createObjectQuery) is not available or
working correctly within the context of this specific
inbound script expression in MidPoint 4.9.</li>
</ul>
</ul>
<b>Relevant XML Snippets:</b><br>
<div style="color:rgb(123,136,161);background-color:rgb(30,33,39);font-family:Consolas,"Courier New",monospace;font-size:12px;line-height:16px">
<div><span style="color:rgb(76,86,106);font-style:italic"><!--</span><span style="color:rgb(97,110,136);font-style:italic"> Within
Resource XML </span><span style="color:rgb(76,86,106);font-style:italic">--></span></div>
</div>
<div style="color:rgb(123,136,161);background-color:rgb(30,33,39);font-family:Consolas,"Courier New",monospace;font-size:12px;line-height:16px"><span style="color:rgb(129,161,193)"><schemaHandling></span>
<objectType id="5"><br>
<kind>account</kind><br>
<displayName>__ACCOUNT__</displayName><br>
<delineation><br>
<objectClass>ri:AccountObjectClass</objectClass><br>
</delineation><br>
<focus><br>
<type>c:UserType</type><br>
</focus><br>
<attribute id="9"><br>
<ref>ri:email</ref><br>
<inbound id="10"><br>
<name>Map User Email</name><br>
<strength>strong</strength><br>
<target><br>
<path>emailAddress</path><br>
</target><br>
</inbound><br>
</attribute><br>
<attribute id="11"><br>
<ref>ri:firstname</ref><br>
<inbound id="12"><br>
<name>Map User
Firstname</name><br>
<strength>strong</strength><br>
<target><br>
<path>givenName</path><br>
</target><br>
</inbound><br>
</attribute><br>
<attribute id="13"><br>
<ref>ri:lastname</ref><br>
<inbound id="14"><br>
<name>Map User
Lastname</name><br>
<strength>strong</strength><br>
<target><br>
<path>familyName</path><br>
</target><br>
</inbound><br>
</attribute><br>
<attribute id="15"><br>
<ref>icfs:uid</ref><br>
<inbound id="16"><br>
<name>Map User UID</name><br>
<strength>strong</strength><br>
<target><br>
<path>extension/jumpCloudUid</path><br>
</target><br>
</inbound><br>
</attribute><br>
<attribute id="17"><br>
<ref>icfs:name</ref><br>
<inbound id="18"><br>
<name>Map User
Username</name><br>
<strength>strong</strength><br>
<target><br>
<path>name</path><br>
</target><br>
</inbound><br>
</attribute><br>
<attribute id="19"><br>
<ref>ri:suspended</ref><br>
<inbound id="20"><br>
<name>Map User Status</name><br>
<strength>strong</strength><br>
<expression><br>
<script><br>
<code>if (input == null) {<br>
return 'enabled'<br>
}<br>
<br>
// No JumpCloud, suspended=true significa usuário
desabilitado<br>
// No MidPoint, precisamos retornar 'disabled' quando
suspended=true<br>
return input ? 'disabled' : 'enabled'</code><br>
</script><br>
</expression><br>
<target><br>
<path>activation/administrativeStatus</path><br>
</target><br>
</inbound><br>
</attribute><br>
<attribute id="170"><br>
<ref>icfs:groups</ref><br>
<inbound id="196"><br>
<name>Map User Membership to Role
Assignment (Script)</name><br>
<strength>strong</strength><br>
<expression><br>
<script><br>
<code>import
com.evolveum.midpoint.xml.ns._public.common.common_3.RoleType<br>
import
com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType<br>
import
com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType<br>
import com.evolveum.midpoint.prism.path.ItemPath<br>
import com.evolveum.midpoint.prism.PrismContext<br>
<br>
<a href="http://log.info/" target="_blank">log.info</a>("SCRIPT(SeparateFilter)
STARTED - Input: {}, User: {}", input, focus?.getName())<br>
<br>
PrismContext prismCtx = midpoint.getPrismContext()<br>
if (prismCtx == null) {<br>
log.error("PrismContext is null! Cannot proceed.")<br>
return null // Ou [] se esperar lista<br>
}<br>
<br>
// Lista temporária para normalizar a entrada<br>
def normalizedInput = []<br>
if (input != null) {<br>
if (input instanceof Collection) {<br>
normalizedInput.addAll((Collection)input)<br>
} else {<br>
normalizedInput.add(input)<br>
}<br>
}<br>
<br>
// Filtrar valores nulos e depois strings vazias/em branco<br>
def groupIdsToProcess = normalizedInput<br>
.findAll { it != null } // Primeiro, remove nulos<br>
.collect { it.toString().trim() } // Converte para
String e remove espaços extras<br>
.findAll { !it.isEmpty() } // Remove strings vazias
resultantes<br>
<br>
if (groupIdsToProcess.isEmpty()) {<br>
<a href="http://log.info/" target="_blank">log.info</a>("No valid group IDs
found to process after filtering.")<br>
return [] // Retorna lista vazia de Assignments<br>
}<br>
<br>
<a href="http://log.info/" target="_blank">log.info</a>("Processing filtered
group IDs: {}", groupIdsToProcess)<br>
def assignments = [] // Lista para guardar AssignmentType<br>
def roleIdentifierPath =
ItemPath.create(RoleType.F_IDENTIFIER)<br>
<br>
groupIdsToProcess.each { groupId -><br>
<a href="http://log.info/" target="_blank">log.info</a>("Searching Role with
identifier '{}' = {}", roleIdentifierPath, groupId)<br>
<br>
def queryFilter<br>
try {<br>
queryFilter = prismCtx.queryFor(RoleType.class)<br>
.item(roleIdentifierPath).eq(groupId)<br>
.buildFilter()<br>
} catch (Exception e) {<br>
log.error("Error building query filter for Role ID
{}: {}", groupId, e.getMessage())<br>
return // continue para o próximo ID<br>
}<br>
<br>
def results<br>
try {<br>
// Tentando passar o ObjectFilter diretamente -
FALHA AQUI!<br>
results = midpoint.searchObjects(RoleType.class,
queryFilter)<br>
} catch (Exception e) {<br>
log.error("!!! FAILED HERE: Failed
midpoint.searchObjects (direct filter) for Role ID {}: {}
({})",<br>
groupId, e.getMessage(),
e.getClass().getName())<br>
return // continue<br>
}<br>
<br>
// Código abaixo não é alcançado devido ao erro acima<br>
if (results.isEmpty()) {<br>
log.warn("No Role found for JumpCloud Group ID: {}",
groupId)<br>
} else if (results.size() > 1) {<br>
log.warn("Multiple Roles found for JumpCloud Group
ID: {}. OIDs: {}. Ambiguous.",<br>
groupId, results.collect { it.getOid() })<br>
} else {<br>
def matchingRole = results.get(0)<br>
<a href="http://log.info/" target="_blank">log.info</a>("Found Role: {} (OID:
{})", matchingRole.getName(), matchingRole.getOid())<br>
<br>
def roleRef = new ObjectReferenceType()<br>
roleRef.setOid(matchingRole.getOid())<br>
roleRef.setType(RoleType.COMPLEX_TYPE)<br>
<br>
def assignment = new AssignmentType()<br>
assignment.setTargetRef(roleRef)<br>
<br>
assignments.add(assignment)<br>
<a href="http://log.info/" target="_blank">log.info</a>("Prepared
AssignmentType for Role: {}", matchingRole.getName())<br>
}<br>
} // Fim do loop .each<br>
<br>
<a href="http://log.info/" target="_blank">log.info</a>("SCRIPT(SeparateFilter)
FINISHED - Returning {} AssignmentType objects.",
assignments.size())<br>
return assignments</code><br>
</script><br>
</expression><br>
<target><br>
<path>c:assignment</path><br>
</target><br>
</inbound><br>
</attribute><br>
<correlation><br>
<correlators><br>
<items id="46"><br>
<name>Correlate by
username</name><br>
<description>Correlaciona
usuários pelo username</description><br>
<enabled>true</enabled><br>
<item id="47"><br>
<ref>c:name</ref><br>
</item><br>
</items><br>
</correlators><br>
</correlation><br>
<synchronization><br>
<reaction id="23"><br>
<name>Update User on
Linked</name><br>
<situation>linked</situation><br>
<actions><br>
<synchronize id="49"><br>
<objectTemplateRef
oid="00000000-0000-0000-0000-000000000380"
relation="org:default" type="c:ObjectTemplateType"><br>
<!-- Person Object
Template --><br>
</objectTemplateRef><br>
</synchronize><br>
</actions><br>
</reaction><br>
<reaction id="25"><br>
<name>Create User on
Unmatched</name><br>
<situation>unmatched</situation><br>
<actions><br>
<addFocus id="26"><br>
<objectTemplateRef
oid="00000000-0000-0000-0000-000000000380"
relation="org:default" type="c:ObjectTemplateType"><br>
<!-- Person Object
Template --><br>
</objectTemplateRef><br>
</addFocus><br>
</actions><br>
</reaction><br>
<reaction id="50"><br>
<name>Link User on
Unlinked</name><br>
<situation>unlinked</situation><br>
<actions><br>
<link id="51"><br>
<objectTemplateRef
oid="00000000-0000-0000-0000-000000000380"
relation="org:default" type="c:ObjectTemplateType"><br>
<!-- Person Object
Template --><br>
</objectTemplateRef><br>
</link><br>
</actions><br>
</reaction><br>
</synchronization><br>
</objectType>
<div style="line-height:16px">
<div><span style="color:rgb(129,161,193)"></schemaHandling></span></div>
</div>
</div>
</div>
<div>
<div><br>
</div>
<div><b>Error reconciling a user:</b><br>
<img src="cid:ii_19669fed3fdcb971f161" alt="image.png" width="543" height="113" style="outline: 0px;"><br>
<br>
<b>Question:</b></div>
Given the limitations encountered with inbound scripts and the
<association> tag validation error in MidPoint 4.9, what
is the recommended approach to correctly map an external group
membership attribute (like icfs:groups containing identifiers)
to UserType/assignment referencing the corresponding RoleType?<br>
Should this logic be moved to a Synchronization Reaction
(e.g., using <script> within an action) or an Object
Template? Is there a different way to configure an association
or mapping that avoids the API limitations within the inbound
script context?<br>
Any guidance or examples would be greatly appreciated.<br>
<br>
Thank you,<br>
Rafael Mantellatto</div>
</div>
<br>
<div style="text-align:justify"><b>Important - This message, along
with any other attached information, is confidential and
protected by law, and only its recipients are authorized to
use it. If you received it in error, please inform the sender
and then delete the message. Note: there is no authorization
to store, forward, print, use and/or copy its content.</b></div>
<br>
<p><br>
</p>
<p><b>Importante - Esta mensagem, juntamente com qualquer outra
informação anexada, é confidencial e protegida por lei, e
somente os seus destinatários são autorizados a usá-la. Caso a
tenha recebido por engano, por favor, informe o remetente e em
seguida apague a mensagem. Observação: não há autorização para
armazenar, encaminhar, imprimir, usar e/ou copiar o seu
conteúdo.</b><br>
</p>
<br>
<fieldset></fieldset>
<pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="https://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">https://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
</div>
_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="https://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">https://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
</blockquote></div></div>
<br>
<p></p><div style="text-align:justify"><b>Important - This message, along with any other attached information, is confidential and protected by law, and only its recipients are authorized to use it. If you received it in error, please inform the sender and then delete the message. Note: there is no authorization to store, forward, print, use and/or copy its content.</b></div><br><p></p><p><br></p><p><b>Importante - Esta mensagem, juntamente com qualquer outra informação anexada, é confidencial e protegida por lei, e somente os seus destinatários são autorizados a usá-la. Caso a tenha recebido por engano, por favor, informe o remetente e em seguida apague a mensagem. Observação: não há autorização para armazenar, encaminhar, imprimir, usar e/ou copiar o seu conteúdo.</b><br></p>