Error code 500 on API call for updating roleMappings of an Identity Source

I am making an API call to update the role mappings of an Identity Source. My call is written in Python, using the requests module. I am following the documentation from https://apidocs.morpheusdata.com/reference/updateidentitysources.

I have set the appropriate URL and headers for the call, and I am relatively confident that I have the payload set correctly as well. Just in case, here is a generic rendition of the payload I have set:

roleID: int = 1234
ad_group: str = "someAD"
payload: dict = {"userSource": {"roleMappings": {str(roleID): ad_group}}}

I understand it may be odd to provide a string type ID value, but the documentation indicates it should be.

I have used “Option 2” from the API documentation for defining roleMappings, as the intention here is to add an additional role mapping to the Identity Source without wiping out the existing mappings.

My expectation is that the API will result in a new mapping being made between the role for which I have provided the ID, and the AD Group of the provided name. The AD Group is present within the AD Server which is being used as the Identity Source.

I have two guesses at the error at this point. It could be a permission error, but as I understand it that would result in a 403 error instead of 500. It may also be an issue with the AD Group name, as I only provided the basic name instead of the fully qualified name.

Please let me know what you think, and if there is any additional information required to help diagnose this issue.

I have had some questions about this posed to me directly on another platform, so I’ll add my answers here in case they are helpful.

Q: Have you tried this in Postman?
A: I have not tried this in Postman. I am running a Python script locally, which succeeds at multiple other API calls earlier in the script.

Q: How are you converting the dict to json for the payload submission?
A: Although I am type hinting the payload as a dictionary, it’s in proper formatting for use as a json payload. It is identical in structure to the example payload from the documentation. The following snippet is from the documentation example:

payload = {"userSource": {"roleMappings": {"someID": "someGroup"}}}
response = requests.put(url, json=payload, headers=headers)

I believe my payload is a match for this.

Q: Have you looked at the Morpheus logs?
A: No, and I should have. I will run my code again while inspecting the logs.

Based on inspecting the logs, I was able to make a change to my payload that changed the response from 500 to 400. I was passing the AD Group name twice, instead of role ID and AD Group name.

Got a hold of the fully qualified name of the AD Group and ran again with it, but no improvement.

A solution was discovered. Recording it here for posterity, and so updates may be made to the API documentation.

  • When working with an Active Directory Identity Source, you must use the (marked as deprecated) roleMappingNames parameter instead of roleMappings.

  • Within roleMappingNames, for the key-value pair: the value for Role Name should be the short-form basic name of the AD Group, not the fully qualified name.

  • Also, the documentation referring to the above as “Role Name” feels liable to cause misunderstanding since it is easily conflated with a Morpheus Role name. I suggest rephrasing it to make it clear that the name of an Active Directory (or other identity source) Group is being requested.

  • The constructed payload should be run through a json.dumps() to convert the dict to a str or Morpheus will reject the input. Oddly enough, this is the only Morpheus API that has been fussy about it so far. Other APIs have accepted dict as the payload consistently.

  • The put request as shown in the documentation is written as requests.put(url, json=payload, headers=headers). The parameter field name json must be changed to data or the request will fail.

Much thanks to @ncelebic

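The fix recorded in the post above, as an added example that is not code from the original poster or from Morpheus: it builds the PUT with roleMappingNames, the short AD group name and a json.dumps() string body. Assumptions: the key stays the role ID as a string (carried over from the poster's roleMappings payload), the URL and token are placeholders, the helper names are hypothetical, and the standard library's urllib stands in for requests so the block runs offline.

```python
import json
import re
import urllib.request


def short_group_name(group: str) -> str:
    """Return the basic AD group name; a DN is reduced to its leading CN."""
    group = group.strip()
    if not group:
        raise ValueError("empty group name")
    # Plain "CN=<name>,..." only; escaped characters are rejected below.
    m = re.match(r"(?i)CN=([^,\\]+)(?:,|$)", group)
    if m:
        return m.group(1).strip()
    if "=" in group:
        raise ValueError("could not reduce DN to a CN; pass the basic group name")
    return group


def build_role_mapping_request(url, headers, role_id, ad_group):
    """Build (without sending) the PUT that adds one role mapping."""
    if isinstance(role_id, bool) or not isinstance(role_id, int):
        raise TypeError("role_id must be an int")
    # Assumed shape: same "userSource" wrapper as the poster's payload,
    # with roleMappingNames in place of roleMappings.
    payload = {"userSource": {"roleMappingNames": {str(role_id): short_group_name(ad_group)}}}
    body = json.dumps(payload)  # str body, as the post's solution requires
    hdrs = dict(headers)
    # A raw string body carries no automatic Content-Type (the same is true of
    # requests.put(url, data=body, headers=hdrs)), so set it explicitly.
    if not any(k.lower() == "content-type" for k in hdrs):
        hdrs["Content-Type"] = "application/json"
    return urllib.request.Request(url, data=body.encode("utf-8"), headers=hdrs, method="PUT")


if __name__ == "__main__":
    # Constructed sample values; nothing is sent over the network.
    req = build_role_mapping_request(
        "https://morpheus.example.invalid/PLACEHOLDER-ENDPOINT",
        {"Authorization": "Bearer PLACEHOLDER-TOKEN"},
        1234,
        "CN=someAD,OU=Groups,DC=example,DC=com",
    )
    print(req.get_method(), req.full_url)
    print(req.data.decode("utf-8"))
```

Because a role mapping grants privileges to every member of the AD group, printing the built body before sending it gives a reviewable record of exactly which group is being bound to which role ID.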