wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

Error in Outbound Provisioning via Salesforce for User Provisioning #19577

Closed NilukaSripalim closed 8 months ago

NilukaSripalim commented 8 months ago

Describe the issue: When attempting Outbound provisioning via Salesforce, users are encountering issues with provisioning, and error logs are being generated. This problem persists even with the 5.11 product version.

ERROR {org.wso2.carbon.identity.provisioning.connector.salesforce.SalesforceProvisioningConnector} - Received response status code: 400 text: Bad Request
[2024-02-14 15:03:23,743] [ef021e0c-939b-43d4-a132-07d1ddf5193e] ERROR {org.wso2.carbon.identity.provisioning.ProvisioningThread} -  Provisioning for Entity salesforceis7@test.com For operation = POST org.wso2.carbon.identity.provisioning.IdentityProvisioningException: Authentication failed
    at org.wso2.carbon.identity.provisioning.connector.salesforce.SalesforceProvisioningConnector.setAuthorizationHeader(SalesforceProvisioningConnector.java:377)
    at org.wso2.carbon.identity.provisioning.connector.salesforce.SalesforceProvisioningConnector.createUser(SalesforceProvisioningConnector.java:229)
    at org.wso2.carbon.identity.provisioning.connector.salesforce.SalesforceProvisioningConnector.provision(SalesforceProvisioningConnector.java:105)
    at org.wso2.carbon.identity.provisioning.ProvisioningThread.call(ProvisioningThread.java:85)
    at org.wso2.carbon.identity.provisioning.ProvisioningThread.call(ProvisioningThread.java:34)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:829)

How to reproduce:

  1. Attempt outbound provisioning via Salesforce.
  2. Note the error encountered during user provisioning.

Expected behavior: Users should be provisioned successfully without encountering any errors.

Environment information (Please complete the following information; remove any unnecessary fields):


Thumimku commented 8 months ago

There are a couple of issues with the current connector:

  1. [Improvement] The current connector is using the OAuth username/password flow to get an access token from Salesforce. Since it is machine-to-machine communication, we should use Client Credentials.
  2. The OAuth username/password flow is blocked by default in Salesforce; we need to enable it (doc issue).
  3. The password field in the connector should be text, not boolean (bug).
  4. The current doc does not explain how to do attribute mapping for Salesforce.
NipuniBhagya commented 8 months ago

  3. Password field in the connector should be text not boolean (bug).

I will send a fix for this.

Thumimku commented 8 months ago

While fixing the issue, I found the blocker below while testing the connector: there is an issue with the SSL connection. This is not related to the fix; it is with the SAN verification.

[2024-02-16 10:41:04,285] [bcffd041-019e-4696-a9b8-a9a8124ef35a] ERROR {org.wso2.carbon.identity.provisioning.ProvisioningThread} -  Provisioning for Entity sample2@gmail.com For operation = POST org.wso2.carbon.identity.provisioning.IdentityProvisioningException: Error in decoding response to JSON
    at org.wso2.carbon.identity.provisioning.connector.salesforce.SalesforceProvisioningConnector.authenticate(SalesforceProvisioningConnector.java:439)
    at org.wso2.carbon.identity.provisioning.connector.salesforce.SalesforceProvisioningConnector.setAuthorizationHeader(SalesforceProvisioningConnector.java:365)
    at org.wso2.carbon.identity.provisioning.connector.salesforce.SalesforceProvisioningConnector.createUser(SalesforceProvisioningConnector.java:229)
    at org.wso2.carbon.identity.provisioning.connector.salesforce.SalesforceProvisioningConnector.provision(SalesforceProvisioningConnector.java:105)
    at org.wso2.carbon.identity.provisioning.ProvisioningThread.call(ProvisioningThread.java:85)
    at org.wso2.carbon.identity.provisioning.ProvisioningThread.call(ProvisioningThread.java:34)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: Certificate for <wso2-5f-dev-ed.develop.my.salesforce.com> doesn't match any of the subject alternative names: [a.sfdc-lywfpd.edge.salesforce.com, *.my.salesforce.com, *.force.com, *.d.forceusercontent.com, *.c.forceusercontent.com, *.livepreview.salesforce-communities.com, *.cloudforce.com, *.builder.salesforce-communities.com, *.database.com, *.a.forceusercontent.com, *.sandbox.force.com, *.lightning.force.com, *.documentforce.com, *.secure.force.com, *.preview.salesforce-communities.com, *.visualforce.com, *.container.lightning.com, *.b.forceusercontent.com]
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:507)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:437)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
    at org.wso2.carbon.identity.provisioning.connector.salesforce.SalesforceProvisioningConnector.authenticate(SalesforceProvisioningConnector.java:408)
    ... 9 more
Thumimku commented 8 months ago

Had to debug into the issue.

Wildcard certificates are only for one level. *.example.com will match foo.example.com and bar.example.com, but will not match foo.bar.example.com.

Here in Salesforce our domain is wso2-5f-dev-ed.develop.my.salesforce.com and one of the wildcard certificate SANs is *.my.salesforce.com. The domain I have is 2 levels above, which causes the problem.
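The single-label wildcard rule described above, as an added example that is not part of the issue thread or the connector code. It implements the common RFC 6125 interpretation (a `*` that is the whole left-most label matches exactly one DNS label) and checks the hostname from the trace against a few of the SAN entries copied from the exception; the function names are my own.

```python
# Added example: why "*.my.salesforce.com" does not cover
# "wso2-5f-dev-ed.develop.my.salesforce.com".

# A subset of the dNSName SAN entries from the SSLPeerUnverifiedException
# in this thread (the full list is in the trace above).
SAN_LIST = [
    "a.sfdc-lywfpd.edge.salesforce.com",
    "*.my.salesforce.com",
    "*.force.com",
    "*.lightning.force.com",
]

# The hostname that failed verification in the trace.
FAILING_HOST = "wso2-5f-dev-ed.develop.my.salesforce.com"


def san_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN against a hostname.

    Rules applied (RFC 6125 style, as browsers and most TLS clients do):
    comparison is case-insensitive, a wildcard is only accepted as the
    entire left-most label, and that wildcard consumes exactly one label,
    so it never spans a dot.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    head, sep, tail = pattern.partition(".")
    # Reject "f*o.example.com", "*" alone, or wildcards deeper in the name.
    if head != "*" or not sep or "*" in tail:
        return False
    host_head, host_sep, host_tail = hostname.partition(".")
    # The '*' stands in for host_head; everything after the first dot must
    # be identical, which is exactly where a two-level subdomain fails.
    return bool(host_head) and bool(host_sep) and host_tail == tail


def matching_sans(hostname: str, sans: list) -> list:
    """Return the SAN entries that would satisfy hostname verification."""
    return [s for s in sans if san_matches(s, hostname)]


def hostname_verified(hostname: str, sans: list) -> bool:
    """True if at least one SAN entry covers the hostname."""
    return bool(matching_sans(hostname, sans))


if __name__ == "__main__":
    print(FAILING_HOST, "->", matching_sans(FAILING_HOST, SAN_LIST))  # []
    print("foo.my.salesforce.com ->", matching_sans("foo.my.salesforce.com", SAN_LIST))
```

A certificate covering the failing host would need a SAN one level deeper, such as `*.develop.my.salesforce.com`, or the exact name; the check `hostname_verified(FAILING_HOST, ["*.develop.my.salesforce.com"])` returns True.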

Thumimku commented 8 months ago

I tried with certs without "-k" and succeeded, which means there is no certificate issue in the OS.

Check the following snapshot, where we got only 2 DNS entries but the above has several. I think this is clearly a cert mismatch; maybe a wrong cert is taken from the truststore.

Thumimku commented 8 months ago

Doc issue tracked here: https://github.com/wso2/product-is/issues/19689