When action scripts fail within AnyIdentity, it is essential to understand how to identify and troubleshoot the issue. Multiple issues can arise with an AnyIdentity provider due to the various steps involved. Additionally, AnyIdentity heavily relies on action scripts for functionality, and depending on the complexity of the identity provider, these action scripts can become intricate.
Problems may occur if the provider is not thoroughly tested beforehand. The following guidelines will help identify potential issues and provide steps for troubleshooting.
1. Identify the problem
The problem may not always be immediately apparent. While the action scripts may function correctly in isolation, AnyIdentity may not apply password changes as expected. For instance, if the action scripts are incorrectly built and return inaccurate information, AnyIdentity may use this information to make decisions, assuming everything is functioning properly when it is not.
In some cases, the issue may be more obvious, such as seeing an "Out of sync" warning message for the user in the Devolutions PAM vault or noticing a problem in the PAM logs.
2. Identify the action script involved
Since AnyIdentity operates primarily as a script orchestrator, the majority of its functionality depends on the action scripts. If an error appears in the Devolutions Server console, it is important to first identify which action script is involved. This requires an understanding of how AnyIdentity "maps" functionality to the action scripts through its terminology.
- Scan configuration: Scan configurations use the account discovery action script.
- Synchronization: AnyIdentity uses the term "synchronization" to refer to running the heartbeat action script.
- Password reset: Initiating a password reset in AnyIdentity involves both the password rotation and heartbeat action scripts.
3. Test action scripts outside of AnyIdentity
After identifying the action scripts involved, it is advisable to test them outside of AnyIdentity to ensure that the issue does not originate from the action script itself. The same parameters defined via Script Parameters when creating the template should be passed to the script. It is crucial to verify that the PowerShell script returns the expected results for AnyIdentity:
- Account discovery: Should output at least one `pscustomobject` object with `id`, `username`, and `secret` properties.
- Heartbeat: Should have `username` and `secret` parameters and return a single boolean value, either `$true` or `$false`.
- Password rotation: Should include parameters for the identity provider endpoint, endpoint username, endpoint password, and a specifically named parameter called `NewPassword`.
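The account discovery and heartbeat checks above can be run as a small harness outside AnyIdentity. This is an added example, not Devolutions code: the function names `Test-DiscoveryOutput` and `Test-HeartbeatContract`, the file paths, and the sample accounts are assumptions, and the two stand-in scripts are constructed with deliberate faults so the checks have something to report.

```powershell
# Added example: contract checks for action scripts, run outside AnyIdentity.
# The two scripts written below are constructed stand-ins so the checks run offline;
# point $discovery and $heartbeat at your own action scripts instead.
$dir = Join-Path ([IO.Path]::GetTempPath()) 'action-script-contract'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$discovery = Join-Path $dir 'Discovery.ps1'
$heartbeat = Join-Path $dir 'Heartbeat.ps1'
Set-Content -Path $discovery -Value @'
[pscustomobject]@{ id = '1001'; username = 'svc-backup'; secret = 'constructed-value' }
[pscustomobject]@{ id = '1002'; username = 'svc-report' }  # 'secret' left out on purpose
'@
Set-Content -Path $heartbeat -Value @'
param([string]$username, [string]$secret)
Write-Output "checking $username"   # stray output on purpose: no longer a single boolean
$secret -eq 'constructed-value'
'@

function Test-DiscoveryOutput {
    # Pass the template's Script Parameters as a hashtable; they are splatted to the script.
    param([string]$Path, [hashtable]$Parameters = @{})
    $items = @(& $Path @Parameters)
    if ($items.Count -eq 0) { return 'no objects returned' }
    for ($i = 0; $i -lt $items.Count; $i++) {
        foreach ($name in 'id', 'username', 'secret') {
            # Reports property names only, never the secret values themselves.
            if ($items[$i].PSObject.Properties.Name -notcontains $name) {
                "item ${i}: missing property '$name'"
            }
        }
    }
}

function Test-HeartbeatContract {
    param([string]$Path, [string]$Username, [string]$Secret)
    $declared = (Get-Command -Name $Path).Parameters.Keys
    foreach ($name in 'username', 'secret') {
        if ($declared -notcontains $name) { "missing parameter '$name'" }
    }
    # Anything the script writes to the output stream counts as a return value.
    $result = @(& $Path -username $Username -secret $Secret)
    if ($result.Count -ne 1 -or $result[0] -isnot [bool]) {
        "expected a single boolean, got $($result.Count) value(s)"
    }
}

'Discovery:'; Test-DiscoveryOutput -Path $discovery
'Heartbeat:'; Test-HeartbeatContract -Path $heartbeat -Username 'svc-backup' -Secret 'constructed-value'
```

With the stand-in scripts, the harness reports the missing `secret` property on the second discovery object and the extra output value from the heartbeat script; a script that meets the contract produces no findings.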