SSO user synchronization fails in manufacturing collaboration module

We’re experiencing intermittent SSO user synchronization failures in our manufacturing collaboration module on Agile 9.3.4. When new suppliers are onboarded through our LDAP directory, their accounts fail to provision properly in Agile about 30% of the time.

The issue seems related to LDAP connection timing and attribute mapping. Looking at the logs, I see:


LDAP Connection timeout after 15000ms
User attribute 'supplierRole' not mapped
SSO provisioning failed for uid=supplier_042

The SSO provisioning timing appears inconsistent - sometimes users are created immediately, other times it takes 10-15 minutes, and occasionally fails completely. This is blocking our supplier onboarding workflow and causing delays in collaborative engineering projects.

Has anyone dealt with LDAP connection tuning or user attribute mapping issues in the manufacturing collaboration context? We need to understand the proper SSO provisioning timing configuration.

Check your LDAP group memberships too. Manufacturing collaboration requires users to be in specific LDAP groups for proper role assignment. If the group membership isn’t synchronized before user provisioning completes, you’ll get partial account creation. The timing issue might be a race condition between group sync and user sync jobs.

I’ve seen similar LDAP timeout issues. The default 15-second timeout is too aggressive for large directory queries. Check your ldap.properties file and increase the connection timeout to at least 30000ms. Also verify your LDAP server isn’t experiencing load issues during sync operations.

I can provide a comprehensive solution based on your symptoms. You’re experiencing three interconnected issues that need to be addressed systematically.

LDAP Connection Tuning: First, optimize your LDAP connection settings in the SSO configuration. Increase the connection timeout and implement connection pooling:


ldap.connection.timeout=45000
ldap.connection.pool.min=5
ldap.connection.pool.max=20
ldap.read.timeout=30000

These settings prevent timeout failures during peak onboarding periods and maintain persistent connections for better performance.

User Attribute Mapping: The ‘supplierRole’ attribute mapping failure is your core issue. You need to define this in your SSO connector configuration. Edit your sso-config.xml:

<attribute-map>
  <ldap-attr>supplierRole</ldap-attr>
  <agile-attr>userRole</agile-attr>
  <required>true</required>
</attribute-map>

Ensure all manufacturing collaboration required attributes are mapped: supplierRole, companyCode, collaborationType, and accessLevel. Missing any of these causes provisioning to fail silently.

SSO Provisioning Timing: Switch to just-in-time provisioning mode to eliminate the 10-15 minute delays. In your Agile Java client settings, enable:


agile.sso.provisioning.mode=JIT
agile.sso.provisioning.retry.enabled=true
agile.sso.provisioning.retry.attempts=3
agile.sso.provisioning.retry.delay=5000

This configures immediate provisioning with automatic retry logic. The retry mechanism handles transient LDAP connection issues that cause the 30% failure rate you’re seeing.

Additional Recommendations:

  1. Implement LDAP connection health checks before provisioning attempts. Add a pre-provisioning validation step that tests LDAP connectivity and attribute availability.

  2. Enable detailed SSO logging by setting the log level to DEBUG for the com.agile.sso package. This reveals exactly where provisioning fails and provides timing metrics.

  3. Consider implementing an LDAP attribute cache with a 5-minute TTL. This reduces directory queries during bulk onboarding and prevents connection pool exhaustion.

  4. Set up monitoring for SSO provisioning failures. Create alerts when failure rate exceeds 5% so you can proactively address issues.

  5. For the manufacturing collaboration module specifically, ensure your LDAP groups are synchronized before user provisioning. Add a 2-second delay between group sync and user sync jobs in your scheduler configuration.

After implementing these changes, test with a batch of 10-15 supplier accounts to verify consistent provisioning. The combination of increased timeouts, proper attribute mapping, JIT provisioning, and retry logic should eliminate your intermittent failures and reduce onboarding time to under 30 seconds per user.
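An added example, not part of any post in this thread and not Agile's own code: a pre-provisioning check of the kind recommendation 1 describes. It refuses to create an account when any of the four required attributes or the expected group membership is missing, and defers instead of provisioning when the directory keeps timing out. The `memberOf` attribute, the group DN, the sample entries and all function names are assumptions made for illustration.

```python
import time

# Attributes the post above lists as required for the module.
REQUIRED_ATTRS = ("supplierRole", "companyCode", "collaborationType", "accessLevel")

class TransientDirectoryError(Exception):
    """Hypothetical stand-in for an LDAP timeout or dropped connection."""

def fetch_with_retry(lookup, uid, attempts=3, delay=5.0, sleep=time.sleep):
    """Call lookup(uid); retry only transient errors, re-raise after the last attempt."""
    for attempt in range(1, attempts + 1):
        try:
            return lookup(uid)
        except TransientDirectoryError:
            if attempt == attempts:
                raise
            sleep(delay)

def preflight(entry, required_groups):
    """Return the reasons an entry must not be provisioned; empty list means complete."""
    if entry is None:
        return ["entry not found"]
    problems = [f"missing attribute: {a}" for a in REQUIRED_ATTRS
                if not any(v.strip() for v in entry.get(a, []))]
    synced = set(entry.get("memberOf", []))  # assumed group-membership attribute
    problems += [f"group not synced: {g}" for g in sorted(set(required_groups) - synced)]
    return problems

def gate(lookup, uid, required_groups, **retry):
    """Fail closed: provision only if the directory answered and the entry is complete."""
    try:
        entry = fetch_with_retry(lookup, uid, **retry)
    except TransientDirectoryError:
        return "defer", ["directory unavailable"]
    problems = preflight(entry, required_groups)
    return ("reject", problems) if problems else ("provision", [])

# Constructed sample data (not from a real directory).
GROUP = "cn=mfg-collab-suppliers,ou=groups,dc=example,dc=com"
SAMPLE = {
    "supplier_001": {"supplierRole": ["assembler"], "companyCode": ["ACME"],
                     "collaborationType": ["design"], "accessLevel": ["read"],
                     "memberOf": [GROUP]},
    "supplier_002": {"supplierRole": [""], "companyCode": ["ACME"],
                     "collaborationType": ["design"], "accessLevel": ["read"]},
}

if __name__ == "__main__":
    for uid in ("supplier_001", "supplier_002", "supplier_003"):
        print(uid, gate(SAMPLE.get, uid, [GROUP], delay=0))
```

A "defer" result is meant to be re-queued, while a "reject" result names the missing attribute or group so the directory entry can be corrected before any account exists.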

The attribute mapping problem is critical here. The manufacturing collaboration module expects specific LDAP attributes to be mapped correctly. Your ‘supplierRole’ attribute needs to be defined in the Agile user schema and mapped in the SSO configuration. Without proper mapping, the provisioning process can’t complete the user profile creation. Check your SSO connector configuration XML for the attribute mappings section and ensure all required fields are present. The intermittent nature suggests the mapping exists but isn’t being read consistently, possibly due to connection pooling issues.

For SSO provisioning timing, you need to consider the synchronization job schedule. The 10-15 minute delay you’re seeing matches a typical sync job interval. Check if your Agile instance is running in just-in-time provisioning mode or scheduled sync mode. Just-in-time should provision users immediately upon first login attempt, while scheduled sync runs at fixed intervals.

We had the exact same issue last year. The problem was twofold: LDAP connection pool exhaustion and missing retry logic in the SSO provisioning. When multiple suppliers were onboarded simultaneously, the connection pool would be exhausted and new requests would time out. Additionally, the SSO connector wasn’t configured to retry failed provisioning attempts. I’d recommend enabling debug logging on the SSO connector to see exactly where the provisioning is failing. Look for connection pool metrics in your application server logs as well.