MCP Server Token Propagation This article from SnapLogic engineering explains how token propagation works in SnapLogic's MCP (Model Context Protocol) Server implementation and how to configure it using OAuth 2.0 JWT authentication.
Siemens Mobility is hiring for a Data Integration Engineer to join colleagues in Pune, India.
Checking through SnapLogic docs, this is a known challenge when connecting a Linux-based Groundplex to a Windows SMB share. The error ERR_MOUNTERROR typically points to one of several root causes. Here's a structured checklist to work through: โ 1. Verify Your SMB Account Configuration This is the most common cause (as confirmed by community reports). In SnapLogic Manager, check your SMB Account and make sure all three fields are correct: FieldNotesDomainMust be the Active Directory / NetBIOS domain name of the Windows host. This field is often left blank and causes mount failures on Linux.UsernameThe Windows account username (without domain prefix)PasswordThe correct password for that account
๐ก Even if smbclient works from the Linux command line, SnapLogic uses its own Java-based SMB library (JCIFS), which handles authentication differently โ hence why it can work from CLI but fail in Snap.
โ 2. Check the SMB URL Format Make sure the Directory field in your File Poller uses the correct format:
smb://<server_name_or_IP>/<share_name>/<optional_subfolder>/<share_name>is theSMB share name(e.g.,SharedDocs),nota full filesystem path.
The URL must end with a trailing/.
Avoid using\\server\share(Windows UNC) style โ it won't work in SnapLogic.
Example:
smb://my_server/my_share/my_dir/
โ 3. SMB Protocol Version Mismatch (Very Common on Modern Windows) Modern Windows servers (2012+) often disable SMBv1 by default. SnapLogic's JCIFS library may attempt SMBv1 negotiation by default, which would result in a mount error. You can force a higher SMB version via JVM options in your Groundplex Node Properties (in SnapLogic Manager โ Snaplex โ Update โ Node Properties โ Global Properties): KeyValuejcc.jvm_options-Djcifs.smb.client.minVersion=SMB202 -Djcifs.smb.client.maxVersion=SMB300
โ ๏ธ If you already have a jcc.jvm_options value, append these flags rather than replacing the existing value. Restart the Groundplex node after applying.
โ 4. Network & Port Connectivity Even though smbclient works from the Linux machine, verify that:
Port 445(TCP) is open from the Groundplex host to the Windows server (SnapLogic's JCIFS uses port 445 by default, not 139).
There areno host-based firewall rules(Windows Defender Firewall) blocking the Groundplex's IP specifically.
The Groundplex canresolve the Windows server hostname(DNS). If not, try using the IP address directly in the URL.
โ 5. Linux System Packages (Less Common) While SnapLogic uses Java/JCIFS internally (not OS-level mounting), ensure the Linux Groundplex host isn't missing dependencies that could affect Java's native library resolution:
# Check if cifs-utils / samba-client are installed (optional but useful for diagnostics)
rpm -qa | grep -i samba
apt list --installed | grep -i cifs๐ Summary Checklist #CheckAction1SMB Account Domain fieldFill in the Windows AD domain name2URL formatUse smb://server/sharename/subdir/3SMB versionAdd JVM options for SMBv2/v34Port 445 reachabilityTest from Groundplex host5DNS resolutionTry IP if hostname fails Start with items 1 and 3 as they are the most frequent culprits for this exact error on Linux Groundplexes connecting to modern Windows servers.
Hi Andrei - There are several approaches depending on what type of "account" you're referring to. Let me clarify the options available: Disabling an Account in SnapLogic The approach depends on what type of account you want to disable: ๐ค User Account (preventing login/access) SnapLogic doesn't have a single "disable" toggle for user accounts, but you can effectively prevent a user from accessing the platform using one of these methods:
Revoke Application Access:
Go toAdmin ManagerโUsers
Select the user
ClickUpdate accessand remove all application access (Designer, AutoSync, etc.)
The user will be redirected to the sign-up page and won't be able to use the platform
Disable Password-Based Login (if SSO is configured):
Edit the user account and disable password-based login
If SSO is also not configured for them, they effectively cannot log in
Convert to API Access Only:
Edit the user and set them toAPI Access Only
This prevents UI login while keeping the account intact
โ๏ธ Triggered Task (preventing execution) If you want to prevent a Triggered Task from being executed:
InManager, navigate to the folder where the Task resides
Select the Task
ClickDisablein the Assets Toolbar
โน๏ธ This prevents the Task from being triggered without deleting it.
๐ Snap/Integration Account (e.g., REST, Salesforce, DB credentials) SnapLogic does not have a built-in disable option for Snap accounts (credential accounts). Your options are:
Remove permissionson the project containing the account so others can't use it
Move it to a private projectto restrict access
๐ก Recommendation: If your goal is to keep a user account intact but prevent any access, the safest approach is to revoke all application access via Admin Manager. The account remains in the system and can be re-enabled at any time.
iSteer is hiring for a SnapLogic Developer in Bengaluru, India.
How SnapLogic Assigns MCP Servers by Role to Control Agent Access Not every user should connect to every application. This clip covers how SnapLogic governs the agentic layer specifically, assigning MCP servers to users based on their role and securing the full orchestration chain from the user interface to the underlying data.
Hi Karan โ This is a good question, and here's a thorough breakdown based on SnapLogic's task architecture and available documentation: ๐ Understanding the Two Fields When you use the SnapLogic Read Snap with Asset type = TASK, the output document contains both fields because SnapLogic stores scheduling information at two different layers: ๐ schedule Field This is the SnapLogic-level, UI-friendly representation of the task's scheduling configuration. It reflects what you configured in the Create Task dialog, including: Property Example Start date/time 2025-01-01T09:00:00 Repeat frequency Every 1 day, Every 15 minutes Time zone America/New_York End conditions Never, After N runs, On Date/Time Blackout dates Defined time periods Cron expression Human-readable Cron pattern Think of schedule as the source of truth for the SnapLogic platform โ it's what the UI reads and writes. ๐ trigger Field This is the underlying scheduling engine's configuration โ SnapLogic uses Quartz Scheduler internally. The trigger field contains the low-level Quartz trigger definition, which may include: Property Description Quartz cron expression The engine-level cron format (may differ from UI representation) Misfire instructions What happens if a trigger is missed (grace period behavior) Next fire time When the trigger is next expected to fire Trigger state Active, paused, etc. Think of trigger as the runtime execution engine's instruction set โ it's what actually fires the pipeline. โ๏ธ Why Both Exist? They serve different purposes and are maintained somewhat independently: [ SnapLogic UI Schedule Config ] โ "schedule" field โ (translated/compiled into) [ Quartz Engine Trigger Config ] โ "trigger" field In normal operation (creating/editing a task via the UI), SnapLogic keeps these in sync automatically. However, when you read the raw metadata, you see both layers separately. โ ๏ธ Impact of Updating via Metadata Update Snap This is where you need to be very careful. The official SnapLogic documentation explicitly notes: โ Known Limitation: Trying to use the SnapLogic List Snap along with the Update Snap to alter Task field values causes a 400 HTTP error and doesn't update the Tasks as intended. Here's a summary of risks: Action & Risk Update schedule only The Quartz trigger may become out of sync, potentially causing unexpected firing behavior Update trigger only The SnapLogic UI will display incorrect/stale schedule info; the actual execution may differ from what's shown in Manager Update both High risk of inconsistency unless both are carefully coordinated and formatted correctly Using Metadata Update for Tasks May result in a 400 HTTP error per known limitations of the Metadata Snap Pack โ Best Practices & Recommendations
Avoid directly updating trigger or schedule via the Metadata Update Snap for task scheduling changes โ these are tightly coupled and prone to causing sync issues.
Use the SnapLogic Manager UI to update task schedules whenever possible, as it handles both fields atomically.
If programmatic updates are required, consider using the SnapLogic REST API directly (via an HTTP Snap) to update task properties, which gives you more control over the full payload.
When reading task metadata for informational purposes, prefer referencing schedule for the human-readable configuration and trigger only if you need engine-level details (e.g., next fire time).
If you need to copy a task's schedule to a new task programmatically, read the full task object without the Normalized checkbox selected to preserve all internal fields.
๐ก Pro Tip: When using the SnapLogic Read Snap for tasks, avoid checking the Normalized checkbox, as it strips internal fields that are necessary for creating or updating assets correctly.
Checking SnapLogic docs, here's a thorough breakdown of what's happening and the known limitations: ๐ "Do Not Start a New Execution If One Is Already Active" โ Known Limitations โ How It's Supposed to Work When this option is enabled on a Triggered Task, SnapLogic should:
Block any new trigger requests while a previous execution is still running.
Return a HTTP 409 error to the caller if the task is already active.
โ ๏ธ Known Limitation: Pipeline Execute Snap Scenario The official SnapLogic documentation explicitly calls out the following limitation: "For Cloud Triggered Tasks in scenarios where multiple pipelines are triggered via the Pipeline Execute Snap, the Do not start another execution checkbox setting is not enforceable." This means if your task is being invoked (directly or indirectly) through a Pipeline Execute Snap, the concurrency guard will not work reliably. ๐งฉ Why You May See Concurrent Executions (~1 second apart) A few factors could explain the behavior you observed: Pipeline Execute Snap If the trigger chain involves a Pipeline Execute Snap, the setting is explicitly not enforced. Race condition at the control plane When multiple requests arrive nearly simultaneously (~1 second apart), the control plane may not have registered the first execution as "active" before the second and third requests are evaluated. Cloud URL throttling Cloud Triggered Tasks go through the control plane, which has a default concurrent API limit of 10. The concurrency check and the "do not start" check are separate mechanisms. Ultra Snaplex behavior Ultra Tasks/Snaplexes are designed for high-throughput, always-on execution. The "do not start" setting is primarily documented in the context of standard Triggered and Scheduled Tasks โ behavior on an Ultra Snaplex may differ. ๐ Additional Considerations
Scheduled Tasks also support this setting, and it has a 3-month enforcement limit (after which a second instance can execute regardless).
The setting is under the Debug section of the Triggered Task configuration โ which hints that it may not be production-hardened for all edge cases.
If you need strict mutual exclusion, consider implementing your own locking mechanism (e.g., using a database flag or a SnapLogic pipeline parameter check at the start of the pipeline).
๐ ๏ธ Recommended Workarounds
Implement an application-level lock โ At the start of your pipeline, check a flag in a database or cache (e.g., Redis, a SQL table) and exit early if already running.
Use a queue-based approach โ Route trigger requests through a message queue (e.g., SQS, Azure Service Bus) and process them serially.
Hi Alan - Here is what SnapGPT recommended, to get you some things to consider quickly: This covers three important areas: secure PEM storage, Python JWT libraries in Script Snap, and wiring it all together. Let me break this down thoroughly. ๐ 1. Secure PEM Storage โ Recommendations Here's a ranked comparison of your options: โ Option A: SnapLogic Secrets Management (Most Secure โ Recommended) If you're on a Groundplex, this is the gold standard:
Integrates withAWS Secrets Manager,Azure Key Vault,HashiCorp Vault, orCyberArk Conjur
The PEM keynever touches SnapLogic storageโ it's fetched at runtime directly from your secrets manager
Supports aSecrets Cachefor performance optimization on frequent calls
โ ๏ธOnly available on Groundplexes, not Cloudplexes
โ Option B: SnapLogic File System (SLFS) (Good for Groundplex/Cloudplex)
Upload the.pemfile to theSnapLogic Manager > Filessection (SLDB)
Reference it in your Script Snap via apipeline parameterpointing to the SLFS path (e.g.,sldb:///your-project/keys/private.pem)
Access is controlled by SnapLogic project-level permissions
The file is encrypted at rest in SnapLogic's secure S3 bucket
โ ๏ธ Option C: Pipeline Parameter (Convenient but Less Ideal)
You can store the PEM string as asensitive pipeline parameter
SnapLogic encrypts sensitive parameters using org-level asymmetric key encryption
However, the key material is visible to anyone with pipeline edit access
Known limitation: Multi-line PEM keys passed via Pipeline Execute Snap require explicit\nnewline characters to be interpreted correctly
Best used only fornon-production/devscenarios
โ Avoid: Hardcoding in Script Never embed the PEM directly in the Script Snap code โ no encryption, fully visible in pipeline config. ๐ 2. Python Libraries Available in Script Snap for JWT/RS256
โ ๏ธ Critical caveat: The Script Snap runs on Jython 2.7.x (JVM-based Python), not CPython. This has major implications for library availability.
What's available natively (Jython + JVM): LibraryAvailable?Notesjava.security / javax.cryptoโ YesFull JVM crypto โ can do RSA signingorg.bouncycastleโ Likely (if on Groundplex)Powerful crypto librarybase64, hashlib, hmacโ Yes (Jython stdlib)Basic crypto primitivesjsonโ YesStandard JythonPyJWTโ NoCPython-only, not installable in Jythoncryptography (Python pkg)โ NoRequires CPython C extensionspython-joseโ NoCPython-only โ Recommended Approach: Use Java Crypto via Jython Since Jython has full access to the JVM, you can use Java's built-in RSA signing directly:
from com.snaplogic.scripting.language import ScriptHook
import java.security.KeyFactory as KeyFactory
import java.security.Signature as Signature
import java.security.spec.PKCS8EncodedKeySpec as PKCS8EncodedKeySpec
import java.util.Base64 as Base64
import json
class JWTScript(ScriptHook):
def __init__(self, input, output, error, log):
self.input = input
self.output = output
self.error = error
self.log = log
def base64url_encode(self, data):
encoder = Base64.getUrlEncoder().withoutPadding()
if isinstance(data, str):
data = data.encode('utf-8')
return encoder.encodeToString(data).rstrip('=')
def sign_jwt(self, header, payload, pem_key_str):
# Strip PEM headers and decode
pem_clean = pem_key_str \
.replace("-----BEGIN PRIVATE KEY-----", "") \
.replace("-----END PRIVATE KEY-----", "") \
.replace("-----BEGIN RSA PRIVATE KEY-----", "") \
.replace("-----END RSA PRIVATE KEY-----", "") \
.replace("\n", "").strip()
key_bytes = Base64.getDecoder().decode(pem_clean)
key_spec = PKCS8EncodedKeySpec(key_bytes)
kf = KeyFactory.getInstance("RSA")
private_key = kf.generatePrivate(key_spec)
header_enc = self.base64url_encode(json.dumps(header))
payload_enc = self.base64url_encode(json.dumps(payload))
signing_input = "%s.%s" % (header_enc, payload_enc)
signer = Signature.getInstance("SHA256withRSA")
signer.initSign(private_key)
signer.update(signing_input.encode('utf-8'))
sig_bytes = signer.sign()
signature = self.base64url_encode(sig_bytes)
return "%s.%s" % (signing_input, signature)
def execute(self):
while self.input.hasNext():
data = self.input.next()
pem_key = data.get("pem_key") # passed in from pipeline param or SLFS
header = {"alg": "RS256", "typ": "JWT"}
payload = {"sub": "service-account", "iss": "your-client-id", "iat": 1234567890}
token = self.sign_jwt(header, payload, pem_key)
self.output.write({"jwt_token": token})
hook = JWTScript(input, output, error, log)๐ก Note: If your PEM is in PKCS#1 format (BEGIN RSA PRIVATE KEY), you may need BouncyCastle to parse it. PKCS#8 format (BEGIN PRIVATE KEY) works directly with Java's KeyFactory.
๐ 3. Recommended End-to-End Architecture
[Pipeline Param / SLFS]
โ (PEM key injected)
[Script Snap โ Jython RS256 JWT signing]
โ (outputs JWT token)
[Mapper Snap โ builds Authorization header]
โ
[HTTP Client Snap โ REST call with Bearer token]๐ Summary Recommendations ConcernRecommendationPEM StorageSecrets Management (Groundplex) > SLFS > Pipeline ParamJWT Signing LibraryUse Java Signature (SHA256withRSA) via Jython JVM interopPEM FormatConvert to PKCS#8 for easiest Java compatibilitySecure Python ModeBe aware of scripting.python.security.enabled โ if enabled on your Snaplex, some modules may be blockedNewlines in PEMWhen passing via Pipeline Execute, use explicit \n characters