A. F.

Reputation: 153

Azure User/Group provisioning with SCIM problem with boolean values

I have written an application compliant with the SCIM standard (https://www.rfc-editor.org/rfc/rfc7644), but when integrating with Azure I can see that it fails to update a user when the user is disabled. The request that Azure sends is the following:

PATCH /Users/:id
{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ],
    "Operations": [
        {
            "op": "Replace",
            "path": "active",
            "value": "False"
        }
    ]
}

The SCIM protocol says that the attribute active accepts boolean values (https://www.rfc-editor.org/rfc/rfc7643#section-4.1.1), so following the PATCH protocol (https://www.rfc-editor.org/rfc/rfc6902#section-4.3) I expect a boolean value, not a string with a boolean written inside it, so the expected request is the following:

PATCH /Users/:id
{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ],
    "Operations": [
        {
            "op": "Replace",
            "path": "active",
            "value": false
        }
    ]
}

So the problem is that the given value "False" should be false.

Is this a bug in Azure or am I missing something? If it is a bug, should I try to parse the string and eventually extract a boolean? But if I do that, I'm going to be outside the standard. How did you manage this problem?

Upvotes: 7

Views: 2533
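The question asks whether the service provider should parse the string "False" that Azure sends instead of the JSON boolean false. The following is an added example, not code from the asker's application: a small SCIM 2.0 PatchOp applier for an in-memory user resource that accepts the RFC-compliant JSON boolean for `active`, tolerates the case-insensitive string forms "True"/"False" as a deliberate compatibility shim, and rejects anything else (for example "yes", 1 or null) so that a malformed value can never silently activate or deactivate an account. The `apply_patch`/`coerce_boolean` function names, the `ScimError` class, the sample user id and the hypothetical limitation to path-qualified add/replace operations are all assumptions of this example; the sample PATCH bodies are constructed here from the two requests shown in the question.

```python
"""Tolerant SCIM 2.0 PatchOp handling for the boolean `active` attribute.

Added example (not the asker's application code). It applies a PatchOp
message (RFC 7644 section 3.5.2) to a user dict, coercing the string
"False"/"True" that Azure AD sends into a real boolean and rejecting any
other non-boolean value with a SCIM-style error.
"""
import json

PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Attributes of the core User schema (RFC 7643 section 4.1.1) typed as boolean.
# Only `active` is handled here; extend the set for custom schema attributes.
BOOLEAN_ATTRIBUTES = {"active"}


class ScimError(ValueError):
    """Would map to an HTTP 400 SCIM error response with a scimType."""


def coerce_boolean(value):
    """Return a bool for a JSON boolean or a case-insensitive "true"/"false" string.

    The RFC only allows JSON true/false; the string forms are the compatibility
    shim for Azure's PATCH. Anything else raises so that e.g. "yes", 1 or None
    never silently (de)activates an account.
    """
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        lowered = value.strip().lower()
        if lowered == "true":
            return True
        if lowered == "false":
            return False
    raise ScimError(f"invalidValue: expected boolean, got {value!r}")


def apply_patch(user, patch):
    """Apply a SCIM PatchOp message to a user dict and return an updated copy.

    Assumed limitation of this example: only "add"/"replace" with an explicit
    top-level attribute path are supported (which is what Azure sends for
    `active`); "remove" and filtered paths are out of scope.
    """
    if PATCH_OP_SCHEMA not in patch.get("schemas", []):
        raise ScimError("invalidSyntax: missing PatchOp schema")
    updated = dict(user)
    for operation in patch.get("Operations", []):
        # RFC 7644 defines "add", "remove", "replace"; Azure sends "Replace".
        op = str(operation.get("op", "")).lower()
        if op not in ("add", "replace"):
            raise ScimError(f"invalidValue: unsupported op {op!r} in this example")
        path = operation.get("path")
        if not isinstance(path, str) or not path:
            raise ScimError("noTarget: this example requires an explicit path")
        if "value" not in operation:
            raise ScimError("invalidValue: missing value")
        value = operation["value"]
        # SCIM attribute names are case-insensitive, so compare normalized.
        if path.lower() in BOOLEAN_ATTRIBUTES:
            value = coerce_boolean(value)
        updated[path.lower()] = value
    return updated


# Constructed from the question: the body Azure AD actually sends ...
AZURE_PATCH = json.loads("""
{
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [{"op": "Replace", "path": "active", "value": "False"}]
}
""")

# ... and the RFC 7644 / RFC 6902 compliant form of the same request.
COMPLIANT_PATCH = {
    "schemas": [PATCH_OP_SCHEMA],
    "Operations": [{"op": "replace", "path": "active", "value": False}],
}

# Constructed sample user resource (hypothetical id).
SAMPLE_USER = {"id": "user-0001", "userName": "bjensen", "active": True}


def demo():
    """Apply both requests and return the resulting `active` values."""
    return (
        apply_patch(SAMPLE_USER, AZURE_PATCH)["active"],
        apply_patch(SAMPLE_USER, COMPLIANT_PATCH)["active"],
    )


if __name__ == "__main__":
    print(demo())
```

Whether to keep the shim is a policy decision: the strict branch (`isinstance(value, bool)`) is the only RFC-compliant behaviour, and the string branch exists solely because of the client described in the question; logging which branch was taken makes it easy to remove the shim later.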

Answers (3)

Neil Coleman

Reputation: 1

Trying to figure this out with our application. What is odd about this flag is that when I have a group in the target system with 10 users it will remove up to 9 users. The process outlined here will only fail on the last user in the group and not remove them. No error message of any kind. Just does not remove that last user. I have tried:

- Not(SoftDelete)
- Switch([IsSoftDeleted], , "false", "true", "true", "false")
- Switch([IsSoftDeleted], , "False", "True", "True", "False")

Same experience with each that it will leave the last user in the group.

Upvotes: 0

Matheus Felipe

Reputation: 2562

I also spent a lot of time trying to figure out if Azure was being compliant with the SCIM spec and the answer is that they are not.

The default values that they send for PATCH requests are indeed strings, not booleans as the User JSON schema defines.

You can override the values that get sent/mapped into the SCIM schema by:

  1. Go into your provisioning app
  2. Mappings > Synchronize Azure Active Directory Users to customappsso (the name here might be different in your directory)
  3. Find Switch([IsSoftDeleted], "False", "True", "True", "False")
  4. Replace with Switch([IsSoftDeleted], , false, true, true, false) (note the additional comma.)
  5. Hit OK and SAVE

NOTE that after saving you will still see quotes around the booleans, but the PATCH request will be sent correctly.

See screenshots for reference.

Upvotes: 8

William

Reputation: 211

The default Azure implementation of SCIM isn't fully compliant with the required SCIM schema.

I found I was able to use the default NOT([IsSoftDeleted]) by using Microsoft's workaround, which does aim to be SCIM compliant for PATCH operations (it sends booleans rather than strings for the 'active' attribute).

This is achieved by appending the URL parameter ?aadOptscim062020 to the Tenant URL input.

Upvotes: 4
