Joel Mora

Reputation: 91

Azure Active Directory SCIM Mapping

I am trying to implement SCIM in AAD and am having a hard time mapping the fields when a user is added to a group. In this example I want the following to happen:

(pretty much what SCIM does)

  1. User is provisioned: the user is created.

  2. User is deprovisioned: the user is deleted.

  3. User is added to a group: the group changes.

  4. User is removed from a group: the group changes.

Here is the API information:

getUsers

Method: GET

URL: /scim/v2/Users?filter=userName+eq+%22example%40example.com%22

response:

{
    "totalResults": 1,
    "startIndex": 1,
    "itemsPerPage": 1,
    "schemas": [ "urn:ietf:params:scim:api:messages:2.0:ListResponse" ],
    "Resources": [
        {
            "emails": [ { "value": "[email protected]" } ],
            "appGroups": [ "Unicorn Team" ],
            "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:User" ],
            "name": { "familyName": "Family", "givenName": "Given" }, // SCIM requires names, but no real names are stored; you'll always get back these placeholder values
            "active": true,
            "id": "[email protected]",
            "userName": "[email protected]",
            "status": "success"
        },
        ... // more users
    ]
}

addUsers

Method: POST

URL: /scim/v2/Users

Body:

{
  "userName": "[email protected]",
  "appGroups": [ "Unicorn Team", "Rainbow Team" ],
  "active": true
}

response:

{
    "emails": [
        {
            "value": "[email protected]"
        }
    ],
    "appGroups": [
        "Unicorn Team",
        "Rainbow Team"
    ],
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
    ],
    "name": {
        "familyName": "Family",
        "givenName": "Given"
    },
    "active": true,
    "id": "[email protected]",
    "userName": "[email protected]",
    "status": "success"
}

User Config:

 "users": [
    {
      "email": "[email protected]",
      "groups": ["Unicorn Team", "Rainbow Team"]
    }
 ],
 "groups": [
    { "name": "Unicorn Team" },
    { "name": "Rainbow Team" },
    { "name": "X" },
    { "name": "Y" },
    { "name": "Z" }
 ]

putUsers

Method: PUT

URL: /scim/v2/Users/example%40example.com

Body:

{
  "userName": "[email protected]",
  "appGroups": [ "Unicorn Team", "X" ],
  "active": true
}

User Config:

 "users": [
    {
      "email": "[email protected]",
      "groups": ["Unicorn Team", "X"]
    }
 ],
 "groups": [
    { "name": "Unicorn Team" },
    { "name": "Rainbow Team" },
    { "name": "X" },
    { "name": "Y" },
    { "name": "Z" }
 ]

patchUsers

Method: PATCH

URL: /scim/v2/Users/example%40example.com

Body:

{
  "active": false
}

response:

{
    "emails": [
        {
            "value": "[email protected]"
        }
    ],
    "appGroups": [
        "Unicorn Group"
    ],
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
    ],
    "name": {
        "familyName": "Family",
        "givenName": "Given"
    },
    "active": false,
    "id": "[email protected]",
    "userName": "[email protected]",
    "status": "success"
}

User Config:

 "users": [
 ],
 "groups": [
    { "name": "Unicorn Team" },
    { "name": "Rainbow Team" },
    { "name": "X" },
    { "name": "Y" },
    { "name": "Z" }
 ]

Azure Docs: https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups

Upvotes: 2

Views: 499

Answers (1)

neverEugene

Reputation: 91

In order to add a user to a group in the SCIM Azure AD implementation, you have to implement the /Groups endpoint, as appears here:
https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#update-group-add-members (HTTP PATCH request, as appears in the reference).

Upvotes: 0
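A minimal handler for the /Groups PATCH shape the answer points to, added here as an example (it is not code from the question, the answer or the Azure docs). It assumes an in-memory store shaped like the question's "User Config", that a group's SCIM id equals its name (the question uses the email as the user id), and that Azure AD sends capitalised "Add"/"Remove" operations with a `members[value eq "..."]` filter path for removals; unknown groups, unknown members and unsupported operations are rejected rather than silently applied.

```python
import re
from copy import deepcopy

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# Constructed state mirroring the question's "User Config"; group id == group name is an assumption.
STATE = {
    "users": [{"email": "alice@example.com", "groups": ["Unicorn Team"]}],
    "groups": [{"name": "Unicorn Team"}, {"name": "Rainbow Team"}],
}
_REMOVE_PATH = re.compile(r'^members\[value eq "([^"]+)"\]$')


def _user(state, email):
    return next((u for u in state["users"] if u["email"] == email), None)


def apply_group_patch(state, group_id, patch):
    """Apply a SCIM PatchOp to /Groups/{group_id}; return (http_status, new_state_or_error)."""
    if PATCH_OP not in patch.get("schemas", []):
        return 400, {"detail": "not a PatchOp"}
    if not any(g["name"] == group_id for g in state["groups"]):
        return 404, {"detail": "group not found"}
    new = deepcopy(state)  # all-or-nothing: the store is only replaced when every op succeeds
    for op in patch.get("Operations", []):
        kind = op.get("op", "").lower()  # Azure AD sends "Add"/"Remove"; RFC 7644 uses lowercase
        path = op.get("path", "")
        if kind == "add" and path == "members":
            for m in op.get("value", []):
                user = _user(new, m.get("value"))
                if user is None:  # never create a user from a group patch
                    return 404, {"detail": f"member {m.get('value')!r} not found"}
                if group_id not in user["groups"]:
                    user["groups"].append(group_id)
        elif kind == "remove":
            match = _REMOVE_PATH.match(path)
            if not match:
                return 400, {"detail": f"unsupported remove path {path!r}"}
            user = _user(new, match.group(1))
            if user is not None and group_id in user["groups"]:
                user["groups"].remove(group_id)
        else:
            return 400, {"detail": f"unsupported operation {kind!r} on {path!r}"}
    return 200, new


def group_resource(state, group_id):
    """Render a SCIM Group whose members are derived from the users' group lists."""
    members = [{"value": u["email"]} for u in state["users"] if group_id in u["groups"]]
    return {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
            "id": group_id, "displayName": group_id, "members": members}
```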
