CuX

Reputation: 11

PATCH /Groups for AzureAD SCIM synchronization fails

I'm currently trying to implement the SCIM protocol for synchronizing Users & Groups from AzureAD into my application.

For development I use a MS tutorial and the RFC for SCIM:

For validation of my endpoints I use Microsoft's AzureAD SCIM Validator: https://scimvalidator.microsoft.com/

Running the validation I only get one error message: https://i.sstatic.net/Ru5KU.png

The belonging Group was created by SCIM Validator using the following request:

POST /scim/Groups 1.1
Host: ngrok-free.app
Content-Type: application/scim+json; charset=utf-8
{
  "displayName": "3TCVOGSGK5K3",
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:Group"
  ]
}

The PATCH request in question is

PATCH /scim/Groups/66f04454-be03-446b-885b-dad2f37568f9 1.1
Host: ngrok-free.app
Content-Type: application/scim+json; charset=utf-8
{
  "Operations": [
    {
      "op": "replace",
      "path": "members[type eq \"untyped\"].value",
      "value": "P781Y6CGE6C6"
    },
    {
      "op": "replace",
      "value": {
        "displayName": "BXCXL6SD5JFM"
      }
    }
  ],
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ]
}

which gets the following response from my endpoint:

Cache-Control: no-store, must-revalidate, no-cache, max-age=0
Date: Thu, 08 Jun 2023 17:51:30 GMT
Pragma: no-cache
Vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 0
Transfer-Encoding: chunked
Content-Type: application/scim+json
Expires: 0

{
  "displayName": "BXCXL6SD5JFM",
  "id": "66f04454-be03-446b-885b-dad2f37568f9",
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:Group"
  ]
}

What I do when receiving the request is replace all members of the group with the one mentioned in the value ("P781Y6CGE6C6").

I don't know what the wanted behavior is for this request - maybe anyone understands it better and can explain it to me?

Best Regards

Upvotes: 1

Views: 881

Answers (1)

Zollnerd

Reputation: 912

Did you manually add the expression to the group resource's members attribute? Azure AD's SCIM implementation does not utilize the type sub-attribute on the members attribute.

Azure AD's SCIM implementation shouldn't call replace on the members attribute for groups, and I suspect that the reason it is doing so in this case is because you have edited the attribute path to members[type eq "untyped"].value. Try reverting back to the default set of attributes for groups in the SCIM validator. Having just looked at the SCIM validator while writing this, I only see displayName and externalId listed in the attribute list for the Group resource. Despite members not being listed there, I believe it is still tested.

Upvotes: 0
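A minimal RFC 7644 "replace" handler for the two operations in the question's PATCH body, as an added example (not the asker's code and not Azure AD's): the path-less replace merges the object value into the resource, while the valued-filter path rewrites only members whose stored "type" sub-attribute matches, which is why, as the answer notes, a filter on type can only match if the provider stores that sub-attribute. The sample group, its member and the noTarget handling are assumptions for illustration.

```python
import re
import copy

# Constructed sample: a Group as stored by the service provider, with one member
# that carries the optional "type" sub-attribute (assumed sample data).
GROUP = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
    "id": "66f04454-be03-446b-885b-dad2f37568f9",
    "displayName": "3TCVOGSGK5K3",
    "members": [{"value": "OLDMEMBER", "type": "untyped"}],
}

# Matches a valued-filter path such as members[type eq "untyped"].value
FILTER_PATH = re.compile(r'^(\w+)\[(\w+) eq "([^"]*)"\]\.(\w+)$')


class ScimError(Exception):
    """Raised with the scimType the endpoint should report (RFC 7644 section 3.12)."""


def apply_replace(resource, op):
    """Apply one 'replace' operation to a copy of resource (RFC 7644 section 3.5.2.3)."""
    if op.get("op", "").lower() != "replace":
        raise ScimError("invalidValue")
    res = copy.deepcopy(resource)
    path = op.get("path")
    if path is None:
        # No path: value must be an object; each attribute in it replaces the existing one.
        if not isinstance(op.get("value"), dict):
            raise ScimError("invalidValue")
        res.update(op["value"])
        return res
    m = FILTER_PATH.match(path)
    if not m:
        raise ScimError("invalidPath")
    attr, key, expected, sub = m.groups()
    targets = [e for e in res.get(attr, []) if e.get(key) == expected]
    if not targets:
        # A valued filter that matches nothing is an error, not a silent add or wipe.
        raise ScimError("noTarget")
    for entry in targets:
        entry[sub] = op["value"]
    return res


def apply_patch(resource, body):
    """Validate the PatchOp envelope and apply its operations in order."""
    if "urn:ietf:params:scim:api:messages:2.0:PatchOp" not in body.get("schemas", []):
        raise ScimError("invalidSyntax")
    for op in body["Operations"]:
        resource = apply_replace(resource, op)
    return resource
```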
