Wasim

Reputation: 11

Azure AD SCIM: SystemForCrossDomainIdentityManagementServiceIncompatible

We have enabled user provisioning for an Azure AD enterprise application. User provisioning works well; however, for a specific user the following error has occurred.

Result: Failure
Description: Failed to match an entry in the source and target systems User 'xxxxx.com'
ErrorCode: SystemForCrossDomainIdentityManagementServiceIncompatible
ErrorMessage:

Received response from Web resource.
Resource: https://testurl.com/scim/1/72065156401523456/v2/Usersfilter=urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department+eq+"P%26O+Production1+-+AGT"
Operation: GET
Response Status Code: BadRequest
Response Headers:
Connection: keep-alive
Date: Wed, 26 Jul 2023 12:47:10 GMT
Set-Cookie:'[Redacted]'; Path=/ AWSALBCORS=77DY/HqQU45cl/tiqbqNX6iirK8NTb6f4ZuN63hIM41N6YDOebLZ3lXut/SCpXTDVMHA7+FzhVXlF6D2tFtgbzKpe2UU+UTWuEZ1INwueriSf7pS44iriaQDweqr; Expires=Wed, 02 Aug 2023 12:47:10 GMT; Path=/; SameSite=None; Secure
Cache-Control: no-store, must-revalidate, no-cache, max-age=0
Pragma: no-cache
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Response Content: {"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"scimType":"InvalidFilter","detail":"Invalid filter","status":"400"}

Any suggestions, please?

We tried manual provisioning for this specific user, but no luck. I'm expecting to sync the user to the application database as expected.

Upvotes: 0

Views: 3265

Answers (1)

Zollnerd

Reputation: 912

You've misconfigured the application and are trying to use department as a matching attribute. A matching attribute should uniquely identify a user. userName, externalId and email address are all commonly used for this. Department's value is not unique per user, so it cannot be used as a matching attribute.

The failure specifically is because a request to GET all users where department eq "P%26O+Production1+-+AGT" is failing, as the SCIM server/application does not support filtering on that attribute.

Upvotes: 1
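The answer's point about matching attributes, as an added example that is not part of the original question or answer: it decodes the filter from the logged request URL and checks whether a candidate attribute uniquely identifies every user. The sample users and all function names are assumptions made for illustration.

```python
from collections import Counter
from urllib.parse import unquote_plus
import re

# Request URL as it appears in the provisioning log quoted in the question.
LOGGED_URL = ('https://testurl.com/scim/1/72065156401523456/v2/Usersfilter='
              'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department'
              '+eq+"P%26O+Production1+-+AGT"')

ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Constructed sample users, not data from the question.
SAMPLE_USERS = [
    {"userName": "a.lee@example.com", ENTERPRISE: {"department": "P&O Production1 - AGT"}},
    {"userName": "b.khan@example.com", ENTERPRISE: {"department": "P&O Production1 - AGT"}},
    {"userName": "c.diaz@example.com", ENTERPRISE: {"department": "Finance"}},
]

def parse_match_filter(url):
    """Return (attribute, operator, value) from the filter in a logged SCIM GET."""
    raw = url.split("filter=", 1)[1]
    m = re.fullmatch(r'(\S+) (\w+) "(.*)"', unquote_plus(raw))
    if not m:
        raise ValueError("not a simple attribute/operator/value filter")
    return m.groups()

def read_attribute(user, path):
    """Resolve a core attribute or a schema-URN-qualified extension attribute."""
    if path.startswith("urn:"):
        schema, name = path.rsplit(":", 1)
        return user.get(schema, {}).get(name)
    return user.get(path)

def matching_report(users, path):
    """Values of `path` shared by several users, plus how many users lack it."""
    values = [read_attribute(u, path) for u in users]
    counts = Counter(v for v in values if v is not None)
    return {"duplicates": {v: n for v, n in counts.items() if n > 1},
            "missing": values.count(None)}

def is_unique_identifier(users, path):
    """True only if every user has a value for `path` and no two users share it."""
    report = matching_report(users, path)
    return not report["duplicates"] and report["missing"] == 0

if __name__ == "__main__":
    attr, op, value = parse_match_filter(LOGGED_URL)
    print(attr, op, repr(value))
    print("department:", matching_report(SAMPLE_USERS, attr))
    print("userName unique:", is_unique_identifier(SAMPLE_USERS, "userName"))
```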
