
I am in the process of configuring a SCIM API with Azure AD. What does this "Test Connection" do when configuring an Enterprise Application?

In my case, the API endpoint I want to configure is "https://myapi.company.com/api/v2", where resource URLs are in the form "https://myapi.company.com/api/v2/scim/[Resource]". I don't include 'scim' in the Tenant URL (as per the image attached), as Azure AD adds that by default when sending requests (which is a bit weird in a way). [Azure AD adds /scim/[Resource], e.g. /scim/Users, to the base URL provided.] [Reference].

When I try 'https://myapi.company.com/api/v2' for the Tenant URL (clicking 'Test Connection', or trying to Save without testing the connection), Test Connection fails.

Error message: 'You appear to have entered invalid credentials. Please confirm you are using the correct information for an administrative account.' This does not make any sense to me.

As experiments: when I try 'https://myapi.company.com/api/v2/scim/' it is successful.

When I try 'https://myapi.company.com/api/v2' it is successful.

All 3 URLs above give 404 when tried from Postman or from a browser. I can't understand what Azure AD does with Test Connection.

What does Test Connection do?

Dhanuka777
    I'm having issues with this too. If I leave off the /scim suffix from the URL, it doesn't validate. But if I leave /scim on the end then the actual synchronisation operation fails since it appears to add on another /scim and query "/scim/scim/Users" which is wrong – Brendan Mar 07 '18 at 09:26
    After a bit more testing and setting up Application Insights, I found that the "Test Connection" button was trying to query the existence of a Group using the "RetrieveAsync()" method. I previously was throwing a NotImplementedException() from that method (which returned a 501 error). The "Test Connection" interpreted that as "invalid credentials". Once I changed that to return null ( `return Task.FromResult((Resource)null);` ) it let me proceed ok without the /scim end on the URL. – Brendan Mar 07 '18 at 14:05

2 Answers


The test connection sends a request such as this:

GET /Users?filter=userName eq "non-existent user"

and expects a response such as this:

HTTP/1.1 200 OK
{
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 0,
    "Resources": [],
    "startIndex": 1,
    "itemsPerPage": 20
}

https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#get-user-by-query---zero-results

colidyre

When you press Test Connection, a couple of requests will be sent to the Tenant URL (SCIM endpoint):

GET /scim/v2/Groups?excludedAttributes=members&filter=displayName+eq+%22AzureAD_Test-d3951745-df3d-40ae-a0a4-cc3099c34c47%22
GET /scim/v2/Users?filter=userName+eq+%22AzureAD_Test-d3951745-df3d-40ae-a0a4-cc3099c34c47%22

The actual displayName and userName requested are randomly generated, so an empty ListResponse is expected (with status code 200 OK):

{
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 0,
    "Resources": [],
    "startIndex": 1,
    "itemsPerPage": 20
}

This behaviour is mentioned in the docs:

Microsoft Azure AD makes requests to fetch a random user and group to ensure that the endpoint and the credentials are valid. It's also done as a part of Test Connection flow in the Azure portal.

RubenLaguna
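The probe described in both answers, handled end to end, as an added example that is not code from the question or either answer: a minimal Python GET handler for the Users and Groups resources that parses the `attribute eq "value"` filter and `excludedAttributes` the way Azure AD sends them (with `+` and `%22` encoding), and answers the random-name lookup with the empty ListResponse the probe expects instead of a 501. The `/api/v2` tenant base, the `USERS`/`GROUPS` sample store and the `handle_get` function are constructed for this example.

```python
import re
from urllib.parse import parse_qs

# Constructed sample directory standing in for the real backing store.
USERS = [{"id": "u1", "userName": "alice@company.example"}]
GROUPS = [{"id": "g1", "displayName": "Engineering", "members": [{"value": "u1"}]}]

# The only filter shape the probe uses: <attribute> eq "<value>"
FILTER_RE = re.compile(r'^(\w+)\s+eq\s+"([^"]*)"$')


def list_response(resources, items_per_page=20):
    """Wrap matches in the SCIM 2.0 ListResponse envelope Azure AD expects."""
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
        "totalResults": len(resources),
        "Resources": resources,
        "startIndex": 1,
        "itemsPerPage": items_per_page,
    }


def handle_get(path, query, tenant_base="/api/v2"):
    """Return (status, body) for a GET against the SCIM endpoint.

    Azure AD appends /scim/<Resource> to the configured Tenant URL, so the
    handler expects exactly one /scim segment after the base; anything else
    (the bare base URL, or a doubled /scim/scim/) is a 404.
    """
    prefix = tenant_base.rstrip("/") + "/scim/"
    if not path.startswith(prefix):
        return 404, {"detail": "not a SCIM resource path"}
    store = {"Users": USERS, "Groups": GROUPS}.get(path[len(prefix):])
    if store is None:
        return 404, {"detail": "unknown resource"}
    params = parse_qs(query)  # decodes '+' and %22 into 'userName eq "..."'
    excluded = set(params.get("excludedAttributes", [""])[0].split(",")) - {""}
    flt = params.get("filter", [None])[0]
    if flt is None:
        matches = list(store)
    else:
        m = FILTER_RE.match(flt)
        if not m:
            return 400, {"detail": "unsupported filter"}
        attr, value = m.groups()
        matches = [r for r in store if r.get(attr) == value]
    # A random probe name matches nothing: 200 with totalResults 0 is the
    # expected answer; a 501 here is what the portal reported as bad credentials.
    matches = [{k: v for k, v in r.items() if k not in excluded} for r in matches]
    return 200, list_response(matches)
```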