
I'm currently trying to implement the SCIM protocol for synchronizing Users & Groups from AzureAD into my application.

For development I use a MS tutorial and the RFC for SCIM:

For validation of my endpoints I use Microsoft's AzureAD SCIM Validator: https://scimvalidator.microsoft.com/

Running the validation I only get one error message: https://i.stack.imgur.com/Ru5KU.png

The corresponding Group was created by the SCIM Validator using the following request:

POST /scim/Groups 1.1
Host: ngrok-free.app
Content-Type: application/scim+json; charset=utf-8
{
  "displayName": "3TCVOGSGK5K3",
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:Group"
  ]
}

The PATCH request in question is

PATCH /scim/Groups/66f04454-be03-446b-885b-dad2f37568f9 1.1
Host: ngrok-free.app
Content-Type: application/scim+json; charset=utf-8
{
  "Operations": [
    {
      "op": "replace",
      "path": "members[type eq \"untyped\"].value",
      "value": "P781Y6CGE6C6"
    },
    {
      "op": "replace",
      "value": {
        "displayName": "BXCXL6SD5JFM"
      }
    }
  ],
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ]
}

which gets the following response from my endpoint:

Cache-Control: no-store, must-revalidate, no-cache, max-age=0
Date: Thu, 08 Jun 2023 17:51:30 GMT
Pragma: no-cache
Vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 0
Transfer-Encoding: chunked
Content-Type: application/scim+json
Expires: 0

{
  "displayName": "BXCXL6SD5JFM",
  "id": "66f04454-be03-446b-885b-dad2f37568f9",
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:Group"
  ]
}

What I do when receiving the request is replace all members of the group with the one mentioned in the value ("P781Y6CGE6C6").

I don't know what the wanted behavior is for this request - maybe anyone understands it better and can explain it to me?

Best Regards

CuX
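
As an added illustration (not code from the question, the validator or the RFC text), here is a minimal applier for RFC 7644 "replace" operations run over the PATCH body from the question; the group's stored member entries are constructed, since the page does not show them. It shows that a value-path filter such as members[type eq "untyped"].value only touches the matching entries (others are kept, which differs from replacing the whole members list), and that a filter selecting nothing is a 400 with scimType "noTarget" under RFC 7644 section 3.5.2.3.

```python
import copy
import re

# Constructed group as stored server-side before the PATCH; the member entries are
# assumptions (the page shows no stored members), the id is the one from the question.
GROUP = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
    "id": "66f04454-be03-446b-885b-dad2f37568f9",
    "displayName": "3TCVOGSGK5K3",
    "members": [{"value": "OLDUSER00001", "type": "User"},
                {"value": "OLDGROUP0002", "type": "Group"}],
}
# Operations copied from the validator's PATCH body shown in the question
OPERATIONS = [
    {"op": "replace", "path": 'members[type eq "untyped"].value', "value": "P781Y6CGE6C6"},
    {"op": "replace", "value": {"displayName": "BXCXL6SD5JFM"}},
]
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
# attr[sub eq "x"].subattr ; only the "eq" filter form used by the validator is handled
VALUE_PATH = re.compile(r'^(\w+)\[(\w+) eq "([^"]*)"\](?:\.(\w+))?$')

def scim_error(scim_type, detail):
    return 400, {"schemas": [ERROR_SCHEMA], "status": "400",
                 "scimType": scim_type, "detail": detail}

def apply_replace(resource, op):
    """Apply one 'replace' in place; return (scimType, detail) on error, else None."""
    path, value = op.get("path"), op["value"]
    if path is None:  # no path: value is an object whose attributes replace the resource's
        if not isinstance(value, dict):
            return "invalidValue", "replace without path requires an object value"
        resource.update(value)
        return None
    m = VALUE_PATH.match(path)
    if m is None:  # plain attribute path such as "displayName"
        resource[path] = value
        return None
    attr, sub, expected, subattr = m.groups()
    matched = [e for e in resource.get(attr, []) if e.get(sub) == expected]
    if not matched:  # RFC 7644 3.5.2.3: a filter that selects no record is noTarget
        return "noTarget", f"{path} selected no {attr} entry"
    for entry in matched:  # only matching entries change; the other members stay
        if subattr:
            entry[subattr] = value
        else:
            entry.clear()
            entry.update(value)
    return None

def apply_patch(resource, operations):
    """Return (status, body) as the endpoint would; the stored resource is never mutated."""
    working = copy.deepcopy(resource)
    for op in operations:
        if op["op"].lower() != "replace":
            return scim_error("invalidValue", f"unsupported op {op['op']}")
        err = apply_replace(working, op)
        if err:
            return scim_error(*err)
    return 200, working
```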

1 Answer


Did you manually add the expression to the group resource's members attribute? Azure AD's SCIM implementation does not utilize the type sub-attribute on the members attribute.

Azure AD's SCIM implementation shouldn't call replace on the members attribute for groups, and I suspect that the reason it is doing so in this case is because you have edited the attribute path to members[type eq "untyped"].value. Try reverting back to the default set of attributes for groups in the SCIM validator. Having just looked at the SCIM validator while writing this, I only see displayName and externalId listed in the attribute list for the Group resource. Despite members not being listed there, I believe it is still tested.

Zollnerd
  • Thanks for your reply @Zollnerd! Your first question was guiding me in a new direction (no, I did not add the expression manually) - I had a look at my Group Schema, which was missing the "type" value. That was the reason why it said type eq "untyped" ... Unfortunately after adding "type" to the Schema, the Scim Validator has the same behavior as before, now saying `The value of members[type eq "User"].value is Missing from the fetched Resource` ... Do you have any further ideas? – CuX Jun 09 '23 at 19:30
  • Another approach I'm trying now is to omit the "members" attribute, I will let you know if that works better. – CuX Jun 09 '23 at 19:39
  • Type isn't an attribute on the group schema - it's a sub-attribute of the complex "members" attribute. The SCIM Validator does test memberships even though the members attribute isn't listed there. For context, I'm a product manager at Microsoft on the AAD Provisioning team, although I don't specifically own this. I've discussed w/ the dev team for this and we'll make a change in the future to make the fact that members is tested/included clear. – Zollnerd Jun 12 '23 at 17:34
  • The only attribute you likely need for groups testing is displayName - and externalId if you have implemented it. members will be tested even if it isn't present in the UI. – Zollnerd Jun 12 '23 at 17:34