
Doing testing on a SCIM implementation with Confluence and Azure AAD, with authentication via OIDC, and ran into the following issue:

If a SCIM provisioned account is deleted manually from Confluence, Azure does not seem to have a way to figure out that it has been deleted, so it will not create the user again on the next provisioning cycle. Is there a way to clear out Azure's "cache" or storage of the existing user so that it sees that the user no longer exists in the application it is SCIMing to?

I attempted removing/re-adding the user to Provisioning/Users and Groups to see if it would pick it up again, and it did not. I tried manually creating the user in Confluence with the correct name/username/email to see if the link between Azure and the app could be restored, and it did not work.

So my question is - is there any way to support 2-way syncing from Azure AD and an application using SCIM? Is Azure able to receive requests from the app that a user has been deleted? If not, what steps need to be done to clear out Azure's cache so that the user can be provisioned again via SCIM?

Let me know if you need more details, thanks.

1 Answer


Restarting the provisioning job or using Provisioning on Demand should both force the user to be re-evaluated, at which point AAD Provisioning will do a GET /Users/, get an HTTP 404 response (Not Found), and then try to locate via GET /Users&filter=userName eq x@y.com. If there is no user, it will find 0 matches and create a new one, and if one has been recreated it will locate that and then link the two objects in AAD + the SCIM app and will send any needed updates.

Two way sync - including detecting changes in the target (usually SCIM) system and reacting to them - isn't possible. The main triggers for a user being evaluated by AAD Provisioning are if the job is restarted, if the user has changed in AAD, or if Provisioning on Demand is used. External triggers such as changes in the other system are not possible at this time.

Zollnerd
  • Appreciate the comment. I tried to Provision on Demand and restarting the provisioning job, and it does not recreate the user in Confluence. `The state of the entry in both the source and target systems already match. No change to the urn:ietf:params:scim:schemas:extension:enterprise:2.0:User 'emailOfUser' currently needs to be made.` is what shows in the Azure logs. Let me know if there is another log I should look for. Thanks – Elijah Guastella Jun 21 '23 at 19:22
  • That message indicates that the provisioning service went to go query information about that user (SCIM GET /Users/useridvalue) and received a response, and the response had any attributes mapped from AAD -> Atlassian/Confluence already in the state that was expected. You may need to open a support case with AAD to go deeper, it sounds like the user you think is deleted isn't actually deleted according to the SCIM server's response - or there's more than one relevant user account and the deleted one isn't the one being managed by AAD. – Zollnerd Jun 21 '23 at 22:45
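The re-evaluation flow the answer describes (GET by stored id, 404, lookup by userName, create or re-link, then send any needed updates) and the "already match" outcome from the comments, as an added Python model. This is not code from the original post, Azure or Atlassian; `FakeScimServer`, `reevaluate`, the link dictionary and the sample users are constructed for illustration.

```python
# Added example: a minimal model of how AAD Provisioning re-evaluates one user
# against a SCIM target. The in-memory server and the outcome strings are
# constructed stand-ins for the real SCIM endpoint and the provisioning logs.
from typing import Optional


class FakeScimServer:
    """In-memory stand-in for the target app's SCIM /Users resource."""

    def __init__(self):
        self.users = {}  # scim_id -> {"userName": ..., "displayName": ...}
        self.next_id = 1

    def get(self, scim_id: str) -> Optional[dict]:
        return self.users.get(scim_id)  # None models an HTTP 404

    def filter_by_username(self, user_name: str) -> list:
        # Models GET /Users?filter=userName eq "<value>"
        return [(i, u) for i, u in self.users.items() if u["userName"] == user_name]

    def create(self, attrs: dict) -> str:  # Models POST /Users
        scim_id = f"scim-{self.next_id}"
        self.next_id += 1
        self.users[scim_id] = dict(attrs)
        return scim_id

    def patch(self, scim_id: str, attrs: dict) -> None:  # Models PATCH /Users/{id}
        self.users[scim_id].update(attrs)


def reevaluate(server: FakeScimServer, link: dict, aad_user: dict) -> str:
    """One Provisioning-on-Demand pass for a single AAD user.
    `link` holds the SCIM id AAD last stored for this user (absent if never linked).
    Returns a short outcome mirroring the cases discussed in the answer."""
    scim_id = link.get("scim_id")
    target = server.get(scim_id) if scim_id else None
    if target is None:  # GET /Users/{id} -> 404 (or never linked)
        matches = server.filter_by_username(aad_user["userName"])
        if not matches:  # 0 matches -> create a fresh user
            link["scim_id"] = server.create(aad_user)
            return "created"
        if len(matches) > 1:  # more than one candidate: needs investigation
            return "ambiguous"
        link["scim_id"], target = matches[0]  # re-link to the recreated user
    if all(target.get(k) == v for k, v in aad_user.items()):
        return "already-match"  # the log message quoted in the comments
    server.patch(link["scim_id"], aad_user)  # send any needed updates
    return "updated"
```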