
I'm trying SCIM 2.0 provisioning with Azure AD

As a premise, I have a SCIM server for my product and I'm implementing PATCH endpoints for use with Okta and Microsoft Azure AD.

I'm done testing with Okta, so I'm trying with Azure AD now.

I read this post active-directory-scim-provisioning and the SCIM 2.0 Specification Section 3.5.2.

I set up an enterprise application on our Azure AD with the following mapping:

Then, Azure AD sends the following JSON POST request to create users assigned to the application to my server:

POST:

{
    "active": true,
    "displayName": "$DISPLAY_NAME",
    "emails": [
        {
            "primary": true,
            "type": "work",
            "value": "$EMAIL"
        }
    ],
    "externalId": "$EXTERNAL_ID",
    "meta": {
        "resourceType": "User"
    },
    "name": {
        "formatted": "$FORMATTED"
    },
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
    ],
    "userName": "$USER_NAME"
}

I can process the POST request correctly, but I am unable to consume the PATCH request from Azure AD.

PATCH:

{
    "Operations": [
        {
            "op": "Replace",
            "path": "name.givenName",
            "value": [
                {
                    "$ref": null,
                    "value": "$VALUE"
                }
            ]
        },
        {
            "op": "Replace",
            "path": "name.familyName",
            "value": [
                {
                    "$ref": null,
                    "value": "$VALUE"
                }
            ]
        }
    ],
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ]
}

Is it correct (according to the specification) that the value attribute is of type Array, even if the target is a single-valued attribute? Is the use of the $ref attribute correct in this case?

Or did I misunderstand the specification?

Daichi
  • I wondered the same thing. Did you find an answer from MS? Also, they send booleans as strings, e.g. "True" instead of true. – thesmart Aug 04 '18 at 17:41
  • @thesmart Unfortunately no, I didn't; I just implemented special logic to support the strange format. – Daichi Aug 05 '18 at 00:39

2 Answers


They made a mistake on the value implementation for non-complex objects. You can read more about it here https://social.msdn.microsoft.com/Forums/lync/en-US/e2200b69-4333-41ea-9f51-717d316c7751/automatic-user-provisioning-scim-restful-patch-payload-issue?forum=WindowsAzureAD

Adolfo Builes
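A server-side handler for the PATCH shape shown in the question, added here as an example (it is not code from the question, the answer, or Microsoft): it accepts both the RFC 7644 single value and Azure AD's array-wrapped value, converts the "True"/"False" strings mentioned in the comments, and rejects operations on paths outside an allowlist so the provisioning client cannot write arbitrary attributes. The attribute allowlist (WRITABLE) and the sample PATCH (AZURE_PATCH) are assumptions constructed for the example.

```python
import copy

PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Assumed allowlist of single-valued User attributes a PATCH may write; anything
# else (e.g. "id", "meta") is rejected rather than written through to the store.
WRITABLE = {"userName", "displayName", "active", "name.givenName", "name.familyName"}


def normalize_value(path, value):
    """Accept the RFC 7644 form ("value": "Jane") and the Azure AD form
    ("value": [{"$ref": null, "value": "Jane"}]) of a single-valued attribute,
    plus Azure AD's "True"/"False" strings for booleans (see the comments above)."""
    if isinstance(value, list):
        # Exactly one {"value": ...} element; anything else is not a single value.
        if len(value) != 1 or not isinstance(value[0], dict) or "value" not in value[0]:
            raise ValueError(f"unsupported value encoding for {path}: {value!r}")
        value = value[0]["value"]
    if path == "active" and isinstance(value, str):
        if value.lower() not in ("true", "false"):
            raise ValueError(f"non-boolean value for active: {value!r}")
        value = value.lower() == "true"
    return value


def apply_patch(user, patch):
    """Apply a SCIM PatchOp message to a stored User dict; returns an updated copy."""
    if PATCH_OP_SCHEMA not in patch.get("schemas", []):
        raise ValueError("missing PatchOp schema")
    updated = copy.deepcopy(user)
    for operation in patch.get("Operations", []):
        op = str(operation.get("op", "")).lower()  # Azure AD sends "Replace", not "replace"
        path = operation.get("path")
        if op not in ("add", "replace") or path not in WRITABLE:
            raise ValueError(f"rejected operation {op!r} on path {path!r}")
        *parents, leaf = path.split(".")  # "name.givenName" -> updated["name"]["givenName"]
        node = updated
        for key in parents:
            node = node.setdefault(key, {})
        node[leaf] = normalize_value(path, operation.get("value"))
    return updated


# Constructed sample in the shape shown in the question (not a captured request).
AZURE_PATCH = {
    "schemas": [PATCH_OP_SCHEMA],
    "Operations": [
        {"op": "Replace", "path": "name.givenName", "value": [{"$ref": None, "value": "Jane"}]},
        {"op": "Replace", "path": "name.familyName", "value": [{"$ref": None, "value": "Doe"}]},
        {"op": "Replace", "path": "active", "value": "False"},
    ],
}
```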