Failed to match an entry in the source and target systems User

Question

Hi there, I get the following error when I provision a user using Azure; however, the user gets created on target!

Please let me know what endpoint this error is complaining about or trying to hit?

Also, do I need to map any fields except userName for this provisioning to work?

Thanks,

Leila

Match user between source and target system
Failed to match an entry in the source and target systems User '******@llaconsultingorg.onmicrosoft.com'
Error code
SystemForCrossDomainIdentityManagementServiceIncompatible
Error message
We are not able to deserialize the resource received from your SCIM endpoint because your SCIM endpoint is not fully compatible with the Azure Active Directory SCIM client. Here is the resource we received from your SCIM endpoint:
    {
  "Resources": [
    {
      "active": null,
      "enabled": null,
      "externalId": null,
      "id": 1217,
      "meta": {
        "created": "2023-05-23 21:40:26.077231",
        "lastModified": "2023-05-23 21:40:26.545145",
        "location": "https://api.blah.ai/v1/Users/1217",
        "resourceType": "User"
      },
      "roles": null,
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "timezone": "UTC",
      "userName": "******@blah.onmicrosoft.com"
    }
  ],
  "itemsPerPage": 100,
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:ListResponse"
  ],
  "startIndex": 1,
  "totalResults": 1
}

Answer 1

Looking at the above - the error about deserialization means that when the provisioning service is breaking apart the JSON object(s) in the body, it is encountering unexpected or syntactically incorrect data. Most frequently this is things like a missed comma or a missing bracket, but I can't see any of those here.

What I do see is that the ID attribute looks to be the wrong data type - integer rather than string. While the schema/property definitions of the common attributes in the SCIM spec aren't spelled out in the same way that other attributes are in https://datatracker.ietf.org/doc/html/rfc7643#section-8.7.1, every example of the ID attribute used in the SCIM specification documents is a string.

As a side note, while I don't think it is the cause of the problem, the "enabled" attribute in the payload above is not compliant with the SCIM specification. That attribute is not part of the SCIM core user schema, and the spec says that any attributes that are not part of the core schema for a resource must be represented with the full URI - so something like urn:ietf:params:scim:schemas:extension:AppName:2.0:User:enabled would be valid. The spec ALSO says to not duplicate functionality of existing attributes in the specification with new custom extension attributes, however, which would sway towards a suggested change of removing the "enabled" attribute and utilizing the "active" attribute that is defined in the SCIM spec.

Answer 2

Hello @Leila Sahebjamee , your SCIM endpoint post user endpoint is working but the information returned to Azure AD is not fully compliant with the Azure AD SCIM client. Depending on your configuration a null externalId may not be ok. Validate it to get more information about the error. For more information on how to develop your endpoint a look to Understand the Azure AD SCIM implementation and Handling provisioning and deprovisioning of users.

Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.

Answer 3

We had some misconfiguration in our SCIM Schema and after following the guideline in https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#understand-the-azure-ad-scim-implementation we could fix most of the issue.