Hi
I am currently trying to provision users and groups from Entra ID to an on-prem directory supporting a SCIM interface. I’m using the Enterprise App SCIM provisioning to do that. We are testing different scenarios, and one of the scenarios is trying to modify two attributes.
This works fine with two standard user-core-schema attributes of type "string" (not complex): Entra ID is sending the right PATCH request with the right replace-operation format. But when we try to modify two complex attributes or two custom attributes (from our custom schema), our SCIM interface rejects the operations. It looks like the PATCH request sent from Entra ID is not compliant with the SCIM standard. The POST requests work as they should.
This is an example to change two attributes from the complex core attribute “name”. This is what Entra ID is sending (and is rejected by our SCIM product):
// PATCH
{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [
    {
      "op": "replace",
      "value": {
        "name.formatted": "test test2",
        "name.familyName": "test"
      }
    }
  ]
}
This is what it should be, I believe, according to the SCIM standard (working with our SCIM product):
// PATCH
{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [
    {
      "op": "replace",
      "value": {
        "name": {
          "formatted": "test test2",
          "familyName": "test"
        }
      }
    }
  ]
}
Alternatively, the “name” should be defined in “path”.
Below is another example using two custom attributes from our custom schema “urn:ietf:params:scim:schemas:extension:myown:2.0:User”. This is what Entra ID is sending (and is rejected by our SCIM product):
// PATCH
{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [
    {
      "op": "replace",
      "value": {
        "urn:ietf:params:scim:schemas:extension:myown:2.0:User.arbeidssted": "test2",
        "urn:ietf:params:scim:schemas:extension:myown:2.0:User.section": "test3"
      }
    }
  ]
}
This is what it should be, I believe, according to the SCIM standard (working with our SCIM product):
// PATCH
{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [
    {
      "op": "replace",
      "value": {
        "urn:ietf:params:scim:schemas:extension:myown:2.0:User": {
          "arbeidssted": "Svinesund",
          "section": "Seksjon Svinesund 6"
        }
      }
    }
  ]
}
The POST request works as it should:
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
    "urn:ietf:params:scim:schemas:extension:myown:2.0:User"
  ],
  "meta": {
    "resourceType": "User"
  },
  "active": true,
  "displayName": "Harry Test",
  "externalId": "5315ce50-9b26-4f27-322a-4898137b454a",
  "userName": "HATT ",
  "name": {
    "familyName": "Smart",
    "formatted": "Smart, Harry",
    "givenName": "Harry"
  },
  "urn:ietf:params:scim:schemas:extension:myown:2.0:User": {
    "mail": "harry.holly@test.local",
    "title": "Undsersjef"
  }
}
Kind regards Henrik Sommerschild
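
A receiving SCIM endpoint can tolerate the dotted-key form shown in the post by expanding it into the nested form before applying the operation. The following is an added example, not part of the original post and not code from Entra ID or any SCIM product; the function names and the rule for splitting "urn:" keys are assumptions.

```python
import copy

EXT = "urn:ietf:params:scim:schemas:extension:myown:2.0:User"
PATCHOP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# Constructed samples, copied from the two rejected requests in the post.
ENTRA_NAME_PATCH = {"schemas": [PATCHOP], "Operations": [{"op": "replace",
    "value": {"name.formatted": "test test2", "name.familyName": "test"}}]}
ENTRA_EXT_PATCH = {"schemas": [PATCHOP], "Operations": [{"op": "replace",
    "value": {EXT + ".arbeidssted": "test2", EXT + ".section": "test3"}}]}

def split_key(key):
    """Split a dotted key into segments, keeping a schema URN in one piece."""
    # Assumption: in a "urn:" key the URN ends at the first "." after the
    # last ":", so the dot inside "2.0" is not treated as a separator.
    if key.lower().startswith("urn:"):
        dot = key.find(".", key.rfind(":"))
        parts = [key] if dot == -1 else [key[:dot], *key[dot + 1:].split(".")]
    else:
        parts = key.split(".")
    if not all(parts):
        raise ValueError(f"empty path segment in {key!r}")
    return parts

def nest_value(value):
    """Expand the dotted keys of a path-less "value" object into nested objects."""
    nested = {}
    for key, val in value.items():
        *parents, leaf = split_key(key)
        node = nested
        for part in parents:
            node = node.setdefault(part, {})
            if not isinstance(node, dict):
                raise ValueError(f"{key!r} collides with a simple attribute")
        if isinstance(node.get(leaf), dict) and isinstance(val, dict):
            node[leaf].update(val)  # merge with keys expanded earlier
        elif leaf in node:
            raise ValueError(f"{key!r} is set twice with different shapes")
        else:
            node[leaf] = val
    return nested

def normalize_patch(body):
    """Return a copy of a PatchOp body with path-less values nested."""
    out = copy.deepcopy(body)
    for op in out.get("Operations", []):
        if "path" not in op and isinstance(op.get("value"), dict):
            op["value"] = nest_value(op["value"])
    return out
```

Operations that carry a "path" are passed through unchanged, and a collision between a dotted key and a simple attribute of the same name is rejected instead of being silently overwritten.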