SCIM Validator Patch Group - Remove Member test complains about invalid schema

Kevin Osborn 15 Reputation points
2023-12-04T21:58:44.4166667+00:00

With the SCIM Validator, I have the following failed test.

The Schema of the Fetched Group is invalid. Please refer to the filter group response example in https://www.rfc-editor.org/rfc/rfc7644#section-3.7.1

In the details, I see that it is trying to replace the members of a group with other members.

```
PATCH https://mydomain/scim/Groups/fd8eb340-44a1-415a-b227-8aeb3a454589 1.1
Host: mydomain
Content-Type: application/scim+json; charset=utf-8

{
  "Operations": [
    {
      "op": "replace",
      "path": "members",
      "value": [
        {
          "value": "5454e3f5-58a6-4f89-ad8b-25d2ef1eaeb4"
        },
        {
          "value": "ef8ff40c-0b6e-47fc-89a9-967dca5977e6"
        }
      ]
    }
  ],
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ]
}
```

This works fine. It then does GET https://kosborn.thefulcrum.team/scim/Groups/fd8eb340-44a1-415a-b227-8aeb3a454589.

```json
{
  "active": true,
  "displayName": "68U2C28AITYX",
  "id": "fd8eb340-44a1-415a-b227-8aeb3a454589",
  "members": [
    {
      "value": "5454e3f5-58a6-4f89-ad8b-25d2ef1eaeb4",
      "type": "User",
      "$ref": "http://mydomain/scim/Users/5454e3f5-58a6-4f89-ad8b-25d2ef1eaeb4"
    },
    {
      "value": "ef8ff40c-0b6e-47fc-89a9-967dca5977e6",
      "type": "User",
      "$ref": "http://mydomain/scim/Users/ef8ff40c-0b6e-47fc-89a9-967dca5977e6"
    }
  ],
  "meta": {
    "resourceType": "Group",
    "location": "http://mydomain/scim/Groups/fd8eb340-44a1-415a-b227-8aeb3a454589"
  },
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:Group"
  ]
}
```

I have looked at the schema and could not find any problems. Unfortunately, SCIM Validator does not specify what it is actually looking for.

Does anybody have any ideas? Thanks.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Brandur 5 Reputation points
    2024-06-07T19:07:41.18+00:00

    Kevin, I had the same problem and was able to get the schema passing by removing the $ref attributes under members. Longer answer/bug report follows.

    Microsoft's handling of the members property in a group appears to be quite wrong.

    Along with the invalid schema problem described above, if you put properties in your schema for the SCIM validator to discover, it will complain about them:

    ```
    Internal server error: The attribute members[type eq "User"].$ref for Group is not supported by the SCIM protocol. Please refer to the SCIM RFC
    ```

    It tells me to refer to the SCIM RFC, but the SCIM RFC quite clearly states these are allowed (see here on page 68):

    ```json
    {
      "id": "urn:ietf:params:scim:schemas:core:2.0:Group",
      "name": "Group",
      "description": "Group",
      "attributes": [
        {
          "name": "displayName",
          "type": "string",
          "multiValued": false,
          "description": "A human-readable name for the Group. REQUIRED.",
          "required": false,
          "caseExact": false,
          "mutability": "readWrite",
          "returned": "default",
          "uniqueness": "none"
        },
        {
          "name": "members",
          "type": "complex",
          "multiValued": true,
          "description": "A list of members of the Group.",
          "required": false,
          "subAttributes": [
            {
              "name": "value",
              "type": "string",
              "multiValued": false,
              "description": "Identifier of the member of this Group.",
              "required": false,
              "caseExact": false,
              "mutability": "immutable",
              "returned": "default",
              "uniqueness": "none"
            },
            {
              "name": "$ref",
              "type": "reference",
              "referenceTypes": [
                "User",
                "Group"
              ],
              "multiValued": false,
              "description": "The URI corresponding to a SCIM resource that is a member of this Group.",
              "required": false,
              "caseExact": false,
              "mutability": "immutable",
              "returned": "default",
              "uniqueness": "none"
            },
            {
              "name": "type",
              "type": "string",
              "multiValued": false,
              "description": "A label indicating the type of resource, e.g., 'User' or 'Group'.",
              "required": false,
              "caseExact": false,
              "canonicalValues": [
                "User",
                "Group"
              ],
              "mutability": "immutable",
              "returned": "default",
              "uniqueness": "none"
            }
          ],
          "mutability": "readWrite",
          "returned": "default"
        }
      ],
      "meta": {
        "resourceType": "Schema",
        "location": "/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:Group"
      }
    }
    ```

    Just by trial and error, it seems the only members property that Microsoft will accept is type. Even value (the most important property) is not acceptable in the schema, although if you include it in your API response, Microsoft will allow it there.

    I know the Microsoft preference is to return groups with excludedAttributes=members, which is fine, but that shouldn't exclude the possibility of SCIM implementations behaving in valid and desirable ways when this property is not passed.

    I guess my workaround for the time being is to remove $ref and remove most members properties from the schema, but it'd be nice to see this fixed. I assumed the problem was on my end, and sunk quite a few hours into trying to figure out what I was doing wrong before figuring all this out.

    1 person found this answer helpful.

  2. Danny Zollner 10,826 Reputation points Microsoft Employee Moderator
    2023-12-05T02:49:38.9133333+00:00

    I'm not positive, but it may be the inclusion of the "active" attribute. The group resource's core schema does not have this attribute.

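To check the "active" hypothesis without guessing at what the validator does internally, the following added example (not Microsoft's validator code, and not from either poster) applies the PATCH from the question and then checks the fetched Group strictly against the RFC 7643 core Group schema: the common attributes of section 3.1, the Group attributes of section 4.2, and the `value`/`$ref`/`type` sub-attributes of `members` from section 8.7.1. The sample Group and ids are copied from the question; the `$ref`-matches-`value` consistency check is this example's own addition and is not mandated by the RFC.

```python
"""Strict check of a SCIM 2.0 Group representation against the RFC 7643 core
Group schema.  Added example; attribute sets transcribed from RFC 7643."""
from urllib.parse import urlparse

GROUP_SCHEMA_URN = "urn:ietf:params:scim:schemas:core:2.0:Group"
PATCHOP_URN = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Top-level attributes a Group may carry: common attributes (RFC 7643 s.3.1)
# plus the Group attributes (s.4.2).  Extension URNs listed in "schemas" are
# also allowed as keys; anything else is flagged.
COMMON_ATTRIBUTES = {"schemas", "id", "externalId", "meta"}
GROUP_ATTRIBUTES = {"displayName", "members"}
MEMBER_SUBATTRIBUTES = {"value", "$ref", "type"}  # RFC 7643 s.8.7.1
MEMBER_TYPES = {"User", "Group"}
META_SUBATTRIBUTES = {"resourceType", "created", "lastModified", "location", "version"}


def validate_group(resource: dict) -> list[str]:
    """Return the list of schema problems found; an empty list means the Group is clean."""
    problems = []
    schemas = resource.get("schemas") or []
    if GROUP_SCHEMA_URN not in schemas:
        problems.append(f'"schemas" must include {GROUP_SCHEMA_URN}')
    if not isinstance(resource.get("id"), str) or not resource["id"]:
        problems.append('"id" is required and must be a non-empty string')

    for name in resource:
        is_extension = name.startswith("urn:") and name in schemas
        if name not in COMMON_ATTRIBUTES | GROUP_ATTRIBUTES and not is_extension:
            problems.append(f'unknown top-level attribute "{name}" (not in the core Group schema)')

    meta = resource.get("meta", {})
    for name in meta:
        if name not in META_SUBATTRIBUTES:
            problems.append(f'unknown meta sub-attribute "{name}"')
    if "resourceType" in meta and meta["resourceType"] != "Group":
        problems.append(f'meta.resourceType is {meta["resourceType"]!r}, expected "Group"')

    for i, member in enumerate(resource.get("members", [])):
        if not isinstance(member, dict):
            problems.append(f"members[{i}] must be a complex value")
            continue
        for name in member:
            if name not in MEMBER_SUBATTRIBUTES:
                problems.append(f'unknown sub-attribute "{name}" in members[{i}]')
        if not isinstance(member.get("value"), str):
            problems.append(f"members[{i}].value is missing or not a string")
        if "type" in member and member["type"] not in MEMBER_TYPES:
            problems.append(f'members[{i}].type {member["type"]!r} is not "User" or "Group"')
        ref = member.get("$ref")
        if ref is not None:
            url = urlparse(ref)
            if url.scheme not in ("http", "https") or not url.netloc:
                problems.append(f"members[{i}].$ref is not an absolute URI")
            # Consistency check added here (not mandated by the RFC): the
            # referenced resource path should end in the member's own id.
            elif "value" in member and not url.path.endswith("/" + member["value"]):
                problems.append(f"members[{i}].$ref does not point at members[{i}].value")
    return problems


def apply_replace_members(group: dict, patch: dict) -> dict:
    """Apply a PatchOp with one "replace" on "members" (RFC 7644 s.3.5.2.3) and return the result."""
    if PATCHOP_URN not in patch.get("schemas", []):
        raise ValueError("not a PatchOp message")
    (op,) = patch["Operations"]
    if op["op"].lower() != "replace" or op.get("path") != "members":
        raise ValueError("this example only handles replace on members")
    updated = dict(group)
    updated["members"] = [dict(m) for m in op["value"]]
    return updated


# Group representation as returned in the question above (ids copied from the page).
FETCHED_GROUP = {
    "active": True,
    "displayName": "68U2C28AITYX",
    "id": "fd8eb340-44a1-415a-b227-8aeb3a454589",
    "members": [
        {"value": "5454e3f5-58a6-4f89-ad8b-25d2ef1eaeb4", "type": "User",
         "$ref": "http://mydomain/scim/Users/5454e3f5-58a6-4f89-ad8b-25d2ef1eaeb4"},
        {"value": "ef8ff40c-0b6e-47fc-89a9-967dca5977e6", "type": "User",
         "$ref": "http://mydomain/scim/Users/ef8ff40c-0b6e-47fc-89a9-967dca5977e6"},
    ],
    "meta": {"resourceType": "Group",
             "location": "http://mydomain/scim/Groups/fd8eb340-44a1-415a-b227-8aeb3a454589"},
    "schemas": [GROUP_SCHEMA_URN],
}

if __name__ == "__main__":
    for problem in validate_group(FETCHED_GROUP):
        print("problem:", problem)
```

Run against the response from the question, the only finding is the top-level `active` attribute; dropping it leaves a clean Group, while the `$ref` and `type` sub-attributes under `members` pass as the RFC describes them. A check like this, run against your own endpoint's output before the hosted validator, separates "my representation deviates from RFC 7643" from "the validator rejects something the RFC allows", which is the distinction the two answers above turn on.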

