SCIM Validator Patch Group - Remove Member test complains about invalid schema

Kevin Osborn 15 Reputation points
2023-12-04T21:58:44.4166667+00:00

With the SCIM Validator, I have the following failed test.

The Schema of the Fetched Group is invalid. Please refer to the filter group response example in https://www.rfc-editor.org/rfc/rfc7644#section-3.7.1

In the details, I see that it is trying to replace the members of a group with other members.

```
PATCH https://mydomain/scim/Groups/fd8eb340-44a1-415a-b227-8aeb3a454589 HTTP/1.1
Host: mydomain
Content-Type: application/scim+json; charset=utf-8

{
  "Operations": [
    {
      "op": "replace",
      "path": "members",
      "value": [
        {
          "value": "5454e3f5-58a6-4f89-ad8b-25d2ef1eaeb4"
        },
        {
          "value": "ef8ff40c-0b6e-47fc-89a9-967dca5977e6"
        }
      ]
    }
  ],
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ]
}
```

This works fine. It then does GET https://kosborn.thefulcrum.team/scim/Groups/fd8eb340-44a1-415a-b227-8aeb3a454589.

```json
{
  "active": true,
  "displayName": "68U2C28AITYX",
  "id": "fd8eb340-44a1-415a-b227-8aeb3a454589",
  "members": [
    {
      "value": "5454e3f5-58a6-4f89-ad8b-25d2ef1eaeb4",
      "type": "User",
      "$ref": "http://mydomain/scim/Users/5454e3f5-58a6-4f89-ad8b-25d2ef1eaeb4"
    },
    {
      "value": "ef8ff40c-0b6e-47fc-89a9-967dca5977e6",
      "type": "User",
      "$ref": "http://mydomain/scim/Users/ef8ff40c-0b6e-47fc-89a9-967dca5977e6"
    }
  ],
  "meta": {
    "resourceType": "Group",
    "location": "http://mydomain/scim/Groups/fd8eb340-44a1-415a-b227-8aeb3a454589"
  },
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:Group"
  ]
}
```

I have looked at the schema and could not find any problems. Unfortunately, SCIM Validator does not specify what it is actually looking for.

Does anybody have any ideas? Thanks.

  1. Danny Zollner 9,861 Reputation points Microsoft Employee
    2023-12-05T02:49:38.9133333+00:00

    I'm not positive, but it may be the inclusion of the "active" attribute. The group resource's core schema does not have this attribute.


  2. Brandur 0 Reputation points
    2024-06-07T19:07:41.18+00:00

    Kevin, I had the same problem and was able to get the schema passing by removing the $ref attributes under members. Longer answer/bug report follows.

    Microsoft's handling of the members property in a group appears to be quite wrong.

    Along with the invalid schema problem described above, if you put properties in your schema for the SCIM validator to discover, it will complain about them:

    Internal server error: The attribute members[type eq "User"].$ref for Group is not supported by the SCIM protocol. Please refer to the SCIM RFC

    It tells me to refer to the SCIM RFC, but the SCIM RFC quite clearly states these are allowed (see here on page 68):

    ```json
    {
      "id" : "urn:ietf:params:scim:schemas:core:2.0:Group",
      "name" : "Group",
      "description" : "Group",
      "attributes" : [
        {
          "name" : "displayName",
          "type" : "string",
          "multiValued" : false,
          "description" : "A human-readable name for the Group. REQUIRED.",
          "required" : false,
          "caseExact" : false,
          "mutability" : "readWrite",
          "returned" : "default",
          "uniqueness" : "none"
        },
        {
          "name" : "members",
          "type" : "complex",
          "multiValued" : true,
          "description" : "A list of members of the Group.",
          "required" : false,
          "subAttributes" : [
            {
              "name" : "value",
              "type" : "string",
              "multiValued" : false,
              "description" : "Identifier of the member of this Group.",
              "required" : false,
              "caseExact" : false,
              "mutability" : "immutable",
              "returned" : "default",
              "uniqueness" : "none"
            },
            {
              "name" : "$ref",
              "type" : "reference",
              "referenceTypes" : [
                "User",
                "Group"
              ],
              "multiValued" : false,
              "description" : "The URI corresponding to a SCIM resource that is a member of this Group.",
              "required" : false,
              "caseExact" : false,
              "mutability" : "immutable",
              "returned" : "default",
              "uniqueness" : "none"
            },
            {
              "name" : "type",
              "type" : "string",
              "multiValued" : false,
              "description" : "A label indicating the type of resource, e.g., 'User' or 'Group'.",
              "required" : false,
              "caseExact" : false,
              "canonicalValues" : [
                "User",
                "Group"
              ],
              "mutability" : "immutable",
              "returned" : "default",
              "uniqueness" : "none"
            }
          ],
          "mutability" : "readWrite",
          "returned" : "default"
        }
      ],
      "meta" : {
        "resourceType" : "Schema",
        "location" :
          "/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:Group"
      }
    }
    ```

    Just by trial and error, it seems the only members property that Microsoft will accept is type. Even value (the most important property) is not acceptable in the schema, although if you include it in your API response, Microsoft will allow it there.

    I know the Microsoft preference is to return groups with excludedAttributes=members, which is fine, but that shouldn't exclude the possibility of SCIM implementations behaving in valid and desirable ways when this property is not passed.

    I guess my workaround for the time being is to remove $ref and remove most members properties from the schema, but it'd be nice to see this fixed. I assumed the problem was on my end, and sunk quite a few hours into trying to figure out what I was doing wrong before figuring all this out.

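The checks the two answers describe, as an added Python example that is not code from this thread, from RFC 7643 or from Microsoft's validator: `validate_group` reports attributes outside the core Group schema quoted above (so the `active` attribute in Kevin's response is flagged, as Danny suggests), and `strip_member_refs` applies Brandur's `$ref` workaround. The common attributes (`id`, `externalId`, `meta`, `schemas`) are taken from RFC 7643 section 3.1; the sample group, its host and its identifiers are constructed placeholders.

```python
# Core Group schema as quoted in the thread (RFC 7643 section 8.7.1) plus the
# common attributes every SCIM resource carries (RFC 7643 section 3.1).
GROUP_SCHEMA_URN = "urn:ietf:params:scim:schemas:core:2.0:Group"
COMMON_ATTRS = {"id", "externalId", "meta", "schemas"}
GROUP_ATTRS = COMMON_ATTRS | {"displayName", "members"}
MEMBER_SUBATTRS = {"value", "$ref", "type"}


def validate_group(resource: dict) -> list:
    """Return the problems found in a fetched Group; an empty list means every
    attribute and member sub-attribute is one the core Group schema defines."""
    problems = []
    if GROUP_SCHEMA_URN not in resource.get("schemas", []):
        problems.append(f"schemas does not list {GROUP_SCHEMA_URN}")
    for attr in resource:
        if attr not in GROUP_ATTRS:
            problems.append(f"unknown top-level attribute: {attr}")
    for i, member in enumerate(resource.get("members", [])):
        if not isinstance(member, dict) or "value" not in member:
            problems.append(f"members[{i}] lacks the value sub-attribute")
            continue
        for sub in member:
            if sub not in MEMBER_SUBATTRS:
                problems.append(f"members[{i}] has unknown sub-attribute: {sub}")
        if member.get("type", "User") not in ("User", "Group"):
            problems.append(f"members[{i}].type must be User or Group")
    return problems


def strip_member_refs(resource: dict) -> dict:
    """Brandur's workaround: drop $ref from each member and leave the rest intact."""
    out = dict(resource)
    out["members"] = [{k: v for k, v in m.items() if k != "$ref"}
                      for m in resource.get("members", [])]
    return out


# Constructed sample modelled on the GET response in the question; the host and
# identifiers are placeholders, not values from any live tenant.
SAMPLE_GROUP = {
    "active": True,
    "displayName": "example-group",
    "id": "group-id-placeholder",
    "members": [
        {"value": "user-1", "type": "User", "$ref": "https://example.invalid/scim/Users/user-1"},
        {"value": "user-2", "type": "User", "$ref": "https://example.invalid/scim/Users/user-2"},
    ],
    "meta": {"resourceType": "Group", "location": "https://example.invalid/scim/Groups/group-id-placeholder"},
    "schemas": [GROUP_SCHEMA_URN],
}
```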