SCIM PATCH of Complex Multi-Valued Attribute Includes Filter and Sub Attribute in Path

DanP110 26

In testing SCIM PATCH operations with Azure, we're seeing operations in the form:

{
  "op": "Add",
  "path": "emails[type eq \"work\"].value",
  "value": "bob@someplace.com"
}

I would read this as "add the value bob@someplace.com to any complex value that already exists in the multi-valued attribute emails and has a type attribute with the value work; if no complex value already exists within emails that matches the criteria, then do nothing". This seems really odd, because it doesn't actually result in the addition of a work email to the list of emails if it doesn't already exists or emails is unassigned. And even if it DID, technically we are not being provided a type or any other part of the complex value (i.e. the filter does not provide values for type - what if the filter was "type ew \"ork\""). In short, it feels like this isn't right.

My understanding is that an add operation should be performed on the multi-valued attribute itself (i.e. the path should not contain a filter or sub-attribute), and then the value would be - in this case - an array of complex values that should be added to emails. For example, to add an email we should see something like:

{
  "op": "Add",
  "path": "emails",
  "value": [{ "type": "work", "value": "bob@someplace.com" }]
}

If there happened to already be a duplicate value (e.g. another work address), then it would effectively be a replace of that value. I believe all of this is consistent with 3.5.2.1 in RFC 7644, which doesn't even really address filters on an add operation, whereas filters are heavily discussed in 3.5.2.2 and 3.5.2.3. The examples in 3.5.2.1 also align with not having a filter on an add operation.

Given that Azure is likely doing this with many published systems, I'm wondering if somebody could help me understand what I'm missing. What would the intended behavior of the first patch in this post be when run against an unassigned emails attribute? Should we try to extract values for "type" from the filter itself knowing Azure only uses "eq"?

Thanks for any assistance!

Danny Zollner 9,521 Reputation points Microsoft Employee

2022-02-01T18:46:26.213+00:00

Hi DanP - acknowledging that this has been seen. I'm one of the product managers who works closely with our Azure AD Provisioning service and our SCIM client. I'll respond with an answer to this when I am able - these topics can be complicated and need time dedicated to investigating.

Thanks!
DanP110 26 Reputation points

2022-02-02T15:08:49.027+00:00

Thank you! I look forward to and am still interested in understanding.
Alexander Behrens 1 Reputation point

2022-03-18T11:25:29.417+00:00

@Anonymous Do you have an answer to this?
Alexander Behrens 1 Reputation point

2022-03-18T11:30:00.427+00:00

Hello @DanP110 ,

We are running in the same issues. We have implemented a SCIM server based on the RTF specifications. But now our clients want to patch attributes using filter expressions. Based on the specification our server rejects Add operations if the filter does not yield any results. Unfortunately this does not seem like how the AD SCIM client is working. It looks like it wants the SCIM server to create entries, if the filter does not match. We are very hesitant to patch our SCIM server in order to work that way, because it will break other clients who only want to update attributes if the filter expression does match.

Cheers,
Alex
DanP110 26 Reputation points

2022-03-18T13:28:20.217+00:00

We moved forward by implementing specific functionality behind a feature flag to deal with what appears to be a deviation from the spec. That code counts on the filter expression to extract an actual type value as I originally mentioned. It's almost like Azure is treating the full expression like it was a simple attribute name. After dealing with multiple other clients, we have ended up with a few feature flags like this (e.g. there is a flag to control if a POST to re-create an existing user results in a 409 conflict or gets treated like it was an UPDATE; spec says 409, client wants UPDATE).

1 answer

Danny Zollner 9,521 Reputation points Microsoft Employee

2022-03-22T21:06:48.977+00:00
Thanks for your patience here.

In short - I think what you wrote above is a reasonable interpretation of what should be expected here. This part of the SCIM spec feels a bit tricky no matter how you look at it, but there are certain parts of the SCIM spec (RFC7644 3.5.2.1) tied to the Patch Add operation that are relevant here:

If the target location does not exist, the attribute and value are added.

If the target location specifies an attribute that does not exist (has no value), the attribute is added with the new value.

When interpreting what those mean - you then end up trying to define "target location", which doesn't have a strict definition inside of any of RFCs 7642/43/44. This in turn may be where the trouble is - if "target location" is considered to be emails[type eq "work"].value - if the location does not exist, then the attribute(emails[type eq "work"]) is added, and the value (of the "value" sub-attribute) is added.

What Azure AD's SCIM client should do here is still being investigated, but any changes won't materialize for at least a few quarters. Regardless of whether the spec supports the way our client does this, there's a simpler and more widely compatible solution to achieve the same goal. For the time being, what Azure AD's SCIM client expects is a patch add on a filtered path - such as emails[type eq "work"].value - should add values to both the "type" (if no value of "emails" already exists with a type sub-value of "work") and the "value" sub-values.
Please sign in to rate this answer.
Alexander Behrens 1 Reputation point

2022-03-24T08:10:15.25+00:00

Hello @Anonymous

thank you very much for your response. Your explanations make a lot of sense and I agree that the specification is ambiguous to say the least. There are two things that we find quite tricky with adding a new multi-value entry based on a filter:

If the target location does not exist we have to parse the filter to construct a new object from that filter. In the case of AD the filter is straight forward "[KEY] eq "[VALUE]"". But filters are endlessly complex: https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2 . It is technically very complex if not impossible to write a parser that constructs the desired object with any filter given.

We have to probably add AD specific code to our SCIM server that creates values based on a "[KEY] eq "[VALUE]"" filter. But this breaks the expected behaviour of other SCIM clients that have a different interpretation of RFC7644 3.5.2.1. There is not a single "right" way to read the specification, but we would need to keep a list of SCIM clients on our side and treat requests differently based on their origin. Obviously we do not want this either because there is a possibly endless list of different SCIM clients and interpretations out there.

Alexander Behrens 1 Reputation point

2022-03-24T08:10:56.33+00:00

Are one of the two following solutions possible with the AD SCIM client:

Is it possible to patch the entire multi-value attribute instead of patching objects inside of the array? Instead of patching "emails[type eq "work"]" we want AD to patch the entire "emails" attribute.

If the SCIM client detects that there is a mismatch between its copy of the user and the copy on the SCIM server can we instruct it to PUT the new object on the server instead of PATCHing the difference?

Cheers,
Alex

Danny Zollner 9,521 Reputation points Microsoft Employee

2022-03-24T14:43:51.347+00:00

A few things I forgot to mention above:

AAD Provisioning's SCIM client expects that the "type" sub-attribute's value is unique - i.e.: only one entry with type = work could exist. This isn't defined anywhere in the SCIM spec, but it's how the client works today and will for the foreseeable future.

AAD Provisioning treats complex objects a bit weirdly - as you can see from the way the mappings are structured, such as the target being emails[type eq "work"].value - the service can maps a source attribute (usually a single-valued string) to a sub-attribute of a complex attribute, using the dotted sub-attribute notation (i.e.: .value).

We're working on making the handling of complex attributes by our service more robust, so that the IT Admins using it can have more control over how data is mapped from source to target.

Danny Zollner 9,521 Reputation points Microsoft Employee

2022-03-24T14:51:35.097+00:00

To answer your two specific solution questions:

1) No, not today. See my earlier response where I mentioned that "What Azure AD's SCIM client should do here is still being investigated, but any changes won't materialize for at least a few quarters" - this is the leading example of a change we could make here that I have identified, but we haven't finalized what we're going to do here yet. The bigger problem is that, since the Azure AD Provisioning SCIM client is (for the most part) a single client that is integrated with hundreds/thousands of different SCIM implementations, any changes need to be carefully thought out and rolled out slowly, usually as an opt-in, to avoid regressing functionality for currently working integrations.

2) Barring some older integrations that are grandfathered in for now, we do not support using PUT for updates, only PATCH. PUT has a number of problems when provisioning between systems, especially when there is no guarantee that the client (AAD SCIM) has full control over every attribute value of the object in the target system.

Given the behavior I outlined in my second bullet point in my previous comment - based on AAD SCIM out-of-the-box settings any filters you see for this behavior will likely end up being the [KEY] eq [VALUE] format that you described above, so any AAD-specific code you write to accommodate this can probably only go that deep.

DanP110 26 Reputation points

2022-03-25T16:05:23.423+00:00

This helpfully ratifies what I said we did with the feature flag above. I had stated that our ". . . code counts on the filter expression to extract an actual type value...", and you are confirming this is valid when you say that Azure specifies a single entry (one entry) with a unique (and full) value. Basically we can count on our "fix" being your preferred go forward solution.

For what it is worth, I do think that @Alexander Behrens statement that ". . . filters are endlessly complex . . ." and that ". . . we have to parse the filter to construct a new object from that filter . . ." is really the material part of this. I think it is what proves that the current Azure behavior was not the intent of the specification, and our testing with other systems seems to point at the add of the full object being the appropriate behavior.

Regardless, we have worked around this already in exactly the way you suggested. I suspect other issues (e.g. not being able to send/clear "empty" values) likely trump this for the broader community. If a fix ever comes hopefully it could just be a behavior behind a feature flag as Microsoft has done before on stuff like this.

Thank you again for your feedback on this @Anonymous , it is very much appreciated!
Sign in to comment