The Azure AD SCIM Client makes interpretations and assumptions about the SCIM specifications that the SCIM component does not conform to by default. To provide compatibility with the Azure AD SCIM Client and the Azure AD SCIM validation tool, a flag is available that enables a compatibility mode. This page details how to enable Azure AD compatibility and what behaviour changes when it is enabled.
Enabling Azure AD Compatibility
To enable Azure AD compatibility, set the EnableAzureAdCompatibility flag to true in the ScimServiceProviderConfigOptions passed in when calling AddScimServiceProvider:
public void ConfigureServices(IServiceCollection services)
{
services.AddScimServiceProvider(
"/SCIM",
new ScimLicensingOptions("Demo", "eyJTb2xkRm9yIjowLjAsI .... "),
new ScimServiceProviderConfigOptions
{
...
EnableAzureAdCompatibility = true
...
}
);
}
When the SCIM component is set to be compatible with Azure AD, three behaviours change, described below.
Accepted PATCH syntax
Azure AD requests include the use of dot notation within property names to indicate property structure. Take the following as an example:
{
"op": "replace",
"value": {
"userName": "ettie@sawayn.us",
"name.honorificPrefix": "Anthony",
"name.honorificSuffix": "Stanford",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber": "G6G00I9RNZ0L",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager.displayName": "DAV5Z5JXNJ47"
}
}
The value above is equivalent to the following (note the extension schema URN itself contains a dot, "2.0", so the dotted path only starts after the URN):
{
"userName": "ettie@sawayn.us",
"name": {
"honorificPrefix": "Anthony",
"honorificSuffix": "Stanford"
},
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
"employeeNumber": "G6G00I9RNZ0L",
"manager": {
"displayName": "DAV5Z5JXNJ47"
}
}
}
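The expansion from Azure AD's dotted property names to nested SCIM attributes, as an added example (not code from the SCIM component). It assumes a list of registered extension schema URIs (here only the enterprise user extension) so that a URN containing its own dot ("2.0") is matched as a whole before the remainder is split on dots. The input is the PATCH value shown above, and a PATCH that names an attribute both as a scalar and as a parent is rejected rather than silently overwritten.

```python
"""Expand Azure AD's dotted PATCH keys into nested SCIM attributes (added example)."""
from typing import Any, Dict, Iterable, List

ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
# Extension URIs registered on the service provider (assumed list; add your own).
REGISTERED_EXTENSIONS = (ENTERPRISE_USER,)

# Constructed input: the "value" of the Azure AD PATCH request shown on this page.
AZURE_PATCH_VALUE = {
    "userName": "ettie@sawayn.us",
    "name.honorificPrefix": "Anthony",
    "name.honorificSuffix": "Stanford",
    ENTERPRISE_USER + ":employeeNumber": "G6G00I9RNZ0L",
    ENTERPRISE_USER + ":manager.displayName": "DAV5Z5JXNJ47",
}


def split_key(key: str, extensions: Iterable[str] = REGISTERED_EXTENSIONS) -> List[str]:
    """Turn a property name into an attribute path.

    A registered extension URI is matched as a whole first, because it contains
    a dot ("2.0") and colons of its own; only the text after "<uri>:" is a
    dotted attribute path. Core attributes are simply split on dots.
    """
    for uri in extensions:
        if key == uri:
            return [uri]
        if key.startswith(uri + ":"):
            return [uri] + key[len(uri) + 1:].split(".")
    return key.split(".")


def _merge(dst: Dict[str, Any], src: Dict[str, Any], where: str) -> None:
    """Merge src into dst, refusing to overwrite an attribute that already exists."""
    for name, value in src.items():
        existing = dst.get(name)
        if isinstance(existing, dict) and isinstance(value, dict):
            _merge(existing, value, f"{where}.{name}")
        elif name in dst:
            raise ValueError(f"conflicting values for attribute {where}.{name}")
        else:
            dst[name] = value


def expand_dotted_keys(value: Any, extensions: Iterable[str] = REGISTERED_EXTENSIONS) -> Any:
    """Return value with every dotted key expanded into nested objects."""
    if isinstance(value, list):
        return [expand_dotted_keys(v, extensions) for v in value]
    if not isinstance(value, dict):
        return value
    result: Dict[str, Any] = {}
    for key, raw in value.items():
        path = split_key(key, extensions)
        # Wrap the (recursively expanded) leaf in one dict per path segment,
        # innermost first, then merge that branch into the result.
        nested: Any = expand_dotted_keys(raw, extensions)
        for part in reversed(path):
            nested = {part: nested}
        _merge(result, nested, "$")
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(expand_dotted_keys(AZURE_PATCH_VALUE), indent=2))
```

Running the module prints the nested representation shown above. When a request mixes a scalar and a dotted child for the same attribute, expand_dotted_keys raises ValueError, which a service provider would map to a 400 response rather than applying an ambiguous update.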
Extension Schema Validation
Extension schema validation is turned off when Azure AD compatibility is enabled. For example, when using the default resources for the in-memory SCIM store:
public void ConfigureServices(IServiceCollection services)
{
services.AddScimServiceProvider("/SCIM", new ScimLicensingOptions("Demo", "eyJTb2xkRm9yIjowLjAsI .... "))
.AddScimDefaultResourcesForInMemoryStore();
}
When the user model is registered, the EnterpriseUser extension schema is also registered. By default, the SCIM component expects that any full representation of a user includes the extension schema and its properties. This means that if you enable Azure AD compatibility, you need to bear in mind that requests made to the SCIM component will no longer be validated against the extension schemas when those schemas are absent from the request.
The examples below show the expectations in both scenarios when a create request is made to the /Users endpoint. The first body includes the enterprise extension, as the default configuration requires; the second omits it and is accepted only when Azure AD compatibility is enabled.
{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
"userName": "bjensen",
"externalId": "bjensen",
"name": {
"formatted": "Ms. Barbara J Jensen III",
"familyName": "Jensen",
"givenName": "Barbara"
},
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
"employeeNumber": "DSQR02DDMHBZ",
"department": "AB2CJGNH1764",
"costCenter": "CF9EOQ9JWPW4",
"organization": "QWVM73ADSIYJ",
"division": "RR364K2Z3A93"
}
}
{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
"userName": "bjensen",
"externalId": "bjensen",
"name": {
"formatted": "Ms. Barbara J Jensen III",
"familyName": "Jensen",
"givenName": "Barbara"
}
}
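A validator that applies the two expectations described above, as an added example that is not the SCIM component's own validation code. It assumes the service provider keeps a list of registered extension URIs and a boolean matching the EnableAzureAdCompatibility flag; the core User schema is always required, and the check that a present extension object is also listed in "schemas" is this example's own consistency rule, applied only in the default (strict) mode.

```python
"""Extension schema validation for a full SCIM user representation (added example)."""
from typing import Any, Dict, List

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Constructed inputs: the two create bodies shown on this page.
FULL_USER: Dict[str, Any] = {
    "schemas": [CORE_USER, ENTERPRISE_USER],
    "userName": "bjensen",
    "externalId": "bjensen",
    "name": {"formatted": "Ms. Barbara J Jensen III", "familyName": "Jensen", "givenName": "Barbara"},
    ENTERPRISE_USER: {
        "employeeNumber": "DSQR02DDMHBZ",
        "department": "AB2CJGNH1764",
        "costCenter": "CF9EOQ9JWPW4",
        "organization": "QWVM73ADSIYJ",
        "division": "RR364K2Z3A93",
    },
}
CORE_ONLY_USER: Dict[str, Any] = {
    "schemas": [CORE_USER],
    "userName": "bjensen",
    "externalId": "bjensen",
    "name": {"formatted": "Ms. Barbara J Jensen III", "familyName": "Jensen", "givenName": "Barbara"},
}


def validate_user_request(body: Dict[str, Any], registered_extensions: List[str],
                          azure_ad_compatibility: bool) -> List[str]:
    """Return a list of validation errors for a full user representation.

    An empty list means the request is acceptable. With azure_ad_compatibility
    set, extension schemas are not checked at all, mirroring the page's note
    that extension validation is turned off in that mode.
    """
    errors: List[str] = []
    schemas = body.get("schemas")
    if not isinstance(schemas, list) or CORE_USER not in schemas:
        errors.append(f"'schemas' must be a list containing {CORE_USER}")
        schemas = schemas if isinstance(schemas, list) else []

    if azure_ad_compatibility:
        return errors  # extension schema validation disabled

    for uri in registered_extensions:
        listed = uri in schemas
        present = isinstance(body.get(uri), dict)
        if listed and present:
            continue
        if not listed and not present:
            errors.append(f"registered extension {uri} is missing from the request")
        elif listed:
            errors.append(f"{uri} is listed in 'schemas' but its attributes are absent")
        else:
            errors.append(f"{uri} attributes are present but the URI is not listed in 'schemas'")
    return errors


if __name__ == "__main__":
    for compat in (False, True):
        print(f"compat={compat}: full -> {validate_user_request(FULL_USER, [ENTERPRISE_USER], compat)}")
        print(f"compat={compat}: core -> {validate_user_request(CORE_ONLY_USER, [ENTERPRISE_USER], compat)}")
```

With the flag off, the core-only body is rejected because the registered enterprise extension is missing; with the flag on, both bodies pass, which is the relaxation to keep in mind when a custom store relies on extension attributes being present.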
ExternalId uniqueness in the InMemoryScimStore
When Azure AD provisions users and groups, it expects resources to be unique by their ExternalId. Enforcing this uniqueness is the responsibility of the store. When the EnableAzureAdCompatibility flag is set to true, the InMemoryScimStore implementation requires uniqueness based on the ExternalId property. If you have a custom store implementation, you must also ensure that uniqueness is enforced on this property.
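A minimal in-memory store that enforces the ExternalId rule, as an added example and not the InMemoryScimStore implementation itself. It assumes a constructor flag that mirrors EnableAzureAdCompatibility, a ConflictError that a service provider would map to HTTP 409, and that a replace of a resource may keep its own ExternalId but may not take another resource's.

```python
"""In-memory SCIM store enforcing ExternalId uniqueness in Azure AD mode (added example)."""
import uuid
from dataclasses import dataclass, field
from typing import Any, Dict, Optional


class ConflictError(Exception):
    """Raised when a write would violate the ExternalId uniqueness rule (HTTP 409)."""


@dataclass
class InMemoryStore:
    # Assumed flag, mirroring the component's EnableAzureAdCompatibility option.
    enable_azure_ad_compatibility: bool = False
    _resources: Dict[str, Dict[str, Any]] = field(default_factory=dict)

    def _external_id_in_use(self, external_id: str, exclude_id: Optional[str] = None) -> bool:
        """True if another stored resource already carries this externalId."""
        return any(
            rid != exclude_id and res.get("externalId") == external_id
            for rid, res in self._resources.items()
        )

    def _check_external_id(self, resource: Dict[str, Any], exclude_id: Optional[str]) -> None:
        external_id = resource.get("externalId")
        if not self.enable_azure_ad_compatibility or not external_id:
            return  # rule only applies in Azure AD mode and only when an externalId is supplied
        if self._external_id_in_use(external_id, exclude_id):
            raise ConflictError(f"externalId {external_id!r} is already in use")

    def create(self, resource: Dict[str, Any]) -> Dict[str, Any]:
        """Store a new resource, assigning a server-generated id."""
        self._check_external_id(resource, exclude_id=None)
        rid = str(uuid.uuid4())
        stored = dict(resource, id=rid)
        self._resources[rid] = stored
        return stored

    def replace(self, rid: str, resource: Dict[str, Any]) -> Dict[str, Any]:
        """Replace an existing resource (PUT); it may keep its own externalId."""
        if rid not in self._resources:
            raise KeyError(rid)
        self._check_external_id(resource, exclude_id=rid)
        stored = dict(resource, id=rid)
        self._resources[rid] = stored
        return stored

    def get(self, rid: str) -> Optional[Dict[str, Any]]:
        return self._resources.get(rid)


if __name__ == "__main__":
    store = InMemoryStore(enable_azure_ad_compatibility=True)
    first = store.create({"userName": "bjensen", "externalId": "bjensen"})
    try:
        store.create({"userName": "bjensen2", "externalId": "bjensen"})
    except ConflictError as exc:
        print("rejected duplicate:", exc)
    print("stored id:", first["id"])
```

A custom store backed by a database would express the same rule as a unique index on the ExternalId column, so that concurrent provisioning requests cannot race past an in-process check.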