Forum Discussion
MicrosoftAzure AD SCIM Validator is in General Availability (GA) Status
You can now validate the compatibility of your SCIM provisioning endpoint and Azure AD code base using our Azure AD SCIM Validator. This tool can be used by ISVs who want to build SCIM compatible servers either for gallery app or generic app and developers building their line of business SCIM apps. https://learn.microsoft.com/azure/active-directory/app-provisioning/scim-validator-tutorial
Can the SCIM Validator be made open source or at least have a location where issues can be filed against it? We've encountered a couple problems with the SCIM Validator and would like some way of reporting issues or discussing misunderstandings with the developers.
The first is that it does not read the schema correctly. For instance, our endpoint describes the 'email' 'primary' attribute as boolean, but SCIM Validator sets it to string, apparently ignoring our schema.
Another is a failure during group testing where it re-creates a user that already exists. It seems not to expect a 409 reply.
It is very hard to tell *what* the tester expects without a diagnostic error or insight into its source code.
Vincent_Drake_Cerberus I'm so glad I'm not alone, and want you to know that you're not alone either! I've spent the past few days trying to figure out what I'm doing wrong. I finally reached the same conclusion that the validator doesn't expect a 409 to be returned after looking through my server logs.
The validator makes a patch request to change a username from 'x' to 'y' as part of a completely different test, and then as part of the failing test, the first thing it tries to do is submit a post request for a user with username 'y'... I can get it to pass by removing the duplicate user throws an error code (and just returning the user instead), but then the Create a duplicate User test obviously fails.
Very strange that the otherwise randomly generated test data is kept between tests.
- I'm also seeing the 409 for 'Patch Group - Remove Member'
I'm also having trouble getting 'Patch Group - Replace Attributes' to work. It looks like it's trying to make a group a member of another group, which is not something we support. We've adjusted the schema to say we only support users as members of a group but that doesn't seem to help
- "Can the SCIM Validator be made open source or at least have a location where issues can be filed against it?"
Did anything like this happen? I'm searching around for any docs / issue tracker and not coming up with anything.
I am also having issues understanding the errors I'm being shown:
1. When I look at the "Show Details" for any of my failed requests they are all showing as POST requests, even though I'm 90% certain they are using other HTTP verbs (DELETE, PATCH, PUT)
2. When I look at the url under "Show Details" it appears to always be the top level URL that I entered into the test field, not the specific URL hit by the test (eg: Update group membership does not show what is used as the id for the path parameter to identify the group) 
owinoakeloVincent_Drake_Cerberus We released a fix that addresses the read schema issues. The new release also addressed the duplicate creation the triggers the 409 error.
To the question on having the making the validator open source, we do not have that in the current plan. We are working on a channel to enable you raise issues.
Where's the best place to ask questions about the results I'm getting from the validator? My POST /Users request is failing validation but I'm not getting a reason for the failure
Turns out the status code should be 201, but the validator doesn't indicate that's the problem
- owinoakelo
This feedback is noted Doogal Vincent_Drake_Cerberus and JameyAbdelnoorJameyAbdelnoor . We are working to address these, and I will share the individual updates.
- Doogalshakil
Looks like there was recently a big update on the Validator. The "Discover Schema" now sets the correct type (string/boolean). Thank you!
However, now we're seeing a new complication. It appears the Validator is trying to add new entries using replace with a value selection filter (valuePath). This was discussed in 708183: SCIM PATCH of Complex Multi-Valued Attribute Includes Filter and Sub Attribute in Path in the context of patching with add. And that discussion makes sense as the spec is a little vague.
However, with replace, RFC 7644 is quite specific in 3.5.2.3:
o If the target location is a multi-valued attribute for which a value selection filter ("valuePath") has been supplied and no record match was made, the service provider SHALL indicate failure by returning HTTP status code 400 and a "scimType" error code of "noTarget".If the valuePath does not match anything, then you need to return 400 noTarget. Microsoft Azure AD SCIM Validator does not appear to expect that reply and expects us to add new entries on replace.
I disagree that:o If the target location path specifies an attribute that does not exist, the service provider SHALL treat the operation as an "add".would change this interpretation as that does not consider the filter; plus the way these are written they get more and more specific as you go down the list.
A specific example:
The current value of emails:"emails": [ { "type": "work", "value": "some_primary_email", "primary": true }and the replace operation:
"Operations": [{ "op": "replace", "path": "emails[type eq \"home\"].value", "value": "some_email" }]NOTE: values do not show email addresses as those get removed (privacy checker) - so they are replaced with "some_primary_email" and "some_email"
This should fail as there is no email of type = home to replace.
- owinoakeloPatM_Cerberus. The feedback above is correct and our implementation of this capability is not consistent with the standard. We are incorrectly using replace to update multivalued attribute with a filter instead of add. We have this item in our backlog of things to fix. The validator is however supposed to test the compatibility with our provisioning service as is and for that matter an existing scim incorrectness will also show up here. Hope this is clear and to enable the provisioning service to work for your connector, we have to build with the incompatibility in place for now.
owinoakelo Thank you for your fast reply.
To clarify, are you saying that using PATCH replace to add multi-valued entries is:
a.) what Azure's SCIM implementation currently does as of Feb 2023 (we have not seen this in practice)
or
b.) an issue with the Azure AD SCIM Validator only
If option "a", is this affected by the feature flag _aadOptscim062020_? And if so, does the Validator accept/use those feature flags? (I wasn't able to see a difference with/without the flag after the last update.)
I suspect I found a bug in SCIM Validator. What should I do?
Please refer to the image below.
- owinoakelo
norfas Thanks for highlighting this. This has to do with the communication of the error. Question, when you did the patch operation, did you commit the updates that we sent over to your db? This error is mostly likely coz you did not commit the updates and so what you returned to us in the shown response is not the true state of your db.
- owinoakelo
Thank you for your response, it helped!
FYI I did commit the updates to our db, but the Validator were issuing an extra HTTP GET request that was processed by our Cache layer that still had an old value.
It would be nice if your Validator were more transparent as to what it does exactly (or maybe open-sourced?)...
But this specific problem is resolved for me now, thank you again.
Just running through the validator, and noticed that for CREATE operations, when the status code returns 200 it fails the test, however the test result doesn't inform us that it's looking for a 201 status (we had to try a lot of things before we figured it out)
On another note, I am not convinced that the Validator treats complex multiValued 'members' attribute for Groups correctly, if they are exposed in Schema.
Specifically, if I have Group.members[type ="User"] collection defined in Schema like shown below, then the Validator would attempt to generate a Patch request as shown on the screenshot with some bogus(?) value in the Replace operation for users. That bogus value such as "QQ7M8HRCRACN" looks like a display name for a group, rather than User ID that I would expect it to be.
Or am I missing SCIM spec completely here, and this Replace request has totally different semantics?See image attached.
To compare, Add Member operation on Group looks fine, with proper User ID:
My schema for the group is as follows:
{ "name": "Group", "description": "Group", "meta": { "resourceType": "Schema", "created": "0001-01-01T00:00:00", "lastModified": "0001-01-01T00:00:00" }, "id": "urn:ietf:params:scim:schemas:core:2.0:Group", "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:Schema" ], "attributes": [ { "caseExact": false, "type": "string", "description": "A human-readable name for the Group. REQUIRED.", "mutability": "readWrite", "name": "displayName", "multiValued": false, "required": true, "returned": "default", "uniqueness": "server" }, { "caseExact": false, "type": "complex", "description": "A list of members of the Group.", "mutability": "readWrite", "name": "members", "multiValued": true, "required": false, "returned": "request", "uniqueness": "none", "subAttributes": [ { "caseExact": false, "type": "string", "description": "The significant value for the attribute", "mutability": "readWrite", "name": "value", "multiValued": false, "required": false, "returned": "default", "uniqueness": "none" }, { "caseExact": false, "type": "string", "description": "A label indicating the attribute's function", "mutability": "immutable", "name": "type", "multiValued": false, "required": false, "returned": "default", "uniqueness": "none", "canonicalValues": [ "Group", "User" ] } ] } ] }- owinoakeloThe Patch Group: Replace Attributes has a risk of replacing all group members. Due to this risk, this test will be removed from the test suite. Please also note that our provisioning service does not support any Patch Group: Replace attributes operation. You can therefore ignore this test for now until we remove it from the suite.
`urn:ietf:params:scim:schemas:extension:companyName:2.0:User:authCodes[type eq "Card"].value`
When using customExtensions to support multi-valued complex attributes, this removes the URI prefix in the request body, I believe this may be a bug, is this problem isolated to the scim validator, or would the same problem occur with the producton provisioning service?
I mark some attributes as immutable but SCIM validator still send PATCH request with Patch Operation to `replace` those fields.
How can I get rid of it?
And the Validator reports some values missing in the Fetched Resource, but they do exist there.
- owinoakelo
chanhle The experience with immutable attributes is an issue with the validator and we are working to fix it. You can ignore such calls
On the second issue with the patch response: The actual flow is we send a PATCH request>You acknowledge and send a response> we send a GET to confirm that you committed the patch> we compare what we sent in the PATCH with what you return in the GET. This error means that some of the changes have not been done on the identities that GET calls.
Hope this clarifies the issue.
I am sorry. but when I monitor the requests from the validator , I don't see the second `GET request` you mentioned as below
we send a GET to confirm that you committed the patchAnd even when I manually send a GET request which has the same path (/scim/Users/<UserID>) with the PATCH request, the response is correct and the same as the response of the PATCH request (sent by the validator).
Could you help me verify again this case?
PATCH request body
{ "schemas": [ "urn:ietf:params:scim:api:messages:2.0:PatchOp" ], "Operations": [ { "op": "replace", "path": "emails[type eq \"work\"].value", "value": "email address removed for privacy reasons" }, { "op": "replace", "path": "roles[primary eq \"True\"].display", "value": "3WF31QEVRLRR" }, { "op": "replace", "path": "roles[primary eq \"True\"].value", "value": "HISMH3ZHYVXI" }, { "op": "replace", "path": "roles[primary eq \"True\"].type", "value": "M4PBMUTFLU7N" }, { "op": "replace", "value": { "userName": "email address removed for privacy reasons", "active": false, "externalId": "b76619a5-6635-450c-9f61-bb3cb7882460", "displayName": "AIPZKDL1CCXH", "preferredLanguage": "Q17Q2L9WRNLS" } } ] }The PATCH response body
{ "id": "601E76C3-0BF5-40DD-B0BB-74C766B7E1C9", "externalId": "b76619a5-6635-450c-9f61-bb3cb7882460", "userName": "email address removed for privacy reasons", "active": false, "preferredLanguage": "Q17Q2L9WRNLS", "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:User", "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" ], "meta": { "resourceType": "User", "location": "/scim/Users/601E76C3-0BF5-40DD-B0BB-74C766B7E1C9" }, "emails": [ { "value": "email address removed for privacy reasons", "type": "work" } ], "roles": [ { "value": "HISMH3ZHYVXI", "display": "3WF31QEVRLRR", "type": "M4PBMUTFLU7N", "primary": "True" } ], "displayName": "AIPZKDL1CCXH" }The GET response body
{ "id": "601E76C3-0BF5-40DD-B0BB-74C766B7E1C9", "externalId": "b76619a5-6635-450c-9f61-bb3cb7882460", "userName": "email address removed for privacy reasons", "active": false, "preferredLanguage": "Q17Q2L9WRNLS", "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:User", "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" ], "meta": { "resourceType": "User", "location": "/scim/Users/601E76C3-0BF5-40DD-B0BB-74C766B7E1C9" }, "emails": [ { "value": "email address removed for privacy reasons", "type": "work" } ], "roles": [ { "value": "HISMH3ZHYVXI", "display": "3WF31QEVRLRR", "type": "M4PBMUTFLU7N", "primary": "True" } ], "displayName": "AIPZKDL1CCXH" }
I've not checked the validator for a while but trying it today I get a couple of failures I didn't get in the past. "Filter for an existing user" and "Filter for an existing user with a different case" aren't returning any users but when I use the same request I do get the user returned. Is this a problem with the validator?
- owinoakelo
Doogal Sorry, I don't follow. Is it possible to include some screenshots to help understand the issue?
owinoakelo, sorry it was my mistake. I've now realised we are doing some caching in our back end so the user the validator creates is not immediately returned for the following /Users request
Hi there,
I've been running the SCIM validator against my endpoint and have spotted something that I believe may be a bug, but would like to confirm on here.
I'm using the discover schema functionality, my schema gets discovered and in the mappings i'm shown the following:
With the JSON from my '/Schemas' endpoint returning the following for the 'primary' sub attribute on 'phoneNumbers':
{..."name": "primary","type": "boolean",...}When I run the SCIM validator, I can see that the validator is sending the following value for a 'phoneNumber' when adding a User through POST
{
"type": "work",
"value": "1-227-170-3259 x696",
"primary": "(882)058-8632 x34575"
}As you can see, the primary property is a string. This doesn't appear to be the case for the 'primary' property in the 'emails' array in the same request
{
"type": "work",
"value": "email address removed for privacy reasons",
"primary": true
}For a bit more detail, emails in the schema discovery mapping screen shows the following:
And my '/Schemas' endpoint returns the following for the 'primary' sub attribute for the emails array:
{..."name": "primary","type": "boolean",...}Any help would be greatly appreciated
- owinoakelo
alexjones You are right. We have an issue with the 'phoneNumber' 'primary' attribute which should be sent as a Boolean, but SCIM Validator sends it as string, ignoring the schema. We have this captured in our backlog of issues to be addressed this quarter (ending in September)
Brilliant, thanks for your response.
Is the issue backlog publicly available? Be it read-only or otherwise?
I had another couple of questions but don't want to raise them if they've already been raised before
