Forum Discussion
Azure AD SCIM Validator is in General Availability (GA) Status
Looks like there was recently a big update on the Validator. The "Discover Schema" now sets the correct type (string/boolean). Thank you!
However, now we're seeing a new complication. It appears the Validator is trying to add new entries using replace with a value selection filter (valuePath). This was discussed in https://learn.microsoft.com/en-us/answers/questions/708183/scim-patch-of-complex-multi-valued-attribute-inclu in the context of patching with add. And that discussion makes sense as the spec is a little vague.
However, with replace, RFC 7644 is quite specific in 3.5.2.3:
   o  If the target location is a multi-valued attribute for which a
      value selection filter ("valuePath") has been supplied and no
      record match was made, the service provider SHALL indicate failure
      by returning HTTP status code 400 and a "scimType" error code of
      "noTarget".
If the valuePath does not match anything, then you need to return 400 noTarget. Microsoft Azure AD SCIM Validator does not appear to expect that reply and expects us to add new entries on replace.
I disagree that:
   o  If the target location path specifies an attribute that does not
      exist, the service provider SHALL treat the operation as an "add".
would change this interpretation as that does not consider the filter; plus the way these are written they get more and more specific as you go down the list.
A specific example:
The current value of emails:
    "emails": [
      {
        "type": "work",
        "value": "some_primary_email",
        "primary": true
      }
    ]
and the replace operation:
    "Operations": [{
      "op": "replace",
      "path": "emails[type eq \"home\"].value",
      "value": "some_email"
    }]
NOTE: values do not show email addresses as those get removed (privacy checker) - so they are replaced with "some_primary_email" and "some_email"
This should fail as there is no email of type = home to replace.
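
Added example, not part of the original post and not code from Microsoft or any SCIM library: a minimal service-provider handler for the replace case quoted from RFC 7644 3.5.2.3, returning 400 noTarget when the valuePath filter selects no record. The names `apply_replace` and `ScimError`, the single supported path form, and the exact-match comparison are assumptions made for illustration.

```python
import copy
import re

# Simplification: only paths of the form attr[subAttr eq "value"].subAttr are parsed.
_VALUE_PATH = re.compile(r'^(\w+)\[(\w+) eq "([^"]*)"\](?:\.(\w+))?$')
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


class ScimError(Exception):
    """Carries the HTTP status and scimType for a SCIM error response."""

    def __init__(self, status, scim_type, detail):
        super().__init__(detail)
        self.status, self.scim_type, self.detail = status, scim_type, detail

    def body(self):
        return {"schemas": [ERROR_SCHEMA], "status": str(self.status),
                "scimType": self.scim_type, "detail": self.detail}


def apply_replace(resource, operation):
    """Return a patched copy of resource; the input is untouched if the op fails."""
    match = _VALUE_PATH.match(operation.get("path", ""))
    if operation.get("op", "").lower() != "replace" or match is None:
        raise NotImplementedError("example covers replace with a valuePath only")
    attr, filter_attr, filter_value, sub_attr = match.groups()
    patched = copy.deepcopy(resource)
    # Simplification: exact string comparison, ignoring caseExact rules.
    selected = [v for v in patched.get(attr, []) if v.get(filter_attr) == filter_value]
    if not selected:
        # RFC 7644 3.5.2.3: filter supplied, no record matched -> 400 noTarget.
        raise ScimError(400, "noTarget",
                        f"no {attr} value matches {filter_attr} eq {filter_value!r}")
    for value in selected:
        if sub_attr:
            value[sub_attr] = operation["value"]  # replace one sub-attribute
        else:
            value.clear()                         # replace the whole matched record
            value.update(operation["value"])
    return patched


# Constructed sample data, using the placeholder values from the post.
USER = {"emails": [{"type": "work", "value": "some_primary_email", "primary": True}]}
HOME_OP = {"op": "replace", "path": 'emails[type eq "home"].value', "value": "some_email"}
WORK_OP = {"op": "replace", "path": 'emails[type eq "work"].value', "value": "some_email"}
```

Calling `apply_replace(USER, HOME_OP)` raises `ScimError` with status 400 and scimType `noTarget`, while `WORK_OP` updates the existing work entry without adding a new one.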