Azure AD SCIM Validator is in General Availability (GA) Status

You can now validate the compatibility of your SCIM provisioning endpoint and Azure AD code base using our Azure AD SCIM Validator. This tool can be used by ISVs who want to build SCIM compatible ser...

Provisioning

owinoakelo

Former Employee

Feb 15, 2023

PatM_Cerberus Yes, the azure provisioning service currently uses replace for patch operations and expects the endpoint to add if needed. That's why the scim validator makes the same request and it supports the capability of the feature flag.

PatM_Cerberus

Copper Contributor

Feb 16, 2023

owinoakelo We have been working to allow Azure's specific replace semantics.

We've noticed when using Schema Discovery, the system now correctly captures that primary is a Boolean.

phoneNumbers[type eq "work"].primary boolean

However, when it replaces phoneNumbers, we're seeing:

{
  "Operations": [
    {
      "op": "replace",
      "path": "phoneNumbers[type eq \"work\"].value",
      "value": "767.814.5465"
    },
    {
      "op": "replace",
      "path": "phoneNumbers[type eq \"work\"].primary",
      "value": "(974)693-6276 x6968"
    }
  ],
  "schemas": [ "urn:ietf:params:scim:api:messages:2.0:PatchOp" ]
}

Notice that the boolean primary value is a text string. We specifically have handlers for Azure sending "True" or "False", but this value is not acceptable and we're failing it.

I believe this is a problem with the Azure AD SCIM Validator, but curious if Azure AD would try to send such a bad value.

Email values now seem to work properly - we're getting true/false booleans for primary in those.

owinoakelo
Former Employee
Feb 22, 2023
PatM_Cerberus , you are right. This is an issue with the SCIM validator. The Azure code base will respond with a Boolean as expected. We have added this in our backlog of fixes and will address it. Thanks for highlighting this.

Forum Discussion

Azure AD SCIM Validator is in General Availability (GA) Status

Resources