SCIM for ASP.NET

This release fixes an issue where if a request was made to query a resource that:
 - Includes a `startIndex` query parameter

•  Excludes a `cursor` query parameter
• The PaginationOptions enables both Index and Cursor paging
• The PaginationOptions had a DefaultPaginationMethod value of Cursor

e.g. /Users?startIndex=1&count=10

The cursor pagination strategy was used. This release ensures that the index-based pagination strategy is used in this scenario. Additionally, this release fixes the opposite scenario, where if a query included a cursor query parameter but the DefaultPaginationMethod was Index, then the index-based pagination strategy would be used.

This release fixes an issue where the SCIM component would return an error to the SCIM Client if a cursor query parameter wasn't included in a request to query a resource, e.g., /Users, but cursor-based paging was enabled. Now, the SCIM component assumes that a request of /Users and /Users?cursor= are identical, i.e., when the cursor-based pagination approach is used, they both represent the first request in a cursor-paginated query.

Provides an implementation of the SCIM Cursor RFC draft-ietf-scim-cursor-pagination

See documentation for more information

In this release, we modified how patch commands are generated by default. To simplify and reduce the code needed to implement PartialUpdate, 'ADD' and 'REPLACE' PATCH requests without a path will now generate a PatchCommand with a path. For backward compatibility, a flag named EnableWholeObjectPatchCommands has been added to the ScimServiceProviderConfigOptions.

See the documentation  for more information

This release contains the following bug fixes

Patch Command, No Content Exception

This release fixes a bug regarding the `IScimStore.PartialUpdate` method. Returning `null` from `PartialUpdate` will no longer cause the SCIM middleware to throw an `InvalidOperationException` or, if an authentication handler is registered, a `JsonException`. 

Scim Mapping Bug

If a SCIM attribute was mapped to a property that wasn't a string, and a request was made to query a resource by this property, the component generated an error. This issue has been resolved so that now the following setup works as expected:

With the resource and mapping:

public class AppUser
{
    ...
    public int? EmployeeNumber { get; set; }
    ...
}

.MapScimAttributes<AppUser>(ScimSchemas.EnterpriseUser, mapper =>
{
    mapper.Map("employeeNumber", u => u.EmployeeNumber,
        input => int.TryParse((string)input, out int value) ? value : null);
})

The following query will generate successfully:

https://scimHost.test/scim/users?filter=urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber+eq+"1234"&startIndex=1

 

Support for Multi-Tenancy. 

• ITenancyAccessor is used to flow tenancy from middleware to store implementation.
• Implemented Path Based Multi-tenancy

See documentation for more information

We created new abstractions for Authentication and Authorization, allowing greater control over how to authenticate and authorize based on the SCIM request.

See the documentation for more details.

• Support for .NET 8

• Fixes the issue where the SCIM middleware receives a None result from an authenticator and throws a NULL reference exception

Added support for roles and entitlements, as defined in the Roles and Entitlements RFC

• Configurable through the ScimServiceProviderConfigOptions
• Build an in-memory store through the provided ScimAssignmentsStoreBuilder
• Register a store with the component through the AddAssignmentStore method on the ScimSerivceProviderBuilder

• Simplified attribute to property mapping
• Enhanced Azure AD integration compatibilty
• Support for Bulk Operations

In this release, we've focused on updating our component to conform to the standards that Microsoft require for Azure AD integration. This includes a breaking change to the IScimStore. In addition to this, we have also implemented the BULK endpoint.

Support for Azure AD Integration

The SCIM component now passes all of the tests to support Azure AD SCIM integration. We used the SCIM validator provided by Microsoft to run tests against our SCIM component.

You can enable Azure AD SCIM integration in the component by setting the

EnableAzureAdCompatibility flag to true in the ScimServiceProviderConfigOptions.

When you set this flag to true, you enable support for Azure AD's provisioning of users and groups.

To pass the integration tests

• PATCH requests need to return a `200 OK` with the resource that was being modified. The PartialUpdate method in the IScimStore now returns Task<TResource?>. If a resource is returned, then a 200 OK will be generated; otherwise, a 204 No Content is returned
• PATCH requests that include a 'dot notation' syntax produced by Azure AD are now accepted
• The InMemoryScimStore will check the ExternalId for uniqueness when adding or updating resources
• Requests against resources that have extensions will no longer require the extension to be in the request (e.g. during a create request)

Known integration problems

There are a number of known integration problems when using the SCIM validation tool. These are issues that are now known by Microsoft, in their backlog and are working to be resolved.

Discover Schema

When using the 'Discover Schema' functionality, you must update the mappings generated by the validation tool. The `primary` sub-attribute of the `phoneNumbers` attribute has a bug where a string is generated for the 'primary' value sent in a PATCH request to the SCIM component. You can set the `value` text box of the rows that refer to the `primary` sub-attribute so that the correct value is sent over the wire.

When using the 'Default Mappings' functionality, there are three erroneous mappings. These are:

• roles[primary eq "True"].display
• roles[primary eq "True"].value
• roles[primary eq "True"].type

Add with filter

The SCIM Validation tool sends two requests, one POST to create and one PATCH to modify using an add operation. The body looks like this:

Create Request

{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"userName": "[email protected]"
}

PATCH Request

 {
"op": "add",
"path": "emails[type eq \"work\"].value",
"value": "email address removed for privacy reasons"
}

The initial request for this JSON doesn't include any items for the email property. When the filter evaluates, there are no items in the collection so adding a value to the 'value' property fails

Replace with filter

The SCIM Validation tool sends two requests, one POST to create and one PATCH to modify using an `replace` operation. The body looks like this:

Create Request

{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"userName": "[email protected]"
}

PATCH Request

{
"op": "add",
"path": "emails[type eq \"work\"].value",
"value": "email address removed for privacy reasons"
}

The initial request for this JSON doesn't include any items for the email property. When the filter evaluates, there are no items in the collection so adding a value to the 'value' property fails

Replace with filter

The SCIM Validation tool sends two requests, one POST to create and one PATCH to modify using an `replace` operation. The body looks like this:

Create Request

{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"userName": "[email protected]"
}

PATCH Request

{
"op": "replace",
"path": "roles[primary eq true].type",
"value": "I6T3MZAC1HXV"
}

The initial request for this JSON doesn't include any items for the roles property. When the filter evaluates, there are no items in the collection so adding a value to the 'type' property fails

Replace with no value

The SCIM Validation tool sends two requests, one POST to create and one PATCH to modify using an `replace` operation:

Create Request

{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"userName": "[email protected]"
}

Partial Update Request

{
"op": "replace",
"path": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager",
"value": ""
}

Due to the interpretation of the SCIM specifications, the SCIM Component is currently not set up to handle empty values for `replace` operations. Microsoft are aware of the differing interpretations around this operation and are working on allowing a toggle between a `remove` and `replace` operation in this context.

Support for BULK operations

The SCIM component now supports the BULK endpoint. More documentation for this functionality can be found in the SCIM documentation

• When adding members to a group via a `PATCH` operation, the `type` property is no longer required

• Fixed issue with SCIM client not sending resource id in URL for update operation

When updating a resource using PUT the id is expected to be in the URI not in the body

PUT /SCIM/Users/{id}

• Resolved bug that when generating the location for a resource, the PathBase was not being considered

• Added support for .NET 7
• Enhanced mapping for filters to support comparing values  with transformed store values
  • E.g. active attribute modelled in store as isDisabled

• Patch operation of add with no path failed with a bad request, now succeeds.

• Support ended for Core 3.1 and .NET 5

Provides a workaround for a bug in the Azure AD SCIM client when using a resource extension schema

Error: Missing extension schema(s) - xxxxxx "

New configuration option IgnoreMissingExtensionSchemas, set to true will resolve this issue

https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/customize-application-attributes#editing-the-list-of-supported-attributes

The custom extension schema header is omitted in the example below as it is not sent in requests from the Azure AD SCIM client. This issue will be fixed in the future and the header will be sent in the request.

• Fixed issue of extension schemas not being returned from the schemas endpoint

• Filtering and paging users was not returning the correct totalResults.

• Fixed issue that prevented SCIM endpoint root containing multiple path segments
  • Error received when attempting to access a specific resource
    resource id not found

• Fixed issue, when creating a resource via POST, any extension schema attributes created by the store were not being returned in the POST response. 

The first non-preview release allows applications to be provisioned with User and Group information ahead of time, using the SCIM2 protocol. The component enables Azure AD and Okta to provision your applications with identity data.

Samples can be found here

Please report any issues to [email protected]