
Support AzureAD minimum SCIM requirements

Open · mooreds opened this issue 2 years ago • 1 comment


Problem

I want to provision my users from Azure AD into FusionAuth.

Solution

Support the required features for Azure AD to be able to provision users into FusionAuth with SCIM.

Alternatives/workarounds

n/a

Additional context

Here's the FusionAuth SCIM APIs: https://fusionauth.io/docs/v1/tech/apis/scim/

This doc lists the requirements of Azure AD:

https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups

| Feature | Spec section | FusionAuth supports in version 1.36 |
|---|---|---|
| Create users, and optionally also groups | section 3.3 | yes |
| Modify users or groups with PATCH requests | section 3.5.2. Supporting ensures that groups and users are provisioned in a performant manner. | no |
| Retrieve a known resource for a user or group created earlier | section 3.4.1 | yes |
| Query users or groups | section 3.4.2. By default, users are retrieved by their id and queried by their username and externalId, and groups are queried by displayName. | no |
| The filter excludedAttributes=members when querying the group resource | section 3.4.2.5 | no |
| Accept a single bearer token for authentication and authorization of Azure AD to your application. | | maybe, you'd need to hardcode some things, I think: more here |
| Soft-deleting a user (active=false) and restoring the user (active=true) | The user object should be returned in a request whether or not the user is active. The only time the user should not be returned is when it is hard deleted from the application. | yes |
| Support the /Schemas endpoint | section 7. The schema discovery endpoint will be used to discover additional attributes. | yes |
| Support listing users and paginating | section 3.4.2.4 | yes |
| Content type is application/scim+json, not application/json as currently used (and is allowed by the spec). This is feedback from a customer testing this out. | n/a | no |

Related

  • https://github.com/FusionAuth/fusionauth-issues/issues/1791

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

mooreds, Jun 17 '22 22:06

Fixes:

  • Support both application/json and application/scim+json for Content-Type on the request.
  • Azure uses Expect: 100-continue on a POST request; ensure we handle this state correctly.
  • Provide minimal filter support by userName. Azure AD uses this to identify if the user exists prior to creating.

TBD:

  • Possibly support a straight API key for easier integration. Currently a JWT is required that is produced via the client credentials grant.
  • Support PATCH; Azure AD makes PATCH requests for periodic synchronization of provisioned users. We don't currently support the SCIM-specific PATCH schema.
  • Okta seems to use PUT for user updates, but does use PATCH to add members to a group.

robotdan, Aug 18 '22 22:08
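The server-side pieces the two posts above call for, as an added Python example that is not FusionAuth's code: accepting both Content-Type values, the minimal `userName eq "..."` filter Azure AD sends before each create, and applying a SCIM PatchOp that soft-deletes a user with active=false while the user stays discoverable. The user store is a plain list of dicts, and the sample user and PATCH body are constructed for the demonstration.

```python
import copy
import re
from typing import List, Optional, Tuple
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def content_type_ok(header: str) -> bool:
    """Accept both application/scim+json (the spec) and plain application/json."""
    return header.split(";", 1)[0].strip().lower() in ("application/scim+json", "application/json")

# Minimal filter grammar: exactly one `attribute eq "value"` comparison.
_EQ_FILTER = re.compile(r'^\s*(\w+)\s+eq\s+"((?:[^"\\]|\\.)*)"\s*$', re.IGNORECASE)

def parse_eq_filter(expr: str) -> Optional[Tuple[str, str]]:
    m = _EQ_FILTER.match(expr)
    return None if m is None else (m.group(1), m.group(2).replace('\\"', '"'))

def find_users(store: List[dict], filter_expr: str) -> List[dict]:
    """Azure AD sends `userName eq "..."` before each create; inactive users are still returned."""
    parsed = parse_eq_filter(filter_expr)
    if parsed is None or parsed[0].lower() != "username":
        raise ValueError("unsupported filter: %r" % filter_expr)
    wanted = parsed[1].lower()  # userName is caseExact=false in RFC 7643
    return [u for u in store if u.get("userName", "").lower() == wanted]

def apply_patch(resource: dict, patch: dict) -> dict:
    """Apply a SCIM PatchOp message (RFC 7644 section 3.5.2) and return the new resource."""
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("body is not a SCIM PatchOp")
    out = copy.deepcopy(resource)
    for op in patch["Operations"]:
        kind, path = op["op"].lower(), op.get("path")  # Azure AD capitalises "Replace"
        if kind == "replace" and path is None:
            out.update(op["value"])  # no path: value is a dict of attributes
        elif kind == "replace":
            out[path] = op["value"]
        elif kind == "add" and path == "members":  # the Okta group-membership case
            out.setdefault("members", []).extend(op["value"])
        else:
            raise ValueError("unsupported operation: %s %s" % (kind, path))
    return out

# Constructed sample data: one active user and the PATCH body Azure AD sends to soft-delete.
SAMPLE_USERS = [{"userName": "Bob@example.com", "active": True}]
SOFT_DELETE = {"schemas": [PATCH_SCHEMA], "Operations": [{"op": "Replace", "path": "active", "value": False}]}

def soft_delete_demo() -> dict:
    bob = find_users(SAMPLE_USERS, 'userName eq "bob@example.com"')[0]
    store = [apply_patch(bob, SOFT_DELETE)]  # deactivated, not removed
    return find_users(store, 'userName eq "bob@example.com"')[0]
```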