Error in Manager data synchronization via SCIM
Hello!
My name is Alex Moiseev, and I am experiencing an issue with user synchronization via SCIM with Azure Active Directory. Well, actually, with manager synchronization.
As far as I understand, the approach to provisioning a user is the following.
Step 1. The provisioner tries to get info about the user by id with a GET User resource request.
Step 2. Based on the information received, the provisioner decides whether the whole user record should be sent or only certain fields need to be updated.
Step 3. The provisioner sends a POST or PUT/PATCH request with user details to create/update the user on the receiver side.
And everything works more or less OK, except for managers.
In the user data to provide, there is one field which is used for manager info:
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager
When there is no manager assigned to the user on the consumer side, everything works perfectly.
The provisioner sends manager info in both cases – for an existing and for a non-existing user.
If the manager is changed on the Azure AD side, we still receive manager data in the field mentioned above in the PATCH request, in order to overwrite the stored manager.
But when the manager is removed on the Azure AD side, we don't receive any information about it – the urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager field doesn't exist in the PATCH request.
We thought that this may be because we didn't add manager information to the GET User resource response.
We tried to add manager information there according to the documentation (https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups) by adding
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
"manager": "0"
},
We use "0" in order to make the provisioner send us information about the manager in each request.
But we got an error there:
Error message
We are not able to deserialize the resource received from your SCIM endpoint because your SCIM endpoint is not fully compatible with the Azure Active Directory SCIM client. Here is the resource we received from your SCIM endpoint:
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
],
"externalId": "Worker",
"id": "1548197",
"userName": "email address removed for privacy reasons",
"name": {
"familyName": "Ker",
"givenName": "Wor"
},
"emails": [
{
"value": "email address removed for privacy reasons",
"type": "work",
"primary": true
}
],
"title": "Developer",
"locale": "nl",
"timezone": "CEST",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
"manager": "0"
},
"active": true,
"displayName": "Wor Ker"
}
Please refer to the Azure Active Directory SCIM provisioning documentation (https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups) and adapt the SCIM endpoint to be able to process provisioning requests from Azure Active Directory.
We have reviewed the referenced documentation, and the format for specifying the manager is exactly as indicated there.
If the "manager" field is removed from the data, the error does not occur.
So, the questions are:
1. How should we provide manager information in the response to the GET User resource call?
2. How should we properly detect the removal of the manager in Azure?
I would appreciate your assistance in resolving this issue.
I’d like to know what is causing the error and how to correctly transmit manager information via SCIM.
Thank you in advance for your attention and help!
Yours sincerely,
Alex Moiseev
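The following is an added example that is not part of the post above and not code from the poster or from Microsoft. It shows a SCIM endpoint's side of the two things the post asks about: how a GET /Users/{id} response can carry the manager, and how a PATCH that removes the manager can be applied. RFC 7643 section 4.3 defines the enterprise extension's manager attribute as a complex attribute with value, $ref and displayName sub-attributes; the GET response echoed in the error message carries it as the bare string "0", and the example instead emits the RFC shape and omits the extension block entirely when the user has no manager. The PATCH handling follows RFC 7644 section 3.5.2, where a "remove" operation names the attribute in its path. The in-memory user store, the base URL, the sample PATCH bodies and the case-insensitive handling of the "op" value are all assumptions constructed for this example.

```python
"""Added example, not the poster's or Microsoft's code: a minimal SCIM 2.0
User resource that serializes the enterprise-extension manager as RFC 7643
section 4.3 defines it (a complex attribute with value, $ref and displayName
sub-attributes) and applies RFC 7644 PATCH operations to it, including
removal of the manager. The user store, base URL and PATCH payloads are
constructed for this example."""
import copy
import json

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
BASE_URL = "https://scim.example.com/scim/v2"  # assumed endpoint base URL

# Constructed in-memory store keyed by SCIM id; manager_id is None when unassigned.
USERS = {
    "1548197": {"id": "1548197", "externalId": "Worker", "userName": "wor.ker@example.com",
                "displayName": "Wor Ker", "active": True, "manager_id": "1548100"},
    "1548100": {"id": "1548100", "externalId": "Boss", "userName": "bo.ss@example.com",
                "displayName": "Bo Ss", "active": True, "manager_id": None},
}


def manager_attribute(manager_id):
    """Build the RFC 7643 manager complex attribute, or None when there is no manager."""
    manager = USERS.get(manager_id) if manager_id else None
    if manager is None:
        return None
    return {
        "value": manager["id"],
        "$ref": f"{BASE_URL}/Users/{manager['id']}",
        "displayName": manager["displayName"],
    }


def to_scim(record):
    """Serialize an internal record as a SCIM User for a GET /Users/{id} response.
    The manager is emitted as an object, never as a bare string, and the
    enterprise extension block is omitted when there is nothing to put in it."""
    user = {
        "schemas": [CORE],
        "id": record["id"],
        "externalId": record["externalId"],
        "userName": record["userName"],
        "displayName": record["displayName"],
        "active": record["active"],
    }
    manager = manager_attribute(record["manager_id"])
    if manager is not None:
        user["schemas"].append(ENTERPRISE)
        user[ENTERPRISE] = {"manager": manager}
    return user


def is_manager_path(path):
    """True when a PATCH path addresses the manager attribute or its value sub-attribute."""
    if path is None:
        return False
    return path.lower() in (f"{ENTERPRISE}:manager".lower(), f"{ENTERPRISE}:manager.value".lower())


def apply_patch(record, patch):
    """Apply a PatchOp message to a copy of record and return the copy.
    Handles the manager path plus a few simple core attributes; anything else is rejected."""
    if PATCH_OP not in patch.get("schemas", []):
        raise ValueError("not a PatchOp message")
    updated = copy.deepcopy(record)
    for operation in patch["Operations"]:
        op = operation["op"].lower()  # assumption: accept "Remove" as well as "remove"
        path = operation.get("path")
        value = operation.get("value")
        if is_manager_path(path):
            if op == "remove":
                updated["manager_id"] = None  # manager cleared on the consumer side
            elif op in ("add", "replace"):
                # value is either the complex object or just the id for the .value path
                updated["manager_id"] = value["value"] if isinstance(value, dict) else value
            else:
                raise ValueError(f"unknown op {operation['op']!r}")
        elif op in ("add", "replace") and path in ("userName", "displayName", "active"):
            updated[path] = value
        else:
            raise ValueError(f"unsupported operation {operation!r}")
    return updated


# Constructed PATCH bodies in the shape RFC 7644 section 3.5.2 defines.
REMOVE_MANAGER = {"schemas": [PATCH_OP],
                  "Operations": [{"op": "Remove", "path": f"{ENTERPRISE}:manager"}]}
SET_MANAGER = {"schemas": [PATCH_OP],
               "Operations": [{"op": "Replace", "path": f"{ENTERPRISE}:manager",
                               "value": {"value": "1548100"}}]}


def demo():
    """Return the GET representation before and after the manager is removed."""
    before = to_scim(USERS["1548197"])
    after = to_scim(apply_patch(USERS["1548197"], REMOVE_MANAGER))
    return before, after


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block prints the user first with the manager as an object under the enterprise extension and then, after the constructed remove operation, without the extension block at all. Whether a given client sends a remove operation, a replace with an empty value, or nothing for a cleared manager is up to that client; the point of the example is that the endpoint's GET response and PATCH handling both treat manager as the complex attribute the RFC specifies, so that a remove on that path can be recognized when it does arrive.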