question

LeifHorpestad-3598 asked

Repeating Create requests for Groups : Azure AD SCIM Provisioning

Hi,

We have created a SCIM endpoint for our custom application connecting to Azure AD's SCIM client. We have created an Enterprise Application for our custom application and successfully connected the provisioning. We are creating users and groups successfully.

What we see in the logs is that after the groups have been successfully created and users successfully added to the groups, Azure AD is sending an additional CREATE-request to create the group one more time. Since the group is already created in our custom application, this additional create-request will return an http409 from our custom application causing a "failure" log entry in Azure AD's provisioning log.

We are having a hard time understanding why Azure AD is sending two CREATE-requests since the first CREATE-request is successfully executed.
In the Azure AD's provision logs (exported to JSON), we see that the "targetIdentity > identityType" is different in the two CREATE-requests. First one has "identityType": "urn:ietf:params:scim:schemas:core:2.0:Group" while the last one has "identityType": "Group".

Has anyone seen this issue before, or does anyone know what could cause this issue?

azure-ad-user-provisioning

ZollnerD answered

I'd recommend checking that your response to the POST is fully in line with what we and the SCIM spec expect. See: https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#create-group

Key things from that - #1 - make sure you're responding with a 201/Created, #2 - make sure you're including an ID value in the response, #3 - make sure you have the right schemas present in the schemas property.

If none of those are it, please open a support case via portal.azure.com for help.


@LeifHorpestad-3598
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?


Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


Hello and thank you both for replying to my post. We are still having the issue, and actually the response was one of the first things we verified. Please find our response from the POST group request below.

The latest testing indicates that it might be related to whether the group has members or not. We are testing this more now, but it seems that we only get double POST requests if the group has members.

 {
     "schemas": [
         "urn:ietf:params:scim:schemas:core:2.0:Group"
     ],
     "id": "POSTMAN-TEST-LEIF1",
     "externalId": "POSTMAN-TEST-LEIF1",
     "meta": {
         "resourceType": "Group",
         "created": "2021-07-01T08:52:13.248Z",
         "lastModified": "2021-07-01T08:52:13.248Z",
         "version": "1625122333248",
         "location": "https://ourapplication/scim/v2/Groups/POSTMAN-TEST-LEIF1"
     },
     "displayName": "POSTMAN-TEST-LEIF1",
     "members": []
 }
LeifHorpestad-3598 answered

Hi,

Actually the example above was produced using Postman. I find this tool to be quite useful to view details on responses.

We have come close to the solution, and it appears that even though the initial POST request to create groups was marked as "successful" in Azure AD's provisioning log, Azure AD still runs a GET query to verify whether the group is actually returned from the custom application. In our case that GET query was implemented slightly incorrectly, resulting in the wrong ID being used in the GET query, so no group was found, which resulted in Azure AD trying to create it again. We fixed that and now we no longer get double POST requests for groups.

We still get double PATCH (Update) requests for users added to the group though, but we believe that might be related to the response we have for GetGroup - in that we return an empty "members" array instead of leaving the "members"-attribute completely out of the response. We are continuing to look into this and since we are having some progress I think it would make sense to just close this question for now and I could rather open a new question if we are stuck in the future. :-)

Big thanks to everyone that has taken the time to read this post and provided answers!

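As an added illustration of the flow described in the last answer (constructed for this page, not code from the thread, from Microsoft, or from the poster's application), a minimal in-memory SCIM Groups handler: the POST answers 201 with a server-assigned id, the client then verifies with a GET on that id, and a lookup keyed on the wrong attribute makes that GET miss, so the client repeats the POST and draws the 409 seen in the provisioning log. All function names, the group ids and the example.invalid base URL are assumptions.

```python
from datetime import datetime, timezone

GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
_groups = {}  # SCIM id -> stored record (in-memory stand-in for the app's database)


def _to_scim(rec):
    """Render a stored group as a SCIM 2.0 Group resource (RFC 7643 shape)."""
    body = {"schemas": [GROUP_SCHEMA], "id": rec["id"], "externalId": rec["externalId"],
            "displayName": rec["displayName"],
            "meta": {"resourceType": "Group", "created": rec["created"],
                     "location": f"https://example.invalid/scim/v2/Groups/{rec['id']}"}}
    if rec["members"]:  # constructed choice: leave out an empty members list
        body["members"] = rec["members"]
    return body


def create_group(payload):
    """POST /Groups: 201 with the resource, or 409 if the displayName already exists."""
    if any(g["displayName"] == payload["displayName"] for g in _groups.values()):
        return 409, {"schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
                     "status": "409", "detail": "group already exists"}
    gid = f"grp-{len(_groups) + 1}"  # server-assigned id, distinct from externalId
    rec = {"id": gid, "externalId": payload.get("externalId"),
           "displayName": payload["displayName"], "members": payload.get("members", []),
           "created": datetime.now(timezone.utc).isoformat(timespec="milliseconds")}
    _groups[gid] = rec
    return 201, _to_scim(rec)


def get_group(group_id):
    """GET /Groups/{id}: correct lookup, keyed on the id returned by the POST."""
    rec = _groups.get(group_id)
    return (200, _to_scim(rec)) if rec else (404, None)


def get_group_wrong_key(group_id):
    """Lookup bug of the kind described in the thread: compares the path id
    against externalId, so the verification GET misses and returns 404."""
    rec = next((g for g in _groups.values() if g["externalId"] == group_id), None)
    return (200, _to_scim(rec)) if rec else (404, None)


def provision(payload, lookup=get_group):
    """Client side of the flow: POST, then GET by the returned id. When the GET
    fails the client creates again, and the server answers that with 409."""
    status, body = create_group(payload)
    if status != 201:
        return status
    if lookup(body["id"])[0] == 200:
        return 201
    return create_group(payload)[0]  # the repeated POST seen in the provisioning log
```

Swapping `lookup=get_group_wrong_key` into `provision` reproduces the 201-then-409 pattern from the question without any change on the client side.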