Question asked by GeoffreyvanWyk-0769

When provisioning a new user on demand in Azure AD, not all attributes reach the target application

The new user does get created in the target application, but some of the attributes are not set in the target application. This happens even as the details of the "Perform action" step shows the missing attributes and even if those attributes are not null.

When provisioning on demand is retried for the same user, in other words, the user is updated in the target application, the missing attributes are set as well.

An example attribute which does not get sent during creation is companyName (Azure AD attribute) mapped to company (custom SCIM attribute).

I have confirmed that those attributes are not sent by Azure Active Directory to the custom application by logging to file the request body before any other code touches the request.

azure-ad-user-provisioning

Hi, if the posted answer resolves your question, please mark it as the answer by clicking the check mark. Doing so helps others find answers to their questions.


1 Answer

Answer by ZollnerD

Can you provide the exact target attribute that is being targeted? Is it just "company"? If so, that attribute is not a part of the SCIM Core Schema. Attributes that are not a part of the SCIM Core Schema as defined in RFC 7643 must have a fully SCIM compliant URI as outlined in section 10.2.1 - https://datatracker.ietf.org/doc/html/rfc7643#section-10.2.1.

Try renaming that attribute in your service and in the AAD provisioning schema for your target system to be something like urn:ietf:params:scim:schemas:extension:MyAppName:2.0:User:company and our service should handle it correctly.


GeoffreyvanWyk-0769 commented:

Hi @ZollnerD

The exact target attribute is urn:ietf:params:scim:schemas:core:2.0:User:company. The attribute does get sent when the user is updated though.

Department is another attribute not part of the core schema that does get sent when the user is created and gets updated as well.

At first, I used organization and department from urn:ietf:params:scim:schemas:extension:enterprise:2.0:User, but then AD gave an error that my application's response did not comply with the SCIM client's schema. I could not see what caused the error when comparing a response that worked and one that raised the error.

ZollnerD commented:

Company is not a part of the core schema. Appending urn:ietf:params:scim:schemas:core:2.0:User: to an attribute name is not sufficient here. If you look at the core schema docs (https://datatracker.ietf.org/doc/html/rfc7643) and control-F for "company" you will find zero hits.

Department is a part of the enterprise schema extension that is detailed in the same spec (7643), and therefore using urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department is valid. You cannot replace department in that string with company, however, as company is not an attribute defined in the enterprise extension in 7643.

My previous advice still stands - try renaming that attribute in your service and in the AAD provisioning schema for your target system to be something like urn:ietf:params:scim:schemas:extension:MyAppName:2.0:User:company and our service should handle it correctly.

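The rule ZollnerD applies in the answer and in the comment above (department is defined in the enterprise extension of RFC 7643, company is defined nowhere in that RFC and so needs a custom extension URN) can be enforced mechanically on the service side when an inbound provisioning payload arrives. The Python below is an added example, not code from this thread or from Azure AD's provisioning service: it checks where each attribute of a SCIM 2.0 User resource sits relative to its declared schemas and flags the placement described in the question. The urn:ietf:params:scim:schemas:extension:MyAppName:2.0:User URN is the placeholder from the answer, and both payloads are constructed.

```python
"""Check attribute placement in a SCIM 2.0 User resource (RFC 7643).

Added illustration for the thread above; not Azure AD or Microsoft code.
The MyAppName extension URN is a placeholder and the payloads are made up.
"""

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
MYAPP_USER = "urn:ietf:params:scim:schemas:extension:MyAppName:2.0:User"  # placeholder

# Top-level attributes of the core User schema (RFC 7643 section 4.1) plus
# the common attributes every resource carries (section 3.1).
CORE_USER_ATTRS = {
    "id", "externalId", "meta", "schemas",
    "userName", "name", "displayName", "nickName", "profileUrl", "title",
    "userType", "preferredLanguage", "locale", "timezone", "active",
    "password", "emails", "phoneNumbers", "ims", "photos", "addresses",
    "groups", "entitlements", "roles", "x509Certificates",
}

# Attributes of the enterprise extension (RFC 7643 section 4.3).
ENTERPRISE_ATTRS = {
    "employeeNumber", "costCenter", "organization", "division",
    "department", "manager",
}

# Schemas whose attribute sets are known here; any other URN listed in
# "schemas" is accepted as an opaque custom extension.
KNOWN_SCHEMAS = {CORE_USER: CORE_USER_ATTRS, ENTERPRISE_USER: ENTERPRISE_ATTRS}


def check_attr(schema, attr, declared):
    """Return a problem string if attr may not sit under schema, else None."""
    if schema != CORE_USER and schema not in declared:
        return f"{schema} used but not listed in schemas"
    allowed = KNOWN_SCHEMAS.get(schema)
    top_level = attr.split(".")[0]  # "name.givenName" -> "name"
    if allowed is not None and top_level not in allowed:
        return f"{attr} is not defined in {schema}"
    return None


def validate_user(resource):
    """List schema-placement problems in a User payload (empty list = OK)."""
    problems = []
    declared = resource.get("schemas", [])
    if CORE_USER not in declared:
        problems.append("schemas must list the core User schema")
    for key, value in resource.items():
        if not key.startswith("urn:"):
            # Unqualified top-level key: must be a core User attribute.
            found = check_attr(CORE_USER, key, declared)
        elif key in declared:
            # Extension block: {"urn:...:User": {"department": "Finance"}}
            if not isinstance(value, dict):
                found = f"{key} must be a JSON object holding its attributes"
            else:
                hits = [check_attr(key, sub, declared) for sub in value]
                found = "; ".join(h for h in hits if h) or None
        else:
            # Fully qualified attribute name: "urn:...:User:company"
            schema, _, attr = key.rpartition(":")
            found = check_attr(schema, attr, declared)
        if found:
            problems.append(found)
    return problems


# Constructed payload in the shape the question describes: "company" hung
# off the core User URN, "department" correctly inside the enterprise block.
AS_POSTED = {
    "schemas": [CORE_USER, ENTERPRISE_USER],
    "userName": "jdoe@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "active": True,
    f"{CORE_USER}:company": "Contoso",
    ENTERPRISE_USER: {"department": "Finance"},
}

# Same data with "company" moved under the custom extension URN the answer suggests.
CORRECTED = {
    "schemas": [CORE_USER, ENTERPRISE_USER, MYAPP_USER],
    "userName": "jdoe@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "active": True,
    ENTERPRISE_USER: {"department": "Finance"},
    MYAPP_USER: {"company": "Contoso"},
}

if __name__ == "__main__":
    for label, body in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(label, "->", validate_user(body) or "ok")
```

Running the block reports one problem for the payload as posted (company is not defined under the core User URN) and none for the corrected one; a custom extension listed in "schemas" is accepted without an attribute list, since the service owns that schema and defines it itself.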

GeoffreyvanWyk-0769 commented:

Thank you, @ZollnerD. I will try that.
