Question

0 Votes
JadBoutros-7243 asked · ZollnerD commented

Unable to see attribute mappings when setting up SCIM provisioning

We have a SaaS web application that supports SSO and SCIM and it's been on the Okta and OneLogin stores for quite a while. I am now testing it with Azure AD ahead of submitting it to the Azure Gallery and SSO worked like a charm. But SCIM is not working because I am unable to see – let alone change – Mappings in the Provisioning tab of the application on Azure AD. As such, it is connecting to our SCIM backend with the wrong username attribute and failing.

I thought perhaps I was using the free Azure AD license – as I just enrolled – and perhaps not seeing those profile mappings, but I upgraded to Standard and I still do not see them. I am attaching a screenshot of the Provisioning tab for the Enterprise app I set up. Contrast it with the screenshot in point 6 of this SCIM guide https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups - you can see the Mappings section is absent.

Any pointers appreciated, newbie on Azure AD.
Thanks,
Jad


[1]: /answers/storage/attachments/122928-screen-shot-2021-08-12-at-105345-pm.png

Tags: azure-ad-saml-sso, azure-ad-user-provisioning

1 Answer

0 Votes
ZollnerD answered · ZollnerD commented

You need to input a URL and credentials prior to exposing the mappings.


Of course, I did that but then the flow forces me to test the connection and the connection errors out because Azure AD is using a UUID instead of the email address in the SCIM requests and I can't change that because the mappings are not available. The mappings are not exposed when you input the URL and credentials.

0 Votes

So your SCIM service provider is generating an error because of a GET request with a filter where userName eq "c7c30da2-0a09-4cde-975a-897d307c272f" or something like that? There's nothing in the SCIM spec that says that a userName has to be in user@domain.com format. While your service may not allow a user to be created with a userName that isn't in user@domain.com format, you should still be able to accurately respond and say that no users with userName of "c7c30da2-0a09-4cde-975a-897d307c272f" exist.

1 Vote

Thank you @ZollnerD, that is good feedback. I will make the change to our SCIM server accordingly and go from there.

1 Vote
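ZollnerD's point above is the one a SCIM service provider usually gets wrong: a lookup filter such as userName eq "c7c30da2-0a09-4cde-975a-897d307c272f" is a question, not a create request, so the right answer for an unknown value is an empty ListResponse (HTTP 200, totalResults 0), not an error. The following is an added illustration, not code from this thread or from the asker's product. It uses a constructed in-memory user list, handles only the simple `attr eq "value"` filter form, and shows the failing behaviour (`list_users_strict`, which applies the e-mail-only rule to searches) beside the conformant one (`list_users`).

```python
import re
from typing import Optional, Tuple

# Constructed sample directory; it stands in for the asker's real SCIM backend.
USERS = [
    {"id": "2819c223-7f76-453a-919d-413861904646", "userName": "alice@example.com", "active": True},
    {"id": "5f4e1d2c-9b8a-4c7d-8e6f-1a2b3c4d5e6f", "userName": "bob@example.com", "active": True},
]

LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# The only filter form handled here: <attr> eq "<value>", the shape of the
# probe described in the thread. Escaped quotes inside the value are allowed.
EQ_FILTER_RE = re.compile(r'^\s*(\w+)\s+eq\s+"((?:[^"\\]|\\.)*)"\s*$', re.IGNORECASE)


def parse_eq_filter(expr: str) -> Optional[Tuple[str, str]]:
    """Return (attribute, value) for an `attr eq "value"` filter, else None."""
    m = EQ_FILTER_RE.match(expr)
    if m is None:
        return None
    return m.group(1), m.group(2).replace('\\"', '"')


def scim_error(status: int, detail: str, scim_type: str) -> Tuple[int, dict]:
    # SCIM error bodies carry the HTTP status as a string (RFC 7644 section 3.12).
    return status, {"schemas": [ERROR_SCHEMA], "status": str(status),
                    "scimType": scim_type, "detail": detail}


def list_response(resources: list) -> Tuple[int, dict]:
    return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(resources),
                 "startIndex": 1, "itemsPerPage": len(resources),
                 "Resources": resources}


def list_users_strict(filter_expr: Optional[str]) -> Tuple[int, dict]:
    """The failure mode from the thread: the create-time rule (userName must be
    an e-mail address) is applied to the lookup filter too, so a probe for a
    UUID-shaped userName is rejected instead of answered."""
    if filter_expr is None:
        return list_response(USERS)
    parsed = parse_eq_filter(filter_expr)
    if parsed is None or parsed[0].lower() != "username":
        return scim_error(400, "unsupported filter", "invalidFilter")
    value = parsed[1]
    if not EMAIL_RE.match(value):
        return scim_error(400, "userName must be an e-mail address", "invalidValue")
    return list_response([u for u in USERS if u["userName"].lower() == value.lower()])


def list_users(filter_expr: Optional[str]) -> Tuple[int, dict]:
    """Conformant handling: any string is a legal userName to search for, and
    only a filter the service cannot evaluate is an error. No match yields a
    200 with an empty ListResponse, which is what the provisioning client
    needs in order to decide that it should create the user."""
    if filter_expr is None:
        return list_response(USERS)
    parsed = parse_eq_filter(filter_expr)
    if parsed is None or parsed[0].lower() != "username":
        return scim_error(400, "unsupported filter", "invalidFilter")
    value = parsed[1]
    # RFC 7643 defines userName with caseExact=false, hence the case-insensitive match.
    return list_response([u for u in USERS if u["userName"].lower() == value.lower()])


if __name__ == "__main__":
    probe = 'userName eq "c7c30da2-0a09-4cde-975a-897d307c272f"'
    print("strict :", list_users_strict(probe))
    print("correct:", list_users(probe))
```

Keeping the e-mail validation on POST /Users (where the service really does decide what it will store) and dropping it from the filter path is the whole change; the connection test then sees an empty result and proceeds to create the user with whatever the Azure AD attribute mapping sends.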