Azure AD SCIM Validator is in General Availability (GA) Status

Hello owinoakelo,

I am testing SCIM operations for Groups using your validator to ensure compatibility with MS Entra. Unfortunately, I currently (for now) do not have access to Entra to test the SCIM API in a real environment, so I have to rely solely on your validator.

I have encountered two issues and would like to kindly ask for some clarification.

1. Tested Operation: Patch Group - Add Member

Content-Type: application/scim+json; charset=utf-8
{
  "Operations": [
    {
      "op": "replace",
      "path": "members",
      "value": [
        {
          "value": "944"
        }
      ]
    }
  ],
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ]
}

The operation for adding a member to a group should use "op": "Add". However, the validator called the operation with "op":"replace". The documentation here only describes operations for adding and removing members, not a full replacement.

Is this an issue with the validator, or does MS Entra actually send a full replace patch operation for members?

2. Tested Operation: Patch Group - Replace Attributes

Content-Type: application/scim+json; charset=utf-8
{
  "Operations": [],
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ]
}

The validator sent a patch request with an empty set of operations, meaning no changes are actually requested, yet it expects a Success (200) result code.

Is this an issue with the validator, or does MS Entra actually send such "empty" operations and expect a Success (200) response?

Thank you in advance for your response.
Best regards,

Martin.

owinoakelo  Currently i always get a HTTP 504 Gateway timeout. We currently are implementing SCIM and the Validator would be super helpful. Is there any plan for a fix?

owinoakelo 

hi there, I ran validator tests and all failed due to a custom domain validator we added in the SCIM app. However, when I look at the request details of each test case, I am surprised to see that all calls are POSTs. Captured here as an example, the 'PATCH user' is a POST call. So are other patch cases, filter users, delete a user, etc... Can you think of anything that is causing this behavior? thanks for your help.

owinoakeloSchema Discovery does not seem to work for us, the SCIM validator then fails to execute any tests. However, it does work when using the Default schema option.

Our endpoint supports the following attributes: userName, externalId, active, displayName, emails, roles. If I select Default schema and manually edit the attribute mappings, the SCIM Validator succesfully validates the SCIM endpoint implementation in our application. All 10 tests are completed succesfully.

If I select Schema Discovery, the SCIM validator successfully fetches the attribute definitions from our /Schemas endpoint. However, if I then click Test Schema, the validator always returns an error message: SCIM Validation failed. NetworkError when attempting to fetch resource.
The browser console log shows some CORS errors. I do not see any incoming requests in our application.

Why would Test Schema fail to contact our endpoint when using Schema Discovery?

owinoakelo 

Hello.
These days, I'm working on implementing support for the SCIM protocol into a client application and using the SCIM Validator to check its functionality. A few days ago, the SCIM Validator sent me a multi-value PATCH operation for nested parameters in this format:

 "Operations": [
        {
            "op":"replace",
            "value":
            {
                "name.givenName":"Aron",
                "name.familyName":"Raul",
            }
        }
    ]

Today, I noticed that instead of the original nine tests, a tenth one, "PATCH User- Disable User," has appeared, and the format of the patch replace operation has changed. Now, the multi-value operation for nested parameters looks like this:

"Operations": [
    {
      "op": "replace",
      "value": {
        "name": {
          "givenName": "Trevion",
          "familyName": "Larissa"
        },
      }
    }
  ]

Does an SCIM client that wants to collaborate with AAD need to support both the above-mentioned variations, or will the one from today be sufficient?

For the validator, one of the tests is to attempt to create a duplicate user. The validator expects this to fail when it succeeds and then expects it to succeed when it fails.

Does anyone know what the validator is checking for specifically with this test?

owinoakelo 

We've got a very simple schema that only includes the following user attributes (All required) with no group support:

• • userName
• • active
• • emails[type eq "work"].value
• • name.givenName
• • name.familyName

When I run the validator I'm getting the following error: Unknown test failed. Object ref not set to an instance of an object

        "FailedTests": [

            {

                "$id": "31",

                "Description": "One or more errors occurred. (Object reference not set to an instance of an object.)",

                "Name": "Unknown test failed",

                "Results": [

                    {

                        "$id": "32",

                        "Message": "Internal server error: One or more errors occurred. (Object reference not set to an instance of an object.)",

                        "Outcome": 1,

                        "MoreInformation": ""

                    }

                ],

                "ResponseHeaders": "",

                "ResponseStatus": "One or more errors occurred. (Object reference not set to an instance of an object.)",

                "ResponseBody": "",

                "InitialRequestBody": "",

                "RequestBody": "One or more errors occurred. (Object reference not set to an instance of an object.)",

                "SFComplianceOptional": false,

                "HasTestPassed": false,

                "TestexecutionTime": 0

            }

        ],

I've run through the postman tests directly and they're all passing, or failing for valid reasons i.e.

• Get User Filters fails due to DisplayName not being supported in our schema
• Get User1 Check Patch due to Formatted not being supported in our schema
• Create user1 fails as emailName357 is not a valid email address format

I can change the above 3 tests to use valid data and then they pass as expected

Based on the above, I'm not seeing anything wrong with our implementation. Is the error an issue with the scim validator itself or am I missing something? How do we proceed with getting our implementation approved?

owinoakelo 

I was trying to use SCIM sdk library (https://github.com/Captain-P-Goldfish/SCIM-SDK) and they are adding common attributes (like "id") to the schema. According to specification, some providers MAY include the common attributes. https://datatracker.ietf.org/doc/html/rfc7643#section-3.1

For backward compatibility, some existing schema definitions MAY list
   common attributes as part of the schema.  The attribute
   characteristics (see [Section 2.2](https://datatracker.ietf.org/doc/html/rfc7643#section-2.2)) listed here SHALL take precedence
   over older definitions that may be included in existing schemas.

Unfortunatelly, SCIM validator doesn't handle this case correctly. 

Is there any chance that it could be fixed?

Thank you