jelhub / scimgateway

Using SCIM protocol as a gateway for user provisioning to other endpoints

License: MIT License

JavaScript 99.78% Dockerfile 0.22%
scim gateway nodejs iga identity manager provisioning

scimgateway's Issues

Cannot access custom attributes in Create User function

While trying to do a manual provisioning as part of testing, I realise that only the userName and active attributes are sent. However from Azure's end, it shows the target attribute which I require to create the user. It seems I might not have configured something, but I'm not sure what else needs to be configured on the SCIM gateway for me to receive the rest of the attributes.


{
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
    "userName": "_____________",
    "active": true,
    "meta": {
        "resourceType": "User"
    }
}

loki plugin getUser response is not SCIM compliant

Hi jelhub

I am using the loki plugin and doing a filter request as follows:
https://domain/Users?filter=userName+eq+%22bjensen1%22

It works fine when the user is found, but when the user is not found, it's sending a 404 response instead of 200 with an empty array.
Azure AD expects the following response when the user is not found:

{
	"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
	"totalResults": 0,
	"Resources": [],
	"startIndex": 1,
	"itemsPerPage": 20
}

Can you please explain regarding this.

Thanks & Regards

Security vunerability - SOAP / EJS

I mean vulnerability. Sorry.

SOAP dependency is outdated and insecure. See attachment below (a screen shot). Need to make sure we pull in a newer version of SOAP that is using a newer version of ejs. ejs is the source of the security issue. BTW, you'll notice SOAP's master branch has been updated.

screen shot 2017-03-03 at 1 55 21 pm

If you like I could update your project.json and submit a pull request?

Jeff
PS. I'm a co-worker of C. Watson.

PS. More details about the vulnerability can be found here: https://snyk.io/vuln/npm:ejs:20161128

Cannot PUT /Users

My Identity provider wants to PUT all the Users and Groups in a batch. scimgateway does not seem to support PUT for this, only POST and PATCH. That will not work with their software (ADFS?)

I tried the Loki plugin with SCIM 2.0 and this JSON

[
  {
    "externalId": "Donald_D",
    "userName": "Donald_D",
    "active": "true",
    "schemas": [
      "urn:ietf:params:scim:schemas:core:2.0:User",
      "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
    ]
  },
  {
    "externalId": "Huey_D",
    "userName": "Huey_D",
    "active": "true",
    "schemas": [
      "urn:ietf:params:scim:schemas:core:2.0:User",
      "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
    ]
  },
  {
    "externalId": "Dewey_D",
    "userName": "Dewey_D",
    "active": "true",
    "schemas": [
      "urn:ietf:params:scim:schemas:core:2.0:User",
      "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
    ]
  },
  {
    "externalId": "Louie_D",
    "userName": "Louie_D",
    "active": "true",
    "schemas": [
      "urn:ietf:params:scim:schemas:core:2.0:User",
      "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
    ]
  }
]

LDAP issue with SCIM Id attribute

Hi Jarle,

When a user, JohnDoe is created in Active Directory with SCIM Id mapped to LDAP DN it does not return the DN (for example: CN%3DJohnDoe%3Dxxx%3Dxxx%2CDC%3Dxx) but still JohnDoe.

When the SCIM Id is mapped to, for example, LDAP objectGUID or objectID, it still returns 'JohnDoe'.

Is DN the only attribute which can be used in combination with the SCIM Id attribute?

Regards,

Michael

Pagination issue in plugin-loki

Pagination is not working as expected in plugin-loki. For e.g. ?startIndex=10&count=5 returns no records when total records > 15.

Operator gte not working on Mongo plugin

Hello @jelhub ,

First of all, thank you for including the mongodb plugin!
However, I am testing version 4.0.0 and this endpoint doesn't return any results.

After taking a look at this, I've tried with "ge" instead. But again, no results found.

Note: At MongoDB, I have the two test mode users (bjensen and jsmith).
Could you run this scenario, please?

Best Regards,
Filipe Ribeiro

mssql does not return data

Hi
The mssql plugin does not return data in my installation.
It appears that the exploreUsers method returns an empty data set before the query is run. If I add logging statements in the Tedious Request callback the data is returned from SQL Server.
I cannot see how to resolve the synchronization with Tedious. Hope you can help.

Using auth.bearerJwt option doesn't work if using public key

Tried using auth.bearerJwt option but it fails as the code is initializing only if secret is specified. Once secret is specified the token validation uses only the secret. Was able to get it working after fixing the code related to auth.bearerJwt initialization.
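
The behaviour this report asks for, as an added example that is not scimgateway's code or the reporter's fix: a verifier is built for whichever key material is configured (shared secret for HS256, PEM public key for RS256), and the set of accepted algorithms comes from that configuration rather than from the token header. The config shape `{ secret, publicKey }`, the function names and the sample tokens are assumptions constructed for illustration; only Node's built-in crypto module is used.

```javascript
// Added example, not scimgateway code. Uses only Node's built-in crypto module.
const nodeCrypto = require('node:crypto')

const b64url = (data) => Buffer.from(data).toString('base64url')

// cfg is a hypothetical shape: { secret?: string, publicKey?: PEM string }.
function buildVerifier (cfg) {
  const verifiers = Object.create(null) // alg name -> (signedData, signature) => boolean
  if (cfg.secret) {
    verifiers.HS256 = (data, sig) => {
      const mac = nodeCrypto.createHmac('sha256', cfg.secret).update(data).digest()
      return mac.length === sig.length && nodeCrypto.timingSafeEqual(mac, sig)
    }
  }
  if (cfg.publicKey) { // initialised independently of cfg.secret
    const key = nodeCrypto.createPublicKey(cfg.publicKey) // throws early on a bad PEM
    verifiers.RS256 = (data, sig) => nodeCrypto.verify('sha256', Buffer.from(data), key, sig)
  }
  if (Object.keys(verifiers).length === 0) {
    throw new Error('bearerJwt needs a secret or a publicKey')
  }

  return function verify (token, now = Math.floor(Date.now() / 1000)) {
    const parts = String(token).split('.')
    if (parts.length !== 3) return { ok: false, reason: 'malformed' }
    let header, payload
    try {
      header = JSON.parse(Buffer.from(parts[0], 'base64url').toString())
      payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString())
    } catch (err) {
      return { ok: false, reason: 'malformed' }
    }
    if (!header || !payload || typeof payload !== 'object') {
      return { ok: false, reason: 'malformed' }
    }
    // The header only selects among configured algorithms; "none" or an
    // algorithm with no configured key is refused before any signature math.
    const check = verifiers[header.alg]
    if (typeof check !== 'function') return { ok: false, reason: 'alg not allowed' }
    const signature = Buffer.from(parts[2], 'base64url')
    if (!check(parts[0] + '.' + parts[1], signature)) {
      return { ok: false, reason: 'bad signature' }
    }
    if (typeof payload.exp === 'number' && payload.exp <= now) {
      return { ok: false, reason: 'expired' }
    }
    return { ok: true, payload }
  }
}

// Builds a constructed sample token for the demo below.
function makeToken (alg, key, payload) {
  const data = b64url(JSON.stringify({ alg, typ: 'JWT' })) + '.' + b64url(JSON.stringify(payload))
  const sig = alg === 'HS256'
    ? nodeCrypto.createHmac('sha256', key).update(data).digest()
    : nodeCrypto.sign('sha256', Buffer.from(data), key)
  return data + '.' + b64url(sig)
}

function demo () {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 })
  const pem = publicKey.export({ type: 'spki', format: 'pem' })
  const now = 1700000000 // fixed clock so the result is reproducible
  const claims = { sub: 'provisioning-client', exp: now + 3600 }
  const rsToken = makeToken('RS256', privateKey, claims)
  const hsToken = makeToken('HS256', 'shared-secret', claims)
  const unsigned = b64url(JSON.stringify({ alg: 'none' })) + '.' + b64url(JSON.stringify(claims)) + '.'

  const publicKeyOnly = buildVerifier({ publicKey: pem })
  const secretOnly = buildVerifier({ secret: 'shared-secret' })
  return {
    rsWithPublicKey: publicKeyOnly(rsToken, now).ok,
    hsWithPublicKey: publicKeyOnly(hsToken, now).reason,
    hsWithSecret: secretOnly(hsToken, now).ok,
    rsWithSecret: secretOnly(rsToken, now).reason,
    unsigned: publicKeyOnly(unsigned, now).reason,
    tampered: publicKeyOnly(rsToken.slice(0, -4) + 'AAAA', now).reason,
    expired: publicKeyOnly(rsToken, now + 7200).reason
  }
}
```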

PUT requests are incorrectly returning 204

modifyUser does not work correctly for PUT requests. It always returns a 204. That is only a valid response for PATCH requests. Per spec, a PUT request must return a 200 with the entire resource within the response body.

"Unless otherwise specified, a successful PUT operation returns a 200
OK response code and the entire resource within the response body,
enabling the client to correlate the client's and the service
provider's views of the updated resource."

Plugin LDAP not working (Open LDAP)

Hi there,

I am using an Open LDAP container image (osixia/openldap:1.5.0), the initial tree structure is based on:

dc=example,dc=org

I imported the attached LDIF:
democorp (1).ldif.zip

So, I have new users into my ldap tree, when I do configure my ldap plugin, like this:

        "username": "cn=admin,dc=example,dc=org",
        "password": "NGYzYjU3NTE3NjAwYWU0MmNiMTBmNTcxNGI3MjY5NGU6MjM1YWRjODI1M2FkMDljNjQyMTBlOTYxNjA1ZTZlNTY=",
        "ldap": {
          "userBase": "dc=example,dc=org",
          "groupBase": "",
          "userFilter": "",
          "groupFilter": null,
          "userNamingAttr": "cn",
          "groupNamingAttr": "cn",
          "userObjectClasses": [ 
            "person",
            "organizationalPerson",
            "inetOrgPerson",
            "top"
          ],

When I try to execute an HTTP GET, I am getting the following result:

{
    "Resources": [],
    "itemsPerPage": 0,
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:ListResponse"
    ],
    "startIndex": 1,
    "totalResults": 0
}

Any idea of what I might be doing wrong? I've been investigating many ways to solve it, but no success so far.

Thanks in advance

Edgar

Can we change path for log file ?

Hi jelhub

By default, scimgateway creates log file on logs/plugin-loki.log path. Can we provide custom path for log-file ?

Regards

Port number not guaranteed to be numeric

On cloud systems and especially MS Azure the network abstractions sometimes take alternate forms. Within Azure ports are identified as "named pipes" which may take a form other than numeric.

The isValidconfig function checks for a numeric value:

else if (key === 'port') { // number
//on PaaS sometimes the port is delivered as non-numeric string
//if (!val || typeof (val) !== 'number') return false;
}

This needed to be commented out in order to run the solution on MS Azure. Since the plugin-xxxx.json config is tightly coupled with the plugin-xxxx.js modules would it make sense to move the validation to the plugin-xxxx.js?

In that fashion users can provide their own solution for the validation step that matches their context.

primary email not set error while trying to sync users

Hi @jelhub

Using LDAP plugin - we can retrieve the AD users/groups details successfully. And we can register the SCIM GW application on Oracle cloud. However, during users sync we noticed that it is failing with an error like "Primary email must be set"

When we invoke get /Users endpoint from browser - we see email details of type and value but no 'primary' information .
I have noticed that in plugin-ldap.js we need to expose the emails.primary attribute in /Users endpoint.

following are attributes mapping from cloud to application
$(account.primaryEmail) --> emails[primary eq true and type eq "work"].value
Please let me know your thoughts on this one.

many thanks

Fetching users returns users groups with all the groups members in them

When fetching user (/Users), the groups' attribute is returned containing a list of all the groups the user is part of. Then each of those groups within the users returns a list of all their members.
(Not representative of a complete response, here is an example of how the payload is currently structured)

{
  "id": "fbc56952-0c46-4c00-80b3-fc48fbef8eaa",
  "groups": [
    {
      "value": "383e9f70-a1af-4e26-b068-d2454aca0260",
      "members": [
        {
          "value": "fbc56952-0c46-4c00-80b3-fc48fbef8eaa"
        },
        {
          "value": "b6ccf7e6-ac9e-4db8-b81c-b0167d431a95"
        }
      ]
    }
  ]
}

This can create large responses when the user belongs to many groups with many users (in my case, 120MB for a single user).

I propose changing https://github.com/jelhub/scimgateway/blob/master/lib/scimgateway.js#L791 to remove the members.value. This could be breaking for people relying on it, or it could be hidden behind a feature flag.

Doing this is within the SCIM Schema specification. As outlined in section 4.1.2 https://www.rfc-editor.org/rfc/rfc7643#section-4.1.2, under the heading of groups,

SCIM service provider exposes a "Group" resource, the "value" sub-attribute MUST be the "id", and the "$ref" sub-attribute must be the URI of the corresponding "Group" resources to which the user belongs.

This, in my eyes, would mean that members is at least an optional attribute to return on the user response payload. This is further backed up by the full user representation listed here https://www.rfc-editor.org/rfc/rfc7643#section-8.2. While the specification refers to a non-normative example, it provides an insight into what the specification authors were expecting as part of the standard.

Let me know what you think. I've already implemented the change on my fork (without the feature flag). So happy to carry this forward to a PR if you agree with the above.

Cheers,
Sam

filter doesn't support customization

In developing a custom plugin, I would like to fully support the filtering as specified in the SCIM standard. However, it appears that the code only allows for displayname filtering .. and returns a 404 on any filter that doesn't include that attribute.

Is it possible to bypass the filter check, and pass the entirety of the filter querystring onto the plugin for manual parsing?

Question: Resource (User/Group) ID substitution in scim gateway

Hi,

We are looking at using scimgateway to expose SCIM 2.0 interface, and are building a custom plugin to integrate with our own identity service backend. We have a question around a piece of code we came across as we develop our plugin.

When we create a user record in our plugin, our plugin returns the full user object (including the ID) of the newly created user in the response. However, this piece of code substitutes our id with the userName - jsonBody.id = jsonBody.userName - and does another GET on the same object using the userName field.

https://github.com/jelhub/scimgateway/blob/master/lib/scimgateway.js#L1094-L1101

If userName doesn't exist on the return object, it would do the same with externalId field.

Any reasons the scimgateway needs to:

  1. substitute the id returned by the plugin with either userName or externalId and
  2. re-retrieve the same object using a different filter

While the plugin returns full user object.

We are just wondering if there's a usecase that scimgateway is catering for that we are not aware of.

Thanks,
Josh

[BUG] Delete user on Azure, azure provisioning call to SIMGATEWAY to delete user but SIMGATEWAY response {"statusCode":204,"statusMessage":"No Content"}

Hi guys,
I set up scimgateway on my local machine, I linked my azure provisioning to my local scimgateway.
Create user, update user works just fine but delete is not working, scimgateway response no content.

Here is the log of delete user on my local scimgateway:

2021-12-22T14:01:40.129 debug: scimgateway[plugin-loki] [Modify User] [email protected]
2021-12-22T14:01:40.130 debug: scimgateway[plugin-loki] convertedBody={"active":false}
2021-12-22T14:01:40.130 debug: scimgateway[plugin-loki] calling "modifyUser" and awaiting result
2021-12-22T14:01:40.130 debug: plugin-loki[undefined] handling "modifyUser" [email protected] attrObj={"active":false}
2021-12-22T14:01:40.131 info: scimgateway[plugin-loki] 176ms [my-azure-ip] token PATCH http://mylocalsimgateway.com Inbound = {"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[{"op":"Replace","path":"active","value":"False"}]} Outbound = {"statusCode":204,"statusMessage":"No Content"}

Is this an issue of azure provisioning or my local scimgateway?

Using SCIM Plugin for invoke one or more plugins

Hi there,

Seems that scim-plugin.js is a proxy/façade for the other scim extensions, am I right?

If that is the goal for scim-plugin.js, how to add more than one endpoint as the requests' destination?

Cheers

Edgar

MongoDB or MySQL plugins

Hi,

Do you know of anyone who has developed a plugin for MongoDB or MySQL? I can't seem to find any references anywhere.

If you develop that ourselves, would you like to add it to your repository?

Cheers.

Sending token to backend

Our IDP will be sending a token to SCIM Gateway. In the handlers (createUser, updateUser, etc.) we want access to this token since it will then be used to communicate with our back end.

But the handler API is

scimgateway.createUser = async (baseEntity, userObj)

instead of

scimgateway.createUser = async (ctx, userObj)

Is there any other way of accessing the token of the original request to SCIM Gateway?

How to get cleartext bearer token in functions?

When modifying users, I would like to keep track of who did the action based on the bearer token used. However, I can't seem to find a method or parameter which will return the bearer token for me to reference the respective user.

Is there a way to do so?


Wrong parsing of Users PATCH body

Hello,
I'm currently implementing a custom scimgateway plugin, that must work with SCIM 2.0.

I have run some tests, using Azure AD Provisioning Service as IdP. During test execution, I identified an issue in parsing the body of Users PATCH requests.

Consider the following PATCH body:

{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [
    {
      "op": "Add",
      "path": "name.givenName",
      "value": "Barbara"
    },
    {
      "op": "Add",
      "path": "name.familyName",
      "value": "Jensen"
    },
    {
      "op": "Add",
      "path": "name.formatted",
      "value": "Barbara Jensen"
    }
  ]
}

After parsing the body, scimgateway invokes my plugin by passing the following object:

{
  name: {
    givenName: undefined,
    familyName: undefined,
    formatted: undefined
  }
}

i.e. all values in the internal object are undefined.

This seems to be caused by the following line:

} else dot.str(element.path, element.value[0].value, scimdata) // handle e.g name.familyName

If I replace element.value[0].value with element.value, i.e.:

} else dot.str(element.path, element.value, scimdata) // handle e.g name.familyName

then it seems to work as expected. Indeed, after applying this change, my plugin code receives the following data:

{
  name: {
    givenName: 'Barbara',
    familyName: 'Jensen',
    formatted: 'Barbara Jensen'
  }
}

I am willing to open a PR for this issue. However, I'm not sure if this change would be correct in any scenario or if it is just a workaround for this case.

Just a suggestion. How to run a new scimgateway project as a docker container.

Instructions for running a new scimgateway project as a docker container. This includes a solution for file system persistence (for the plugin configs and loki.db) between container restarts:

Documentation / How to:

https://gist.github.com/visualjeff/796f9b49d1b3ec633f794df719e6e1c6#file-gistfile1-txt

Three files need to be added to a new scimgateway project to dockerize it:

  1. docker-compose.yml

https://gist.githubusercontent.com/visualjeff/796f9b49d1b3ec633f794df719e6e1c6/raw/88483166411d7df6d791a7a3a20fccc038b3aad6/docker-compose.yml

  2. Dockerfile

https://gist.githubusercontent.com/visualjeff/796f9b49d1b3ec633f794df719e6e1c6/raw/88483166411d7df6d791a7a3a20fccc038b3aad6/Dockerfile

  3. DataDockerfile

https://gist.githubusercontent.com/visualjeff/796f9b49d1b3ec633f794df719e6e1c6/raw/88483166411d7df6d791a7a3a20fccc038b3aad6/DataDockerfile

Jeff

Modify Groups

Hi, what is the best way to create a Group modify method? I couldn't find this method, only modify users.

User synced From App type is immutable

hi @jelhub

While trying to update existing user from SCIM GW (plugin LDAP - which reads users/groups from on prem AD).
We are seeing this error on OCI IDCS

'The attribute urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User:syncedFromApp.type is immutable.' error occurred at step: 'Update User'

Please note that we are using authorized sync to sync users from SCIM to Oracle Cloud IDCS.

Do we need to remove the existing user and sync it again or update should work fine as-is which is not happening in this case. Please let me know

thanks

Can I use multiple plugins?

  • Looking at the current implementation, every plugin needs a config file that describes the standard scimgateway configuration.
  • If I want to use multiple plugins in the same gateway application, how can I do that?
  • It will contain scimgateway config. for each plugin which can create problems.

Returning wrong schema for modifyGroup PATCH request

PATCH requests come in with urn:ietf:params:scim:api:messages:2.0:PatchOp for the schema value. The router.patch method is simply echoing back the schema that is sent from the server. It needs to be sure to return ['urn:ietf:params:scim:schemas:core:2.0:Group'] for the schema.

I inserted the following:
ctx.body = jsonBody // using original body instead of retrieving actual data
// The schema comes in ["urn:ietf:params:scim:api:messages:2.0:PatchOp"]. That needs to be converted to
// ['urn:ietf:params:scim:schemas:core:2.0:Group'] for the response. Line below was inserted
ctx.body.schemas=['urn:ietf:params:scim:schemas:core:2.0:Group']

This updates the schema to ensure the correct value is returned. Servers validating the schema value will fail until this is done

installation on windows fails

\Code\my-scimgateway>npm install scimgateway
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: '@azure/[email protected]',
npm WARN EBADENGINE required: { node: '10 || 12 || 14 || 16 || 18' },
npm WARN EBADENGINE current: { node: 'v19.2.0', npm: '8.19.3' }
npm WARN EBADENGINE }

up to date, audited 352 packages in 4s

52 packages are looking for funding
run npm fund for details

5 high severity vulnerabilities

To address all issues (including breaking changes), run:
npm audit fix --force

Run npm audit for details.

Okta + Auth0

Hi,
I would like to use Okta and Auth0 such that the input is Okta (SCIM 2.0) and the output is Auth0.
I assume that Okta is compatible with scimgateway.
Is there a plugin in the work for Auth0? Assuming Auth0 is extremely popular, I was hoping there is already a plugin available.

Thanks

Updated tedious package breaks mssql sample.

Hi
Started a fresh install and found that mssql does not work. Tedious is not connecting to server at all.
I guess it has something to do with the new way to make a connection that was introduced in v10.
When using 9.2.1 it works.

https://github.com/tediousjs/tedious/releases
10.0.0 (2021-01-13)
BREAKING CHANGES
Creating a new Connection instance will no longer establish a connection to the server automatically. Please use the new connect helper function or call the .connect method on the newly created Connection object instead.

best regards
Magnus

add a property to disable activities of postinstall script

Using the ability for .npmrc properties to be available via process.env, add a check for a property which can disable postinstall script to simplify keeping up to date.

PR on its way...

Why is this useful

this is what I added to the README:

When maintaining a set of modifications it is useful to disable the postinstall operations to keep your changes intact by setting the property scimgateway_postinstall_skip = true in .npmrc.

What problem it solves

to not have (allows me to delete) plugins and integrations with databases I don’t use

Hostname not guaranteed static

My organization has been experimenting with https://github.com/jelhub/scimgateway as a provisioning solution hosted and connected to MS Azure AAD. We found some limitations with the code and will make recommendations to correct these. This can apply to any cloud provider hosted solution and not just MS Azure.

The first problem we encountered is with the secrets management strategy chosen. With cloud fabric solutions you might not be guaranteed that a static hostname is delivered to your app -- this is the case with MS Azure, and any strategy that relies on a static hostname should have a way to mitigate the case where it is not guaranteed static.

In the config recovery code (lib/utils.js) we added:

var myhost = process.env.hostname_deg || require('os').hostname();
var chi = require('path').basename(configFile) + myhost;

To ensure a static value on MS Azure this is required.

The hostname_deg value must be set on the environment variables prior to execution.

LDAP: custom attribute only visible in result during CREATE

Hi,

I have created an 'initials' attribute in a custom schema.

The attribute is mapped to an LDAP attribute in ldap-config.json.

    },
    "initials": {
      "mapTo": "name.initials",
      "type": "string"
    },

Custom attribute in <customschema.json>

[
  {
    "name": "User",
    "attributes": [
      {
        "name": "name.initials",
        "type": "string",
        "multiValued": false,
        "description": "initials",
        "readOnly": false,
        "required": false,
        "mutability": "readWrite",
        "returned": "default",
        "uniqueness": "none",
        "caseExact": false
      }
    ]
  },
  {
    "name": "Group",
    "attributes": []
  }
]

When a user is created the attribute is visible in the output and is correctly written to ldap

"name": {
    "formatted": "John Doe",
    "familyName": "Doe",
    "givenName": "John",
    "initials": "J"

But all GET operations regarding the USER or USERS do not show this specific custom attribute in the response.

I understand that the custom attributes are imported in the core schema during startup. Am I doing something wrong or could this be a bug or by design? Is it possible to configure that a custom attribute will be shown in the GET results?

Latest version of SCIM Gateway is being used for testing.

Thank you for your work!

Michael

add support for interpolation of raw text secrets files

Why is this requested

We store secure values in a secrets engine as individually managed units. Assembling all those values into files at deployment time is not a best practice.

The proposed solution

The predominant way to provide these secrets is by mounting them directly in the file system as individual files with raw text values. I'd like to propose to extend the process.env.|file. model adding process.text. which would allow a file to be read as just a (UTF-8) string.

compound operations in Patch result in an error

When posting a patch to replace all group memberships per the following:

{ "op":"remove", "path": "members" }, { "op":"add", "path":"members", "value": { "value": "Group1" } }

The gateway can process the filters individually, but not together. Per the SCIM standard, the operations should be accepted, and processed sequentially based on the input. As this is part of a custom plugin, perhaps the easiest way to deal with this is to allow bypassing the built in parse of the operations, and pass the entire body to the handler in the plugin. This could be based on a flag in the plugin configuration for ease of use.
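
Sequential processing of PatchOp operations, as an added example that is not scimgateway's code. It covers this report (a remove followed by an add on members) and the earlier "Wrong parsing of Users PATCH body" report (dotted paths with a scalar value). The function names, the `MULTI_VALUED` list and the sample resources are assumptions; paths with value filters or URN prefixes are rejected rather than guessed at, and path segments that could reach the object prototype are refused.

```javascript
// Added example, not scimgateway code: applies SCIM 2.0 PatchOp operations in order.
const MULTI_VALUED = new Set(['members', 'emails', 'groups']) // assumption: array attributes
const FORBIDDEN_KEYS = new Set(['__proto__', 'prototype', 'constructor'])

function splitPath (path) {
  if (typeof path !== 'string' || path === '') throw new Error('path must be a non-empty string')
  if (/[[\]]/.test(path) || path.startsWith('urn:')) {
    throw new Error(`only plain dotted paths are handled: ${path}`)
  }
  const keys = path.split('.')
  // Refuse segments that would write through to Object.prototype.
  if (keys.some(k => k === '' || FORBIDDEN_KEYS.has(k))) throw new Error(`invalid path: ${path}`)
  return keys
}

function setValue (target, path, value, op) {
  const keys = splitPath(path)
  const last = keys.pop()
  let node = target
  for (const k of keys) { // create intermediate objects, e.g. "name" for name.givenName
    if (node[k] === null || typeof node[k] !== 'object') node[k] = {}
    node = node[k]
  }
  if (!MULTI_VALUED.has(last)) { // scalar: the value is used as sent
    node[last] = value
    return
  }
  // Multi-valued: accept one object or an array; "add" appends, "replace" overwrites.
  const incoming = Array.isArray(value) ? value : [value]
  const current = op === 'add' && Array.isArray(node[last]) ? node[last] : []
  const seen = new Set(current.map(e => e.value))
  node[last] = current.concat(incoming.filter(e => !seen.has(e.value)))
}

function removeValue (target, path, value) {
  const keys = splitPath(path)
  const last = keys.pop()
  let node = target
  for (const k of keys) {
    if (node[k] === null || typeof node[k] !== 'object') return // nothing to remove
    node = node[k]
  }
  if (value !== undefined && Array.isArray(node[last])) { // remove listed entries only
    const drop = new Set((Array.isArray(value) ? value : [value]).map(e => e.value))
    node[last] = node[last].filter(e => !drop.has(e.value))
  } else {
    delete node[last] // remove the whole attribute
  }
}

function applyPatch (resource, patchBody) {
  const ops = patchBody && patchBody.Operations
  if (!Array.isArray(ops)) throw new Error('Operations must be an array')
  const result = JSON.parse(JSON.stringify(resource)) // copy: a failing op leaves the input untouched
  for (const { op, path, value } of ops) {
    const name = String(op).toLowerCase() // Azure AD sends "Add" / "Replace"
    if (name === 'remove') {
      removeValue(result, path, value)
    } else if (name === 'add' || name === 'replace') {
      if (value === undefined) throw new Error(`${op} requires a value`)
      if (path === undefined) { // no path: value is an object of attributes
        for (const [k, v] of Object.entries(value)) setValue(result, k, v, name)
      } else {
        setValue(result, path, value, name)
      }
    } else {
      throw new Error(`unsupported op: ${op}`)
    }
  }
  return result
}

// Constructed inputs mirroring the two reports on this page.
const userPatch = {
  schemas: ['urn:ietf:params:scim:api:messages:2.0:PatchOp'],
  Operations: [
    { op: 'Add', path: 'name.givenName', value: 'Barbara' },
    { op: 'Add', path: 'name.familyName', value: 'Jensen' },
    { op: 'Add', path: 'name.formatted', value: 'Barbara Jensen' }
  ]
}
const groupPatch = {
  schemas: ['urn:ietf:params:scim:api:messages:2.0:PatchOp'],
  Operations: [
    { op: 'remove', path: 'members' },
    { op: 'add', path: 'members', value: { value: 'Group1' } }
  ]
}
const sampleGroup = { displayName: 'Admins', members: [{ value: 'UserA' }, { value: 'UserB' }] }
```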

custom attribution addition

hi @jelhub

Thanks for SCIM GW. I have synced users from on-prem AD to Oracle IDCS
while verifying the sync user information - "Federated" option is disabled in IDCS

In order to enable this - I'm wondering if we need to create the following custom attribute on on-prem AD by updating the schema or just map custom attribute in SCIM GW.

  • Mapping type: Constant
  • Constant value: true
  • Target attribute: urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User:isFederatedUser

please share your thoughts
https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/oracle-cloud-infrastructure-console-provisioning-tutorial

thanks

password not synced

Hi @jelhub

Now with the plugin - ldap I see the users/groups are synced to Oracle IDCS
however when I tried to log in to the OCI console - it throws "Invalid username / password"

Do we need a mapping for the password attribute as well from SCIM GW to IDCS? Please let us know.

many thanks

Just a suggestion. Might be worth adding to the project?

You can debug a running docker container (using Visual Studio Code) if you add the following file (docker-compose-debug.yml) to your project:

version: '2'
services:
  scimgateway:
    ports:
      - "8880:8880"
      - "5858:5858"

When you start-up the app using this command:

docker-compose -f docker-compose.yml -f docker-compose-debug.yml up -d

Start Visual Studio Code and follow these debugging instructions: https://code.visualstudio.com/docs/nodejs/nodejs-debugging

Jeff

PS. Hopefully users might find this helpful.

No schemas included for /Users objects

Hi,

I am using 3.2.9

I can return /Users and /Groups, however, unlike the test rest/loki plugin, I get no User Schema in response(null):

{"Resources":[[{"uri":"/principal/internal/user/adam.arnold","id":"11","userName":"adam.arnold","type":"user","AlternateId":"ec29f73d-ec39-4327-9e35-13c0d21b2021","IdP":"internal"},null],[{"uri":"/principal/internal/user/pjones","id":"10","userName":"pjones","type":"user","AlternateId":"236ef0fc-0915-43a0-bbcf-1bdf0fe0d6d7","IdP":"internal"},null],
"totalResults":6,"itemsPerPage":6,"startIndex":1,"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],"meta":{"resourceType":"User"}}

This is my ExploreUser js:
// =================================================
// exploreUsers
// =================================================
scimgateway.exploreUsers = async (baseEntity, attributes, startIndex, count) => {
  const action = 'exploreUsers'
  scimgateway.logger.debug(`${pluginName}[${baseEntity}] handling "${action}" attributes=${attributes} startIndex=${startIndex} count=${count}`)
  const ret = { // itemsPerPage will be set by scimgateway
    Resources: [],
    totalResults: null
  }
  const method = 'GET'
  const path = `/principal?verbose=true&depth=5&page_size=50&page_number=1`
  const authorization = 'Bearer ' + access_token
  const options = {
    headers: {
      'Authorization': authorization, // body must be query string formatted (no JSON)
      'Content-Type': 'application/json', // body must be query string formatted (no JSON)
      'Accept': 'application/json' // body must be query string formatted (no JSON)
    }
  }
  const body = authorization
  // const body = JSON.stringify(data)
  try {
    const response = await doRequest(baseEntity, method, path, body, options)
    const res = JSON.stringify(response.body)
    const obj = JSON.parse(res)
    // const err = new Error(`Response message: ${response.statusMessage} - ${JSON.stringify(response.body)}`)
    console.log('User Count :' + obj['IdentityProviders'][0]['PrincipalTypes'][0]['Users'].length)
    // throw (err)
    if (response.statusCode < 200 || response.statusCode > 299) {
      const err = new Error(`Error message: ${response.statusMessage} - ${JSON.stringify(response.body)} - ${access_token}`)
      throw (err)
    } else if (!response.body.IdentityProviders) {
      const err = new Error(`${action}: Got empty response on REST request`)
      throw (err)
    }
    if (!startIndex && !count) { // client request without paging
      startIndex = 1
      count = obj['IdentityProviders'][0]['PrincipalTypes'][0]['Users'].length
    }
    console.log('count = ' + count)

    const arrAttr = attributes.split(',')

    // const arrAttr = parsedAttr.split(',')
    for (let index = startIndex - 1; index < obj['IdentityProviders'][0]['PrincipalTypes'][0]['Users'].length && (index + 1 - startIndex) < count; ++index) {
      const retObj = obj['IdentityProviders'][0]['PrincipalTypes'][0]['Users'][index]
      console.log('endpointMapper test : ' + scimgateway.endpointMapper('inbound', 'Uri', scimgateway.endpointMap.SecretsSafeUser))
      console.log('endpointMapper test : ' + scimgateway.endpointMapper('inbound', retObj, scimgateway.endpointMap.SecretsSafeUser))
      let parsedAttr = scimgateway.endpointMapper('inbound', retObj, scimgateway.endpointMap.SecretsSafeUser)
      // const [scimUser] = scimgateway.endpointMapper('inbound', retObj, scimgateway.endpointMap.SecretsSafeUser)
      if (!attributes) ret.Resources.push(parsedAttr)
      else { // return according to attributes (userName or externalId should normally be included and id=userName/externalId)
        console.log('EEEEEEEEEEEEEEEEEE else 154')
        let found = false
        const obj = {}
        for (let i = 0; i < arrAttr.length; i++) {
          const key = arrAttr[i].split('.')[0] // title => title, name.familyName => name
          if (retObj[key]) {
            obj[key] = retObj[key]
            found = true
          }
        }
        if (found) ret.Resources.push(obj)
      }
    }
    // not needed if client or endpoint do not support paging
    ret.totalResults = obj['IdentityProviders'][0]['PrincipalTypes'][0]['Users'].length
    ret.startIndex = startIndex
    return ret // all explored users
  } catch (err) {
    const newErr = err
    throw newErr
  }
}

Compliance Tests Failing

The server is failing the simplecloud.info compliance SCIM 1.1 tests relating to PATCH tests 7-16 when configured for plugin-test.
