
Comments (18)

opatey commented on August 30, 2024 1

@AmitavaHazra - if I have understood what you are doing correctly, your earlier message suggested that you are running the sample application locally:
https://localhost:44326/scim/Users?filter=externalId eq testing1

Your Azure AD tenant will not synchronise its Identity Domain with an SCIM endpoint unless it is configured to; see Integrate your SCIM endpoint with the Azure AD.

It does this via server-to-server HTTP requests, so it cannot be configured to synchronise with a local instance unless you can somehow make your local instance available at a public DNS location.

from scimreferencecode.

marcusca10 commented on August 30, 2024

The behavior is expected: SCIM is an API, and as we didn't create a landing page, that's the browser behavior. While the browser is still open, use the procedure described here to test it with Postman:
https://github.com/AzureAD/SCIMReferenceCode/wiki/Test-Your-SCIM-Endpoint

from scimreferencecode.

AmitavaHazra commented on August 30, 2024

@marcusca10, thanks for clarifying this.

Currently, when I trigger a GET request for a valid user from my Azure AD tenant, I get the response below from Postman.
Request:
https://localhost:44326/scim/Users?filter=externalId eq testing1

(testing1 = mailnickname)

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:ListResponse"
    ],
    "totalResults": 0,
    "itemsPerPage": 0,
    "startIndex": null,
    "Resources": []
}

Can you please comment on why exactly it is not able to return the user while authorization is working well?
PASS
Status code is 200
PASS
Id is requsted

from scimreferencecode.

marcusca10 commented on August 30, 2024

Authorization is definitely fine, the reason is the filter "externalId eq testing1" does not find any user:
"totalResults": 0
Try ?filter=DisplayName+eq+%22BobIsAmazing%22

from scimreferencecode.

AmitavaHazra commented on August 30, 2024

Hi,

But I am searching with the correct mailnickname, which is available in my Azure tenant. The user is present in Azure AD but it's still not returning.

from scimreferencecode.

marcusca10 commented on August 30, 2024

For the original issue, I included Open API support to the web project in the following branch
open-api
Give it a try

from scimreferencecode.

AmitavaHazra commented on August 30, 2024

@opatey,
Thanks for your clarification. If I understood correctly, I have to integrate this application in Azure AD.
Now I was integrating it using https://localhost:44356/scim/ as the tenant URL and I kept the security token blank. I got the error below. Is it possible to test this with localhost?
Also I used the bearer token from https://localhost:44356/scim/token in Security token but still no luck.

Can you please guide me here?

Error:
You appear to have entered invalid credentials. Please confirm you are using the correct information for an administrative account.

Error code: SystemForCrossDomainIdentityManagementCredentialValidationUnavailable
Details: We received this unexpected response from your application:

from scimreferencecode.

AmitavaHazra commented on August 30, 2024

@marcusca10,

Thanks for this update. Now please help me to integrate it with Azure AD. The issue has been described in the above comments.

from scimreferencecode.

AmitavaHazra commented on August 30, 2024

@opatey,

I tested the two scenarios below.

  1. I have hosted this sample reference app in App Service and added https://microsoftscimwebhostsample20200519173539.azurewebsites.net/scim as the tenant URL in the enterprise application and kept the security token blank. After that, provisioning is working as expected. But how can I see those users in the app? Currently the provisioning log is showing that it provisioned users and groups, but I am not sure where to check in the application.

  2. While testing this in Postman with https://microsoftscimwebhostsample20200519173539.azurewebsites.net/scim/Users?filter=externalId eq amartya1
    it has an authentication issue, since I am not able to generate a bearer token using the https://microsoftscimwebhostsample20200519173539.azurewebsites.net/scim/Token endpoint, which I was able to do using localhost. It is showing a 404 page not found error.
    Can anyone guide me on this?

Any help is much appreciated.

from scimreferencecode.

opatey commented on August 30, 2024

I'm glad you managed to get the sample application provisioned with your users/groups successfully 🎉 that is all the functionality this project provides OOTB, the next step is up to you.

But how can I see those users in the app? Currently the provisioning log is showing that it provisioned users and groups, but I am not sure where to check in the application.

The idea is that you see the users in your existing application's user management area or database.

To do this, take a look at the sample application's In Memory Providers; you need to modify these classes (or register different implementations in the DI container) so that SCIM updates are merged into your own user model or database tables.

For example, my existing application is a .NET Core web application with existing code to create users. Once I had seen the integration working as you have, I put the WebHostSample application to one side and referenced the Microsoft.SystemForCrossDomainIdentityManagement assembly directly in my existing application.

IProvider and IMonitor get some implementations that are relevant to my specific architecture and away I go.

If you are trying to write a new app, this is not the best starting point. You want something more like Create a web app with authentication. This project can then help make it SCIM aware.

Phew! Hope this helps 🤞

from scimreferencecode.

AmitavaHazra commented on August 30, 2024

@opatey,

Thanks for your explanation. I will try to map those provider classes to the application DB.

But can you please tell me why I could not make a request using the App Service hosted URL in Postman?

I mean my second question.

While testing this in Postman with https://microsoftscimwebhostsample20200519173539.azurewebsites.net/scim/Users?filter=externalId eq amartya1
it has an authentication issue, since I am not able to generate a bearer token using the https://microsoftscimwebhostsample20200519173539.azurewebsites.net/scim/Token endpoint, which I was able to do using localhost. It is showing a 404 page not found error.
Can anyone guide me on this?

from scimreferencecode.

AmitavaHazra commented on August 30, 2024

@opatey, Hi,

I have created an ASP.NET Core MVC app for DB CRUD operations.
Reference:
https://docs.microsoft.com/en-us/aspnet/core/tutorials/first-mvc-app/working-with-sql?view=aspnetcore-3.1&tabs=visual-studio

Now I have added a reference to the SCIM sample app.

..\..\..\Documents\SCIM_CONNECTOR\SCIMReference\SCIMReferenceCode-open-api\Microsoft.SystemForCrossDomainIdentityManagement\bin\Debug\netcoreapp3.1\Microsoft.SCIM.dll

Code structure:
Data folder: MvcMovieContext.cs, which is the DB context class.
Model:
Movie model class, which is nothing but a representation of the DB table.
Seed.cs (this is just to update the DB table)
Controller:
MovieController.cs, which handles all the CRUD operation related code.

Unfortunately I am not getting how to use the provider related classes from Microsoft.SystemForCrossDomainIdentityManagement in my MVC app so that I can make it SCIM aware.
Since you have done a similar thing, can you please help me a bit more?

from scimreferencecode.

opatey commented on August 30, 2024

@AmitavaHazra - I am not sure why you are getting 404s from here: https://microsoftscimwebhostsample20200519173539.azurewebsites.net/scim/Token when it works for you locally.

I thought it might be an ASPNETCORE_ENVIRONMENT=Development/Production difference, because the token endpoint absolutely should not be used in production. However /scim/token is issuing bearer tokens in both modes, locally.

One thing I had to do (which you could try) is to remove the RootController class - I found that this controller handled some requests that it shouldn't. I'm not convinced this is your problem though, because I could reproduce it locally.

All this being said, even if you do manage to get the /scim/token endpoint working, the resulting token cannot be accepted at the same time as Bearer tokens from Azure AD with the current code. The default authentication scheme can be configured to trust one, or the other, but not both.

The only other thing I can offer, is if you push this code:

I have created an ASP.NET Core MVC app for DB CRUD operations.
Reference:
https://docs.microsoft.com/en-us/aspnet/core/tutorials/first-mvc-app/working-with-sql?view=aspnetcore-3.1&tabs=visual-studio

Now I have added a reference to the SCIM sample app.

To a public repository and share a link, I will try and look over it for you to see if I can help with this specific aspect:

Unfortunately I am not getting how to use the provider related classes from Microsoft.SystemForCrossDomainIdentityManagement in my MVC app so that I can make it SCIM aware.

from scimreferencecode.

opatey commented on August 30, 2024

I also cannot stress how important it is that you DO NOT deploy something publicly that is:

  • Being sent information about your users from Azure AD via SCIM;
  • Also accepts bearer tokens returned by /scim/token with no authentication.

This could make your entire organisation's mobile phone numbers publicly available.

from scimreferencecode.
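
A deployment smoke test for the conditions in the warning above, for checking your own hosted copy of the sample before Azure AD is pointed at it. This is an added example, not part of the thread or of the SCIMReferenceCode project; the function names and the injectable `fetch` parameter are assumptions, and only the `/scim/token` and `/scim/Users` paths come from the discussion.

```python
import urllib.error
import urllib.request


def http_status(url, headers=None):
    """Return the HTTP status of a GET request, including 4xx/5xx responses."""
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit_scim_deployment(base_url, fetch=http_status):
    """Check a SCIM host you operate; base_url is the tenant URL ending in /scim.

    Returns a list of findings. An empty list means every check passed.
    """
    base = base_url.rstrip("/")
    findings = []

    # 1. The sample's token endpoint must not answer anonymous callers.
    status = fetch(base + "/token", {})
    if 200 <= status < 300:
        findings.append("token endpoint answers anonymous requests (HTTP %d)" % status)

    # 2. User data must not be readable without a bearer token.
    status = fetch(base + "/Users", {})
    if status not in (401, 403):
        findings.append("/Users accepted a request with no token (HTTP %d)" % status)

    # 3. A made-up token must be rejected too, i.e. token validation is enforced.
    status = fetch(base + "/Users", {"Authorization": "Bearer not-a-real-token"})
    if status not in (401, 403):
        findings.append("/Users accepted an invalid bearer token (HTTP %d)" % status)

    return findings


if __name__ == "__main__":
    import sys
    problems = audit_scim_deployment(sys.argv[1])  # e.g. https://<your-host>/scim
    print("\n".join(problems) or "no findings")
    sys.exit(1 if problems else 0)
```
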

AmitavaHazra commented on August 30, 2024

@opatey,

Actually I used default sample app offered from Microsoft.
https://docs.microsoft.com/en-us/aspnet/core/tutorials/first-mvc-app/working-with-sql?view=aspnetcore-3.1&tabs=visual-studio

If you can check sample code from MS it can also work.

from scimreferencecode.

AmitavaHazra commented on August 30, 2024

@opatey,

Here you go :)
https://github.com/AmitavaHazra/MvcMovieSCIM

It is just the sample app from Microsoft, which has DB injection and scaffolding in place. Please help me to make it SCIM aware.

Please change the authentication method to None so that you can access it. It is configured with my Azure AD authentication (free trial subscription).

from scimreferencecode.

AmitavaHazra commented on August 30, 2024

Please close this case.

from scimreferencecode.

AmitavaHazra commented on August 30, 2024

Please close this case since the original issue has been resolved. I will open further debug related issues in a new thread.

from scimreferencecode.
