laravel-scim-server's Introduction

SCIM 2.0 Server implementation for Laravel

Add SCIM 2.0 Server capabilities with ease. Usually, no configuration is needed in order to benefit from the basic functionalities.

composer require arietimmerman/laravel-scim-server

And optionally

php artisan vendor:publish --tag=laravel-scim

The module is used by idaas.nl and by The SCIM Playground.

Routes

+----------+-----------------------------------------+
| GET|HEAD | scim/v1                                 |
| GET|HEAD | scim/v1/{fallbackPlaceholder}           |
| POST     | scim/v2/.search                         |
|          |                                         |
| GET|HEAD | scim/v2/ResourceTypes                   |
| GET|HEAD | scim/v2/ResourceTypes/{id}              |
| GET|HEAD | scim/v2/Schemas                         |
| GET|HEAD | scim/v2/Schemas/{id}                    |
| GET|HEAD | scim/v2/ServiceProviderConfig           |
| GET|HEAD | scim/v2/{fallbackPlaceholder}           |
|          |                                         |
| GET|HEAD | scim/v2/{resourceType}                  |
|          |                                         |
| POST     | scim/v2/{resourceType}                  |
|          |                                         |
| GET|HEAD | scim/v2/{resourceType}/{resourceObject} |
|          |                                         |
| PUT      | scim/v2/{resourceType}/{resourceObject} |
|          |                                         |
| PATCH    | scim/v2/{resourceType}/{resourceObject} |
|          |                                         |
| DELETE   | scim/v2/{resourceType}/{resourceObject} |
|          |                                         |
+----------+-----------------------------------------+

Configuration

The configuration is retrieved from SCIMConfig::class.

Extend this class and register your extension in app/Providers/AppServiceProvider.php like this.

$this->app->singleton('ArieTimmerman\Laravel\SCIMServer\SCIMConfig', YourCustomSCIMConfig::class);

An example override

Here's one way to override the default configuration without copying too much of the SCIMConfig file into your app.

<?php

class YourCustomSCIMConfig extends \ArieTimmerman\Laravel\SCIMServer\SCIMConfig
{
    public function getUserConfig()
    {
        $config = parent::getUserConfig();

        // Modify the $config variable however you need...

        return $config;
    }
}

Security & App Integration

By default, this package does no security checks on its own. This can be dangerous, in that a functioning SCIM Server can view, add, update, delete, or list users. You are welcome to implement your own security checks at the middleware layer, or somehow/somewhere else that makes sense for your application. But make sure to do something.

If you want to integrate with already existing middleware, take the following steps:

Turn off automatic publishing of routes

Modify config/scim.php like this:

<?php
return [
    "publish_routes" => false
];

Next, explicitly publish your routes with your choice of middleware

In either your RouteServiceProvider, or in a particular route file, add the following:

use ArieTimmerman\Laravel\SCIMServer\RouteProvider as SCIMServerRouteProvider;

SCIMServerRouteProvider::publicRoutes(); // Make sure to add public routes *first*


Route::middleware('auth:api')->group(function () { // or any other middleware you choose
    SCIMServerRouteProvider::routes(
        [
            'public_routes' => false // but do not hide public routes (metadata) behind authentication
        ]
    );

    SCIMServerRouteProvider::meRoutes();
});
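
One way to implement the middleware-level check this section asks for, as an added example that is not part of this package: a Laravel middleware that authenticates SCIM clients against a static bearer secret and fails closed when the secret is unset. The class name `VerifyScimBearerToken` and the `scim.token` config key are assumptions.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

/**
 * Hypothetical middleware (added example, not shipped with laravel-scim-server).
 *
 * Assumption: config/scim.php contains  'token' => env('SCIM_TOKEN')
 * holding a long random secret that the identity provider sends as
 * "Authorization: Bearer <secret>".
 *
 * Use it in place of 'auth:api' in the route group above:
 *   Route::middleware(\App\Http\Middleware\VerifyScimBearerToken::class)->group(...);
 * Keep SCIMServerRouteProvider::publicRoutes() outside the group.
 */
class VerifyScimBearerToken
{
    public function handle(Request $request, Closure $next)
    {
        $expected  = (string) config('scim.token', '');
        $presented = (string) $request->bearerToken();

        // Fail closed: a missing or empty server-side secret must never
        // be satisfied by a request that carries no token.
        $ok = $expected !== ''
            && $presented !== ''
            && hash_equals($expected, $presented); // constant-time comparison

        if (! $ok) {
            // SCIM error body (RFC 7644, section 3.12); no detail that
            // tells the caller whether the token was absent or wrong.
            return response()->json(
                [
                    'schemas' => ['urn:ietf:params:scim:api:messages:2.0:Error'],
                    'detail'  => 'Authentication required.',
                    'status'  => '401',
                ],
                401,
                [
                    'Content-Type'     => 'application/scim+json',
                    'WWW-Authenticate' => 'Bearer',
                ]
            );
        }

        return $next($request);
    }
}
```

A single shared secret authenticates the caller but does not scope what it may read or write; per-client restrictions still have to be enforced separately.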

Test server

docker-compose up

Now visit http://localhost:18123/scim/v2/Users.

laravel-scim-server's People

Contributors

arietimmerman, atymic, besanek, dmyers, geoffreyvanwyk, jon-harald, juanf, tovijaeschke, tuarrep, uberbrady

laravel-scim-server's Issues

SCIM-tracing feature?

Thanks again for this really spectacular piece of engineering; it's enabled us to offer SCIM support to our users and customers and has been a great success for us.

We have found that adding a SCIM-trace feature to our fork of this implementation has really paid off when troubleshooting our customers' various SCIM implementation issues. It logs the HTTP method, URL, request content, and response content into a new log file, scim.log - when it's turned on. The way we did it was this: grokability#1 and we'd be happy to offer up a similar PR back here if there's any interest. It also adds a new parameter to the config/scim.php as scim.trace, and (in our case) read from the environment as SCIM_TRACE, defaulting to false. We also ended up adding a new logging facility to target the new scim.log file.

Please let me know if you'd be interested in such a PR and we'd be happy to contribute it back to this project which has really helped us out. And if not - no worries! No offense will be taken. Thanks again!

SCIM: group implementation, name should not be mandatory as per RFC

Even if SCIM is a flexible specification, your sample should stick to the standard in terms of mandatory fields so as not to break the contract (even if SCIM allows discovery of the contract).

The issue I got is about Group. The Group data model as defined is composed of:

a Common section around id, externalId and meta

and a

Group-specific section around displayName (mandatory) and members, which can be mandatory or not based on the implementation, and the return of /Schemas/urn:ietf:params:scim:schemas:core:2.0:Group

But name is not mentioned; making it mandatory breaks the "Default" implementation of the RFC and implies doing a specific mapping.

Otherwise I got this error:

{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:Error"
  ],
  "detail": "Invalid data!",
  "status": 400,
  "scimType": "invalidSyntax",
  "errors": {
    "urn:ietf:params:scim:schemas:core:2.0:Group:name": [
      "The urn:ietf:params:scim:schemas:core:2.0: group:name field is required."
    ]
  }
}

The GET https://api.scim.dev/scim/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:Group

should not have this either:

"attributes": [
{
"name": "name",
"type": "string",
"mutability": "readWrite",
"returned": "default",
"uniqueness": "server",
"required": true,
"multiValued": false,
"caseExact": false
},

Events for create/update/etc

Currently, we use the factory config option to set the factory to create the user object. This however is before the user is actually saved, and our application needs to do a bunch of processes once the user is created.

Would you accept a PR for events for the package, so external code can run after create/update? Or better suggestion if there's an easier way.

Thanks :D

Support for groups missing?

Hi, as far as I could see support for the Group endpoint is missing, or am I looking wrong?

For that reason I'm trying to implement this myself. I will be happy to share once it is finished, but I'm not there yet.

Currently I can create empty groups already (small steps :-) ). Now I'm looking into a GroupConfig that would add/remove the members. Unfortunately, I find the whole mapping structure a bit hard to understand. I'm stuck with mapping the members to a group. Would you have some bits of advice on how to tackle this?

thanks

Error After installation the Package when Testing the connection

Error: Class 'ArieTimmerman\Laravel\SCIM\Controllers\SCIMController' not found in file C:\xampp\htdocs\cms\app\Http\Controllers\Microsoft\SCIMController.php on line 6

  • My Controller Looks like this:
'/scim/v2/Users'], function () {
    Route::post('', 'Microsoft\SCIMController@store');
    Route::get('', 'Microsoft\SCIMController@index');
    Route::get('{id}', 'Microsoft\SCIMController@show');
    Route::put('{id}', 'Microsoft\SCIMController@update');
    Route::delete('{id}', 'Microsoft\SCIMController@destroy');
});

SCIMException when trying to map enterprise:manager's 'value' attribute

Hello again - sorry to be blowing up your repo with tons of requests for help, but I promise I'll return the favor and submit PR's with doc updates if we can figure everything out (and if you want me to. Your repo, your rules!).

I'm trying to map the 'manager' attribute in the enterprise namespace - specifically the 'value' sub-attribute within the 'manager' - to the manager_id in my User object.

Here's the validations I'm doing: https://github.com/uberbrady/snipe-it/blob/8f5aadbf26a78c96e843628f8dd32c7ca28b12d4/app/Models/SnipeSCIMConfig.php#L106-L115

And here's where I do the mapping to the field - please pardon the excessive logging which I'll of course remove once I've got everything working how I want - https://github.com/uberbrady/snipe-it/blob/8f5aadbf26a78c96e843628f8dd32c7ca28b12d4/app/Models/SnipeSCIMConfig.php#L141-L168

When I try force a 'provision' with those settings on one of my existing users who has a manager defined, I get:

[2022-03-30 11:35:24] local.ERROR: ArieTimmerman\Laravel\SCIMServer\Exceptions\SCIMException: Write is not implemented for "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager" in /Users/uberbrady/Documents/grokability/snipe-it/vendor/arietimmerman/laravel-scim-server/src/Attribute/AttributeMapping.php:361

I'm sure there's something I must be doing wrong in there - or maybe this could be related to the other PR that I submitted ( #19 ), in that I'm missing some kind of Schema declaration?

Thanks again for making this tool, and for trying to help me out. I very much appreciate it, and my users are really excited to get SCIM going - which I've only been able to do with your library. Thanks again!

multiple emails not supported

It's not uncommon to have multiple e-mail addresses linked to your Active Directory users. It is also in the spec that a user can have multiple mail addresses.
I noticed that this situation is not handled very well (creation fails). With a small fix I could make it survive the situation, but it would then always take the last mail address from the list of addresses, while one might filter for example the primary, or work address (the spec provides ways to filter on those properties). How could I fix that in the mapping, so that it will only validate the primary address?

"id" top-level attribute is returned as integer, but should be string

One of our customers is trying to integrate with JumpCloud, and apparently their SCIM client is very rigid, and requires the "id" attribute to be a string, not an integer.

Unfortunately, that's actually in the Spec here: https://datatracker.ietf.org/doc/html/rfc7643#section-2.2 - specifically:

If not otherwise stated in Section 7, SCIM attributes have the following characteristics:
...
o "type" is "string" (Section 2.3.1).

Furthermore, according to the SCIM spec https://datatracker.ietf.org/doc/html/rfc7643#section-3.1:

This identifier MUST be unique across the SCIM service provider's entire set of resources.

And if you use both Users and Groups, this is going to conflict. We don't currently use Groups, so that won't affect us, and if we do we will probably make the id become something like "group-1", "group-2", etc.

If there is interest, I would be happy to try and cobble together a PR that can implement some of these things. I'm also happy to provide any further details if it might help.

Possible to map extension attributes under custom schema namespace?

I'm having some trouble getting Okta to pull in attributes with my custom schema. After looking at it for a bit, I noticed the /scim/v2/Schemas route has a lot of the core scim schema attributes, but doesn't include any of the ones I add under the unmapped or my custom namespace which I think might be the issue, but I'm not positive just yet.

It looks like if I understand the SCIM v2 spec, I would have to customize the Tmilos SchemaBuilderV2 somehow in the Schema controller and somehow add my attributes with nested properties like name, type, mutability, etc like the core User has there.

I noticed the scim/v2/ResourceTypes/User endpoint has a schemaExtensions array which is empty too. I'm wondering if that needs to have a value to my namespace or something.

Curious if you have run into this before. The goal I was hoping to achieve is to be able to have my application attributes such as allow_email to be able to be mapped between services like Okta from another system that integrates their SCIM with my service.

Examples for collections

The SCIMConfig does not map addresses, phoneNumbers, ims, etc. I'm trying to implement this without success. I see the AttributeMapping class does have an eloquentCollection method. Can you share an example on how to map this? Thanks!

View Logs broken on DELETE

Here is a short video about it.

When clicking on a delete statement it just cleans the log screen; it should display the request, at least URL and header, and result.

Recording-20240724_164547.mp4

Add the bodies to remove a member from a group

Under the groups endpoint you now have an example to add a user to a group, could you also add the remove user from a group? Both the official documented way as documented in: https://datatracker.ietf.org/doc/html/rfc7644#section-3.5.2.2

   {
     "schemas":
      ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
     "Operations":[{
       "op":"remove",
       "path":"members[value eq \"32368858-e1e5-4f05-9306-682625714ec0\"]"
     }]
   }

And the, as far as I know, not documented variant by the RFC but the used option by many providers:

{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [
    {
      "op": "add",
      "path": "members",
      "value": [
        {
          "value": "32368858-e1e5-4f05-9306-682625714ec0"
        }
      ]
    }
  ]
}

There are more options to do it, but from my experience these two are the most used.

scim.dev: User schema, Binaries have to be case-exact by definition.

This is perhaps not the correct place to report this, but I couldn't find a better place.

This concerns the "User" schema on the scim.dev website.

According to RFC 7643, section 2.3.6, an attribute of the "binary" type has to be declared case sensitive.
Currently, the value attribute of the User schema is defined as "caseExact": false, which is incorrect.

This was found using the scim-for-keycloak SCIM client, which validated the schema and throws this error:
The attribute with the name 'urn:ietf:params:scim:schemas:core:2.0:User:x509Certificates.value' has an invalid declaration. Binaries have to be case-exact by definition.

Looking at the RFC, I think the client is correct and the schema is indeed invalid.

API protection for routes in an existing project

Hi there! Thank you so much for this spectacular project! I was able to get it installed into our existing project pretty easily, and was shocked that it managed to figure out how my users were supposed to look with almost no intervention on my part. It's great tech and I can't wait to get it into the hands of our users.

However, where I'm running into a couple of snags is trying to hook it into our existing middleware in order to protect the routes properly. We're already using some API middleware which includes things like API token lookups and throttling and things like that.

My first attempt was to turn off the automatic route injection, and try to insert the routes in myself, with the appropriate middleware - but that started failing with strange dependency injection lookup failures that I wasn't able to really get anywhere with. I still have that on a branch if you tell me that's the right way to go, though.

My second attempt was to insert a global middleware which tries to do the appropriate restriction of the routes (as suggested by: #7 ). I basically look for any route that starts with /scim and then I allow only specific routes and block everything else. But my problem here is that the actual lookup of the API keys I think only happens at the route-middleware level, and not at the global-middleware level, so I'm not sure I'm going to be able to get this one to work via API key. I was able to get it to work via regularly-logged-in-user which was nice to test if my logic was working right, but the API keys are going to be the critical path.

My third attempt is going to be to try a simple static key lookup, and I will have to make my users insert that into their .env (presuming I can pull stuff out of the .env or config() at the global middleware layer?) That still gets this amazing feature into my user's hands, but I already have all of this nice Passport stuff with bearer tokens and permissions and whatnot that I really would love to be able to leverage for SCIM integration. And whenever I ask my users to adjust their .env it usually makes it much harder for my users to be able to use that feature (and it adds some burden to our helpdesk, as well).

Any ideas about any kind of different direction I should take, or does one of these seem like the right way to go? I'll be happy to contribute back to this project in any way with whatever our findings are.

Thanks again for making this, and sharing it. It's amazing that you can get SCIM support up and running so quickly with just a few short steps.

for requests with multiple schemas, the first is taken and used for validation

In the Postman test collection I found in the SCIM pages from Microsoft (https://www.postman.com/collections/3b5c4b838ec66cacd53b) there is a test for an 'Enterprise User' which carries 2 schemas: the regular User schema and an additional EnterpriseUser schema.

If the body lists the Enterprise user first, validation fails; if it is listed after the normal user schema it works. I would expect that this order should not matter. I could work around it by doing multiple validations (one per schema) instead of only the first, but I'm not very confident if that is the right approach?

Possible Azure AD SCIM issues when changing an email address?

This could absolutely be my own screw-up, but I'd love to get your collective eyes on this issue I've been having with Azure.

I'm getting the following exception when I try to update a user's email address and then force a SCIM provisioning.:

Exception caught! Replace is not implemented for ":urn:ietf:params:scim:schemas:core:2.0:User.emails.value" of type: ArieTimmerman\Laravel\SCIMServer\Exceptions\SCIMException when executing:
PATCH https://msscim.snipe-it.io/scim/v2/Users/21

{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[{"op":"Replace","path":"emails[type eq \"work\"].value","value":"[email protected]"},{"op":"Replace","path":"addresses[type eq \"work\"].formatted","value":"18/2111"},{"op":"Add","path":"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department","value":"Retail"}]}  

The relevant portion of my SCIM config is this:

<?php
/* ....... */
        $config['validations'][$core.'emails'] = 'nullable|array';         // emails are not required in Snipe-IT...
        $config['validations'][$core.'emails.*.value'] = 'email'; // ...(had to remove the recommended 'required' here)

        $mappings['emails'] = [[
            "value" => AttributeMapping::eloquent("email"),
            "display" => null,
            "type" => AttributeMapping::constant("work")->ignoreWrite(),
            "primary" => AttributeMapping::constant(true)->ignoreWrite()
        ]];
/* ..... */

(The entire SCIM configuration can be viewed, if you need it, here: https://github.com/snipe/snipe-it/blob/master/app/Models/SnipeSCIMConfig.php )

I experimented with adding an additional mapping for ['emails']['value'] that I set ignoreRead() on, but that didn't seem to help either.

Am I doing something wrong, or have I maybe run into a bug? It does seem like Microsoft's PatchOp request seems to be correctly formatted (I think?).

Thanks everybody for this spectacular software!!!

Schema value not returned at the root?

Having some issues getting Azure SCIM to play with this package, and I've realised it's because the attributes aren't at the root, and Microsoft expects them to be.

In this package, they are nested under urn:ietf:params:scim:schemas:core:2.0:User, however in the SCIM RFC and Microsoft examples, all the properties under this namespace are in the root.

Any ideas?
cc @uberbrady if you ran across this in your work

https://datatracker.ietf.org/doc/html/rfc7644#section-3.4

Document usage

Hey mate, how's it going?
Thanks for providing this package.. could you add any documentation on how to use it?
I added the service provider but still have no route available....

Issues creating new user when "active" attribute is present in request

Hello,

Summary
I'm doing SCIM user provisioning tests using Postman and EntraID with SCIM Playground (https://scim.dev).
It seems "api.scim.dev" API doesn't allow creation of user when we specify the "active" attribute.
In "api.scim.dev" API Schema, it seems to indicate that the "active" attribute is "readWrite"

Encountered error message
I'm encountering error stating that we cannot write to "active" attribute:

{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:Error"
  ],
  "detail": "Write to \"urn:ietf:params:scim:schemas:core:2.0:User:active\" is not supported",
  "status": 500
}

Schema

{
  "name": "active",
  "description": "A Boolean value indicating the User's administrative status.",
  "type": "boolean",
  "mutability": "readWrite",
  "returned": "default",
  "required": false,
  "multiValued": false,
  "caseExact": false
}

Tests
Tested with Postman and EntraID.
When removing "active" attribute from request (Postman), then the user creation occurs successfully.
On EntraID side, it seems that the "active" attribute will always be part of requests (even if we remove attribute in Entra App schema and remove Attribute mapping).

Question
When checking SCIM schema (api.scim.dev), it seems the "active" attributes should be "readWrite", could it be a bug in solution deployed on "api.scim.dev" that may wrongly consider that attribute to be "readOnly"?

Thanks to all people working on this solution, it allows to test and play with SCIM!
Have an excellent end of Year, best regards,
Fabrice

Problem when creating a new user via SCIM that already exists

I'm running into a problem where my users try to enable SCIM provisioning against an already-existing set of users in my application. When the username in our application already exists and already matches what the directory provider is trying to provide, we return an error for the SCIM request. What seems to happen is the SCIM provisioner tries to create the user, fails our model-level validation, and the SCIM provisioner thinks that the user has not been created. They've been able to sometimes work around the problem by 'resetting' the SCIM provisioning (starting, again, from scratch). This may be an Azure AD problem, as that's the only place where I've seen it so far (though it's also where most of our users try to do SCIM from, so that may not mean much).

I feel like another behavior that might work better for my users on the 'create' method would be to look up the already-existing user, and return that user - with the appropriate attributes modified as requested by the 'create' - as the "newly" created user. From SCIM's perspective, it doesn't matter that the userName was an already existing user ID; it's just able to now refer to that user uniquely, and update the attributes appropriately.

I'm happy to take direction if this means I should tweak my implementation however you recommend - or, if this is something that we can provide a PR for, we'll happily provide one, if it's something you'd be comfortable merging.

Thanks again for providing this library - I absolutely would not have been able to add SCIM support to our product without this, and it's been a big draw for our users. I deeply appreciate it.

Set a default value for User attribute

I would like to set a default value for an attribute before the User entity is created.
In my application Users and Groups are scoped under an Account entity, so I need to set the account_id for both of them before they are stored in the database.
After some tests, I saw that the createFromSCIM method takes only the attributes in the request so if I don't send the account_id, it isn't filled. I want to make this transparent from the outside, the account_id should be the one that belongs to the authenticated user.
Is this something I could set in the SCIMConfig or do I need to act on the User and Group eloquent models?

Possible SCIMv2 protocol violation?

Hello again! Thanks again for providing this amazing library; there's no way we would've been able to implement SCIM in our product without it.

Unfortunately, however, we're seeing some SCIM responses that look like the following:

{
    "id": 49,
    "meta": {
        "created": "2022-01-27T15:57:41-08:00",
        "lastModified": "2022-10-06T10:35:15-07:00",
        "location": "https:\/\/domain.example.com\/scim\/v2\/Users\/77",
        "resourceType": "User"
    },
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
    ],
    "urn:ietf:params:scim:schemas:core:2.0:User": {
        "userName": "[email protected]",
        "name": {
            "formatted": "User\u00e9 Name",
            "familyName": "Name",
            "givenName": "User\u00e9"
        },
        "title": "Software developer",
        "preferredLanguage": "en",
        "active": true,
        "emails": [
            {
                "value": "[email protected]",
                "type": "work",
                "primary": true
            }
        ],
        "phoneNumbers": [
            {
                "type": "work",
                "primary": true
            }
        ],
        "addresses": [
            {
                "type": "work",
                "formatted": "n\/a",
                "primary": true
            }
        ]
    }
}

But it looks like according to the spec, embedding the User attributes under the urn:ietf:params:scim:schemas:core:2.0:User namespace might not be correct. In section 3 - SCIM Resources, it says (under "Core Resources"):

A resource's core attributes are those attributes that sit at the
top level of the JSON object together with the common attributes
(such as the resource "id"). The list of valid attributes is
specified by the resource's resource type "schema" attribute (see
Section 6). This same value is also present in the resource's
"schemas" attribute.

Which makes it sound like the various things in that User namespace belong at the top level of the JSON. Additional namespaces (such as Enterprise) are being handled correctly, however.

So it sounds to me like there are two different ways of fixing this. One is we can put together some changes to the ScimConfig.php file so that the User resources for the User part of the config are at the top level of the JSON, and not under the User namespace. This should probably be enough to fix it - I was able to add externalId support at that top-level to our own implementation easy enough; we'd just have to repeat that for the other examples.

Another way to do it might be to build-in the knowledge of stuff like this: https://datatracker.ietf.org/doc/html/rfc7643#section-4.1 into the software itself - specifically:

SCIM provides a resource type for "User" resources. The core schema
for "User" is identified using the following schema URI:
"urn:ietf:params:scim:schemas:core:2.0:User". ...

And then laravel-scim-server can see that you're returning a User, and that you're returning attributes from the User core schema, and (somehow?) auto-promote those various attributes to the top level.

If you'd be interested in PR's for either of those solutions, I'd be happy to take a stab at either one. Or, if you don't want to do either of them, that's fine too! We can just probably fix it on our end and that would probably be enough.

Thanks again for providing this software and having it be open source! It's helping us immensely.

How does one secure the endpoints?

When setting up user provisioning for an enterprise application in Azure Active Directory, in addition to the Tenant URL there is also a field for a secret. Does this package already handle securing the endpoints with a secret?

Problem to create (new) groups for existing members

In the example https://github.com/idaas-nl/idaas.nl/blob/893b18731464f810da9eae2e4e466b1f00fe9241/app/SCIMConfig.php#L426 members get added to group. This works for a patch on Group that modifies the list of its users.

However, for a POST (create) on Group (if it has a members attribute), the $object does not have an id yet when it passes in this 'Add' callable to add its members.

How could I tackle this? The group object is only saved when all attributes have been handled. Should I customise the ResourceController for this case, or can this somehow also be handled in the CustomSCIMConfig?

versioning strategy

From: https://semver.org/

MAJOR version when you make incompatible API changes
MINOR version when you add functionality in a backward compatible manner
PATCH version when you make backward compatible bug fixes

  1. v0.6.8...v0.6.9
    This version has not fixed any bug
    Expected: minor version
    Actual: fix version

  2. v0.6.4...v0.6.5
    This version has introduced a new feature.
    The feature uses PHP8 specific syntax

Expected - composer json updates the minimum php required version
Expected - minor version bump
Expected - phpunit tests catch this kind of backwards incompatible changes.

Actual: patch bump
Actual: tests pass
Actual: composer json mentions support for php7 (which is false)

Based on these notes, I would conclude that this library might be unreliable to use in projects where SEMVER versioning is used as a best practice.

What should a 'create user' request look like?

I've tried something like this:

/** @test */
public function scim_v2_can_create_a_user()
{
    $this->withoutExceptionHandling();
    
    $data = [
        'schemas' => [
            'urn:ietf:params:scim:schemas:core:2.0:User',
            'arietimmerman:ice'
        ],
        "urn:ietf:params:scim:schemas:core:2.0:User" => [
            "userName" => "[email protected]",
            "password" => "test123",
        ],
        "name" => [
            "formatted" => "John Doe"
        ],
        "displayName" => "John Doe",
        "emails" => [
            "value" => "[email protected]",
            "type" => "other",
            "primary" => true
        ],
    ];
    
    $response = $this->withToken($this->token)->post('/scim/v2/Users', $data,['Content-Type'=> 'application/json+scim']);
    
    $response->assertOk();
}

Which fails with:

ArieTimmerman\Laravel\SCIMServer\Exceptions\SCIMException : Missing a valid schemas-attribute.

Many thanks!

How to use the PolicyDecisionPoint to restrict access

Thank you for publishing this package - my use case is supporting multiple clients connecting to our server, each with their own subset of users that need to be kept separate.

At the middleware level, where I authenticate the calls, I can manipulate the filter in search queries to restrict the results to the correct subset. I can also plug into the update/create events fired by the package to attach the correct client to the created users. But I need to also prevent direct viewing/update of a user that is not part of this client's subset.

PolicyDecisionPoint->isAllowed(...) seems like it's designed to fulfill that role, but it's just a placeholder class in the package. Is it meant to be extended and injected, with its signature kept stable over time? What would be your recommended way of doing so?

Thanks in advance for any pointer you might have, and for sharing that very useful package.
