Update Manager through SCIM does not work.

Hi.

I'm running Identity Manager 9.1.

When creating a new user, the Manager gets inserted. But when updating a Manager, nothing happens. I've enabled Trace to find out more, and the log says that the op is Remove, as seen below.

2023-03-20 13:32:21.7721 TRACE (SystemConnector SCIM-BCBF30 Job dc147a1f-19f1-4c4a-a54b-c7809c05cd35) : 		Target:"SCIM" Method:"OnCommitObject" Number:"2550101" Message:"Method OnCommitObject called." 
2023-03-20 13:32:21.8190 DEBUG (SystemConnector SCIM-BCBF30 Job dc147a1f-19f1-4c4a-a54b-c7809c05cd35) : 		Target:"SCIM" Method:"Send" Number:"2550121" Message:"Sending PATCH request using URI https://services.acme.com/api/scim/v2/Users/f0ca13ff-070c-4b21-a2f4-be51e5aa1413" 
2023-03-20 13:32:21.8347 DEBUG (SystemConnector SCIM-BCBF30 Job dc147a1f-19f1-4c4a-a54b-c7809c05cd35) : 		Target:"SCIM" Method:"Send" Number:"2550122" Message:"Sending data {
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [
    {
      "op": "replace",
      "value": {
        "locale": "sv_SE"
      }
    },
    {
      "op": "replace",
      "value": {
        "preferredLanguage": "sv-SE"
      }
    },
    {
      "op": "remove",
      "path": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User~manager"
    }
  ]
}"

This is what the Sync log looks like:

Sequence number Schema type   Object                                                                                  Processing method     Schema property   Value new (long)
6               User          CN=f0ca13ff-070c-4b21-a2f4-be51e5aa1413,O=User,DC=https://services.acme.com/api/scim/v2 Update                locale            sv_SE
6               User          CN=f0ca13ff-070c-4b21-a2f4-be51e5aa1413,O=User,DC=https://services.acme.com/api/scim/v2 Update                preferredLanguage sv-SE
6               User          CN=f0ca13ff-070c-4b21-a2f4-be51e5aa1413,O=User,DC=https://services.acme.com/api/scim/v2 Update                urn:ietf:params:scim:schemas:extension:enterprise:2.0:User~manager~value  963aa740-d8c8-41d3-ac7a-160a8712e27f

Any help is appreciated!

/Henrik

  • Hi Henrik,

    the issue has been fixed with BUG #36108 and the fix is also part of upcoming service pack version 9.1.1.

    regards,

       Tino

  • Hello  ,

    may it be the case that the fix also fixes the following problem? It is version 9.0.

    We currently have the issue when updating attributes from "schema extensions": the target system says it does not know the attributes, as (it seems) OIM does not tell it that these are from schema extensions. More precisely, the error message says:

    "

    Error returned: {
      "status" : "400",
      "scimType" : "invalidPath",
      "schemas" : [ "urn:ietf:params:scim:api:messages:2.0:Error" ],
      "detail" : "Provided attribute with name 'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User' does not exist according to the schema"
    }
    Error returned: ...
    HTTP request returned state "ProtocolError". This state shows processing errors. URI : xyz/scim//Users/3731d064-f4de-4d7c-a0ff-98f5b789ea77
    Error returned: The remote server returned an error: (400) Bad Request.
    Sending data {
      "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
      ],
      "Operations": [
        {
          "op": "replace",
          "value": {
            "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
              "costCenter": "test"
            }
          }
        }
      ]
    }

    "

    Thanks in advance

  • Hello Alexey,

    I think this is the same root cause and the fix should solve it also.

    Regards,

      Tino

  • After installing CU2 we still observe the issue.

    The SCIM server does not seem to like the way attributes get sent. Based on the documentation there are 2 ways attributes can be sent:

    - without using the "path" param

    - using the "path" param

    see e.g. https://is.docs.wso2.com/en/6.0.0/apis/scim2-patch-operations/#replace-user-attributes

    The SCIM connector sends data without using the "path" parameter, i.e.

    "Operations": [
      {
        "op": "replace",
        "value": {
          "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
            "costCenter": "test"
          }
        }
      }
    ]

    and it does not work; the server says "Provided attribute with name 'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User' does not exist according to the schema". The same error message comes back when we reproduce the PATCH via Postman.

    Using the "path" parameter (tested via Postman), it works with no error message, i.e.

    "Operations": [
      {
        "op": "replace",
        "path": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:costCenter",
        "value": "test"
      }
    ]

    Is it something one can configure in OIM to switch from one option to the other?
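As an added example (not part of this thread or the One Identity connector), the rewrite Alexey tested by hand in Postman, applied mechanically: every path-less "add"/"replace" whose value is an object is split into one operation per attribute with an explicit RFC 7644 "path", extension attributes get the "URN:attr" form the target accepted, and a "remove" without "path" (which RFC 7644 Sec. 3.5.2 requires) is rejected. The sample body is constructed to mirror the PATCH bodies quoted above.

```python
import copy

# Constructed sample, mirroring the PATCH bodies quoted in this thread
# (the remove path uses RFC form "URN:attr", not the connector's "URN~attr").
ENTERPRISE_EXT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PATHLESS_BODY = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [
        {"op": "replace", "value": {"locale": "sv_SE"}},
        {"op": "replace", "value": {ENTERPRISE_EXT: {"costCenter": "test"}}},
        {"op": "remove", "path": ENTERPRISE_EXT + ":manager"},
    ],
}


def _is_schema_urn(key):
    """Top-level keys that name a schema extension rather than an attribute."""
    return key.startswith("urn:ietf:params:scim:schemas:")


def to_path_form(body):
    """Return a copy of a PatchOp body in which every path-less add/replace
    carrying an object value is expanded into per-attribute operations with
    an explicit "path". Operations that already have a path are kept as-is;
    a remove without path is an RFC 7644 violation and raises ValueError."""
    out = copy.deepcopy(body)
    new_ops = []
    for op in out["Operations"]:
        kind = op["op"].lower()
        if kind == "remove" and "path" not in op:
            raise ValueError("remove operation without path (RFC 7644 3.5.2)")
        if kind not in ("add", "replace") or "path" in op \
                or not isinstance(op.get("value"), dict):
            new_ops.append(op)
            continue
        for key, val in op["value"].items():
            if _is_schema_urn(key) and isinstance(val, dict):
                # {"URN": {"costCenter": "test"}} -> path "URN:costCenter"
                for attr, sub in val.items():
                    new_ops.append({"op": kind, "path": key + ":" + attr, "value": sub})
            else:
                # core attribute such as {"locale": "sv_SE"} -> path "locale"
                new_ops.append({"op": kind, "path": key, "value": val})
    out["Operations"] = new_ops
    return out
```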

  • Hi Alexey,

    have you refreshed the SCIM target system schema in your sync project after applying the CU?

    regards,

     Tino

  • Hi Tino,

    yes and even more, I have created sync project anew.

    Do you mean, after CU2 one should expect the option including "path" parameter?

    Best Regards,

    Alexey

  • Hi Alexey,

    the "path" parameter is not always used. According to RFC 7644 Sec. 3.5.2 the usage is optional (www.rfc-editor.org/.../rfc7644 ): "The "path" attribute is OPTIONAL for "add" and "replace" and is REQUIRED for "remove" operations."

    Our serialization handles schema extensions like "complex properties" as shown in Example 3 "Replace the country attribute in the Enterprise user schema (without using the path param)" -> see e.g. is.docs.wso2.com/.../

    So your serialized SCIM data body looks OK to me.

    regards,

       Tino

  • Hello Tino,

    yes, it is the standard, it says "path" is optional for "replace".

    You can also see both options ("using path" and "without using path") on e.g. https://is.docs.wso2.com/en/6.0.0/apis/scim2-patch-operations/#replace-user-attributes .

    The fact is, even simply by using the Postman tool and sending a PATCH using "path" (as I commented before), the target system (SAP Cloud Identity Services) understands it and the data gets updated. And by sending a PATCH without "path" (as shown before), it says "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User does not exist".

    And it kind of means that the target system in our case seems to understand only one way of formatting the request (while the standard says "path" is optional).

    Do you see anything else we could do to integrate the system?

    Best Regards,

    Alexey

  • Hi Alexey,

    if you are able to configure the SAP SCIM provider's /ServiceProviderConfig endpoint settings so that the output sends a disabled "patch" flag like this

    "schemas": [
      "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"
    ],
    "patch": {
      "supported": false
    }, ...

    the SCIM connector will always send PUT requests for updates. Maybe the SAP provider can handle it if the complete object is transferred.

    regards,

       Tino

  • Hello Tino,

    thanks for the reply. No, we do not have access to configure the endpoint, but yes, we did try to switch from PATCH to PUT (for this it is enough to omit /ServiceProviderConfig during sync project configuration).

    Unfortunately it did lead to other issues (bugs in OIM?). If you have access to SR#02104663 (comment from "May 31, 2023 03:56 AM"). In this case OIM sends the complete object as you would expect (including attributes from schema extensions), but it does not send the "schema names" (they must be listed in the "schemas" attribute on the object sent) for the schema extensions, and the target system says "invalid user attributes".

    Best Regards,

    Alexey

  • Hi Alexey,

    so it should be handled with the SR. Maybe it has been fixed already; in my 9.0 version I see the schemas array in the PUT request.

    regards,

       Tino
