SCIM Assignments via PATCH instead of PUT with no ServiceProviderConfig

We are attempting to connect One Identity to Snowflake via the standard SCIM connector. Everything is working fine except when we try to assign a User to a Group. This results in a frozen job for the Ad-Hoc provisioning.

Snowflake does not have a ServiceProviderConfig endpoint, so when One Identity does the assignment, it uses its default "PUT" to send all group-assignments for the User instead of "PATCH". Snowflake only supports a PATCH with additions/removals.

How can we get the One Identity SCIM connector to use a PATCH to do group-assignments instead of a PUT... WHEN NO ServiceProviderConfig IS AVAILABLE?

My hope is that there is a flag that we can add to DPRRootObjConnectionInfo to specify PATCH=True.

We opened a sev-2 case with Support, but they told us that they cannot assist with this type of issue.

Has anyone run into this issue?

  • Hi haaf,

    the SCIM connector is specified to connect to SCIM V2.0 providers. (https://support.oneidentity.com/technical-documents/identity-manager/9.1.1/configuration-guide/104)

    The RFC7644, sec. 3.2, defines an endpoint "/ServiceProviderConfig" (https://www.rfc-editor.org/rfc/rfc7644#section-3.7.4) which provides a service provider structure according to RFC7643, sec. 5 (https://www.rfc-editor.org/rfc/rfc7643#page-27). If your system is not providing this data, it is not compatible with this specification. The SCIM connector is using defaults in this case, but without functional guarantee. Switching over to using the PATCH instead of the PUT operation is allowed via the "/ServiceProviderConfig" declaration only.

    Regards,

      Tino

  • Tino,

    We passed this response on to SnowFlake and their response is that the SCIM 2.0 does refer to a ServiceProviderConfig Endpoint, but it says that it is optional. (https://www.rfc-editor.org/rfc/rfc7644#section-4 ...SCIM defines three endpoints to facilitate discovery of SCIM service provider features and schema that MAY be retrieved using HTTP GET)

    Snowflake says that since it is optional, One Identity should provide a switch to cause the connector to use PATCH instead of PUT. This could be via a config-parm or via some way to load a ServiceProviderConfig file in the wizard (as is possible with the schema & resource-type).

    There must be a workaround for this problem.

    ---Richard

  • Hi Richard,

    the above quote says that the client MAY GET information from the provider (not MUST, but the SCIM connector does the GET), and the word "optional" is not used in the definition of the endpoint "/ServiceProviderConfig".

    Anyway, the PATCH feature is defined as optional and therefore as an opt-in to be declared by the service provider. If there is no declaration, the client software should decide to use the PUT operation to be sure.

    3.5.2.  Modifying with PATCH
    
       HTTP PATCH is an OPTIONAL server function that enables clients to
       update one or more attributes of a SCIM resource using a sequence of
       operations to "add", "remove", or "replace" values.  Clients may
       discover service provider support for PATCH by querying the service
       provider configuration (see Section 4).
    

    Shouldn't this topic be a feature request to SCIM provider?

    Regards,

       Tino
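
The decision Tino outlines, read ServiceProviderConfig (RFC 7643 sec. 5) and use PATCH only when `patch.supported` is declared, otherwise fall back to a full PUT, as an added Python example; it is not code from this thread or from One Identity's connector, and the ServiceProviderConfig and Group documents are constructed samples rather than real Snowflake or One Identity responses.

```python
import json

SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def patch_supported(service_provider_config):
    """RFC 7643 sec. 5: ServiceProviderConfig.patch.supported declares PATCH.
    None models a provider without the endpoint (e.g. a 404 on GET).
    PATCH is OPTIONAL (RFC 7644 sec. 3.5.2), so a conservative client treats
    'not declared' as 'not supported' and falls back to PUT."""
    if service_provider_config is None:
        return False
    return bool(service_provider_config.get("patch", {}).get("supported", False))


def build_group_membership_update(config, group, user_id, add=True):
    """Return (method, body) for changing one user's membership in a group.
    PATCH sends only the delta; PUT must resend the whole group representation,
    which is why a PUT-only client ships every member on each assignment."""
    if patch_supported(config):
        if add:
            op = {"op": "add", "path": "members", "value": [{"value": user_id}]}
        else:
            # RFC 7644 sec. 3.5.2.2: a filter in the path removes one member.
            op = {"op": "remove", "path": f'members[value eq "{user_id}"]'}
        return "PATCH", {"schemas": [SCIM_PATCH_SCHEMA], "Operations": [op]}
    # PUT fallback: rebuild the complete member list without mutating the input.
    members = [m for m in group.get("members", []) if m["value"] != user_id]
    if add:
        members.append({"value": user_id})
    return "PUT", {**group, "members": members}


# Constructed sample data (hypothetical ids, not real provider responses).
DECLARED = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
            "patch": {"supported": True}, "bulk": {"supported": False}}
GROUP = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
         "id": "g-1", "displayName": "Analysts", "members": [{"value": "u-1"}]}

if __name__ == "__main__":
    # Same assignment against a provider that declares PATCH and one that does not.
    for cfg in (DECLARED, None):
        method, body = build_group_membership_update(cfg, GROUP, "u-2")
        print(method, json.dumps(body))
```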