I have implemented user provisioning/deprovisioning with SCIM like so :
users_controller.rb
class Scim::UsersController < Scim::ScimController
before_action :set_scim_provider
def index
startIndex = params[:startIndex].to_i
startIndex = 1 if startIndex < 1# if the user send a startIndex < 1, it is bad data, we don't take it.
itemsPerPage = params[:count].to_i
if itemsPerPage < 1 || itemsPerPage > @scim_provider.max_results
itemsPerPage = @scim_provider.default_number_of_results
end
scim_users = @scim_provider.identity_provider.communaute_accesses.from_scim
if params["filter"]
parser = Scim::QueryFilter::Parser.new
rpn_array = parser.parse(params["filter"])
tree = parser.tree
if tree.length == 3 and tree[0]== 'eq' and tree[1] == 'userName'
userName = tree[2]
scim_users = scim_users.where(provider_identifier: userName.delete('"'))
else
fail 'e'
end
end
paginated_users = scim_users.order(:created_at).offset(startIndex - 1).limit(itemsPerPage)
r = {
"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
"totalResults": scim_users.size,
"Resources": paginated_users.map { |ca| @scim_provider.representation_for_user(ca) },
"startIndex": startIndex,
"itemsPerPage": itemsPerPage
}
render_json_result(r, 200)
end
def create
if @scim_provider.identity_provider.communaute_accesses.from_scim.find_by(provider_identifier: @body_params['userName'])
render_409_conflict("uniqueness")
else
ca = @scim_provider.identity_provider.communaute_accesses.find_by(provider_identifier: @body_params['userName'], communaute_id: @scim_provider.identity_provider.communaute.id)
if ca.nil?
ca = @scim_provider.identity_provider.communaute_accesses.create(provider_identifier: @body_params['userName'], communaute_id: @scim_provider.identity_provider.communaute.id)
end
ca.update_last_raw_value("scim", @body_string)
ca.extract_values_from_scim
ca.queue_send
end
render_json_result(@scim_provider.representation_for_user(ca), 201)
end
def show
user = @scim_provider.identity_provider.communaute_accesses.from_scim.find_by(provider_identifier: @body_params['userName'])
if user
render_json_result(@scim_provider.representation_for_user(user), 200)
else
render_404_not_found(params[:id])
end
end
def update
ca = @scim_provider.identity_provider.communaute_accesses.from_scim.find_by(provider_identifier: @body_params['userName'])
uc = UserCommunaute.find_by(provider_identifier: @body_params['userName'])
ca.update_last_raw_value("scim", @body_string)
ca.extract_values_from_scim
unless ca.nil?
if ca.pending?
ca.update_last_raw_value("scim", @body_string)
ca.update(active: false)
if ca.active == false
fail "Unable to delete this user because of activeness" if ca.active == true
ca.destroy!
end
render_json_result(@scim_provider.representation_for_communaute_access_patch(ca), 200)
end
end
unless uc.nil?
uc.update(active: @body_params['active'])
if uc.active == false
uc.user.communaute_accesses.from_scim.destroy_all
uc.user.user_communautes.from_scim.destroy_all
render_json_result(@scim_provider.representation_for_user_communaute_patch(uc), 200)
end
end
end
end
Explanations:
When updating a user, SCIM sends a PATCH request like this:
{"schemas"=>["urn:ietf:params:scim:api:messages:2.0:PatchOp"], "Operations"=>[{"op"=>"Replace", "path"=>"active", "value"=>"False"}]}
(@body_params
in the code)
Which is what i am expecting. But, for a while, i was receiving the userName
also in the body response during the PATCH operation.
This is how I fetch the correct user in my DB.
Actual result:
I don't receive the userName
anymore when SCIM hits my update
action.
Expected results:
Being able to receive information about the user during the PATCH operation to fetch the userName
and find the right user in my database.
I have tried almost everything. When SCIM hits the index
action, which it does everytime before going anywhere else, it does return me a userName
et everything ends up as a 200 OK.
Then, when passing through update
, it sends me nothing.
What I have tried last is to isolate the userName
as an instance variable in the index
action to fetch it after in the update
like so:
# index
...
if params["filter"]
parser = Scim::QueryFilter::Parser.new
rpn_array = parser.parse(params["filter"])
tree = parser.tree
if tree.length == 3 and tree[0]== 'eq' and tree[1] == 'userName'
@user_name = tree[2]
scim_users = scim_users.where(provider_identifier: @user_name.delete('"'))
else
fail 'e'
end
end
...
# update
def update
ca = @scim_provider.identity_provider.communaute_accesses.from_scim.find_by(provider_identifier: @user_name)
uc = UserCommunaute.find_by(provider_identifier: @user_name)
ca.update_last_raw_value("scim", @body_string)
ca.extract_values_from_scim
...
But, @user_name
in update
seems to disappear as its value is nil
.
I am deprovisioning from Azure Active Directory and Okta in a production environment. Mapping is ok in both platforms. Provisioning is working like a charm.
Please refer to https://developer.okta.com/docs/reference/scim/scim-20/#update-a-specific-user-patch for PATCH /Users/{userId}. Could you not make use of the userId in the url to identify the user ?