Azure / AzureAD-BYOA-Provisioning-Samples

Samples to use the Microsoft.SystemForCrossDomainIdentityManagement libraries with BYOA for provisioning scenarios

Response StatusCode 409 / User already exists #28

Open sven73a opened 4 years ago

sven73a commented 4 years ago

Hi,

In the SCIM protocol definition (RFC 7644, https://tools.ietf.org/html/rfc7644#section-3.3) the following is stated in section 3.3:

If the service provider determines that the creation of the requested resource conflicts with existing resources (e.g., a "User" resource with a duplicate "userName"), the service provider MUST return HTTP status code 409 (Conflict) with a "scimType" error code of "uniqueness", as per Section 3.12.

When I look at ControllerTemplate<T> in the decompiled DLL "Microsoft.SystemForCrossDomainIdentityManagement.Service.dll" (with dotPeek), I cannot find where status code 409 is returned when a user is created; I cannot even find which exception I have to throw when a user with the same unique name already exists.

Can SystemForCrossDomainIdentityManagement handle the response when the provider tries to create a user which already exists? If so, which exception do I have to throw? Do you know what Azure AD expects as the response when a user already exists on create?

craigmcm commented 4 years ago
  1. The controller should not know whether or not a conflict was encountered in the back-end store. That’s the responsibility of the model, which, in this case, is represented by the SCIM provider, or, more concretely, by the IProvider implementation, which might be derived from ProviderBase or BulkRequestProviderTemplate or implemented from scratch. It would be the provider that would throw an HttpResponseException with the 409 status code in the event of a conflict.

  2. Conflicts should never happen, however; the Azure Active Directory provisioning service should never get a conflict response from a SCIM service. For all entries in the provisioning scope, the Azure Active Directory provisioning service should be the master. If that assumption is true, then if Azure Active Directory has an entry that the directory fronted by the SCIM service already has, then the SCIM service should return that object in response to a query that the Active Directory provisioning service will always make prior to any attempt to POST the entry.

Craig McMurtry Developer, Identity Platform

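The two behaviours described in the answer above, the provider (not the controller) raising the 409 with a SCIM "uniqueness" error body, and the userName lookup that the provisioning service performs before any POST, as an added example. This is not code from the AzureAD-BYOA-Provisioning-Samples repository, and it does not derive from ProviderBase or use Core2EnterpriseUser: the ScimUser type, the InMemoryUserProvider class and its method names are stand-ins, and the bodies of CreateAsync and QueryByUserNameAsync are what you would move into your IProvider implementation's create and query methods. HttpResponseException and HttpResponseMessage are the ASP.NET Web API types; the sample userName values are constructed.

```csharp
// Added example; not code from the AzureAD-BYOA-Provisioning-Samples repository.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;
using System.Web.Http;          // HttpResponseException (ASP.NET Web API)

// Stand-in for the library's user resource (assumption: a real provider uses Core2EnterpriseUser).
public sealed class ScimUser
{
    public string Id { get; set; }
    public string UserName { get; set; }
    public string ExternalId { get; set; }
}

// Stand-in for the IProvider / ProviderBase implementation: the provider owns the
// uniqueness rule and raises the 409; the controller never sees the store.
public sealed class InMemoryUserProvider
{
    private readonly object _gate = new object();
    private readonly Dictionary<string, ScimUser> _usersById = new Dictionary<string, ScimUser>();

    // RFC 7643 declares userName as not caseExact, so uniqueness is case-insensitive.
    private static readonly StringComparer UserNameComparer = StringComparer.OrdinalIgnoreCase;

    // Backs the lookup Azure AD makes first (GET /Users?filter=userName eq "..."):
    // returning the existing entry here is what prevents a POST and therefore a 409.
    public Task<IReadOnlyList<ScimUser>> QueryByUserNameAsync(string userName)
    {
        lock (_gate)
        {
            IReadOnlyList<ScimUser> hits = _usersById.Values
                .Where(u => UserNameComparer.Equals(u.UserName, userName))
                .ToList();
            return Task.FromResult(hits);
        }
    }

    // Backs POST /Users. The existence check and the insert run under one lock so
    // two concurrent POSTs for the same userName cannot both succeed.
    public Task<ScimUser> CreateAsync(ScimUser user)
    {
        if (string.IsNullOrWhiteSpace(user?.UserName))
            throw BuildScimError(HttpStatusCode.BadRequest, "invalidValue", "userName is required.");

        lock (_gate)
        {
            bool taken = _usersById.Values.Any(u => UserNameComparer.Equals(u.UserName, user.UserName));
            if (taken)
                throw BuildScimError(HttpStatusCode.Conflict, "uniqueness",
                    $"A user with userName '{user.UserName}' already exists.");

            user.Id = Guid.NewGuid().ToString();
            _usersById[user.Id] = user;
            return Task.FromResult(user);
        }
    }

    // RFC 7644 section 3.12 error body, wrapped in the exception that the Web API
    // pipeline converts into the HTTP response.
    private static HttpResponseException BuildScimError(HttpStatusCode status, string scimType, string detail)
    {
        string body =
            "{\"schemas\":[\"urn:ietf:params:scim:api:messages:2.0:Error\"]," +
            $"\"scimType\":\"{scimType}\"," +
            $"\"detail\":\"{detail.Replace("\"", "\\\"")}\"," +
            $"\"status\":\"{(int)status}\"}}";
        var response = new HttpResponseMessage(status)
        {
            Content = new StringContent(body, Encoding.UTF8, "application/scim+json")
        };
        return new HttpResponseException(response);
    }
}

public static class Demo
{
    public static async Task Main()
    {
        var provider = new InMemoryUserProvider();
        // Constructed sample data.
        await provider.CreateAsync(new ScimUser { UserName = "alice@contoso.example", ExternalId = "ext-1" });

        // The pre-POST lookup: the existing entry is returned regardless of case.
        var found = await provider.QueryByUserNameAsync("ALICE@contoso.example");
        Console.WriteLine($"query hits: {found.Count}");

        // A second POST for the same userName, which only happens if the lookup was
        // skipped or the scope is misconfigured, is answered with 409 / uniqueness.
        try
        {
            await provider.CreateAsync(new ScimUser { UserName = "Alice@contoso.example" });
        }
        catch (HttpResponseException ex)
        {
            Console.WriteLine((int)ex.Response.StatusCode);
            Console.WriteLine(await ex.Response.Content.ReadAsStringAsync());
        }
    }
}
```

The lock is the part worth keeping when you move this to a real store: a check-then-insert that is not atomic lets two provisioning cycles create duplicate userName values, after which the query in QueryByUserNameAsync returns more than one hit and Azure AD has no single object to reconcile against. Use a unique index or a conditional insert in the backing database for the same effect.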

sven73a commented 4 years ago

Thanks for your quick answer. I am going to do some testing :)