Captain-P-Goldfish / scim-for-keycloak

a third party module that extends keycloak by SCIM functionality
BSD 3-Clause "New" or "Revised" License
182 stars 46 forks

How does SCIM work with External Database? #95

Closed weixunli closed 5 months ago

weixunli commented 5 months ago

Hi @Captain-P-Goldfish,

I have the following questions regarding scim-for-keycloak:

Let's say I have keycloak configured so it connects to an external oracle DB, and I am using scim-for-keycloak on top of that. If a user is removed from the client side, will scim-for-keycloak delete the user from the external oracle DB?

Captain-P-Goldfish commented 5 months ago

The question is actually confusing me. If keycloak uses your oracle database as storage the user will be deleted if a delete-operation is triggered whether the SCIM interface is used or the native keycloak-tools. Or are you talking about Oracle Identity Cloud Services: https://docs.oracle.com/en/cloud/paas/identity-cloud/uaids/use-scim-interface-integrate-oracle-identity-cloud-service-custom-applications.html#GUID-FFBCF8FC-D131-4863-B8EB-1EF7A496A731?

weixunli commented 5 months ago

hmmm, the situation is as follows: [architecture diagram not included]

so if a user is deprovisioned from Azure AD side, and the request is sent to keycloak, will keycloak delete the user stored in the external database?

Captain-P-Goldfish commented 5 months ago

From what I see here I can say: yes. MsAzure has some special request notations though for which several workarounds exist. These workarounds are documented in the webadministration of the enterprise-free-version.

I am currently also reimplementing PATCH of the SCIM-SDK. The changes will enhance the support for MsAzure requests. The reimplementation was initiated though to solve some problems that occur with MsAzures massive concurrent requests on the same resources when synchronizing. I hope to have this fixed soon too.

weixunli commented 5 months ago

Is there a reliable way to setup Azure AD with scim-for-keycloak? From this link https://github.com/Captain-P-Goldfish/scim-for-keycloak/wiki/Use-with-Microsoft-Azure-AD , I was able to get to the point to Test Connection on AZ AD side

When I try to "test connection" from Azure AD side, I get a 401, and when I tried to access User schema under resource types directly I still get 401, see image below.

Am I missing something here?

Captain-P-Goldfish commented 5 months ago

There are several possibilities that can lead to this result:

  1. The AccessToken is issued by the wrong client
  2. The AccessToken is expired
  3. No AccessToken is sent at all

There is no custom-authentication in the SCIM For Keycloak plugin. It uses the keycloak default implementation and verifies only that the AccessToken was issued for the correct client. The best thing to do would be to test the authentication manually. A very good place to check the issued AccessToken is https://jwt.io. Have you tried this? Are you familiar with the authentication process in detail?
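The three causes listed in this answer can be checked by hand before touching the plugin at all. The script below is an added example (not part of the issue thread and not scim-for-keycloak code): it inspects the `Authorization` header of a request the way you would with https://jwt.io, decodes the token payload without verifying the signature (signature checking stays Keycloak's job), and maps the result to one of the three causes. It assumes the token is a Keycloak-issued JWT carrying the standard `exp` claim and the `azp` (authorized party) claim, which Keycloak sets to the client id that obtained the token; the expected client id `scim-client` is a placeholder you would replace with the client Azure AD authenticates against.

```python
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature.

    This is the manual inspection step (what jwt.io shows you); the actual
    signature verification happens inside Keycloak when the request arrives.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_authorization(auth_header, expected_client, now=None):
    """Map a request's Authorization header to one of the three causes of a
    401 described above, or 'ok' if none of them applies.

    Returns one of: 'no_token', 'expired', 'wrong_client', 'ok'.
    """
    now = time.time() if now is None else now
    if not auth_header or not auth_header.startswith("Bearer "):
        return "no_token"          # cause 3: no AccessToken sent at all
    token = auth_header[len("Bearer "):].strip()
    claims = decode_jwt_claims(token)
    if "exp" in claims and claims["exp"] <= now:
        return "expired"           # cause 2: token lifetime is over
    # Keycloak records the client that obtained the token in the 'azp' claim
    if claims.get("azp") != expected_client:
        return "wrong_client"      # cause 1: issued for a different client
    return "ok"


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg 'none') for offline testing.

    Real Keycloak tokens are signed; this helper only exists so the checks
    above can be exercised without a running server.
    """
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    header = {"alg": "none", "typ": "JWT"}
    return f"{enc(header)}.{enc(claims)}."


if __name__ == "__main__":
    EXPECTED_CLIENT = "scim-client"   # placeholder: the client Azure AD uses
    now = int(time.time())
    samples = {
        "good":   "Bearer " + make_unsigned_jwt({"azp": "scim-client", "exp": now + 300}),
        "stale":  "Bearer " + make_unsigned_jwt({"azp": "scim-client", "exp": now - 60}),
        "other":  "Bearer " + make_unsigned_jwt({"azp": "account-console", "exp": now + 300}),
        "absent": None,
    }
    for name, header in samples.items():
        print(f"{name:>6}: {diagnose_authorization(header, EXPECTED_CLIENT, now)}")
```

Paste the real `Authorization` header value captured from the Azure AD test request in place of the constructed samples; if the function reports `ok` and Keycloak still answers 401, the remaining suspect is the signature or issuer, which only the server-side check can tell you.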

weixunli commented 5 months ago

Hey Captain Gold Fish, thank you for the prompt response. It seems like this scim plugin is not suitable for our project, we won't be pursuing this option any further.

I thank you for the proposed solution, I will look into it if we need to revisit this scim plugin.