FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

[Bug]: SCIM Client cannot call FusionAuth using EnterpriseUser Schema on JSON PATCH #2667

Closed jobannon closed 3 months ago

jobannon commented 4 months ago

What happened?

  1. Create a SCIM connection from AzureAD to FusionAuth. In this case, FusionAuth is the SCIM server and AzureAD is the SCIM client.
  2. For testing purposes, it is most efficient to provision a user from Azure into FusionAuth. Use the default lambdas and converters that ship with FusionAuth.
  3. See that a new user is created in FusionAuth from the SCIM integration. In my test of this, the user was not created with any enterprise user information. A department was later added to the user, which caused FusionAuth to throw an exception.
  4. Go back to your AzureAD enterprise application and add a department field to the user. This meta information only lives in the SCIM enterprise user schema; however, it's possible that any EnterpriseUser attribute could cause this behavior.
  5. Instruct AzureAD to update the user into any SCIM servers that might be listening.
  6. See that AzureAD attempts to provision the updated department information, but fails when FusionAuth returns a 500 error.
  7. This is the error that is printed to the FusionAuth logs:
2024-03-01 06:18:40.026 PM ERROR org.primeframework.mvc.PrimeMVCRequestHandler - Error encountered
org.primeframework.mvc.PrimeException: The @JSONResponse field [response] in the action [class io.fusionauth.app.action.api.scim.resource.v2.UsersAction] is null. It cannot be null!
        at org.primeframework.mvc.action.result.JSONResult.execute(JSONResult.java:106)
        at org.primeframework.mvc.action.result.JSONResult.execute(JSONResult.java:55)
        at org.primeframework.mvc.action.result.DefaultResultInvocationWorkflow.perform(DefaultResultInvocationWorkflow.java:105)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
        at org.primeframework.mvc.message.DefaultMessageWorkflow.perform(DefaultMessageWorkflow.java:50)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
        at org.primeframework.mvc.scope.DefaultScopeStorageWorkflow.perform(DefaultScopeStorageWorkflow.java:60)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
        at org.primeframework.mvc.workflow.DefaultErrorWorkflow.perform(DefaultErrorWorkflow.java:44)
        at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
        at org.primeframework.mvc.workflow.DefaultMVCWorkflow.perform(DefaultMVCWorkflow.java:119)
        at org.primeframework.mvc.PrimeMVCRequestHandler.handle(PrimeMVCRequestHandler.java:73)
        at io.fusionauth.http.server.HTTPWorker.run(HTTPWorker.java:50)
        at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        at java.base/java.lang.Thread.run(Thread.java:833)

Also, notice that, for at least that moment, the user is not updated in FusionAuth with the new department value (urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department) that the enterprise user was assigned.

Version

Latest - 1.48.3

Affects Versions

No response

Additional context

Release notes

SCIM PATCH requests fail when adding a new field that is namespaced under a previously nonexistent extension schema.
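The failing case above, worked through as an added example (this is not FusionAuth code; the stored user and the PATCH body are constructed to mirror the report): a SCIM PatchOp `add` whose path is namespaced under the enterprise extension schema arrives for a user that was provisioned with only the core schema, and the server has to create the extension object and declare it in `schemas` instead of ending up with nothing to return.

```python
import copy
from typing import Optional, Tuple

# SCIM 2.0 URNs from RFC 7643 / RFC 7644.
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def split_path(path: str) -> Tuple[Optional[str], str]:
    """Split a PATCH 'path' into (extension URN or None, attribute name).

    Extension attributes are addressed as '<schema URN>:<attr>'. The URN itself
    contains colons, so match the known prefix instead of splitting on ':'.
    """
    if path.startswith(ENTERPRISE_USER + ":"):
        return ENTERPRISE_USER, path[len(ENTERPRISE_USER) + 1:]
    return None, path


def apply_patch(resource: dict, patch: dict) -> dict:
    """Apply a PatchOp to a user resource and return the updated copy.

    Handles the reported edge case: an 'add' under an extension schema the
    stored resource does not yet carry. The extension object is created on
    demand and its URN appended to 'schemas', so the response is never empty.
    Only 'add' and 'replace' on simple attributes are covered in this example.
    """
    if patch.get("schemas") != [PATCH_OP]:
        raise ValueError("not a SCIM PatchOp message")
    updated = copy.deepcopy(resource)  # never mutate the stored resource in place
    for op in patch["Operations"]:
        # RFC 7644 spells ops in lowercase; Azure AD sends 'Add'/'Replace', so normalise.
        if op["op"].lower() not in ("add", "replace"):
            raise ValueError(f"unsupported op {op['op']!r} in this example")
        urn, attr = split_path(op["path"])
        if urn is None:
            updated[attr] = op["value"]
            continue
        ext = updated.setdefault(urn, {})  # previously nonexistent extension object
        ext[attr] = op["value"]
        if urn not in updated["schemas"]:
            updated["schemas"].append(urn)  # resource now declares the extension
    return updated


# Constructed sample: a user provisioned with core attributes only, then the
# PATCH a SCIM client would send once a department is filled in.
STORED_USER = {"schemas": [CORE_USER], "id": "example-user-id", "userName": "jdoe", "active": True}
AZURE_PATCH = {"schemas": [PATCH_OP], "Operations": [
    {"op": "Add", "path": ENTERPRISE_USER + ":department", "value": "Engineering"}]}
```

Running `apply_patch(STORED_USER, AZURE_PATCH)` yields a user whose `schemas` list now contains the enterprise URN and whose extension object holds `department`, which is the resource the server should serialise back with a 200 rather than a 500.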

andrewpai commented 3 months ago

Internal: