search

boxyhq / jackson

🔥 Streamline your web application's authentication with Jackson, an SSO service supporting SAML and OpenID Connect protocols. Beyond enterprise-grade Single Sign-On, it also supports Directory Sync via the SCIM 2.0 protocol for automatic user and group provisioning/de-provisioning. 🤩
https://boxyhq.com/docs/jackson/overview
Apache License 2.0
1.87k stars 164 forks source link

SCIM: Support groups and members fields on User and Group #3136

Closed ndreas closed 1 month ago

ndreas commented 2 months ago

Is your proposal related to a problem?

We had an issue where a customer wanted to connect Okta to our self-hosted Jackson instance, and only users and groups ended up in Jackson, not memberships. After logging the actual payloads Okta sent, we discovered that the customer's setup only sent POST and PUT requests to the User and Group resources, while a setup done with the SCIM 2.0 Test App in Okta sent PATCH requests to set memberships.

After dumping the payloads sent by Okta, we discovered that the POST and PUT requests had the memberships in the groups and members fields. According to the RFC the groups field on the User resource, and the members field on the Group resource contains the memberships.

Describe the solution you'd like

It would be nice if the groups and members fields in the payloads could be handled in the endpoints for creating and updating:

Describe alternatives you've considered

We can always ask the customers to exactly follow the instructions for Okta, but since the field is part of the RFC it would be good to support it.

Additional context

I think this may be related as well: https://github.com/boxyhq/jackson/discussions/1614

deepakprabhakara commented 2 months ago

Thanks @ndreas, we'll check this and look to support it if Okta has indeed started sending the right information now for group memberships.

niwsa commented 2 months ago

@ndreas While inspecting the POST request for user.created event I don't see any groups being sent across. Also the group.updated event does show the members but not all (As mentioned here).

Could you share your payload after redacting any sensitive data ?

ndreas commented 1 month ago

@niwsa you're right, the groups field on the payload is always an empty array when a POST request is sent to the /Users endpoint. And we only had two users when testing which all were available in the POST requests to /Groups, so I don't think it's relevant to send you the payloads.

I guess Okta keeps misbehaving. Feel free to close this.

niwsa commented 1 month ago

No worries @ndreas. Thank you for the confirmation.