🔥 Streamline your web application's authentication with Jackson, an SSO service supporting SAML and OpenID Connect protocols. Beyond enterprise-grade Single Sign-On, it also supports Directory Sync via the SCIM 2.0 protocol for automatic user and group provisioning/de-provisioning. 🤩
We had an issue where a customer wanted to connect Okta to our self-hosted Jackson instance, and only users and groups ended up in Jackson, not memberships. After logging the actual payloads Okta sent, we discovered that the customer's setup only sent POST and PUT requests to the User and Group resources, while a setup done with the SCIM 2.0 Test App in Okta sent PATCH requests to set memberships.
Is your proposal related to a problem?
We had an issue where a customer wanted to connect Okta to our self-hosted Jackson instance, and only users and groups ended up in Jackson, not memberships. After logging the actual payloads Okta sent, we discovered that the customer's setup only sent
POST
andPUT
requests to the User and Group resources, while a setup done with the SCIM 2.0 Test App in Okta sentPATCH
requests to set memberships.After dumping the payloads sent by Okta, we discovered that the
POST
andPUT
requests had the memberships in thegroups
andmembers
fields. According to the RFC the groups field on the User resource, and the members field on the Group resource contains the memberships.Describe the solution you'd like
It would be nice if the
groups
andmembers
fields in the payloads could be handled in the endpoints for creating and updating:Describe alternatives you've considered
We can always ask the customers to exactly follow the instructions for Okta, but since the field is part of the RFC it would be good to support it.
Additional context
I think this may be related as well: https://github.com/boxyhq/jackson/discussions/1614