goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

[SCIM] POST of new user fails with HTTP code '405 Method Not Allowed' #12244

Open sia-mfierro opened 1 day ago

sia-mfierro commented 1 day ago

Describe the bug

We are planning to utilize MS Entra as the SCIM client and Authentik as the SCIM server (Source in Authentik parlance). POSTing a new user to the https://{hostname}/source/scim/{slug}/v2/Users endpoint returns HTTP/1.1 405 Method Not Allowed.

To Reproduce

Steps to reproduce the behavior:

  1. Go to 'Side menu' -> 'Directory' -> 'Federation and Social Login'
  2. Click 'Create' button -> 'SCIM Source' button -> 'Next' button
  3. Enter Source's 'Name' and 'Slug' -> click 'Finish' button
  4. Send HEAD HTTP request with Bearer Token copied from the Source's page, the answer is as follows (please note the presence of POST)
    HTTP/1.1 200 OK
    Allow: GET, POST, PUT, DELETE, HEAD, OPTIONS
    ....
  5. Send a POST HTTP request with Bearer Token copied from the Source's page, and the following payload (taken from Microsoft's documentation on the topic)
    {
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
        "urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User"
      ],
      "userName": "bjensen@testuser.com",
      "id": "48af03ac28ad4fb88478",
      "externalId": "bjensen",
      "name": {
        "familyName": "Jensen",
        "givenName": "Barbara"
      },
      "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
        "manager": "123456"
      },
      "urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User": {
        "tag": "701984"
      },
      "meta": {
        "resourceType": "User",
        "created": "2010-01-23T04:56:22Z",
        "lastModified": "2011-05-13T04:42:34Z",
        "version": "W\/\"3694e05e9dff591\"",
        "location": "https://example.com/v2/Users/00aa00aa-bb11-cc22-dd33-44ee44ee44ee"
      }
    }
  6. The server returns HTTP 405
    HTTP/1.1 405 Method Not Allowed
    Allow: GET, HEAD, OPTIONS
    ....

Expected behavior

HTTP 201 response; I am assuming that the payload would be the newly created user.

Logs

server-1      | {"auth_via": "unauthenticated", "domain_url": "10.0.0.53", "event": "/source/scim/ms-entra/v2/Users", "host": "10.0.0.53", "level": "info", "logger": "authentik.asgi", "method": "POST", "pid": 674, "remote": "10.212.134.193", "request_id": "cce65e7575174c3289272e956133e302", "runtime": 49, "schema_name": "public", "scheme": "https", "status": 405, "timestamp": "2024-12-02T13:55:55.864792", "user": "ak-source-scim-8dbf2f98-a26d-4306-877d-4f535df11c92", "user_agent": "vscode-restclient"}

Version and Deployment (please complete the following information):

Additional Context

A POST with the following payload works (taken from here) and returns 201 as expected:

{
    "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName":"hermione@hogwarts.example",
    "active": true,
    "name":{
        "familyName":"Granger",
        "givenName":"Hermione"
    },
    "emails":[
        {
            "primary":true,
            "value":"hermione@hogwarts.example"
        }
    ]
}

sia-mfierro commented 1 day ago

The following payload (also from Microsoft) also works fine

{
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
    "externalId": "0a21f0f2-8d2a-4f8e-bf98-7363c4aed4ef",
    "userName": "Test_User_00aa00aa-bb11-cc22-dd33-44ee44ee44ee",
    "active": true,
    "emails": [{
        "primary": true,
        "type": "work",
        "value": "Test_User_11bb11bb-cc22-dd33-ee44-55ff55ff55ff@testuser.com"
    }],
    "meta": {
        "resourceType": "User"
    },
    "name": {
        "formatted": "givenName familyName",
        "familyName": "familyName",
        "givenName": "givenName"
    },
    "roles": []
}
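
An added triage example (not part of the issue and not authentik's code): it flattens the three payloads posted in this thread into attribute paths and lists which paths were sent only in the request answered with 405 and which only in the requests answered with 201, as a starting point for bisecting the payload. Attribute values are shortened, constructed placeholders, and the helper names are made up for this example.

```python
CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
CUSTOM = "urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User"

# Attribute layout of the three payloads in this issue. Values are shortened
# placeholders (constructed); only the attribute names matter here.
FAILING = {  # answered with 405
    "schemas": [CORE, ENT, CUSTOM], "userName": "u", "id": "i", "externalId": "e",
    "name": {"familyName": "f", "givenName": "g"},
    ENT: {"manager": "m"}, CUSTOM: {"tag": "t"},
    "meta": {"resourceType": "User", "created": "c", "lastModified": "l",
             "version": "v", "location": "loc"},
}
WORKING = [  # both answered with 201
    {"schemas": [CORE], "userName": "u", "active": True,
     "name": {"familyName": "f", "givenName": "g"},
     "emails": [{"primary": True, "value": "v"}]},
    {"schemas": [CORE, ENT], "externalId": "e", "userName": "u", "active": True,
     "emails": [{"primary": True, "type": "work", "value": "v"}],
     "meta": {"resourceType": "User"}, "roles": [],
     "name": {"formatted": "n", "familyName": "f", "givenName": "g"}},
]

def paths(node, prefix=""):
    """Flatten a SCIM resource into the set of attribute paths it sends."""
    found = set()
    if isinstance(node, dict):
        for key, value in node.items():
            found |= paths(value, f"{prefix}/{key}")
    elif isinstance(node, list):
        for item in node:
            if isinstance(item, (dict, list)):
                found |= paths(item, prefix + "[]")
            else:  # keep scalar members such as schema URNs
                found.add(f"{prefix}[]={item}")
    return found or {prefix}

def only_in_rejected(failing, working):
    """Paths present in the rejected request and in no accepted one."""
    return sorted(paths(failing) - set().union(*map(paths, working)))

def only_in_accepted(failing, working):
    """Paths every accepted request sent but the rejected one did not."""
    return sorted(set.intersection(*map(paths, working)) - paths(failing))

if __name__ == "__main__":
    print("only in 405 request:", *only_in_rejected(FAILING, WORKING), sep="\n  ")
    print("only in 201 requests:", *only_in_accepted(FAILING, WORKING), sep="\n  ")
```

Removing the listed paths from the rejected payload one at a time and re-sending shows which attribute the server objects to; the comparison alone does not establish the cause.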