Azure Soft Delete (IsSoftDeleted) -> scimgateway.modifyUser() not triggered

[RalfBrennscheidt]

Hello.

Firstly, love the "scimgateway" and would really like to make it work, but it's driving me crazy (and my assumption is I fundamentally make something wrong) hence i'm in the hope of some help here.

I'm using a bit older version 4.1.9

Intention: Entra ID -> Provisioning -> scimgateway ->

• GET | GetUser (behave as normal in the entra-id plugin -> do a GET to GraphAPI) = works smooth already
• PATCH | ModifyUser (just get the "id" and call an Azure Logic App) = works for normal attribute changes

However, here is the evil part. As we know, when user is "deleted" in Azure it first goes into a Soft delete state (normally) Through the provisioning mapping ("active" -> "Switch([IsSoftDeleted], , "False", "True", "True", "False")" we should receive an attribute of "active" = false in an incoming scimgateway.modifyUser() BUT i never receive this request.

What I see in the Provisioning Logs is this:

This should also not be related to the "SkipOutOfScopeDeletions" as this is an Outbound Provisioning, not Inbound.

Therefore, I would like to kindly ask if there is any idea what's wrong here. Why do I not get an Incoming PATCH request with the "active" : false property (as it would be easy to manage this in code to execute the wished functionality).

Thank you in advance.

[jelhub]

Hi, Does it work using default plugin-loki? If yes, there might be something with your plugin.

Provided Entra ID log shows: This object is not active in the source system and IsActive=False Maybe your plugin did not return active=true on Entra GET user request?

Regards, Jarle

[RalfBrennscheidt]

Hi, are you saying EntraID is doing a getUser BEFORE doing a PATCH (modify) ? Then it is quite logical what is happening here, I assume.

I haven't changed the default getUser in the plugin-azure-ad.js file. So if I delete a user in the portal, of course it is querying MS-Graph of the same tenant and returning a 404 Not found hence user is out of scope, as it was deleted by me before the provisioning cycle has run.

Therefore, I need to completely rewrite the getUser to return users from my target of the sync and return an SCIM conform object.

[jelhub]

Your use-case is a bit odd: Entra is provisioning to it ‘selves using the gateway and plugin-entra-id (previous named plugin-azure-ad)

I could understand if you have been provisioning to another tenant.

Anyhow, please test azure functionality using default plugin-loki.

[RalfBrennscheidt]

Hi.

Default loki was working. Therefore, as i assumed, something fundamentally was wrong in my understanding. Thanks for the support by pointing me in the right direction, really appreciated 🙇🏼

Feel free to close this one.

[RalfBrennscheidt]

Nope, seems i have another issue:

scimgateway.createUser() -> A required attribute is missing from a response. The missing attribute is Identifier.

// ================================================= // createUser // ================================================= scimgateway.createUser = async (baseEntity, userObj, ctx) => { const action = 'createUser' scimgateway.logger.debug(${pluginName}[${baseEntity}] handling "${action}" userObj=${JSON.stringify(userObj)}`)

const reqObj = { "userId": userObj.nickName, "fetchAll": false };

const response = await axios.post(process.env.PROVISIONING_URL, reqObj); if(response.status === 200) { scimgateway.logger.debug(Create: Successful called ${process.env.PROVISIONING_URL} with ${JSON.stringify(reqObj)}); } else { scimgateway.logger.error(Create: Sync failed for: ${pluginName}[${baseEntity}] handling "${action}" userObj=${JSON.stringify(userObj)}) } return null; }`

• ConfigFile:

"map": { "user": { "id": { "mapTo": "id", "type": "string" }, "userType": { "mapTo": "userType", "type": "string" }, "userPrincipalName": { "mapTo": "userName,externalId", "type": "string" }, "accountEnabled": { "mapTo": "locked", "type": "boolean" }, "givenName": { "mapTo": "firstName", "type": "string" }, "surname": { "mapTo": "lastName", "type": "string" }, "displayName": { "mapTo": "displayName", "type": "string" } } }

[jelhub]

Take a look at the info-message in the plugin log file. All requests will have a final info message showing the inbound request and the corresponding outbound response. I assume response is missing the id attribute.

For createUser, scimgateway will return full user object including id that is unique for user-endpoint.

Some IdP's use this createUser response, and store the unique id that will later be used for PATCH /Users/<id>, GET /Users/<id> and DELETE /Users/<id>.

Other IdP's will instead lookup id before any PATCH/DELETE e.g., GET /Users?filter=userName eq "bjensen"&attributes=id,userName

If your plugin do not return full user object with id or minimum the id, scimgateway will try to get the id like mention above and include the id in response (rest of attributes are already known)

Two problems you should fix:

• createUser should return id.
• your plugin seems not to support: GET /Users?filter=userName eq "bjensen"&attributes=id,userName

Ref:

[RalfBrennscheidt]

This helped me to bring the project over the finish line. Thanks again so much!

Now you really can close this one 😄