lessonly / scim_rails

SCIM Adapter for Rails.
MIT License

What is Okta-specific about this gem? #35

Open leesmith opened 4 years ago

leesmith commented 4 years ago

Would attempting to use this gem with Azure AD be fundamentally different? Thanks for any insight!

wernull commented 4 years ago

@leesmith since we added the option to use Bearer tokens it should work with Azure but may not handle all the functionality you need. This gem was built specifically to handle the attributes needed to integrate Okta and does not handle groups. It is not 100% SCIM compliant because of that.

leesmith commented 4 years ago

Ok, thanks @wernull! So in your case, you just didn't need the groups feature but Okta supports groups nonetheless? I'm looking at potentially implementing SCIM to work with both Okta and Azure...just trying to plan my attack with all this. Thanks again!

wernull commented 4 years ago

@leesmith correct. We were only concerned with getting the users into our system and provisioning/de-provisioning with only a handful of the standard attributes. We've discussed adding groups, custom attributes and whatever else would make us fully SCIM compliant, but it is not something we've been able to prioritize ourselves. You should be able to use this with both Okta and Azure. We're always happy to accept pull requests if you need to add something for your needs.

codenem commented 4 years ago

@leesmith We're also using this gem; we have overridden some parts to fit our needs. Having looked at the Azure docs several times now, I haven't seen anything preventing using this gem with Azure (after all, SCIM is a standard). Apart from some requirements needed to publish your service provider in the Azure app store (e.g. it seems to require more filters than the gem provides, but groups are still optional), nothing should prevent you from using it in a private Azure app. We'll start working on this soon too on Azure, and will work on groups as well. We might open some PRs here then.

leesmith commented 4 years ago

@nemile I'm in the same boat! I've been developing our solution using this gem as a guide against both Okta and Azure AD.

Hopefully someone can correct me if I'm wrong but one concrete difference I'm seeing is how Azure and Okta differ in their use of PATCH to /Users/{:id}. Okta (and this gem) essentially only uses PATCH to activate/deactivate users. Azure AD uses PATCH for updating multi-value properties as well as single value properties.

But the difference is documented though and doesn't look too tough to override.

And yes, once I'm done and have my solution deployed, I look forward to hopefully opening some PRs here.

rreinhardt9 commented 4 years ago

You all are amazing! We'd be excited to review PRs 🎉 Feel free also to open an issue if you're starting on a specific part and want to discuss approach before investing time in the code itself 👍

The difference with PATCH is how I understand it as well... there is much more in the specification that PATCH can be used for, but currently this gem only implements activate/deactivate for Okta. But I think it would be a natural extension to add additional abilities to PATCH as I understand it! Here is where it talks about PATCH in the SCIM specifications. I was digging in there recently to fix #33.

leesmith commented 4 years ago

@rreinhardt9 I will definitely open an issue for discussion before writing any code...should be common courtesy these days. :)

And yes, regarding that #33, it looks like Azure sends the operation in uppercase (Replace) while Okta sends it in lowercase (replace). Hence, I've downcased all operation "op" values coming in before comparing them.
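The PATCH handling difference described in this thread (Okta's path-less activate/deactivate body versus Azure AD's path-based single- and multi-valued updates, plus the Replace/replace casing), as an added Ruby example; this is not scim_rails code, and ScimUser, the attribute allowlist and the constants are constructed for illustration. It assumes PATCH bodies arrive already parsed into hashes, and it rejects any attribute outside the allowlist instead of mass-assigning whatever the identity provider sends.

```ruby
# Constructed user record for this example (a real app maps to its own model).
ScimUser = Struct.new(:user_name, :display_name, :active, :emails)

# Allowlist of attributes PATCH may touch; anything else is rejected.
SINGLE_VALUED = { "userName" => :user_name, "displayName" => :display_name,
                  "active" => :active }.freeze
MULTI_VALUED = { "emails" => :emails }.freeze
SCIM_OPS = %w[add replace remove].freeze

def coerce_boolean(value)
  return value if value == true || value == false
  { "true" => true, "false" => false }.fetch(value.to_s.downcase) do
    raise ArgumentError, "not a boolean: #{value.inspect}"
  end
end

def as_list(value)
  value.is_a?(Array) ? value : [value]
end

def apply_patch_operation(user, op, path, value)
  if path.nil?
    # Okta style: no path, value is an object of attribute => new value.
    raise ArgumentError, "value must be an object when path is omitted" unless value.is_a?(Hash)
    value.each { |attr, v| apply_patch_operation(user, op, attr, v) }
  elsif (member = SINGLE_VALUED[path])
    user[member] = op == "remove" ? nil : (path == "active" ? coerce_boolean(value) : value)
  elsif (member = MULTI_VALUED[path])
    user[member] = case op
                   when "add" then Array(user[member]) + as_list(value)
                   when "replace" then as_list(value)
                   else []
                   end
  else
    raise ArgumentError, "unsupported attribute path: #{path}"
  end
end

# Applies every operation of a parsed PATCH body to the user, in order.
def apply_scim_patch(user, body)
  body.fetch("Operations").each do |operation|
    # Okta sends "replace", Azure AD sends "Replace": compare case-insensitively.
    op = operation.fetch("op").to_s.downcase
    raise ArgumentError, "unsupported op: #{op}" unless SCIM_OPS.include?(op)
    apply_patch_operation(user, op, operation["path"], operation["value"])
  end
  user
end
```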

peterwake commented 4 years ago

@leesmith we have a client that has Azure AD and wants to use SCIM to update the users registered on our web app (i.e. push Azure > OurApp). Did you get anywhere with your work? We might be able to work together on this.

leesmith commented 4 years ago

@peterwake Yes, I'm actually in the final stages of testing my app with Azure AD.

Full disclosure though...I used this gem (heavily) as a guide and did not install the gem in my app. Since this gem is geared toward Okta first and foremost, I wanted to implement everything myself so that I could see and understand exactly where this gem (and Okta) differ from Azure AD. Since my first customer will be using Azure AD, I want to make sure that integration is covered before moving on to Okta (which I plan on supporting as well).

Testing is going great though and I hope to be able to contribute back to this gem once I have this in production. I worry though that it might be tough to come up with a solution that is generic enough to be able to handle so many different ways in which an app defines the associations between users and groups. We'll see though.

Let me know if I can help you!

peterwake commented 4 years ago

Hi @leesmith thanks for getting back to me, much appreciated. We just found out about the SCIM possibility for our new client this week so this is all very new to us.

I guess from the timing of your original post to now that it would take us about 6 weeks to get a working prototype and then probably another round of work to get it into production.

Your quote "it might be tough to come up with a solution that is generic enough to be able to handle so many different ways in which an app defines the associations between users and groups" is really interesting. The promise/appeal of SCIM is we could build once for many clients and apps but that might be overly optimistic!

I'll have a bit more of a think and then be in touch.

Best regards, Peter