snipe / snipe-it

A free open source IT asset/license management system
https://snipeitapp.com
GNU Affero General Public License v3.0

Azure users fail to provision via SCIM #11094

Closed kclifford20 closed 2 years ago

kclifford20 commented 2 years ago

Debug mode

Describe the bug

Azure users fail to provision via SCIM using default configuration when setup in Azure AD.

Originally there was a mismatch in username, so I've matched that up properly, however it also looks like Azure AD fails to identify that the user already exists in Snipe after matching the username to the Azure AD UserPrincipalName.

Reproduction steps

  1. Login to Azure AD
  2. Find the Enterprise Application for Snipe IT
  3. Select Provisioning
  4. Provision on Demand
  5. Select a random user
  6. Select provision

Expected behavior

The user should match the existing Snipe IT user and update any missing information

Screenshots

No response

Snipe-IT Version

v6.0.0 build 6860 (g722e88a47)

Operating System

Alpine Linux

Web Server

Apache

PHP Version

7.4.29


Error messages

Azure AD error:
Error code

SystemForCrossDomainIdentityManagementServiceIncompatible
Error message

We are not able to deserialize the resource received from your SCIM endpoint because your SCIM endpoint is not fully compatible with the Azure Active Directory SCIM client. Here is the resource we received from your SCIM endpoint:

(end of error)
---
Laravel.log shows the below:
[2022-05-16 02:16:50] production.ERROR: Weird department reader firing...
[2022-05-16 02:16:50] production.ERROR: Weird manager reader firing...
[2022-05-16 02:17:11] production.ERROR: ArieTimmerman\Laravel\SCIMServer\Exceptions\SCIMException: Missing a valid schemas-attribute. in /var/www/html/vendor/arietimmerman/laravel-scim-server/src/Http/Controllers/ResourceController.php:101
Stack trace:
#0 /var/www/html/vendor/arietimmerman/laravel-scim-server/src/Http/Controllers/ResourceController.php(147): ArieTimmerman\Laravel\SCIMServer\Http\Controllers\ResourceController::createFromSCIM()
#1 /var/www/html/vendor/arietimmerman/laravel-scim-server/src/Http/Controllers/ResourceController.php(164): ArieTimmerman\Laravel\SCIMServer\Http\Controllers\ResourceController->createObject()
#2 /var/www/html/vendor/laravel/framework/src/Illuminate/Routing/Controller.php(54): ArieTimmerman\Laravel\SCIMServer\Http\Controllers\ResourceController->create()
#3 /var/www/html/vendor/laravel/framework/src/Illuminate/Routing/ControllerDispatcher.php(45): Illuminate\Routing\Controller->callAction()
#4 /var/www/html/vendor/laravel/framework/src/Illuminate/Routing/Route.php(262): Illuminate\Routing\ControllerDispatcher->dispatch()
#5 /var/www/html/vendor/laravel/framework/src/Illuminate/Routing/Route.php(205): Illuminate\Routing\Route->runController()
#6 /var/www/html/vendor/laravel/framework/src/Illuminate/Routing/Router.php(721): Illuminate\Routing\Route->run()
#7 /var/www/html/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(128): Illuminate\Routing\Router->Illuminate\Routing\{closure}()
#8 /var/www/html/vendor/arietimmerman/laravel-scim-server/src/Middleware/SCIMHeaders.php(17): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#9 /var/www/html/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): ArieTimmerman\Laravel\SCIMServer\Middleware\SCIMHeaders->handle()
#10 /var/www/html/vendor/laravel/framework/src/Illuminate/Routing/Middleware/SubstituteBindings.php(50): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#11 /var/www/html/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\Routing\Middleware\SubstituteBindings->handle()
#12 /var/www/html/app/Http/Middleware/CheckPermissions.php(24): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#13 /var/www/html/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): App\Http\Middleware\CheckPermissions->handle()
#14 /var/www/html/vendor/laravel/framework/src/Illuminate/Auth/Middleware/Authenticate.php(44): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#15 /var/www/html/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\Auth\Middleware\Authenticate->handle()
#16 /var/www/html/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(103): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#17 /var/www/html/vendor/laravel/framework/src/Illuminate/Routing/Router.php(723): Illuminate\Pipeline\Pipeline->then()
#18 /var/www/html/vendor/laravel/framework/src/Illuminate/Routing/Router.php(698): Illuminate\Routing\Router->runRouteWithinStack()
#19 /var/www/html/vendor/laravel/framework/src/Illuminate/Routing/Router.php(662): Illuminate\Routing\Router->runRoute()
#20 /var/www/html/vendor/laravel/framework/src/Illuminate/Routing/Router.php(651): Illuminate\Routing\Router->dispatchToRoute()
#21 /var/www/html/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(167): Illuminate\Routing\Router->dispatch()
#22 /var/www/html/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(128): Illuminate\Foundation\Http\Kernel->Illuminate\Foundation\Http\{closure}()
#23 /var/www/html/vendor/livewire/livewire/src/DisableBrowserCache.php(19): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#24 /var/www/html/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Livewire\DisableBrowserCache->handle()
#25 /var/www/html/vendor/barryvdh/laravel-debugbar/src/Middleware/InjectDebugbar.php(60): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#26 /var/www/html/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Barryvdh\Debugbar\Middleware\InjectDebugbar->handle()
#27 /var/www/html/vendor/fruitcake/laravel-cors/src/HandleCors.php(38): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#28 /var/www/html/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Fruitcake\Cors\HandleCors->handle()
#29 /var/www/html/app/Http/Middleware/PreventBackHistory.php(23): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#30 /var/www/html/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): App\Http\Middleware\PreventBackHistory->handle()
#31 /var/www/html/app/Http/Middleware/SecurityHeaders.php(26): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#32 /var/www/html/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): App\Http\Middleware\SecurityHeaders->handle()
#33 /var/www/html/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TransformsRequest.php(21): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#34 /var/www/html/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/ConvertEmptyStringsToNull.php(31): Illuminate\Foundation\Http\Middleware\TransformsRequest->handle()
#35 /var/www/html/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull->handle()
#36 /var/www/html/app/Http/Middleware/CheckForDebug.php(25): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#37 /var/www/html/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): App\Http\Middleware\CheckForDebug->handle()
#38 /var/www/html/app/Http/Middleware/CheckForSetup.php(25): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#39 /var/www/html/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): App\Http\Middleware\CheckForSetup->handle()
#40 /var/www/html/vendor/fideloper/proxy/src/TrustProxies.php(57): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#41 /var/www/html/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Fideloper\Proxy\TrustProxies->handle()
#42 /var/www/html/vendor/laravel/framework/src/Illuminate/View/Middleware/ShareErrorsFromSession.php(49): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#43 /var/www/html/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\View\Middleware\ShareErrorsFromSession->handle()
#44 /var/www/html/vendor/laravel/framework/src/Illuminate/Session/Middleware/StartSession.php(121): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#45 /var/www/html/vendor/laravel/framework/src/Illuminate/Session/Middleware/StartSession.php(64): Illuminate\Session\Middleware\StartSession->handleStatefulRequest()
#46 /var/www/html/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\Session\Middleware\StartSession->handle()
#47 /var/www/html/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/PreventRequestsDuringMaintenance.php(86): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#48 /var/www/html/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\Foundation\Http\Middleware\PreventRequestsDuringMaintenance->handle()
#49 /var/www/html/app/Http/Middleware/NoSessionStore.php(28): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#50 /var/www/html/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): App\Http\Middleware\NoSessionStore->handle()
#51 /var/www/html/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(103): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}()
#52 /var/www/html/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(142): Illuminate\Pipeline\Pipeline->then()
#53 /var/www/html/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(111): Illuminate\Foundation\Http\Kernel->sendRequestThroughRouter()
#54 /var/www/html/public/index.php(52): Illuminate\Foundation\Http\Kernel->handle()
#55 {main}
[2022-05-16 02:17:11] production.DEBUG: Validation failed. Errors: []

Message: Missing a valid schemas-attribute.

Body:

(end of log)
---

Additional context

Existing installation New setup of SCIM given SCIM provisioning is a brand new feature

zm1868179 commented 2 years ago

Can confirm, I am seeing the same issue. Brand new install of Snipe-IT; attempting to provision from Azure SCIM results in the same message.

Error code: SystemForCrossDomainIdentityManagementServiceIncompatible

Error message: We are not able to deserialize the resource received from your SCIM endpoint because your SCIM endpoint is not fully compatible with the Azure Active Directory SCIM client. Here is the resource we received from your SCIM endpoint:

I removed all mappings in Azure except these, just to make sure it wasn't a mapping attribute issue:

  - Display name maps to displayName
  - Username maps to userName
  - Given Name maps to name.givenName
  - Family Name maps to name.familyName

snipe commented 2 years ago

@uberbrady I think you had some insight on this? (And we should add some info to the docs here as well.)

uberbrady commented 2 years ago

We can't handle the displayName attribute very well yet, because it's a synthetic value - the user's first name, a space, and their last name. Snipe-IT only stores the first and last name. Since SCIM also allows you to send a first and last name, that's what we try to respect.

I've updated the docs here: https://dash.readme.com/project/snipe-it/v6.0.0/docs/scim to reflect those (and other) limitations.

kclifford20 commented 2 years ago

I've reduced our attributes down to the below and am still getting the same error, however I'm not seeing any stack trace in laravel.log this time.

  - userPrincipalName -> userName
  - jobTitle -> title
  - givenName -> name.givenName
  - surname -> name.familyName
  - employeeId -> urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber

Laravel.log:
[2022-05-18 23:43:12] production.ERROR: Weird department reader firing...
[2022-05-18 23:43:12] production.ERROR: Weird manager reader firing...
[2022-05-18 23:43:13] production.DEBUG: SAML is enabled according to loadSettings()
[2022-05-18 23:43:13] production.DEBUG: Trying to create a new OneLogin_Saml2_Auth object
[2022-05-18 23:43:14] production.DEBUG: Attempting to login via SAML
[2022-05-18 23:43:14] production.WARNING: SAML page requested, but samlData seems empty.
[2022-05-18 23:43:14] production.WARNING: Something else went wrong while trying to login as SAML user
[2022-05-18 23:43:14] production.DEBUG: SAML is enabled according to loadSettings()
[2022-05-18 23:43:14] production.DEBUG: Trying to create a new OneLogin_Saml2_Auth object

uberbrady commented 2 years ago

We've cut down those noisy SAML debug logs on the latest. If you try and initiate a 're-sync' using the control panel, does it still end up dropping into 'quarantine'?

kclifford20 commented 2 years ago

I've just updated to 6.0.1. Each time I attempt a provisional sync, it rejects the attempt with the same error.

We are not able to deserialize the resource received from your SCIM endpoint because your SCIM endpoint is not fully compatible with the Azure Active Directory SCIM client. Here is the resource we received from your SCIM endpoint:

zm1868179 commented 2 years ago

Same as above. My instance was 6.0.1. I removed the display name mapping and tested with the same results using only:

  - Username
  - Given Name
  - Family Name

snipe commented 2 years ago

@kclifford20 - the error message was not present in your reply.

> We are not able to deserialize the resource received from your SCIM endpoint because your SCIM endpoint is not fully compatible with the Azure Active Directory SCIM client

We have tested this with Azure AD SCIM. There are some fields we had to pull because Azure is not adhering to the SCIM protocol standards, but we have been testing almost exclusively with Azure.

kclifford20 commented 2 years ago

> We have tested this with Azure AD SCIM. There are some fields we had to pull because Azure is not adhering to the SCIM protocol standards, but we have been testing almost exclusively with Azure.

Haha, typical Microsoft

Can you please add a copy of your setup of SCIM with Azure so I can replicate and test?

snipe commented 2 years ago

@kclifford20 I'm sure we can do that - give us a few tho, we're grabbing dinner real quick :)

snipe commented 2 years ago

> Haha, typical Microsoft

Heh, from your words to Gates' ears 😂 😩 🤬

snipe commented 2 years ago

Ah, looks like @uberbrady updated the docs just an hour or so ago - https://snipe-it.readme.io/docs/scim

Not sure if you've checked since then?

zm1868179 commented 2 years ago

@snipe Just got home, but while you wait on @kclifford20, who possibly has a similar setup, here is my SCIM setup in Azure if it helps.


snipe commented 2 years ago

@zm1868179 ALL of this helps, for sure. We tested this a lot (and @adagioajanes has been amazing helping us get this off the ground) but there is still a lot of configuration fiddliness, so the more info we can get, the better. Thanks so much.

zm1868179 commented 2 years ago

Wait, this is odd. So I just tried it again with a user that did not exist in Snipe-IT (I was trying with my Azure admin user that I manually created in Snipe-IT for SAML) and it worked.

Just tried to provision again with the account it created successfully, and now I get a different error.

So it looks like it can create an account (that doesn't already exist in Snipe-IT), but not delete or update them currently.

zm1868179 commented 2 years ago

OK, I worked with Microsoft Engineering. My instance is hosted in an Azure Web App instance. We had to add some things to the web.config.

We added the following: (screenshot)

The full line for the PHP handler is below, as it's cut off in the image.

    <modules runAllManagedModulesForAllRequests="true">
        <remove name="WebDAVModule"/> <!-- add this -->
    </modules>
    <handlers>
        <remove name="WebDAV" />
        <remove name="OPTIONSVerbHandler" />
        <remove name="PHP74x86_via_FastCGI" />
        <add name="PHP74x86_via_FastCGI" path="*.php" verb="GET,PUT,POST,DELETE,HEAD" modules="FastCgiModule" scriptProcessor="C:\Program Files (x86)\PHP\v7.4\php-cgi.exe" resourceType="Either" requireAccess="Script" />
    </handlers>
    <httpProtocol>
        <customHeaders>
            <add name="Access-Control-Allow-Origin" value="*"/>
            <add name="Access-Control-Allow-Headers" value="Origin, X-Requested-With, Content-Type, Accept,Authorization"/>
            <add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS"/>
        </customHeaders>
    </httpProtocol>

This allowed the PHP PUT and DELETE requests to work in the web app web server itself (tested outside of Snipe-IT with a custom test.php file), as by default PUT and DELETE are not allowed, but it seems the issue is how Snipe-IT routes the request for a PUT request or DELETE request.

The error returned by Azure SCIM when doing a provision of an existing account, so an update request, is this:

Error message:
StatusCode: MethodNotAllowed
Message: Processing of the HTTP request resulted in an exception. Please see the HTTP response returned by the 'Response' property of this exception for details.
Web Response: The page you are looking for cannot be displayed because an invalid method (HTTP verb) is being used.

zm1868179 commented 2 years ago

Disregard what I said. We were able to get the PATCH request to work, however we now get a mapping error for things that I am not mapping.

This is the correct web.config to allow HTTP verbs on Azure Web Apps:

    <modules runAllManagedModulesForAllRequests="true">
        <remove name="WebDAVModule"/> <!-- add this -->
    </modules>
    <handlers>
        <remove name="WebDAV" />
        <remove name="OPTIONSVerbHandler" />
        <remove name="PHP74x86_via_FastCGI" />
        <add name="PHP74x86_via_FastCGI" path="*.php" verb="GET,PUT,POST,DELETE,HEAD,OPTIONS,PATCH" modules="FastCgiModule" scriptProcessor="C:\Program Files (x86)\PHP\v7.4\php-cgi.exe" resourceType="Either" requireAccess="Script" />
    </handlers>
    <httpProtocol>
        <customHeaders>
            <add name="Access-Control-Allow-Origin" value="*"/>
            <add name="Access-Control-Allow-Headers" value="Origin, X-Requested-With, Content-Type, Accept,Authorization"/>
            <add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS, PATCH"/>
        </customHeaders>
    </httpProtocol>

It will now pass syncing and creating with no errors, however if I change info on an existing user it doesn't update the info, as Azure says no data has changed.

cambierr commented 2 years ago

Any chance to get the provisioning working for already-existing users?

uberbrady commented 2 years ago

I'm working on SCIM stuff right now, against Azure AD. I already have a few changes I'd like to put up, but there's definitely still more work to be done.

mattytr2 commented 2 years ago

I'm also very interested in this as we dropped our legacy ldap server and now we need to provision users manually. We are also using Azure and we experience the same problems.

snipe commented 2 years ago

@uberbrady would the change we just pushed yesterday address this issue?

uberbrady commented 2 years ago

Yeah, possibly. I'm cautiously optimistic about it.

kclifford20 commented 2 years ago

Unsure if doing the below will bring your changes over to my staging instance, but I'm still getting errors updating existing people in Snipe via SCIM.

    git checkout develop
    git pull
    php upgrade.php

Error: Failed to create User '(redacted)' in customappsso

Error code: SystemForCrossDomainIdentityManagementServiceIncompatible

Error message: We are not able to deserialize the resource received from your SCIM endpoint because your SCIM endpoint is not fully compatible with the Azure Active Directory SCIM client. Here is the resource we received from your SCIM endpoint: (end of error)

One thing that I've found is that the SCIM API works absolutely fine to update objects it's created - it's just objects that weren't created by SCIM that fail to update.

musyne commented 2 years ago

Slightly different behaviour here using default configuration when setup in Azure AD and Snipe-IT 6.0.6, I get an error about streetAddress and country missing:

Error code: SystemForCrossDomainIdentityManagementServiceIncompatible

Error message:
StatusCode: BadRequest
Message: Processing of the HTTP request resulted in an exception. Please see the HTTP response returned by the 'Response' property of this exception for details.
Web Response:
{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"detail":"Invalid data!","status":400,"scimType":"invalidSyntax","errors":{"urn:ietf:params:scim:schemas:core:2.0:User:addresses.0.streetAddress":["The urn:ietf:params:scim:schemas:core:2___0:User:addresses.0.streetAddress must be a string."],"urn:ietf:params:scim:schemas:core:2.0:User:addresses.0.country":["The urn:ietf:params:scim:schemas:core:2___0:User:addresses.0.country must be a string."]}}

From Azure if I fill something in "Default value if null (optional)" for the mapping of streetAddress and country then the provisioning works.

Not sure if I should open a new issue or if it fits here.

zm1868179 commented 2 years ago

Thought I would give an update on 6.0.7

It seems that with Snipe-IT hosted in an Azure App Service container, Azure SCIM provisioning does work: it will create users if they do not exist, however it will not update them.

When it runs again for an update pass, I get the following error:

Error code: SystemForCrossDomainIdentityManagementClientNonServiceFailure

Error message:
StatusCode: MethodNotAllowed
Message: Processing of the HTTP request resulted in an exception. Please see the HTTP response returned by the 'Response' property of this exception for details.
Web Response: The page you are looking for cannot be displayed because an invalid method (HTTP verb) is being used.

All HTTP verb methods are allowed per the web.config:

    <system.webServer>
        <modules runAllManagedModulesForAllRequests="true">
            <remove name="WebDAVModule"/> <!-- add this -->
        </modules>
        <handlers>
            <remove name="WebDAV" />
            <!--<remove name="OPTIONSVerbHandler" />-->
            <remove name="PHP74x86_via_FastCGI" />
            <add name="PHP74x86_via_FastCGI" path="*.php" verb="GET,PUT,POST,DELETE,HEAD,UPDATE,OPTIONS,TRACE" modules="FastCgiModule" scriptProcessor="C:\Program Files (x86)\PHP\v7.4\php-cgi.exe" resourceType="Either" requireAccess="Script" />
        </handlers>
        <httpProtocol>
            <customHeaders>
                <add name="Access-Control-Allow-Origin" value="*"/>
                <add name="Access-Control-Allow-Headers" value="Origin, X-Requested-With, Content-Type, Accept,Authorization"/>
                <add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS, UPDATE, HEAD, TRACE"/>
            </customHeaders>
        </httpProtocol>
    </system.webServer>

uberbrady commented 2 years ago

The latest master version does have a fix for this, I'm curious to hear if that solves people's problems.

zm1868179 commented 2 years ago

Just updated to the latest version. User creation is still fine, however user updating is still broken.

Error code: SystemForCrossDomainIdentityManagementClientNonServiceFailure

Error message:
StatusCode: MethodNotAllowed
Message: Processing of the HTTP request resulted in an exception. Please see the HTTP response returned by the 'Response' property of this exception for details.
Web Response: The page you are looking for cannot be displayed because an invalid method (HTTP verb) is being used. This operation was retried 2 times. It will be retried again after this date: 2022-07-26T09:43:06.6750192Z UTC

zm1868179 commented 2 years ago

I was able to get updating working now. Turns out it was another Azure Web App Services issue.

Just in case anyone else hosts Snipe-IT on Azure Web Apps: you must edit the web.config in the public folder and add the following info to the tag:

    <handlers>
        <remove name="PHP74x86_via_FastCGI" />
        <add name="PHP74x86_via_FastCGI" path="*.php" verb="GET,PUT,POST,DELETE,HEAD,UPDATE,OPTIONS,TRACE,PATCH" modules="FastCgiModule" scriptProcessor="C:\Program Files (x86)\PHP\v7.4\php-cgi.exe" resourceType="Either" requireAccess="Script" />
    </handlers>

Azure Web Apps by default only lets you do GET and POST by PHP, so you have to add this in the web.config to override and add the other HTTP verbs.

snipe commented 2 years ago

Hmm... thanks for the extra info! The web.config is checked into the repo though, so changes to that will get overwritten in future upgrades. I think it might be better to handle that at the IIS level, just to avoid any conflicts. (Our customers are hosted on Linux, so they wouldn't have had to touch that file.)
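
Because the checked-in web.config can be overwritten on upgrade, the handler verb list discussed above is worth re-checking after each one. The script below is an added example, not Snipe-IT's or the commenters' code: it reads a web.config and reports which SCIM verbs the PHP handler omits, which listed verbs are not HTTP methods, and whether TRACE or wildcard CORS is enabled. The function name and report keys are hypothetical, and the sample is constructed from the fragments quoted in this thread.

```python
import xml.etree.ElementTree as ET

# Methods used by SCIM 2.0 resource endpoints (RFC 7644). Updates in this
# thread only started working once PATCH reached PHP.
SCIM_VERBS = ["GET", "POST", "PUT", "PATCH", "DELETE"]
HTTP_METHODS = set(SCIM_VERBS) | {"HEAD", "OPTIONS", "TRACE", "CONNECT"}

# Constructed sample, modelled on the 6.0.7 fragment quoted in this thread.
# Raw string: the scriptProcessor path contains backslashes.
SAMPLE_WEB_CONFIG = r"""<configuration>
  <system.webServer>
    <handlers>
      <remove name="PHP74x86_via_FastCGI" />
      <add name="PHP74x86_via_FastCGI" path="*.php"
           verb="GET,PUT,POST,DELETE,HEAD,UPDATE,OPTIONS,TRACE"
           modules="FastCgiModule"
           scriptProcessor="C:\Program Files (x86)\PHP\v7.4\php-cgi.exe"
           resourceType="Either" requireAccess="Script" />
    </handlers>
    <httpProtocol>
      <customHeaders>
        <add name="Access-Control-Allow-Origin" value="*" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>"""


def audit_web_config(xml_text, handler_name="PHP74x86_via_FastCGI"):
    """Report verb and CORS findings for one IIS handler mapping.

    If the handler is absent, handler_found stays False and the verb lists
    are left empty, because the server defaults are then not visible here.
    """
    root = ET.fromstring(xml_text)
    report = {
        "handler_found": False,
        "missing_scim_verbs": [],
        "not_http_methods": [],
        "trace_enabled": False,
        "wildcard_cors": False,
    }
    for entry in root.findall(".//handlers/add"):
        if entry.get("name") != handler_name:
            continue
        report["handler_found"] = True
        raw = entry.get("verb", "")
        verbs = [v.strip().upper() for v in raw.split(",") if v.strip()]
        if "*" in verbs:  # IIS wildcard: every verb reaches PHP, TRACE included
            report.update(missing_scim_verbs=[], not_http_methods=[],
                          trace_enabled=True)
            continue
        report["missing_scim_verbs"] = [v for v in SCIM_VERBS if v not in verbs]
        report["not_http_methods"] = [v for v in verbs if v not in HTTP_METHODS]
        report["trace_enabled"] = "TRACE" in verbs
    # CORS only matters to browsers; a server-side SCIM client ignores it, so a
    # wildcard origin on an API that accepts bearer tokens is a review item.
    for header in root.findall(".//httpProtocol/customHeaders/add"):
        name = (header.get("name") or "").lower()
        value = (header.get("value") or "").strip()
        if name == "access-control-allow-origin" and value == "*":
            report["wildcard_cors"] = True
    return report


if __name__ == "__main__":
    for key, value in audit_web_config(SAMPLE_WEB_CONFIG).items():
        print(f"{key}: {value}")
```

On the constructed sample this reports PATCH as missing, UPDATE as not an HTTP method, and both TRACE and wildcard CORS as enabled.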

snipe commented 2 years ago

Hi there - We haven't heard back in a bit, so I'm going to close this ticket for now, but will re-open it if you're still having issues.


mthriemer commented 2 years ago

Hi,

We are using a hosted Snipe-IT version, and we are facing the same error. Creating the users is possible, but updating is not.

How and where can we change the things zm1868179 is talking about? If possible, could you write a step-by-step guide?

Thank you and best regards

JacobS-Caruso commented 2 years ago

+1 same as LeitWolf90. We have a hosted Snipe-IT instance, we're using Azure AD, SCIM provisioning works to CREATE but throws errors for any UPDATE...

zm1868179 commented 2 years ago

> Hi,
>
> We are using a hosted Snipe-IT version, and we are facing the same error. Creating the users is possible, but updating is not.
>
> How and where can we change the things zm1868179 is talking about? If possible, could you write a step-by-step guide?
>
> Thank you and best regards

In your Azure web app, go to the development tools section in the menu and select advanced tool, then click the go link, which will take you to the Kudu console for your web app.

Once there, click on debug console, then PowerShell, on the top menu. Browse to site/wwwroot/public, click the pencil icon on the web.config file, and paste in the settings I mentioned earlier. After that, go back to the Azure web app and restart it, and it should be good.

JacobS-Caruso commented 2 years ago

I don't think we have access to that, Snipe-IT hosts for us, we do not get to see that interface?

> In your Azure web app, go to the development tools section in the menu and select advanced tool, then click the go link, which will take you to the Kudu console for your web app.
>
> Once there, click on debug console, then PowerShell, on the top menu. Browse to site/wwwroot/public, click the pencil icon on the web.config file, and paste in the settings I mentioned earlier. After that, go back to the Azure web app and restart it, and it should be good.

snipe commented 2 years ago

Thanks so much for this feedback. If you can send us a support request at support@snipeitapp.com we can speak a little more freely, and that would help. (We want to solve the problem, but there may be sensitive data involved that I would not wish for either of you to share here.)

zm1868179 commented 2 years ago

> I don't think we have access to that, Snipe-IT hosts for us, we do not get to see that interface?
>
> > In your Azure web app, go to the development tools section in the menu and select advanced tool, then click the go link, which will take you to the Kudu console for your web app. Once there, click on debug console, then PowerShell, on the top menu. Browse to site/wwwroot/public, click the pencil icon on the web.config file, and paste in the settings I mentioned earlier. After that, go back to the Azure web app and restart it, and it should be good.

Oh, I misread your statement. I thought you were saying you were hosting it in Azure. If Snipe-IT is hosting it for you, it would need to be them to look into it, but the current code base does function with creates and updates, so it may be a hosting misconfiguration.

snipe commented 2 years ago

lol now I'm confused

JacobS-Caruso commented 2 years ago

i'll put in a support request :)

snipe commented 2 years ago

Perfect :)

khikita commented 1 year ago

We are using SNIPE-IT 6.0.12 for hosting. I am unable to create or update users in SCIM from AzureAD.

The error is also in the Issue here. Is there any way to fix it?

Error Code
SystemForCrossDomainIdentityManagementServiceIncompatible

Error Message
StatusCode: BadRequest
Message: Processing of the HTTP request resulted in an exception. Please see the HTTP response returned by the 'Response' property of this exception for details.
Web Response: 
{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"detail":"Invalid data!","status":400,"scimType":"invalidSyntax","errors":{"urn:ietf:params:scim:schemas:core:2.0:User:addresses.0.streetAddress":["urn:ietf:params:scim:schemas:core:2___0:User:addresses.0.streetAddress \u306f\u6587\u5b57\u5217\u306b\u3057\u3066\u4e0b\u3055\u3044\u3002"],"urn:ietf:params:scim:schemas:core:2.0:User:addresses.0.locality":["urn:ietf:params:scim:schemas:core:2___0:User:addresses.0.locality \u306f\u6587\u5b57\u5217\u306b\u3057\u3066\u4e0b\u3055\u3044\u3002"]}}

musyne commented 1 year ago

From the AzureAD attribute mappings you should remove a few things that Snipe-IT can't process. From your log, everything with addresses.0.XXXX

khikita commented 1 year ago

Thanks

I just did this one attribute mapping and it worked. The address wasn't in there, but I removed the mapping for the department and other extraneous stuff.
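
The triage step in the exchange above, reading the rejected attributes out of the "Web Response" body to find which Azure AD mappings to remove or default, can be scripted. This is an added example, not code from Snipe-IT or laravel-scim-server: the function names are hypothetical, the layout of the `errors` map is taken from the responses quoted in this thread, and the sample body is constructed from them.

```python
import json
import re

SCIM_ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
MANGLED_USER = "urn:ietf:params:scim:schemas:core:2___0:User"

# Constructed sample, modelled on the Web Response bodies quoted in this thread.
SAMPLE_WEB_RESPONSE = json.dumps({
    "schemas": [SCIM_ERROR_SCHEMA],
    "detail": "Invalid data!",
    "status": 400,
    "scimType": "invalidSyntax",
    "errors": {
        CORE_USER + ":addresses.0.streetAddress": [
            "The " + MANGLED_USER + ":addresses.0.streetAddress must be a string."
        ],
        CORE_USER + ":addresses.0.locality": [
            "The " + MANGLED_USER + ":addresses.0.locality must be a string."
        ],
    },
})


def split_error_key(key):
    """Split '<schema URN>:<attribute path>' into (schema, readable path)."""
    # The URN itself contains dots ("2.0"), so split on the last colon instead.
    schema, _, path = key.rpartition(":")
    # Numeric segments are list indexes: addresses.0.x -> addresses[0].x
    readable = re.sub(r"\.(\d+)(?=\.|$)", r"[\1]", path)
    return schema, readable


def parse_scim_error(body):
    """Parse a SCIM error body; raise ValueError if it is empty or not one."""
    if not body or not body.strip():
        # Matches the first failure in the thread, where Azure AD printed
        # nothing after "Here is the resource we received".
        raise ValueError("empty body: the endpoint returned no SCIM resource")
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError("body is not JSON: %s" % exc) from exc
    if not isinstance(data, dict) or SCIM_ERROR_SCHEMA not in (data.get("schemas") or []):
        raise ValueError("body is not a SCIM error message")
    rejected = []
    for key, messages in (data.get("errors") or {}).items():
        schema, path = split_error_key(key)
        if not isinstance(messages, list):
            messages = [messages]
        rejected.append({"schema": schema, "path": path, "messages": messages})
    return {
        "status": int(data.get("status", 0)),  # seen as a number or a string
        "scim_type": data.get("scimType"),
        "detail": data.get("detail"),
        "rejected": rejected,
    }


def mappings_to_review(body):
    """Top-level attributes whose mappings produced the rejected values."""
    parsed = parse_scim_error(body)
    return sorted({re.split(r"[.\[]", item["path"])[0] for item in parsed["rejected"]})


if __name__ == "__main__":
    for item in parse_scim_error(SAMPLE_WEB_RESPONSE)["rejected"]:
        print(item["path"], "->", item["messages"][0])
    print("review mappings for:", mappings_to_review(SAMPLE_WEB_RESPONSE))
```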


kine90 commented 6 months ago

Fresh install of SnipeIT Version v6.3.4 - build 13139 (master) on Ubuntu 22.04.4 LTS, hosted on-prem and served over Cloudflared tunnel. SCIM with EntraID works for creating new users (after setting Attribute Mappings correctly) but not for updating. The solution linked by synthomat fixes also this issue (Enable SCIM logging via SCIM_TRACE=true).