snipe / snipe-it

A free open source IT asset/license management system
https://snipeitapp.com
GNU Affero General Public License v3.0
11.21k stars 3.2k forks

SCIM using Google Workspace not working #12642

Open Leny1996 opened 1 year ago

Leny1996 commented 1 year ago

Debug mode

Describe the bug

Cannot enable debug mode - SCIM not working with debug enabled.

I've tried to enable autoprovisioning on Google by doing the SAML setup as a Keeper app. This is working correctly as a simple SAML login. Now I've configured provisioning and it looks like there is some exception. I also tried setting compliance mode to true.

The error is the same, with or without SCIM standard compliance enabled:

GET https://SERVER/scim/v2/Users

-------------------------------------------------------------------------------------
{"totalResults":0,"itemsPerPage":0,"startIndex":1,"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],"Resources":[]}
[2023-03-08 22:58:05] production.ERROR: =====================================================================================
Exception caught! Invalid data! of type: ArieTimmerman\Laravel\SCIMServer\Exceptions\SCIMException when executing:
POST https://SERVER/scim/v2/Users

{"schemas":["urn:scim:schemas:core:1.0","urn:ietf:params:scim:schemas:core:2.0:User"],"userName":"username@domain.com","emails":[{"primary":true,"value":"username@domain.com","type":"work"}],"displayName":"User Name","name":{"givenName":"User","familyName":"Name"},"active":true}

Also, I can see this type of errors from Google side (every user has the same error):

username@domain.com, 45003, StatusCode: 400 : Bad Request : { schemas :[ urn:ietf:params:scim:api:messages:2.0:Error ]  detail : Invalid data!   status :400  scimType : invalidSyntax   errors :{ urn:ietf:params:scim:schemas:core:2.0:User:userName :[ The urn:ietf:params:scim:schemas:core:2   0: user:user name field is required. ]  urn:ietf:params:scim:schemas:core:2.0:User:name.givenName :[ The urn:ietf:params:scim:schemas:core:2   0: user:name   given name field is required. ]}}

Reproduction steps

  1. Add new SAML app (as Keeper app) on Google
  2. Import IdP metadata on SnipeIT
  3. Enable autoprovisioning on Google SAML App
  4. Observe storage/logs/scim.log

Expected behavior

I expect to sync my Google Workspace users to Snipe-IT

Screenshots

image

Snipe-IT Version

v6.0.14

Operating System

Docker

Web Server

-

PHP Version

-

Error messages

No response

Additional context

No response

welcome[bot] commented 1 year ago

👋 Thanks for opening your first issue here! If you're reporting a 🐞 bug, please make sure you include steps to reproduce it. We get a lot of issues on this repo, so please be patient and we will get back to you as soon as we can.

uberbrady commented 1 year ago

I wasn't able to get Google to do a SCIM sync with us last time I checked - have they opened that up so you can sorta pick your own mapping and just run with it? If so I can help figure this out.

One thing I can definitely say is that the schema line they're sending is going to throw our SCIM library for a bit of a loop; it expects the first schema listed to be the 'core' schema for SCIMv2, and Google is sending the v1 schema first.

If you can let me know a little more about how we can manage to get SCIM to work for us in Google, I will try and help from my end (and improve our documentation in the process), but if for some reason you can't (or it isn't available to us for whatever reason), I would instead recommend seeing if there's a way to disable legacy SCIMv1 support, maybe?

Please let us know; I'd love to make this available to everyone.

Leny1996 commented 1 year ago

No, they still do not allow you to use your own SCIM setup, but I was searching for some "tricky" solutions. I've found this: https://plugins.miniorange.com/wordpress-scim-user-provisioning-with-google-apps, which shows that WordPress SCIM is using the Keeper App on Google. I've decided to try it out, and to be honest, it looks promising. You can try the same; maybe we can try using different apps on Google (other than Keeper), or align the Snipe-IT codebase somehow?

Leny1996 commented 1 year ago

@uberbrady were you able to test it?

EclipseKnight commented 1 year ago

I'm just adding that I've also attempted these methods with no luck and the same error as @Leny1996 . Any chance on getting a status update on this issue? Would be happy to provide any necessary information.

sk3pp3r commented 1 year ago

same issue for me +1

sk3pp3r commented 1 year ago

I just created bash & python scripts.

The bash script reads the users created in the last 24 hours and saves them to a CSV file (using GAMADV-XTD3). The python script parses the CSV file and ships it to Snipe-IT using the API POST method.

I will share it soon.

Leny1996 commented 9 months ago

@uberbrady did you have a chance to test this? I've tried to enable SCIM again on 6.3.0, but no success. scim.log:

[2024-02-07 19:21:13] production.INFO: =====================================================================================
GET https://snipe-it.domain.com/scim/v2/Users?filter=userName%20eq%20%22CUT%domain.com%22&startIndex=1

-------------------------------------------------------------------------------------
{"totalResults":1,"itemsPerPage":1,"startIndex":1,"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],"Resources":[{"id":"67","meta":{"created":"2022-02-15T11:17:37+01:00","lastModified":"2023-04-11T08:48:11+02:00","location":"https:\/\/snipe-it.domain.com\/scim\/v2\/Users\/67","resourceType":"User"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"urn:ietf:params:scim:schemas:core:2.0:User":{"userName":"email@domaincom","name":{"formatted":"CUT","familyName":"CUT","givenName":"CUT"},"title":"CUT","preferredLanguage":"en-US","active":true,"emails":[{"value":"email@domain.com","type":"work","primary":true}],"phoneNumbers":[{"type":"work","primary":true}],"addresses":[{"type":"work","formatted":"n\/a","primary":true}]}}]}  
[2024-02-07 19:21:13] production.INFO: =====================================================================================
GET https://snipe-it.domain.com/scim/v2/Users/67

-------------------------------------------------------------------------------------
HTTP/1.0 200 OK
Cache-Control: no-cache, private
Content-Type:  application/json
Date:          Wed, 07 Feb 2024 18:21:13 GMT
Etag:          "W/"44c38a2859a5994023576fa68e1a3391b4dba9fb""

{"id":"67","meta":{"created":"2022-02-15T11:17:37+01:00","lastModified":"2023-04-11T08:48:11+02:00","location":"https:\/\/snipe-it.domain.com\/scim\/v2\/Users\/67","resourceType":"User"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"urn:ietf:params:scim:schemas:core:2.0:User":{"userName":"email@domain.com","name":{"formatted":"CUT","familyName":"CUT","givenName":"CUT"},"title":"CUT","preferredLanguage":"en-US","active":true,"emails":[{"value":"email@domain.com","type":"work","primary":true}],"phoneNumbers":[{"type":"work","primary":true}],"addresses":[{"type":"work","formatted":"n\/a","primary":true}]}}  
[2024-02-07 19:21:13] production.ERROR: =====================================================================================
Exception caught! Invalid data! of type: ArieTimmerman\Laravel\SCIMServer\Exceptions\SCIMException when executing:
POST https://snipe-it.domain.com/scim/v2/Users

{"schemas":["urn:scim:schemas:core:1.0","urn:ietf:params:scim:schemas:core:2.0:User"],"userName":"email@domain.com","emails":[{"primary":true,"value":"email@domain.com","type":"work"}],"displayName":"CUT","name":{"givenName":"CUT","familyName":"CUT"},"active":true} 

Maybe this could help somehow. I can see that urn:scim:schemas:core:1.0 was not sent in schemas: "schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"]
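Added example (not part of this thread, nor the Snipe-IT or laravel-scim-server code): a simplified Python model of the failure uberbrady describes and the scim.log above shows. It assumes, as an illustrative model, that a validator treats the first entry of `schemas` as the owner of the bare top-level attributes and keys its required-field rules by the SCIM 2.0 core URN; the sample POST body is constructed to match the shape in the log.

```python
import json

# Schema URNs exactly as they appear in the scim.log excerpts in this thread.
SCIM_V1_CORE = "urn:scim:schemas:core:1.0"
SCIM_V2_CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
REQUIRED = ("userName", "name.givenName")  # the fields Google's 400 lists

# Constructed sample shaped like Google's POST body from scim.log: 1.0 URN first.
GOOGLE_POST_BODY = json.dumps({
    "schemas": [SCIM_V1_CORE, SCIM_V2_CORE],
    "userName": "username@domain.com",
    "emails": [{"primary": True, "value": "username@domain.com", "type": "work"}],
    "displayName": "User Name",
    "name": {"givenName": "User", "familyName": "Name"},
    "active": True,
})

def _paths(value, prefix=""):
    # Yield ('dotted.path', leaf) pairs for a nested SCIM attribute.
    if isinstance(value, dict):
        for k, v in value.items():
            yield from _paths(v, f"{prefix}.{k}" if prefix else k)
    else:
        yield prefix, value

def flatten(resource):
    """Key every attribute as '<schema URN>:<path>'. Simplified model (an
    assumption, not the library's code): bare top-level attributes belong to
    schemas[0]; attributes nested under a URN key belong to that URN."""
    flat, default = {}, resource["schemas"][0]
    for key, value in resource.items():
        if key == "schemas":
            continue
        owner, sub = (key, value) if key in resource["schemas"] else (default, {key: value})
        for path, leaf in _paths(sub):
            flat[f"{owner}:{path}"] = leaf
    return flat

def validate(body):
    """Return the 'field is required' errors the model raises for a POST body.
    Rules are keyed by SCIM_V2_CORE, so a body listing the 1.0 URN first fails."""
    flat = flatten(json.loads(body))
    return [f"{SCIM_V2_CORE}:{p} field is required"
            for p in REQUIRED if f"{SCIM_V2_CORE}:{p}" not in flat]

def normalise_schemas(body):
    """Move the SCIM 2.0 core URN to the front so the same body validates."""
    resource = json.loads(body)
    if SCIM_V2_CORE in resource["schemas"]:
        rest = [s for s in resource["schemas"] if s != SCIM_V2_CORE]
        resource["schemas"] = [SCIM_V2_CORE] + rest
    return json.dumps(resource)
```

Running `validate(GOOGLE_POST_BODY)` reproduces the two "field is required" errors from Google's 400 response, and the same body passes once `normalise_schemas` has moved the 2.0 URN to the front, which is the reordering a server-side or proxy fix would have to apply.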