snipe / snipe-it

A free open source IT asset/license management system
https://snipeitapp.com
GNU Affero General Public License v3.0
10.33k stars 3.06k forks

Okta Problem with SCIM for SAML users created before SCIM protocol was enabled #14481

Open jiwoc55 opened 3 months ago

jiwoc55 commented 3 months ago

Debug mode

Describe the bug

Hi,

We have a problem with the SCIM protocol. We followed the documentation below : https://snipe-it.readme.io/docs/scim

IdP: Okta. Parameters: Create Users enabled, Deactivate Users enabled.

The SAML protocol was activated first, then we manually created each account on Snipe-IT.

When we set up SCIM, the connection between IdP and Snipe-IT is fully functional. However, when we assign the application from our IdP, this doesn't activate the account on Snipe-IT, so we have to check the "This user can login" box, otherwise we get the following error:

An error occurred while assigning this app. Automatic provisioning of user to app failed: User XXXX provision to app failed due to delay in reactivating remote User. Rescheduling provision job.

We have the same problem for deactivating accounts with SCIM, so the functionality described in the documentation doesn't work "IF account when it is unassigned in Okta or their Okta account is deactivated. Accounts can be reactivated if the app is reassigned to a user in Okta."

The box "This user can login" remains activated even though the status change is clearly visible in the SCIM logs (active:true > active:false):

scim.log:

```text
HTTP/1.0 200 OK Cache-Control: no-cache, private Content-Type: application/json Date: Fri, 22 Mar 2024 16:44:44 GMT Etag: "W/"e7e08e356cf07d88e79960cc61482801a5000917""

{"id":"341","meta":{"created":"2023-11-20T15:34:43+01:00","lastModified":"2024-03-22T17:43:49+01:00","location":"https://URL_To_Snipe-IT\/scim\/v2\/Users\/341","resourceType":"User"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{"employeeNumber":"XXX","department":"XXX","manager":{"value":500}},"userName":"XXX","name":{"formatted":"XXX","familyName":"XXX","givenName":"XXX"},"title":"XXX","preferredLanguage":"en-US","active":true,"emails":[{"value":"XXX","type":"work","primary":true}],"phoneNumbers":[{"value":"None","type":"work","primary":true}],"addresses":[{"type":"work","formatted":"n\/a","streetAddress":"France","primary":true}]}
[2024-03-22 17:44:44] production.ERROR: ===================================================================================== Exception caught! Invalid data! of type: ArieTimmerman\Laravel\SCIMServer\Exceptions\SCIMException when executing: PUT https://URL_To_Snipe-IT/scim/v2/Users/341

{"id":"341","meta":{"created":"2023-11-20T15:34:43+01:00","lastModified":"2024-03-22T17:43:49+01:00","location":"https://URL_To_Snipe-IT/scim/v2/Users/341","resourceType":"User"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{"employeeNumber":"XXX","department":"XXX","manager":{"value":500}},"userName":"XXX","name":{"formatted":"XXX","familyName":"XXX","givenName":"XXX"},"title":"XXX","preferredLanguage":"en-US","active":false,"emails":[{"value":"XXX","type":"work","primary":true}],"phoneNumbers":[{"value":"None","type":"work","primary":true}],"addresses":[{"type":"work","formatted":"n/a","streetAddress":"France","primary":true}]}
```

We don't encounter these problems with new accounts created and deactivated on Okta.

Regards,

Reproduction steps

  1. Enable SAML protocol between Okta and Snipe-IT
  2. Create accounts manually on Snipe-IT
  3. Enable SCIM protocol between Okta and Snipe-IT
  4. Assign the Snipe-IT application on Okta to users already created
  5. Bug: the user cannot log in until the "This user can login" checkbox is manually ticked on Snipe-IT (see the error and log messages above)
  6. Unassign the application from Okta. Bug: the "This user can login" box remains checked (see the error and log messages above)

Expected behavior

The SCIM protocol must enable / disable login and therefore the "this user can login" checkbox automatically as mentioned in the documentation.

Screenshots

No response

Snipe-IT Version

v6.3.3 build 12903 (g0f63fa23e)

Operating System

Ubuntu

Web Server

Nginx

PHP Version

8.1.2

Error messages

No response

Additional context

No response
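The two symptoms reported above (a deactivation PUT rejected with a SCIMException, and a deactivation that is logged with active:false but leaves "This user can login" checked) both end the same way: an account the IdP considers deprovisioned can still sign in. The script below is an added example, not code from the reporter or from the Snipe-IT project. It parses scim.log entries of the shape quoted in the issue, collects the users the IdP asked to deactivate, and reconciles them against the login state an admin would export from Snipe-IT. The log lines, hostnames, user ids and user states are constructed sample data; the log format for accepted (non-failing) requests is an assumption, since the issue only shows the failure line.

```python
"""Reconcile SCIM deactivation requests against Snipe-IT login state.

Added example (not from the issue reporter or the Snipe-IT project).
Constructed sample data throughout; see comments for what is assumed.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Shape of the "Exception caught! ... when executing: PUT <url>" line shown in the issue.
EXEC_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] .*when executing: (?P<method>[A-Z]+) (?P<url>\S+)\s*$")
# Status line of a logged HTTP response ("HTTP/1.0 200 OK ...").
HTTP_RE = re.compile(r"^HTTP/\d\.\d (?P<status>\d{3})")

# Constructed sample log. The ERROR line mirrors the issue; the DEBUG lines for
# accepted requests are an ASSUMED format, since the issue only shows the failure.
SAMPLE_SCIM_LOG = r"""
HTTP/1.0 200 OK
Cache-Control: no-cache, private
Content-Type: application/json
Date: Fri, 22 Mar 2024 16:44:44 GMT

{"id":"341","userName":"alice","active":true,"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"]}
[2024-03-22 17:44:44] production.ERROR: ===== Exception caught! Invalid data! of type: ArieTimmerman\Laravel\SCIMServer\Exceptions\SCIMException when executing: PUT https://snipe.example.test/scim/v2/Users/341

{"id":"341","userName":"alice","active":false,"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"]}
[2024-03-22 17:50:01] production.DEBUG: when executing: PUT https://snipe.example.test/scim/v2/Users/342

{"id":"342","userName":"bob","active":false,"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"]}
[2024-03-22 17:51:10] production.DEBUG: when executing: PUT https://snipe.example.test/scim/v2/Users/343

{"id":"343","userName":"carol","active":true,"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"]}
[2024-03-22 17:52:30] production.DEBUG: when executing: PUT https://snipe.example.test/scim/v2/Users/344

{"id":"344","userName":"dave","active":false,"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"]}
"""

# Constructed stand-in for the "This user can login" state exported from Snipe-IT.
SNIPE_USERS: Dict[str, Dict[str, object]] = {
    "341": {"username": "alice", "activated": True},   # deactivation rejected, still enabled
    "342": {"username": "bob", "activated": False},    # deactivation took effect
    "343": {"username": "carol", "activated": True},   # IdP sent active:true, consistent
    "344": {"username": "dave", "activated": True},    # accepted, but checkbox never cleared
}


@dataclass
class ScimEvent:
    kind: str                     # "request" (IdP -> Snipe-IT) or "response" (Snipe-IT -> IdP)
    user_id: Optional[str]
    active: Optional[bool]
    method: Optional[str] = None
    status: Optional[int] = None
    failed: bool = False          # request line carried "Exception caught!"
    timestamp: Optional[str] = None


def parse_scim_log(text: str) -> List[ScimEvent]:
    """Pair each request/response header line with the JSON body that follows it."""
    events: List[ScimEvent] = []
    pending: Optional[ScimEvent] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = EXEC_RE.match(line)
        if m:
            pending = ScimEvent("request", None, None, method=m["method"],
                                failed="Exception caught!" in line, timestamp=m["ts"])
            continue
        m = HTTP_RE.match(line)
        if m:
            pending = ScimEvent("response", None, None, status=int(m["status"]))
            continue
        if line.startswith("{") and pending is not None:
            body = json.loads(line)
            pending.user_id = str(body["id"]) if "id" in body else None
            pending.active = body.get("active")
            events.append(pending)
            pending = None
    return events


def failed_deprovisions(events: List[ScimEvent]) -> List[str]:
    """User ids whose active:false PUT/PATCH was rejected by the server."""
    return [e.user_id for e in events
            if e.kind == "request" and e.method in ("PUT", "PATCH")
            and e.active is False and e.failed and e.user_id]


def reconcile(events: List[ScimEvent], snipe_users: Dict[str, Dict[str, object]]) -> List[dict]:
    """Users the IdP asked to deactivate that Snipe-IT still reports as able to log in."""
    wanted_inactive = {e.user_id for e in events if e.kind == "request" and e.active is False}
    rejected = set(failed_deprovisions(events))
    findings = []
    for uid in sorted(u for u in wanted_inactive if u):
        user = snipe_users.get(uid)
        if user is None or not user["activated"]:
            continue
        reason = ("server rejected the deactivation" if uid in rejected
                  else "deactivation accepted but login still enabled")
        findings.append({"id": uid, "username": user["username"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in reconcile(parse_scim_log(SAMPLE_SCIM_LOG), SNIPE_USERS):
        print(f"user {f['id']} ({f['username']}): {f['reason']}")
```

Checking the exception list alone would only surface user 341; the reconciliation against the exported login state also catches user 344, which is the second case in the report, where the log shows active:false but the checkbox stays ticked. Against a real deployment, replace SNIPE_USERS with an export of the users table and the sample string with the actual scim.log.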

welcome[bot] commented 3 months ago

👋 Thanks for opening your first issue here! If you're reporting a 🐞 bug, please make sure you include steps to reproduce it. We get a lot of issues on this repo, so please be patient and we will get back to you as soon as we can.

jiwoc55 commented 1 month ago

Hi,

May I please have an update on my problem?

regards,

uberbrady commented 1 month ago

"Can Log in" in Snipe-IT is mapped to the 'active' flag in SCIM. If you send "active": false - then we will toggle the "can log in" field to false.

jiwoc55 commented 1 month ago

Hi,

Switching the “can connect” field to false does not work for users already existing before the SCIM connection with our IdP, even when sending the flag in SCIM (“active”: false).