snipe / snipe-it

A free open source IT asset/license management system
https://snipeitapp.com
GNU Affero General Public License v3.0

SCIM User Provisioning Error #14708

Open AcaPrince opened 1 month ago

AcaPrince commented 1 month ago

Debug mode

Describe the bug

Hi team, got an issue with SCIM provisioning into Snipe-IT Cloud with Microsoft Entra. Hope this is the right place, as I can only find reference to on-prem Snipe-IT, not the hosted cloud instance so apologies if this should be posted elsewhere?!

Have configured as per your guidance and when provisioning begins, it begins its initial cycle and successfully provisions ~150 users into Snipe (out of ~500 in the group - to confirm, it's not a nested group). However, it then stops and we get the following:

[4 screenshots]

Wonder if there's anything you can suggest to try. Have even recreated the Enterprise app and reconfigured SCIM with a new API key and everything - had the same experience of approx ~150 users being created before the provisioning gets quarantined with the same experience described above. Really at a loss, have trawled your FAQs and general info on the web about this, afraid all roads point back to "contact the devs".

Reproduction steps

1. Generate API key as superadmin
2. Configure SCIM as Global admin account using https://XXX.snipe-it.io/scim/v2 and the API key (target a single group containing ~500 users - not nested groups). Automatic provisioning, targeting only specific users.
3. Begin initial provisioning cycle
4. Wait for initial cycle to run (and hope that it doesn't get quarantined) :')

Expected behavior

For all ~500 users in the provisioning group to get created, not just hitting ~150 and stopping.

Screenshots

Please see screenshots in context in error description

Snipe-IT Version

v6.4.0 build 13351 (gdb2baae758) (master)

Operating System

Windows

Web Server

-

PHP Version

8.1.23

Operating System

Windows

Browser

Google Chrome, Edge

Version

124

Device

No response

Operating System

No response

Browser

No response

Version

No response

Error messages

No response

Additional context

Fresh instance of Snipe-IT cloud, new MS Entra enterprise app configured just for SCIM into this new platform (multiple new enterprise apps tried for SCIM but same happens each time, even with new API key and successful Tenant URL connection test).

welcome[bot] commented 1 month ago

👋 Thanks for opening your first issue here! If you're reporting a 🐞 bug, please make sure you include steps to reproduce it. We get a lot of issues on this repo, so please be patient and we will get back to you as soon as we can.

uberbrady commented 1 month ago

If you are a hosted customer, you're certainly welcome to reach out to support@snipeitapp.com and you'll definitely get support more specific to your hosted instance - and we can enable SCIM logging, and give you details of what's going on in there.

For anyone else running into issues like this, you can change your .env to include SCIM_TRACE=true - and then a scim.log file will be generated in ./storage/logs/scim.log - which tends to be quite noisy, but can sometimes surface errors. You'll see the payload of the SCIM requests that are failing (as well as the ones that are succeeding). Sometimes you can see a field being mapped that we don't support, or weird data showing up that you don't expect.

Most of the time when we see errors like this one, it's because you have some fields mapped that we don't support - there are lots of fields that SCIM providers would love to provide to us, but we just literally don't have the fields to store them in. We have some notes about that here: https://snipe-it.readme.io/docs/scim#fields-that-snipe-it-cannot-handle-yet . And we also have a list of all supported fields here - https://snipe-it.readme.io/docs/scim#all-supported-mappings-into-snipe-it . While it's tempting to try to just ignore weird fields that show up, that can cause bigger problems because when the SCIM client - the directory provider is the SCIM client, Snipe-IT is the SCIM server - tries to check back to see if its changes were accepted, it won't see the ignored fields, and can try to keep re-sending updates, over and over. That is, as you can imagine, bad.

Other things to note - we don't support the DELETE verb, and we don't support Groups.

Another thing that we'll often see is when there are users who exist, but were deleted, the SCIM mapping can get confused. Or if you have a SCIM provisioning that is working, but then you do a DB restore and the user IDs change - Azure, specifically, can get very confused when this happens (because it internally stores Snipe-IT user IDs to associate with its users).

Snipe-IT Documentation
SCIM
To enable SCIM support, you first need to generate an API key for a Superuser. As a superuser, go to the user menu near the upper-right, and choose "Manage API keys." Click "Create New Token." Copy the token and paste that in as a "Bearer Token" on your SCIM client's configuration pages. Sometimes t...
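
An added example, not part of the thread and not Snipe-IT code: a pre-flight check that flattens a SCIM request body (such as one copied out of the trace log) into attribute paths and reports anything outside an allow-list, along with the unsupported DELETE verb and Groups endpoint mentioned above. The `SUPPORTED` set, the function names and the sample payload are assumptions constructed for illustration; fill `SUPPORTED` in from the supported-mappings list in the documentation.

```python
import json

# Placeholder allow-list (assumption, not Snipe-IT's real list): fill it in from
# the "all supported mappings" section of the Snipe-IT SCIM documentation.
SUPPORTED = {
    "schemas", "externalId", "userName", "active",
    "name.givenName", "name.familyName", "emails.value", "emails.type",
}

def attribute_paths(node, prefix="", sep="."):
    """Flatten a SCIM resource into attribute paths, ignoring list positions."""
    if isinstance(node, dict):
        for key, value in node.items():
            path = f"{prefix}{sep}{key}" if prefix else key
            # Children of a top-level extension URN are joined with ':'.
            child_sep = ":" if not prefix and key.startswith("urn:") else "."
            yield from attribute_paths(value, path, child_sep)
    elif isinstance(node, list):
        for item in node:
            yield from attribute_paths(item, prefix, sep)
    else:
        yield prefix

def check_request(method, url_path, raw_body=""):
    """Return findings for one SCIM request (POST/PUT bodies are inspected)."""
    findings = []
    if method.upper() == "DELETE":
        findings.append("DELETE verb is not supported")
    if "/Groups" in url_path:
        findings.append("Groups are not supported")
    body = json.loads(raw_body) if raw_body else {}
    unmapped = set(attribute_paths(body)) - SUPPORTED
    return findings + [f"unmapped attribute: {p}" for p in sorted(unmapped)]

# Constructed sample: a user-create body with one enterprise-extension field.
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
SAMPLE_POST = json.dumps({
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE],
    "userName": "jdoe@example.com",
    "name": {"givenName": "J", "familyName": "Doe"},
    "emails": [{"type": "work", "value": "jdoe@example.com"}],
    ENTERPRISE: {"costCenter": "42"},
})

if __name__ == "__main__":
    for finding in check_request("POST", "/scim/v2/Users", SAMPLE_POST):
        print(finding)
```

Any attribute this reports is a candidate for removal from the directory provider's attribute mappings before the next provisioning cycle.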