wso2 / product-is


Unexpected behaviour when invoking the `scim2/Users` endpoint with `count` value > 0 and an omitted `domain` value in multi-attribute filtering flow #20496

Open vfraga opened 1 month ago

vfraga commented 1 month ago

Describe the issue:

In the SCIM2 user multi-attribute filter flow, when a count parameter greater than 0 is passed without specifying a domain value, the result may be empty because the search is only conducted in the PRIMARY user store [1]. This is unlike the single-attribute search [2] or multi-attribute filtering without the count parameter [3][4], which iterate through the available user store domains. Example:

{
    "totalResults": 2,
    "startIndex": 1,
    "itemsPerPage": 0,
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:ListResponse"
    ]
}

We can see there are omitted results given the totalResults value.

How to reproduce:

  1. Set up an Identity Server instance with a JDBC secondary user store manager (named 'EXTERNAL' in this example).
  2. Add the following configuration to the <IS_HOME>/repository/conf/deployment.toml file:
    [scim2_multi_attribute_filtering]
    use_pagination = "true"
  3. Go to the Claim Configuration page (Claims > List > http://wso2.org/claims) and uncheck the 'Read only' checkbox for the 'Department' claim and enable 'Supported by Default' for the 'Account Locked' claim.
  4. In the EXTERNAL user store, create:
    • 2 users with 'Account Locked' set to 'true' and 'Department' set to '123'
    • 1 user with 'Account Locked' set to 'true' and 'Department' set to '456'
  5. Run the following cURL command:
    curl --location --request GET 'https://localhost:9443/scim2/Users?filter=urn%3Aietf%3Aparams%3Ascim%3Aschemas%3Aextension%3Aenterprise%3A2.0%3AUser%3AaccountLocked%20eq%20%22true%22%20and%20urn%3Aietf%3Aparams%3Ascim%3Aschemas%3Aextension%3Aenterprise%3A2.0%3AUser%3Adepartment%20eq%20%22123%22&count=1' \
    --header 'Authorization: Basic YWRtaW46YWRtaW4='
  6. Notice the totalResults value of 2 although the result is empty:
    {
        "totalResults": 2,
        "startIndex": 1,
        "itemsPerPage": 0,
        "schemas": [
            "urn:ietf:params:scim:api:messages:2.0:ListResponse"
        ]
    }

Expected behavior: In the multi-attribute filtering flow, if no domain is specified, the pagination/filtering should occur across all user stores (or until the limit threshold is reached).

Environment information:


[1] https://github.com/wso2-extensions/identity-inbound-provisioning-scim2/blob/v1.5.46/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/impl/SCIMUserManager.java#L1913-L1924
[2] https://github.com/wso2-extensions/identity-inbound-provisioning-scim2/blob/v1.5.46/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/impl/SCIMUserManager.java#L1407-L1446
[3] https://github.com/wso2-extensions/identity-inbound-provisioning-scim2/blob/v1.5.127/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/impl/SCIMUserManager.java#L1972-L1982
[4] https://github.com/wso2-extensions/identity-inbound-provisioning-scim2/blob/v1.5.127/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/impl/SCIMUserManager.java#L1997-L2011
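The two behaviours the report contrasts, as an added Python illustration that is not part of the issue and not WSO2 code: the reported shape (with `count` > 0 and no `domain`, totalResults is counted over every user store but the page is drawn from PRIMARY only) next to the expected shape (page across all domains, stopping once `count` results are collected). `USER_STORES` is a constructed in-memory stand-in for the PRIMARY and EXTERNAL stores, the filter parser handles only the `eq ... and ...` subset used in the cURL above, the attribute names are the SCIM enterprise attributes with their URN prefix dropped, and `page_is_truncated` is a client-side check for the symptom, not an existing API.

```python
"""Illustration (not WSO2 code) of PRIMARY-only versus cross-domain paginated
multi-attribute filtering for a SCIM2 /Users ListResponse."""
import re
from itertools import islice
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Constructed in-memory stand-in for the PRIMARY and secondary (EXTERNAL) user stores.
# Attribute names are the SCIM enterprise extension attributes without the URN prefix.
USER_STORES: Dict[str, List[dict]] = {
    "PRIMARY": [
        {"userName": "admin", "accountLocked": "false", "department": "000"},
    ],
    "EXTERNAL": [
        {"userName": "EXTERNAL/alice", "accountLocked": "true", "department": "123"},
        {"userName": "EXTERNAL/bob", "accountLocked": "true", "department": "123"},
        {"userName": "EXTERNAL/carol", "accountLocked": "true", "department": "456"},
    ],
}

# The (URL-decoded) filter from the report's cURL command.
REPORTED_FILTER = (
    'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:accountLocked eq "true" '
    'and urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department eq "123"'
)

_EQ_CLAUSE = re.compile(r'^\s*([\w.:]+)\s+eq\s+"([^"]*)"\s*$')


def parse_multi_attribute_filter(expr: str) -> List[Tuple[str, str]]:
    """Parse `attr eq "v" and attr eq "v"` into (attribute, value) pairs.

    Only equality clauses joined by `and` are handled (the subset in the report);
    the URN prefix is dropped so the attribute matches the dict keys above.
    Anything else raises instead of silently matching nothing."""
    clauses = []
    for part in re.split(r"\s+and\s+", expr.strip(), flags=re.IGNORECASE):
        m = _EQ_CLAUSE.match(part)
        if not m:
            raise ValueError(f"unsupported filter clause: {part!r}")
        clauses.append((m.group(1).rsplit(":", 1)[-1], m.group(2)))
    return clauses


def _iter_matches(clauses, domains: Iterable[str]) -> Iterator[dict]:
    """Yield matching users domain by domain, so the caller can stop as soon as
    the requested page is full instead of scanning every store."""
    for domain in domains:
        for user in USER_STORES[domain]:
            if all(user.get(attr) == value for attr, value in clauses):
                yield user


def scim_list_response(expr: str, start_index: int = 1, count: Optional[int] = None,
                       domain: Optional[str] = None, cross_domain: bool = True) -> dict:
    """Build a SCIM ListResponse for the filter.

    cross_domain=True  -> expected behaviour: with no domain given, page across all
                          user stores and stop once `count` results are collected.
    cross_domain=False -> reported behaviour: totalResults is counted over every
                          store, but the page itself is drawn from PRIMARY only."""
    clauses = parse_multi_attribute_filter(expr)
    total_domains = [domain] if domain is not None else list(USER_STORES)
    if domain is not None or cross_domain or count is None:
        search_domains = total_domains
    else:
        search_domains = ["PRIMARY"]
    total = sum(1 for _ in _iter_matches(clauses, total_domains))
    offset = max(start_index - 1, 0)
    stop = None if count is None else offset + count
    page = list(islice(_iter_matches(clauses, search_domains), offset, stop))
    response = {
        "totalResults": total,
        "startIndex": start_index,
        "itemsPerPage": len(page),
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    }
    if page:
        response["Resources"] = page
    return response


def page_is_truncated(response: dict, requested_count: int) -> bool:
    """Client-side check for the symptom in the report: fewer items returned than
    totalResults and startIndex say must exist. Assumes the server does not cap
    `count` below the requested value; a lower server-side maximum would also
    trigger this and should be compared against the documented limit first."""
    remaining = response["totalResults"] - (response["startIndex"] - 1)
    expected = min(requested_count, max(remaining, 0))
    return response["itemsPerPage"] < expected
```

Calling `scim_list_response(REPORTED_FILTER, count=1, cross_domain=False)` reproduces the response body quoted in the report (`totalResults` 2, `itemsPerPage` 0, no `Resources`), while the default `cross_domain=True` returns the first EXTERNAL match and `start_index=2` the second; `page_is_truncated` flags only the former.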