The Azure AD SCIM client does not follow the SCIM Base URI properly.
As per, https://tools.ietf.org/html/rfc7644#section-1.3,
The resource relative paths (e.g. /Users) needs to be appended to the configured Base URI.
Azure AD is instead appending "/scim/Users" to the URI configured on the Provisioning tab of the app. If my SaaS application requires the tenant ID in the path (e.g. https://bla/scim/tenantID/), this is not possible with Azure's client.
The Azure AD SCIM client doesn't implement a proper OAuth2 client. It simply asks for the OAuth bearer token to be provided in the configuration. This is no good since bearer tokens need to expire for security reasons. The SCIM client should instead implement the OAuth2 client credentials grant or password grant to a configurable OAuth2 token endpoint.
The first issue is fixed as described here: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-provisioning-config-problem-scim-compatibility
OAuth authorization code grant flow is now supported for new apps that want to be added to the Azure AD app gallery. You can request your app be added here – https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-app-gallery-listing
Work to support the code grant as well as client credentials on the non-gallery app is currently in our backlog. It’s intended to be done, but not yet funded.
In the meantime, the 1KB token limitation has been lifted.
AZURE Post endpoint is getting triggered for a restored user instead of Patch Endpoint. It would be better if the user is restored, the SCIM endpoint to be triggered is Patch.
Since the identities of the user we maintain in the downstream system is the same with source.
Considering it as a restored user means, downstream system also would be holding the data unless it is hard deleted.
Jens Schwendemann commented
Jap, #2 is a showstopper. In my environment I'm trying to integrate with SAP Analytics Cloud. They / SAP (for comprehensible reasons) do not allow long-lived tokens anymore on cloud foundry platform. That, combined with the AAD SCIM client not supporting...
- authorization code grant configurable authorization / token URLs for gallery apps
- authorization code grant for non-gallery apps
- client grant flow at all
... leaves us in limbus with our planned integration.
And again still no news of the issue #2 ? TWO Years? Seriously?
Still no news of the issue #2 ? Or maybe this is simply to motivate the registration of the app in the gallery.
Bissat Matthieu commented
Hi, on my side issue #2 is problematic as well. Is there any timeline on when the "OAuth authorization code grant" feature will be deployed for non-gallery apps?
And what about the "OAuth client credentials grant"? The doc says it is in your backlog, any update?
Charles Tandy commented
Is there any update on when we can expect to be able to use code grant flow?
Having long lasting Bearer tokens is very problematic and introduces security risk.
I also can't use the bearer tokens from my current OAuth provider because they are too large for the current storage limit: https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/application-provisioning-config-problem-storage-limit
This makes it impossible for me to integrate with Azure without switching OAuth providers.
Alexander Bergmann commented
Ist there a possible date already when we can use code grant flow in custom SCIM App?
When you will fix the second Issue? Its very difficult to use a bearer Token.
The feature for OAuth support is in progress. We are working on expanding support for it currently.
Is there any update on issue #2? The lack of proper oauth or SAML support makes integrating to Azure AD very problematic at this time.
Aaron S. commented
The first issue is fixed, the second issue is still outstanding. https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-provisioning-config-problem-scim-compatibility
Osman Ilyas commented
#1 has definitely been fixed
#2 is still a problem
Arindam Laha commented
Is there any update on this topic? Azure AD SCIM is not implemented as per the RFC guidelines.
How can violating the SCIM2 RFC be a design decision?
How can it even work with any SCIM2 backend if it is requesting the wrong URIs?
Regarding #1, indeed a very problematic behavior.
It violates section 3.2 in RFC 7644.
I am currently discussing this with Microsoft Tek support; their answer up to this point is that it is a by-design behavior...
shlomi at anchi dot name