I want to sync Azure AD users using the SCIM provisioning endpoint with ASP.NET Core 6 and C#.
I am getting this error
Match urn:ietf:params:scim:schemas:extension:enterprise:2.0:User between Microsoft Entra ID and customappsso
SystemForCrossDomainIdentityManagementServiceIncompatible
We are not able to deserialize the resource received from your SCIM endpoint because your SCIM endpoint is not fully compatible with the Azure Active Directory SCIM client. Here is the resource we received from your SCIM endpoint: Please refer to the Azure Active Directory SCIM provisioning documentation (https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups) and adapt the SCIM endpoint to be able to process provisioning requests from Azure Active Directory. This operation was retried 0 times.
As per my understanding, the SCIM provisioning working flow is when we start provisioning first time then it’s called POST ~/scim/Users and get all the users from Azure AD and sync with SCIM target application. then after 40 min interval it’s again call SCIM end points and sync what we have made some changes on users from Azure AD.
Then I have configure SCIM provisioning into Enterprise application on Azure.
Also I have added Tenant URL https://testdomain.io/scim and secret key is my JWT token.
Now I have created these endpoints in my ASP.NET Core Web API:
namespace SCIM.Controllers
{
[Route("[controller]")]
[ApiController]
public class ScimController : ControllerBase
{
[HttpPost("token")]
public IActionResult GenerateToken()
{
var key = new SymmetricSecurityKey(Encoding.ASCII.GetBytes("6wSAGBSZh0zv4sZI63qD7KijhD4d4yLh8L4wd7maZMtJIxBIvvvEK59qHA"));
var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
var token = new JwtSecurityToken(
issuer: "https://8074-122-170-119-235.ngrok-free.app/scim",
audience: "8adf8e6e-67b2-4cf2-a259-e3dc5476c621",
claims: new[]
{
new Claim(ClaimTypes.Name, "AzureAD")
},
expires: DateTime.Now.AddDays(1),
signingCredentials: creds);
return Ok(new { token = new JwtSecurityTokenHandler().WriteToken(token) });
}
[HttpGet("Users")]
public async Task<IActionResult> Users([FromQuery(Name = "filter")] string filter)
{
}
[HttpGet("Users/{id}")]
public async Task<IActionResult> GetUsers(string id)
{
return Ok();
}
[HttpPost("Users")]
public async Task<IActionResult> CreateUser([FromBody] Object item)
{
try
{
var data = JsonConvert.DeserializeObject<Root>(item.ToString());
Console.WriteLine(data.active + " " + data.userName);
var response = new
{
schemas = new[] { "urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" },
id = Guid.NewGuid().ToString(),
externalId = data.externalId,
userName = data.userName,
active = data.active,
displayName = data.displayName,
emails = data.emails,
meta = new { resourceType = "User" },
name = data.name
};
return Ok(response);
}
catch (Exception ex)
{
return BadRequest("An error occurred while processing the request.");
}
}
[HttpPatch("Users/{id}")]
public async Task<IActionResult> UpdateUser(string id,[FromBody] Object item)
{
return Ok(null);
}
}
}
I have created these endpoints and when we start first time SCIM provisioning then the create endpoint will be called, and user sync on target application and it shows count on Azure. But then after I am update some properties on Azure AD user, then my update patch endpoint is not called and an error occurs:
SystemForCrossDomainIdentityManagementServiceIncompatible
Does anyone know what I am missing in my code?
I will add my error screenshot and also I will show the attribute mapping which I have added on SCIM provisioning.
enter image description here
enter image description here
Coder is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.