By: Shaun Walker user 06 Jul 2020 at 8:47 p.m. CDT

4 Responses
Shaun Walker gravatar
Hi Team, We are testing integration with SCIM and noticed an issue when creating users with groups defined. The groups do not seem to hold. An example post is here: ` { "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:User" ], "userName": "shauntest4", "name": { "familyName": "roler", "givenName": "role" }, "displayName": "testing roles n groups", "password": null, "active": true, "emails": [ { "value": "1asfdsdfg@dob.c44as", "primary": true, "type": "businessCausal" } ], "urn:ietf:params:scim:schemas:extension:gluu:2.0:User": { "role": [ "ThisIsARole" ] }, "groups": [ { "value": "e1fc449b-c17c-4b4e-b67c-2707c263ef7c" } ] } ` It returns back the created user, with just the value of the group, but when using GET on that user, it does not return the group: ` { "schemas": [ "urn:ietf:params:scim:schemas:extension:gluu:2.0:User", "urn:ietf:params:scim:schemas:core:2.0:User" ], "id": "554441cc-c879-4740-9fac-25aefdcd268e", "meta": { "resourceType": "User", "created": "2020-07-07T01:36:34.674Z", "lastModified": "2020-07-07T01:36:34.674Z", "location": "https://******************/identity/restv1/scim/v2/Users/554441cc-c879-4740-9fac-25aefdcd268e" }, "userName": "shauntest4", "name": { "familyName": "roler", "givenName": "role", "formatted": "role roler" }, "displayName": "testing roles n groups", "active": true, "emails": [ { "value": "1asfdsdfg@dob.c44as", "type": "businessCausal", "primary": true } ], "urn:ietf:params:scim:schemas:extension:gluu:2.0:User": { "role": [ "ThisIsARole" ] } } ` We can patch the user into the group after creation, but the RFC's and documentation seem to hint at being able to add a group to a user create. Am I missing something?

By Michael Schwartz staff 06 Jul 2020 at 10:27 p.m. CDT

Michael Schwartz gravatar
I don't think this is supported out of the box. You could however use a SCIM interception script to implement it. What do you think @Jose.Gonzalez?

By Jose Gonzalez staff 07 Jul 2020 at 9:30 a.m. CDT

Jose Gonzalez gravatar
Hi everyone, Per spec, `groups` is merely readOnly in the User resource so there is no way to assign groups that way. See `https://<your-host>/identity/restv1/scim/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:User` All memberships have to be handled via `/Groups` endpoint. For this case you would do PATCH with `add` operation over `members`. I don't have a payload at hand but here is a [Java routine](https://github.com/GluuFederation/scim/blob/master/scim-client/src/test/java/gluu/scim2/client/patch/PatchGroupTest.java#L65-L105) part of the test suite which will serve as an example.

By Shaun Walker user 07 Jul 2020 at 5:48 p.m. CDT

Shaun Walker gravatar
Thanks Jose, That makes perfect sense, I must have missed that while scimming (ha, pun) over the spec. For everyone else's reference in case this pops up in a search, adding a user to a group via PATCH can be done like this: PATCH https://<gluu server>/identity/restv1/scim/v2/Groups/e1fc449b-c17c-4b4e-b67c-2707c263ef7c ``` { "schemas": [ "urn:ietf:params:scim:api:messages:2.0:PatchOp" ], "Operations": [ { "op": "add", "value": { "members": [ { "value":"5ff58ef2-8b38-4025-b4d2-93096598fc14" } ] } } ] } ``` Happy to close out this question, cheers!

By Michael Schwartz staff 07 Jul 2020 at 6:03 p.m. CDT

Michael Schwartz gravatar
You still might want to use a dynamic scope script. When you return the memberOf user claim (attribute), you'll get the DN or unique id of the group. That's not very user friendly for applications, so you may want to do a lookup, then replace the DN with the name of the Group, and send that to the application.