By: Arthur Barrett user 21 Jun 2021 at 11:54 p.m. CDT

7 Responses
I'm bulk loading our users into gluu using SCIM. For a few user records I get a 400 error: Unexpected value for attribute emails.value

```
{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":"400","scimType":"invalidValue","detail":"Unexpected value for attribute emails.value"}
```

All the emails are OK and validated (and used, frequently). For privacy reasons I can't submit the email addresses here on a public database, but I can send them to you along with the full JSON request and response. Please advise.

EDIT (to try and re-open closed bug): Sample email addresses that exhibit the behaviour:

```
a&bapps_management@mhsww.us
adam.d'amway@mhsww.us
```

By Mohib Zico staff 22 Jun 2021 at 12:11 a.m. CDT

You can check oxtrust.log and scim.log with DEBUG mode, indication of failure should be there.

By Arthur Barrett user 22 Jun 2021 at 3:56 a.m. CDT

The indication of the failure is in the message, but it's wrong. SCIM validation of email addresses is broken. Can this be fixed? You've hardcoded SCIM to reject valid email addresses. For privacy reasons I can't submit the email addresses (or log files containing email addresses) here on a public database, but I can send them to you along with the full JSON request and response. What's the email address to send them to? You can test it yourself if you like - add a user with the email address: adam.d'amway@mhsww.us It's a valid email address: https://en.wikipedia.org/wiki/Email_address#Local-part But there are more failure modes than just that. SCIM validation of emails needs work.

By Mohib Zico staff 22 Jun 2021 at 5:59 a.m. CDT

> add a user with the email address: adam.d'amway@mhsww.us

Unfortunately, there are some limitations from the LDAP side; here is another comment quoted from one customer's side:

```
Seems like it's highly discouraged to use non-ASCII character email address in LDAP, as all newer ldap servers ( including new OpenDJ / WrenDS / OpenLDAP ) are strictly following RFC_1(https://datatracker.ietf.org/doc/html/rfc4524), RFC_2(https://datatracker.ietf.org/doc/html/rfc3490). However we tried to change schema and it didn't end up well as LDAP server is turning them into base64 encoding. So, overall it doesn't seem like using non-ASCII character as email address in LDAP. I believe our solution on allowing non-ASCII character is there with Couchbase. I checked 4.2.3 with Couchbase backend and it seems to have worked pretty well there in SCIM operation. Screenshot attached.
```

Bottom line is, if you want to use any special character in emailAddress, you have to use a non-LDAP backend like Couchbase as the data source of Gluu Server and SCIM to push users' information into Gluu for now.

By Arthur Barrett user 22 Jun 2021 at 6:08 a.m. CDT

These are ASCII names. RFC_2 and RFC_1 don't apply. Specifically the problems I'm seeing are:

- ASCII character ' (single quote) included in left side of email address
- ASCII character & (ampersand) included in left side of email address
- non-ASCII / Unicode characters included in 'display' element of email address

I haven't specifically checked if opendj supports this, but these are just plain ordinary ASCII email addresses, and the error message specifically shows you are excluding these valid addresses. Since the 'display' element is non-mandatory, it can be worked around here. But incorrectly validating the actual email address is a blocker - there are some real emails of real people who have been on our current system for 15 years, and now we just can't add them to Gluu. Oh, and this is a bug IN SCIM, so suggesting I use SCIM to work around it is crazy talk. SCIM is 'validating' the email address (and getting it wrong) and so is oxTrust.

By Aliaksandr Samuseu staff 22 Jun 2021 at 7:49 a.m. CDT

Hi, Zico & Arthur.

> For privacy reasons I can't submit the email addresses

Just a suggestion: could you compose an arbitrary example email address that we could use to confirm the issue exists? That would just be a more straightforward way to convey the nature of the problem, I think.

By Arthur Barrett user 22 Jun 2021 at 7:25 p.m. CDT

Why has this case been closed? Here are two sample email addresses as suggested. These are ASCII. They are 'similar' to genuine email addresses we are loading into Gluu that have been in use for 15+ years. These are not newer 'unicode' addresses of the type that many systems struggle with, but just plain stock standard email addresses which both oxTrust and SCIM validate and reject incorrectly:

```
a&bapps_management@mhsww.us
adam.d'amway@mhsww.us
```

You can test these in your favourite email client if you like.
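To make the disagreement in this thread concrete, here is an added example (not Gluu's code and not the SCIM validator under discussion) that checks the local-part against the RFC 5322 `atext` set, which includes `'` and `&`, and contrasts it with a hypothetical over-narrow check that only allows letters, digits, dot, underscore and hyphen. The addresses are the two constructed samples from the post above plus a few extra constructed cases.

```python
import re

# RFC 5322 "atext": characters allowed unquoted in a dot-atom local-part.
# Both ' and & are members, so the thread's sample addresses are well-formed.
ATEXT = r"A-Za-z0-9!#$%&'*+/=?^_`{|}~-"
DOT_ATOM = re.compile(rf"^[{ATEXT}]+(?:\.[{ATEXT}]+)*$")
# Simplified ASCII hostname: dot-separated labels, alphabetic TLD, no edge hyphens.
DOMAIN = re.compile(r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")


def is_valid_ascii_email(addr: str) -> bool:
    """Accept addr if its local-part is an RFC 5322 dot-atom and its domain is a plain ASCII hostname."""
    if "@" not in addr or not addr.isascii():
        return False
    local, _, domain = addr.rpartition("@")
    if len(local) > 64 or len(addr) > 254:  # RFC 5321 length limits
        return False
    return bool(DOT_ATOM.match(local) and DOMAIN.match(domain))


def overly_strict_check(addr: str) -> bool:
    """Hypothetical too-narrow validator (constructed for illustration, not Gluu's): rejects ' and & in the local-part."""
    local, _, domain = addr.rpartition("@")
    return bool(re.fullmatch(r"[A-Za-z0-9._-]+", local)) and bool(DOMAIN.match(domain))


# Constructed sample inputs: the two addresses from the thread plus edge cases.
SAMPLES = [
    "a&bapps_management@mhsww.us",
    "adam.d'amway@mhsww.us",
    "alice@example.com",
    "bad..dots@example.com",
    ".leading@example.com",
    "no-at-sign",
    "ünïcode@example.com",
]


def compare(addrs=SAMPLES):
    """Return {address: (rfc5322_result, strict_result)} so the two validators can be compared side by side."""
    return {a: (is_valid_ascii_email(a), overly_strict_check(a)) for a in addrs}


if __name__ == "__main__":
    for addr, (rfc_ok, strict_ok) in compare().items():
        print(f"{addr:32} rfc5322={rfc_ok!s:5} strict={strict_ok}")
```

Only the first two rows differ between the columns, which is exactly the class of address the thread reports being rejected.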

By Arthur Barrett user 01 Jul 2021 at 2:03 a.m. CDT

This is clearly a bug. [Issue created in github](https://github.com/GluuFederation/oxTrust/issues/2076)