0
votes

I'm developing a SCIM endpoint API to enable automatic provisioning of users between my Symfony v5 application and Azure AD. Actually I did not find enough documentation to help me develop this, and I am not an expert, but I followed docs.microsoft for some guidelines. I started by building a Symfony REST API CRUD without using any bundle; all my endpoints start with /Users.

Then I hosted my application on a remote site (Plesk) with this URL: https://example.com/ and now I want to integrate my SCIM endpoint with the Azure AD SCIM client. In the Tenant URL field I put this URL: https://example.com/scim but I receive this error. Can anyone please explain to me whether I am doing the right thing, and why I receive this error?

You appear to have entered invalid credentials. Please confirm you are using the correct information for an administrative account. Error code: SystemForCrossDomainIdentityManagementCredentialValidationUnavailable Details: We received this unexpected response from your application: An HTTP/404 Not Found response was returned rather than the expected HTTP/200 OK response. To address this issue, ensure that the tenant URL is correct. The tenant URL is usually in a format like: https://<>/scim. If this does not resolve the issue, contact the application developer to ensure their SCIM endpoint conforms with the protocol https://tools.ietf.org/html/rfc7644#section-3.4.2

This is my API controller class, with the create-user action as an example:

<?php

namespace App\Controller;

use App\Entity\User;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

class APIController extends AbstractController
{
    // Create user
    /**
     * @Route("/Users", name="ajout", methods={"POST"})
     */
    public function addUser(Request $request): Response
    {
        // We instantiate a new user
        $user = new User();

        // We decode the submitted data; a missing or malformed body must not
        // blow up with a property access on null (that surfaces as a 500)
        $donnees = json_decode($request->getContent());
        if (!is_object($donnees) || !isset($donnees->email, $donnees->roles)) {
            return new Response('Bad request', 400);
        }

        // We hydrate the object
        $user->setEmail($donnees->email);
        $user->setRoles((array) $donnees->roles);

        // We save to the database
        $entityManager = $this->getDoctrine()->getManager();
        $entityManager->persist($user);
        $entityManager->flush();

        // We return the confirmation
        return new Response('ok', 201);
    }
}
The provisioning must be trying to access another resource to see what your API supports, as per the SCIM spec. I'm guessing this boils down to your API being a partial implementation. Can you cross-reference with the Symfony app logs to see what resource was requested? – msg

If you mean the Symfony app log file, I checked it after testing it again and I found nothing there. But if you mean the server logs, I don't have access to the server yet. – AmaniHR

Yes, I meant the app log file, and the request should have been logged even if the route was not found (assuming you have logging configured). Can you access your application with a browser? Is it correctly set up? – msg

You should be careful: that app is configured in the dev environment with the profiler enabled, and anyone can access it. Besides that, two things: 1. accessing /Users causes an InternalServerError; 2. the URL is different from the one you configured in Azure (it's missing the /public/ part). – msg

2 Answers

1
votes

Azure AD is expecting a response that looks like this. That would allow you to validate creds.

{
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 0,
    "Resources": [],
    "startIndex": 1,
    "itemsPerPage": 20
}

https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#get-user-by-query---zero-results

0
votes

URL https://example.com/scim will not work, because you have no prefix "scim" defined in your @Route annotations, only "Users". URL https://example.com will not work either. Probably Azure wants to check the GET method, because in the SCIM docs (http://www.simplecloud.info/) only such a method returns a 200 response code.

First of all, specify all the routes required by SCIM.

Secondly, use Postman and test the routes manually based on the http://www.simplecloud.info/ documentation, or even better, write e2e tests for them: https://symfony.com/doc/current/testing.html#functional-tests

Next, make sure what your actual working URL is.

Finally, test the integration with the Azure test tool.

PS. Why not use API Platform based on Symfony 5? It will make everything much faster.

PS2. You can look at Microsoft's ready-to-go reference code for SCIM (it is C#, but still worthwhile to read, especially the README): https://github.com/AzureAD/SCIMReferenceCode
Also, the wiki page about testing is great; you should check it: https://github.com/AzureAD/SCIMReferenceCode/wiki/Test-Your-SCIM-Endpoint
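As an added example (not code from the question or from either answer), here is how the two answers fit together in one Symfony 5 controller: a class-level /scim prefix so the tenant URL https://example.com/scim resolves, a constant-time check of the bearer token Azure AD sends as the Secret Token, and a GET /Users handler that answers the userName filter query with the ListResponse shape shown in the first answer. It assumes SCIM_SECRET_TOKEN is set in the environment and that a UserRepository/User entity with findOneBy, getId and getEmail exists (hypothetical names).

```php
<?php
// Added example, not the question's controller. Assumes SCIM_SECRET_TOKEN in the
// environment and a UserRepository whose findOneBy(['email' => ...]) returns an
// entity with getId()/getEmail() (hypothetical names, adapt to your entity).
namespace App\Controller;
use App\Repository\UserRepository;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\Annotation\Route;
/**
 * @Route("/scim")
 */
class ScimController extends AbstractController
{
    private const SCIM_JSON = ['Content-Type' => 'application/scim+json']; // RFC 7644 media type
    /**
     * @Route("/Users", name="scim_users_list", methods={"GET"})
     */
    public function listUsers(Request $request, UserRepository $users): JsonResponse
    {
        // Azure AD presents the configured Secret Token as a bearer token; compare in constant time
        $expected = (string) ($_ENV['SCIM_SECRET_TOKEN'] ?? '');
        $header = (string) $request->headers->get('Authorization', '');
        $presented = preg_match('/^Bearer\s+(\S+)$/i', $header, $m) ? $m[1] : '';
        if ($expected === '' || !hash_equals($expected, $presented)) {
            $error = ['schemas' => ['urn:ietf:params:scim:api:messages:2.0:Error'], 'status' => '401'];
            return new JsonResponse($error, 401, self::SCIM_JSON);
        }
        // The credential check is a lookup like ?filter=userName eq "someone@example.com";
        // an unknown user (or no filter) must still yield HTTP 200 with an empty ListResponse
        $resources = [];
        $filter = (string) $request->query->get('filter', '');
        if (preg_match('/^userName\s+eq\s+"([^"]*)"$/i', $filter, $m)
            && null !== ($user = $users->findOneBy(['email' => $m[1]]))) {
            $resources[] = [
                'schemas'  => ['urn:ietf:params:scim:schemas:core:2.0:User'],
                'id'       => (string) $user->getId(),
                'userName' => $user->getEmail(),
                'active'   => true,
            ];
        }
        return new JsonResponse([
            'schemas'      => ['urn:ietf:params:scim:api:messages:2.0:ListResponse'],
            'totalResults' => count($resources),
            'Resources'    => $resources,
            'startIndex'   => 1,
            'itemsPerPage' => 20,
        ], 200, self::SCIM_JSON);
    }
}
```

A wrong token gets a 401 with a SCIM Error body, and an unknown userName gets a 200 with totalResults 0, which is what the credential validation step in the error message above is looking for.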