SCIM 端点和用户配置与 Azure Active Directory 和 Symfony

Question

i'm developing a SCIM endpoint API to enable automatic provisioning of users between my symfony v5 application and Azure AD . Actually i did not find enough documentation to help me develop this, also i am not an expert but i followed docs.microsoft for some guidelines. i start by building a symfony REST API CRUD without using any bundle,all my endpoints start by /Users.

Then i hosted my application on a remote site (PLESK) with this url: https://example.com/ and now i want to Integrate my SCIM endpoint with the Azure AD SCIM client. In the Tenant URL field i put this URL: https://example.com/scim but i receive this error, can anyone please explain me if i am doing the right thing? and why i receive this error?

You appear to have entered invalid credentials. Please confirm you are using the correct information for an administrative account. Error code: SystemForCrossDomainIdentityManagementCredentialValidationUnavailable Details: We received this unexpected response from your application: An HTTP/404 Not Found response was returned rather than the expected HTTP/200 OK response. To address this issue, ensure that the tenant URL is correct. The tenant URL is usually in a format like: https://<>/scim. If this does not resolve the issue, contact the application developer to ensure their SCIM endpoint conforms with the protocol https://tools.ietf.org/html/rfc7644#section-3.4.2

this is my API Controller Class example create user:

class APIController extends AbstractController
{

//Create User
    /**
     * @Route("/Users", name="ajout", methods={"POST"})
     */
    public  function addUser(Request $request){
        //On verifie si on a une requette
// On vérifie si la requête est une requête Ajax
        //if($request->isXmlHttpRequest()) {
        // On instancie un nouvel article
        $user = new User();

        // On décode les données envoyées
        $donnees = json_decode($request->getContent());

        // On hydrate l'objet
        $user->setEmail($donnees->email);
        $user->setRoles($donnees->roles);

        // On sauvegarde en base
        $entityManager = $this->getDoctrine()->getManager();
        $entityManager->persist($user);
        $entityManager->flush();

        // On retourne la confirmation
        return new Response('ok', 201);
    }
    //return new Response('Failed', 404); }
} 

Answer 1

Azure AD us expecting a response that looks.like this. That would allow you to validate creds.

{
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 0,
    "Resources": [],
    "startIndex": 1,
    "itemsPerPage": 20
}

https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#get-user-by-query---zero-results

Answer 2

URL https://example.com/scim will not work, because you have no prefix scim defined in @Route annotations, only "Users". Url https://example.com also. Probably Azure wants check GET method - because in SCIM docs http://www.simplecloud.info/ only such a method returns 200 response code.

First of all - specify all the needed routes defined in the SCIM.

Secondly - use Postman and test routes manually based on http://www.simplecloud.info/ documentation or even better - write e2e tests for it https://symfony.com/doc/current/testing.html#functional-tests

Next - make sure what is your really working URL

Finally - test the integration within Azure test tool

PS. Why not the ApiPlatform based on Symfony 5? You will make it everything much faster.

PS2. You can watch some ready to go Microsoft Reference Codes for SCIM (for C#, but still worthwhile to read - especially README). https://github.com/AzureAD/SCIMReferenceCode
Also, wiki page about testing is great, you should check it https://github.com/AzureAD/SCIMReferenceCode/wiki/Test-Your-SCIM-Endpoint