Question 175731 in Nginx Question posted in
The official documentation can be found here.

Is an Nginx Authorization Token required for Azure AD SCIM user provisioning apis?

I followed below steps to start SCIM user provisioning inside Azure AD

  1. Create an Enterprise application.
  2. Enable provisioning by providing the endpoint and secret token.
    • Endpoint: [Domain]/scim
    • Secret token: Provided by me (I have created a unique JWT token for each customer).
  3. Synchronize all users or selected users to start provisioning – customer’s decision.

I have followed SCIM protocol 2.0 and created the following endpoints:

  • GET [Domain]/scim/users
  • POST [Domain]/scim/users
  • PUT [Domain]/scim/users/[userId]
  • DELETE [Domain]/scim/users/[userId]

I have used the test cases provided in the tutorial section of Azure SCIM, which can be found at:https://github.com/AzureAD/SCIMReferenceCode/wiki/Test-Your-SCIM-Endpoint
All endpoints work perfectly when tested with Postman.
However, when attempting to use Azure AD, the Authorization Code/Token is missing from the header, causing the request to fail validation and making it difficult to identify the requesting customer.

Please guide me if I am mistaken or if there is an alternative approach to achieve this.

Here is the header I am receiving

Array
(
    [Adscimversion] => Date:2023-05-16T03:28:34.9633168Z, ActivityId:5678gb58-a34d-41qw-erfgf-213wew43sds
    [Connection] => close
    [X-Accel-Internal] => /internal-nginx-static-location
    [X-Real-Ip] => [IP]
    [Host] => [HOSTNAME]
)
Tags:

2

Answers


  1. Chosen as BEST ANSWER
    0

    I have updated my .htaccess file as follow and it's working now

    RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]

  2. 0

    for transparency, I’m a product manager on the Microsoft Azure AD team and I have some familiarity with this topic although I don’t directly own/manage it.

    If you’ve entered the token in the "Secret Token" field below the field that you put the SCIM server address in, it should be included in the web request. If you have any way to intercept the traffic, that might be helpful to figure out if it’s a code issue on your end or an issue with the Azure AD SCIM client. I haven’t heard anything about this sort of problem recently, so I’m inclined to think it’s a code problem on your end and that the Authorization: header is being included.

    Also as a side note – Azure AD doesn’t support PUT, so you’ll need to implement PATCH to be compatible.

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search