
Resolving SystemForCrossDomainIdentityManagementBadResponse


I have implemented this SCIM reference code in our application.

My implemented code passed all the tests in the Users collection present in this Postman link. My SCIM API was also accepted by Azure as a valid endpoint for Users.

The real problem started when I tried to perform Provision on Demand from the Azure portal for a User.

I received the following error code: SystemForCrossDomainIdentityManagementBadResponse

Error Message: A required attribute is missing from a response. The missing attribute is Identifier. Here is the response:

{
    "result": {
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {},
        "active": true,
        "displayName": "Chris Brown",
        "emails": [
            {
                "type": "work",
                "primary": true,
                "value": "chris.brown@xyz.com"
            }
        ],
        "meta": {
            "resourceType": "User",
            "created": "2022-04-21T05:27:03.774148Z",
            "lastModified": "2022-04-21T05:27:03.774148Z",
            "version": null,
            "location": null
        },
        "name": {
            "formatted": "Chris Brown",
            "familyName": "Brown",
            "givenName": "Chris"
        },
        "preferredLanguage": "en-GB",
        "userName": "chris.brown@xyz.com",
        "externalId": "chris.brown",
        "id": "a99b4da2-ab2f-49fc-8a01-4a9ce251fbdb",
        "schemas": [
            "urn:ietf:params:scim:schemas:core:2.0:User",
            "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
        ]
    },
    "targetUrl": null,
    "success": true,
    "error": null,
    "unAuthorizedRequest": false,
}

As you can clearly see, I have added id (the Identifier) to the response. Now I am confused about what the error message conveys.

Please help.

An image for clear understanding of the error message at Azure Portal:



Solution

  • Your response doesn't align with the SCIM spec. The response to the POST (I think that's what it is, given the screenshot) is nesting the actual response inside of a "Result" object that is not defined in the spec at all.

    Take a look at https://datatracker.ietf.org/doc/html/rfc7644#section-3.3 for an example of a correct response to a POST.

    Also, there are a number of attributes in your response, outside of the "request" attribute/object, that aren't defined in the spec and are therefore noncompliant. Those would be:

    "targetUrl": null, "success": true, "error": null, "unAuthorizedRequest": false,
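
Added example (not part of the question, the answer, or the SCIM reference code): a Python check that treats a response body as a SCIM User resource and reports why the wrapped shape fails, since a client reading the resource from the top level of the body finds no `id` or `schemas` there. The function name and the trimmed sample body are assumptions for illustration; the attribute list is the core User schema and common attributes from RFC 7643.

```python
# Top-level attribute names of the SCIM core User schema plus the common
# attributes (RFC 7643 sections 3.1 and 4.1). Attribute names are
# case-insensitive, so they are compared in lower case.
CORE_USER_ATTRS = {a.lower() for a in (
    "schemas", "id", "externalId", "meta", "userName", "name", "displayName",
    "nickName", "profileUrl", "title", "userType", "preferredLanguage",
    "locale", "timezone", "active", "password", "emails", "phoneNumbers",
    "ims", "photos", "addresses", "groups", "entitlements", "roles",
    "x509Certificates")}


def check_scim_user_response(body):
    """Return the problems that keep `body` from being a bare User resource."""
    problems = []
    schemas = body.get("schemas")
    if not isinstance(schemas, list) or not schemas:
        problems.append("missing top-level 'schemas'")
        schemas = []
    if not isinstance(body.get("id"), str) or not body["id"]:
        problems.append("missing top-level 'id'")
    # Extension containers are allowed only when their URN is listed in schemas.
    declared = {s.lower() for s in schemas if isinstance(s, str)}
    for key, value in body.items():
        if key.lower() in CORE_USER_ATTRS or key.lower() in declared:
            continue
        if isinstance(value, dict) and "schemas" in value:
            problems.append(f"resource is nested inside '{key}'")
        else:
            problems.append(f"undefined top-level attribute '{key}'")
    return problems


# Constructed sample: a trimmed copy of the response shown in the question.
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
WRAPPED = {
    "result": {
        ENTERPRISE: {},
        "active": True,
        "userName": "chris.brown@xyz.com",
        "externalId": "chris.brown",
        "id": "a99b4da2-ab2f-49fc-8a01-4a9ce251fbdb",
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE],
    },
    "targetUrl": None, "success": True, "error": None,
    "unAuthorizedRequest": False,
}
FLAT = WRAPPED["result"]  # the same resource without the envelope

if __name__ == "__main__":
    print(check_scim_user_response(WRAPPED))
    print(check_scim_user_response(FLAT))
```

Running the check against captured responses in an integration test catches a response envelope before a provisioning run does.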