Missing Identity Attributes on call to scim /users endpoint

I’ve noticed that not all identity attributes are returned on the call to the /users endpoint of the scim api. For example, firstname and lastname are identity attributes on our instance but are not returned in a call to get a user. Also, it seems that these same attributes cannot be used to search for users on the endpoint. @derek_putnam, I know you’re a SCIM expert :slight_smile:

I wish I was but alas, I am not.

With that said, @adam_creaney knows a thing or two about SCIM!

@kevinwoodbury
I suspect part of the problem is tied to the difference between IIQ nomenclature of certain attributes vs the SCIM spec definition of those same attributes (like name, email, etc.). Doing a SCIM search based on lastname would actually be a filter like this: filter=name.familyName eq "Arnefield".

In my sandbox (with totally random fake data, executing the following GET request: http://localhost:8080/iiq/scim/v2/Users?filter=name.familyName eq "Arnefield" will find 2 users with that same last name:

{
  "totalResults": 2,
  "startIndex": 1,
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:ListResponse"
  ],
  "Resources": [
    {
      "urn:ietf:params:scim:schemas:sailpoint:1.0:User": {
        "icc_empID": "002588",
        "capabilities": [],
        "lastRefresh": "2023-04-03T21:01:49.904Z",
        "icc_startDate": "1/13/2008 0:0:0 AM UTC",
        "icc_department": "Your Company",
        "icc_jobCode": "ME",
        "icc_empType": "Part Time Permanent",
        "icc_state": "MI",
        "icc_country": "US",
        "administrator": {},
        "icc_active": "Active",
        "isManager": false,
        "icc_userID": "harnefield",
        "accounts": [
          {
            "displayName": "002588",
            "value": "0a0a428587481246818748c3ef19098d",
            "$ref": "http://localhost:8080/iiq/scim/v2/Accounts/0a0a428587481246818748c3ef19098d"
          },
          {
            "displayName": "harnefield",
            "value": "0a0a428587481246818748c7d6436587",
            "$ref": "http://localhost:8080/iiq/scim/v2/Accounts/0a0a428587481246818748c7d6436587"
          },
          {
            "displayName": "harnefield",
            "value": "0a0a428587481246818748c86a250aa8",
            "$ref": "http://localhost:8080/iiq/scim/v2/Accounts/0a0a428587481246818748c86a250aa8"
          }
        ],
        "riskScore": 250,
        "icc_city": "Ti├¬n Phã░ß╗øc",
        "icc_title": "Marketing Executive"
      },
      "emails": [
        {
          "type": "work",
          "value": "[email protected]",
          "primary": true
        }
      ],
      "displayName": "Arnefield, Hart",
      "meta": {
        "created": "2023-04-03T20:16:53.015Z",
        "location": "http://localhost:8080/iiq/scim/v2/Users/0a0a428587481246818748c3ef17098b",
        "lastModified": "2023-04-03T21:01:49.904Z",
        "version": "W/\"1680555709904\"",
        "resourceType": "User"
      },
      "schemas": [
        "urn:ietf:params:scim:schemas:sailpoint:1.0:User",
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
      ],
      "name": {
        "formatted": "Arnefield, Hart",
        "familyName": "Arnefield",
        "givenName": "Hart"
      },
      "active": true,
      "id": "0a0a428587481246818748c3ef17098b",
      "userType": "employee",
      "userName": "002588",
      "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
        "manager": {
          "displayName": "Marusik, Clyve",
          "value": "0a0a428587481246818748c3abfe00d2",
          "$ref": "http://localhost:8080/iiq/scim/v2/Users/0a0a428587481246818748c3abfe00d2"
        }
      }
    },
    {
      "urn:ietf:params:scim:schemas:sailpoint:1.0:User": {
        "icc_empID": "002123",
        "capabilities": [],
        "lastRefresh": "2023-04-03T21:01:23.621Z",
        "icc_startDate": "10/5/2015 0:0:0 AM UTC",
        "icc_department": "QA Team",
        "icc_jobCode": "DBE",
        "icc_empType": "Part Time Contract",
        "icc_state": "MT",
        "icc_country": "US",
        "administrator": {},
        "icc_active": "Active",
        "isManager": false,
        "icc_userID": "tarnefield",
        "accounts": [
          {
            "displayName": "002123",
            "value": "0a0a428587481246818748c4baf12e81",
            "$ref": "http://localhost:8080/iiq/scim/v2/Accounts/0a0a428587481246818748c4baf12e81"
          },
          {
            "displayName": "tarnefield",
            "value": "0a0a428587481246818748c7b4c25d31",
            "$ref": "http://localhost:8080/iiq/scim/v2/Accounts/0a0a428587481246818748c7b4c25d31"
          },
          {
            "displayName": "tarnefield",
            "value": "0a0a428587481246818748c8b2a41d52",
            "$ref": "http://localhost:8080/iiq/scim/v2/Accounts/0a0a428587481246818748c8b2a41d52"
          }
        ],
        "riskScore": 250,
        "icc_city": "Sŏnbong",
        "icc_title": "Database Engineer"
      },
      "emails": [
        {
          "type": "work",
          "value": "[email protected]",
          "primary": true
        }
      ],
      "displayName": "Arnefield, Tamqrah",
      "meta": {
        "created": "2023-04-03T20:17:45.200Z",
        "location": "http://localhost:8080/iiq/scim/v2/Users/0a0a428587481246818748c4baf02e80",
        "lastModified": "2023-04-03T21:01:23.621Z",
        "version": "W/\"1680555683621\"",
        "resourceType": "User"
      },
      "schemas": [
        "urn:ietf:params:scim:schemas:sailpoint:1.0:User",
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
      ],
      "name": {
        "formatted": "Arnefield, Tamqrah",
        "familyName": "Arnefield",
        "givenName": "Tamqrah"
      },
      "active": true,
      "id": "0a0a428587481246818748c4baf02e80",
      "userType": "contractor",
      "userName": "002123",
      "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
        "manager": {
          "displayName": "Willowby, Dar",
          "value": "0a0a428587481246818748c3acb500e5",
          "$ref": "http://localhost:8080/iiq/scim/v2/Users/0a0a428587481246818748c3acb500e5"
        }
      }
    }
  ]
}

You will see in the output above that custom extended IIQ attributes are also included in the response (the icc_ ones). Searchable extended attributes can also be used in SCIM querys/filters, so if I wanted to find users in Texas, my SCIM request would be: http://localhost:8080/iiq/scim/v2/Users?filter=urn:ietf:params:scim:schemas:sailpoint:1.0:User:icc_state eq "TX"

Limiting to 2 results for brevity, I get:

{
  "totalResults": 56,
  "startIndex": 1,
  "itemsPerPage": 2,
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:ListResponse"
  ],
  "Resources": [
    {
      "urn:ietf:params:scim:schemas:sailpoint:1.0:User": {
        "icc_empID": "002274",
        "capabilities": [],
        "lastRefresh": "2023-04-03T21:01:27.746Z",
        "icc_startDate": "11/30/2009 0:0:0 AM UTC",
        "icc_department": "Marketing Department",
        "icc_jobCode": "SE",
        "icc_empType": "Full Time Permanent",
        "icc_state": "TX",
        "icc_country": "US",
        "administrator": {},
        "icc_active": "Active",
        "isManager": false,
        "icc_userID": "tsalery",
        "accounts": [
          {
            "displayName": "002274",
            "value": "0a0a428587481246818748c3bb32023e",
            "$ref": "http://localhost:8080/iiq/scim/v2/Accounts/0a0a428587481246818748c3bb32023e"
          },
          {
            "displayName": "tsalery",
            "value": "0a0a428587481246818748c761364776",
            "$ref": "http://localhost:8080/iiq/scim/v2/Accounts/0a0a428587481246818748c761364776"
          },
          {
            "displayName": "tsalery",
            "value": "0a0a428587481246818748c8bf0c1f2e",
            "$ref": "http://localhost:8080/iiq/scim/v2/Accounts/0a0a428587481246818748c8bf0c1f2e"
          }
        ],
        "riskScore": 250,
        "icc_city": "Ingenio La Esperanza",
        "icc_title": "Software Engineer"
      },
      "emails": [
        {
          "type": "work",
          "value": "[email protected]",
          "primary": true
        }
      ],
      "displayName": "Salery, Turner",
      "meta": {
        "created": "2023-04-03T20:16:39.728Z",
        "location": "http://localhost:8080/iiq/scim/v2/Users/0a0a428587481246818748c3bb2f023d",
        "lastModified": "2023-04-03T21:01:27.746Z",
        "version": "W/\"1680555687746\"",
        "resourceType": "User"
      },
      "schemas": [
        "urn:ietf:params:scim:schemas:sailpoint:1.0:User",
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
      ],
      "name": {
        "formatted": "Salery, Turner",
        "familyName": "Salery",
        "givenName": "Turner"
      },
      "active": true,
      "id": "0a0a428587481246818748c3bb2f023d",
      "userType": "employee",
      "userName": "002274",
      "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
        "manager": {
          "displayName": "Gilfillan, Kelci",
          "value": "0a0a428587481246818748c3b0bd0161",
          "$ref": "http://localhost:8080/iiq/scim/v2/Users/0a0a428587481246818748c3b0bd0161"
        }
      }
    },
    {
      "urn:ietf:params:scim:schemas:sailpoint:1.0:User": {
        "icc_empID": "002328",
        "capabilities": [],
        "lastRefresh": "2023-04-03T21:01:38.450Z",
        "icc_startDate": "10/14/2005 0:0:0 AM UTC",
        "icc_department": "Marketing Department",
        "icc_jobCode": "TPM",
        "icc_empType": "Full Time Contract",
        "icc_state": "TX",
        "icc_country": "US",
        "administrator": {},
        "icc_active": "Active",
        "isManager": false,
        "icc_userID": "epeever",
        "accounts": [
          {
            "displayName": "002328",
            "value": "0a0a428587481246818748c3c7e0037e",
            "$ref": "http://localhost:8080/iiq/scim/v2/Accounts/0a0a428587481246818748c3c7e0037e"
          },
          {
            "displayName": "epeever",
            "value": "0a0a428587481246818748c775504c94",
            "$ref": "http://localhost:8080/iiq/scim/v2/Accounts/0a0a428587481246818748c775504c94"
          },
          {
            "displayName": "epeever",
            "value": "0a0a428587481246818748c846f00117",
            "$ref": "http://localhost:8080/iiq/scim/v2/Accounts/0a0a428587481246818748c846f00117"
          }
        ],
        "riskScore": 250,
        "icc_city": "Karlskrona",
        "icc_title": "Technical Project Manager"
      },
      "emails": [
        {
          "type": "work",
          "value": "[email protected]",
          "primary": true
        }
      ],
      "displayName": "Peever, Elbertina",
      "meta": {
        "created": "2023-04-03T20:16:42.972Z",
        "location": "http://localhost:8080/iiq/scim/v2/Users/0a0a428587481246818748c3c7dc037d",
        "lastModified": "2023-04-03T21:01:38.450Z",
        "version": "W/\"1680555698450\"",
        "resourceType": "User"
      },
      "schemas": [
        "urn:ietf:params:scim:schemas:sailpoint:1.0:User",
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
      ],
      "name": {
        "formatted": "Peever, Elbertina",
        "familyName": "Peever",
        "givenName": "Elbertina"
      },
      "active": true,
      "id": "0a0a428587481246818748c3c7dc037d",
      "userType": "contractor",
      "userName": "002328",
      "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
        "manager": {
          "displayName": "Tichelaar, Weber",
          "value": "0a0a428587481246818748c3abab00cc",
          "$ref": "http://localhost:8080/iiq/scim/v2/Users/0a0a428587481246818748c3abab00cc"
        }
      }
    }
  ]
}

This was done on my personal sandbox using IIQ 8.3p2, but I’ve done similar with the IIQ SCIM API going back to at least 8.1p3 that I can recall off-hand. Hope this helps!

3 Likes

This is a huge help, thank-you @brian_weigel

1 Like