SCIM 2.0 connector: get externalId?

I’m connecting to a SCIM 2.0-compliant REST API. The target application utilizes the optional Common Attribute externalId (RFC 7643 - System for Cross-domain Identity Management: Core Schema). As specified by the SCIM standard, “Common attributes are considered to be part of every base resource schema and do not use their own “schemas” URI.”

Therefore, this attribute is not included in either the core schema or the extended schemas (in the same way the common attributes ‘id’ and ‘meta’ are not in any schema; see also the schema info in the standard, RFC 7643 - System for Cross-domain Identity Management: Core Schema).

Use Case:
I need to be able to read the externalId of User resources and set it during User object creation.
However, it appears IIQ cannot ‘see’ the externalId. When discovering schema, it can identify all core + extended attributes, as well as ‘id’. However, it does not discover externalId.

Troubleshooting steps so far:
I have verified that User resources (GET /Users) do contain the externalId, and response is in the correct format as expected according to SCIM 2.0. Likewise, manual POST of a new user object allows me to create new Users with externalId.

If adding externalId in provisioningPolicy, the attribute is present in the provisioningPlan XML, but is filtered out by IIQ before it posts the JSON to the API. Checking the logs (trace on the SCIM2Connector), it appears IIQ first checks all attributes in the schemas, and then filters out attributes that are not in the schema.

I have added externalId manually in schema, as well as in the application definition

SchemaPropertyMapping:
<SchemaPropertyMapping urn="urn:ietf:params:scim:schemas:core:2.0:User">
  <AttributePropertyMapping getter="openconnector.connector.scim2.SCIM2PropertyGetter" name="id" property="id" setter="openconnector.connector.scim2.SCIM2PropertySetter"/>
  <AttributePropertyMapping getter="openconnector.connector.scim2.SCIM2PropertyGetter" name="externalId" property="externalId" setter="openconnector.connector.scim2.SCIM2PropertySetter"/>

This did not help. It does not make externalId visible in aggregation either, I cannot even see the externalId in the Link representation.

I’ve tried explicit attribute setting, this doesn’t seem to make a difference.

It should be doable, I can see on Compass that others have been setting externalId successfully, though it’s not explained how (example: https://community.sailpoint.com/t5/IdentityIQ-Forum/SailPoint-SCIM-Connector-Is-Unable-To-Send-Multi-value/td-p/189787 ).

Does anyone have any input – how do I make the SCIM 2.0 Common Attribute externalId discoverable to IIQ?

@menno_pieters have you ever encountered this? :slight_smile:

Hi @Ann_Fonseca_J ,

Sorry, no, I have not encountered this. I do know that SCIM can be rather tricky. Not all SCIM servers are “as compliant” as they say, which can lead to nasty interoperability issues.

- Menno

Ah too bad, thank you for replying though!

If anyone bumps into this issue, ETN for fixing in SCIM 2.0 connector is CONJUBILEE-1178 :slight_smile:
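
The schema-driven filtering described in the question, as an added example (not part of the thread and not the SCIM2Connector's code): a client that builds its attribute allow-list only from /Schemas drops externalId, because RFC 7643 common attributes are listed under no schema URN. The schema body, payload and function names are constructed for illustration.

```python
# RFC 7643 common attributes: present on every resource, listed under no schema URN.
COMMON_ATTRIBUTES = {"id", "externalId", "meta"}
USER_URN = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed, trimmed /Schemas response (not captured from a real server).
SCHEMAS_RESPONSE = {
    "Resources": [{
        "id": USER_URN,
        "attributes": [
            {"name": "userName", "type": "string"},
            {"name": "displayName", "type": "string"},
            {"name": "active", "type": "boolean"},
        ],
    }]
}

# Constructed create-user payload carrying the client-side identifier.
NEW_USER = {
    "schemas": [USER_URN],
    "externalId": "hr-000123",
    "userName": "ann.example",
    "active": True,
}

def discovered_attributes(schemas_response, urn):
    """Attribute names a client learns from schema discovery alone."""
    for schema in schemas_response["Resources"]:
        if schema["id"] == urn:
            return {attr["name"] for attr in schema["attributes"]}
    return set()

def filter_payload(payload, allowed):
    """Keep 'schemas' plus allowed top-level keys; everything else is dropped."""
    return {k: v for k, v in payload.items() if k == "schemas" or k in allowed}

def dropped_keys(payload, allowed):
    """Top-level keys a filter with this allow-list would silently remove."""
    return sorted(k for k in payload if k != "schemas" and k not in allowed)

if __name__ == "__main__":
    schema_only = discovered_attributes(SCHEMAS_RESPONSE, USER_URN)
    print("schema-only filter drops:", dropped_keys(NEW_USER, schema_only))
    # 'id' and 'meta' are assigned by the service provider, so a create
    # request only needs externalId added to the writable allow-list.
    writable = schema_only | {"externalId"}
    print("with externalId allowed:", filter_payload(NEW_USER, writable))
    print("attributes to read on aggregation:", sorted(schema_only | COMMON_ATTRIBUTES))
```

Running `dropped_keys` against outbound payloads is a quick way to confirm whether a provisioning client is silently discarding the correlation identifier before the request leaves.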