SCIM connector PATCH replace issue

vmauduit · July 1, 2024, 2:07pm

Dear community,

lately I had some trouble with SCIM 2.0 connector. I’m trying to figure out if my issue is on application and, or IIQ end.

In the RFC, the first bullet point of the replace paragraph says (RFC 7644 - System for Cross-domain Identity Management: Protocol):
If the “path” parameter is omitted, the target is assumed to be
the resource itself. In this case, the “value” attribute SHALL
contain a list of one or more attributes that are to be replaced.

It might not be clear on how applications implementing SCIM 2.0 API need to behave in the case of a complex attribute when doing a replace operation. For example for the complex attribute name.

Let’s assume that name property of my identity look like this:

{
  "name": {
    "formatted": "newFormatted",
    "familyName": "newfamilyName",
    "givenName": "givenName"
  }
}

First scenario:
When the target location (path attribute) is specified and specifies a complex attribute, sub-attributes that are not specified in the value parameter are left unchanged.

Request:
HTTP PATH : http://localhost/Users/$id$

{
  "Operations": [
    {
      "op": "replace",
      "path": "name",
      "value": {
        "formatted": "newformatted",
        "familyName": "newfamilyName"
      }
    }
  ]
}

Response:
HTTP GET : http://localhost/Users/$id$

{
  "name": {
    "formatted": "newFormatted",
    "familyName": "newfamilyName",
    "givenName": "givenName"
  }
}

Second scenario:
When the path parameter is not specified, the value contains a list of one or more attributes that are to be replaced.

Request:
HTTP PATH : http://localhost/Users/$id$

{
  "Operations": [
    {
      "op": "replace",
      "value": {
        "name": {
          "formatted": "newformatted",
          "familyName": "newfamilyName"
        }
      }
    }
  ]
}

Response should be this one, where sub-attributes not supplied in the name complex attribute are erase:
HTTP GET : http://localhost/Users/$id$

{
  "name": {
    "formatted": "newFormatted",
    "familyName": "newfamilyName"
  }
}

or shall we keep them like this ?
HTTP GET : http://localhost/Users/$id$

{
  "name": {
    "formatted": "newFormatted",
    "familyName": "newfamilyName",
    "givenName": "givenName"
  }
}

What is, in the second scenario, the right answer ?

Regards

enistri_devo · July 2, 2024, 7:53am

I think in the second scenario where the path parameter is omitted, replace the name attribute entirely with the provided values

system · August 31, 2024, 7:54am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to manipulate the request body going to target for a SCIM2.0 connector IIQ Discussion and Questions scim-connector , identityiq , provisioning	7	283	May 5, 2024
SCIM 2.0 API Questions ISC Discussion and Questions scim-connector	13	2881	July 19, 2023
Patch operations with SCIM 2.0 connector ISC Discussion and Questions scim-connector	3	311	May 12, 2024
SCIM 2.0 Connector Create operation IIQ Discussion and Questions scim-connector , identityiq , connectors	8	381	May 24, 2024
Update one Identity attribute via API IIQ Discussion and Questions apis , identityiq	11	580	December 24, 2023

SCIM connector PATCH replace issue

Related topics