
Keep SAML Identity when deprovisioning via SCIM

nobody requested to merge gitlab-community/gitlab:issue-379149 into master

close #379149

To be honest, I can't make that SCIM API work for the local docker IdP. I used this doc for setting up the testing environment.

The identity provider is simplesamlphp and it is running in docker.

The SCIM API I am using is here.

My request is like this:

curl "https://3000-gitlabcommunity-gitlab-af2m2luuofa.ws-us96b.gitpod.io/api/scim/v2/groups/flightjs/Users" \
	--header "Authorization: Bearer <token>" \
	--header "Content-Type: application/scim+json"

And it can't find any user when I tried to list the users under a group (flightjs).

{"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],"totalResults":0,"itemsPerPage":20,"startIndex":1,"Resources":[]}

I can see two users, one is root, and the other one is User_2. User_2 is the user that I logged in with from the local docker IdP. I don't understand why it doesn't list these two users when using the SCIM API.


I also tried to create a new user, but that didn't seem to work either. I created a user called Test User following this doc, and I can't find any Test User in the system after I used the API to create it.

#!/bin/bash

curl --verbose --request POST "https://3000-gitlabcommunity-gitlab-af2m2luuofa.ws-us96.gitpod.io/api/scim/v2/flightjs/Users" \
     --data '{"externalId":"test_uid","active":null,"userName":"username","emails":[{"primary":true,"type":"work","value":"name@example.com"}],"name":{"formatted":"Test User","familyName":"User","givenName":"Test"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"meta":{"resourceType":"User"}}' \
     --header "Authorization: Bearer <token>" --header "Content-Type: application/scim+json"
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 35.197.72.15:443...
* TCP_NODELAY set
* Connected to 3000-gitlabcommunity-gitlab-af2m2luuofa.ws-us96.gitpod.io (35.197.72.15) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=ws-us96.gitpod.io
*  start date: Apr 26 17:41:33 2023 GMT
*  expire date: Jul 25 17:41:32 2023 GMT
*  subjectAltName: host "3000-gitlabcommunity-gitlab-af2m2luuofa.ws-us96.gitpod.io" matched cert's "*.ws-us96.gitpod.io"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x556460d3b320)
> POST /api/scim/v2/flightjs/Users HTTP/2
> Host: 3000-gitlabcommunity-gitlab-af2m2luuofa.ws-us96.gitpod.io
> user-agent: curl/7.68.0
> accept: */*
> authorization: Bearer FzgyzheQxz6zQUSHaysj
> content-type: application/scim+json
> content-length: 290
> 
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
* We are completely uploaded and fine
< HTTP/2 404 
< content-length: 0
< date: Sat, 29 Apr 2023 12:14:07 GMT
< 
* Connection #0 to host 3000-gitlabcommunity-gitlab-af2m2luuofa.ws-us96.gitpod.io left intact

However, I found the code is rather easy to locate, so I made the change without testing whether it is working.

I will continue to work on how to validate this piece of code.

Small update: I searched online and found someone who used simplesamlphp as IdP too, and they have a similar issue [1] to mine. I will continue to dig into this.

A list of few things that I can try:

  1. Create a new docker image including the latest simplesamlphp. The simplesamlphp repo is still active, but the docker image that I currently use stopped updating about 2 years ago. Maybe the latest simplesamlphp fixes the problem. - Okay, today I built a new docker image and used simplesamlphp v2.0.3. I still hit the same problem.
  2. Set up a proxy to inspect the payload - maybe I can find something.
  3. Use Okta as IdP instead.

Update: A big progress is I can use SCIM to create/view/delete a user.

[1]. https://community.atlassian.com/t5/Atlassian-Access-questions/Provisioning-groups-from-custom-IdP/qaq-p/1540794
