Keep SAML Identity when deprovisioning via SCIM
close #379149 (closed)
To be honest, I can't make that SCIM API work for the local Docker IdP. I used this doc for setting up the testing environment.
The identity provider is simplesamlphp and it is running in Docker.
The SCIM API I am using is here.
My request is like this:
curl "https://3000-gitlabcommunity-gitlab-af2m2luuofa.ws-us96b.gitpod.io/api/scim/v2/groups/flightjs/Users" \
--header "Authorization: Bearer <token>" \
--header "Content-Type: application/scim+json"
It doesn't find any users when I try to list the users under a group (flightjs).
{"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],"totalResults":0,"itemsPerPage":20,"startIndex":1,"Resources":[]}
I can see two users, one is root, and the other one is User_2. User_2 is the user that I logged in with from the local Docker IdP. I don't understand why it doesn't list these two users when using the SCIM API.
I also tried to create a new user, but that didn't seem to work either. I created a user called Test User following this doc, and I can't find any Test User in the system after I used the API to create it.
#!/bin/bash
curl --verbose --request POST "https://3000-gitlabcommunity-gitlab-af2m2luuofa.ws-us96.gitpod.io/api/scim/v2/flightjs/Users" \
--data '{"externalId":"test_uid","active":null,"userName":"username","emails":[{"primary":true,"type":"work","value":"name@example.com"}],"name":{"formatted":"Test User","familyName":"User","givenName":"Test"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"meta":{"resourceType":"User"}}' \
--header "Authorization: Bearer <token>" --header "Content-Type: application/scim+json"
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying 35.197.72.15:443...
* TCP_NODELAY set
* Connected to 3000-gitlabcommunity-gitlab-af2m2luuofa.ws-us96.gitpod.io (35.197.72.15) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=ws-us96.gitpod.io
* start date: Apr 26 17:41:33 2023 GMT
* expire date: Jul 25 17:41:32 2023 GMT
* subjectAltName: host "3000-gitlabcommunity-gitlab-af2m2luuofa.ws-us96.gitpod.io" matched cert's "*.ws-us96.gitpod.io"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x556460d3b320)
> POST /api/scim/v2/flightjs/Users HTTP/2
> Host: 3000-gitlabcommunity-gitlab-af2m2luuofa.ws-us96.gitpod.io
> user-agent: curl/7.68.0
> accept: */*
> authorization: Bearer FzgyzheQxz6zQUSHaysj
> content-type: application/scim+json
> content-length: 290
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
* We are completely uploaded and fine
< HTTP/2 404
< content-length: 0
< date: Sat, 29 Apr 2023 12:14:07 GMT
<
* Connection #0 to host 3000-gitlabcommunity-gitlab-af2m2luuofa.ws-us96.gitpod.io left intact
However, I found the code rather easy to locate, so I made the change without testing whether it works.
I will continue to work on how to validate this piece of code.
Small update: I searched online and found someone who used simplesamlphp as IdP too and had a similar issue [1] to mine. I will continue to dig into this.
A list of a few things that I can try:
- Create a new Docker image including the latest simplesamlphp. The simplesamlphp repo is still active, but the Docker image that I currently use stopped updating about 2 years ago. Maybe the latest simplesamlphp fixes the problem. Update: today I built a new Docker image with simplesamlphp v2.0.3 and still hit the same problem.
- Set up a proxy to inspect the payload; maybe I can find something.
- Use Okta as IdP instead.
Update: the big progress is that I can now use SCIM to create/view/delete a user.
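The create/view/deprovision/delete round trip described above, as an added example that is not part of the original MR and not GitLab's own code. It assumes the collection endpoint pattern seen in the GET request on this page (`/api/scim/v2/groups/<group>/Users`), and further assumes member endpoints at `.../Users/<id>`, a `filter=externalId eq "..."` query, and a SCIM PatchOp that replaces `active`; the `FakeScimServer` is a constructed in-memory stand-in so the script runs offline, and the base URL and token are constructed values. Against a real instance, pass the default `http_send` transport instead of the fake.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import parse_qs, quote, urlencode

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def http_send(method, url, token, body=None):
    """Real transport. Returns (status, parsed JSON or None); the token is never logged."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/scim+json"})
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, (json.loads(raw) if raw else None)


class ScimClient:
    def __init__(self, base_url, group, token, send=http_send):
        # Collection URL pattern taken from the GET request on this page; group path is URL-encoded
        self.users_url = f"{base_url.rstrip('/')}/api/scim/v2/groups/{quote(group, safe='')}/Users"
        self.token, self.send = token, send

    def list_users(self, external_id=None):
        # Assumed: the server accepts the SCIM filter grammar 'externalId eq "<value>"'
        query = "?" + urlencode({"filter": f'externalId eq "{external_id}"'}) if external_id else ""
        status, page = self.send("GET", self.users_url + query, self.token)
        if status != 200 or page is None or SCIM_LIST not in page.get("schemas", []):
            raise RuntimeError(f"list failed: HTTP {status}")
        return page["Resources"]

    def create_user(self, external_id, user_name, email, given, family):
        body = {"schemas": [SCIM_USER], "externalId": external_id, "userName": user_name,
                "name": {"givenName": given, "familyName": family, "formatted": f"{given} {family}"},
                "emails": [{"primary": True, "type": "work", "value": email}], "active": True}
        status, user = self.send("POST", self.users_url, self.token, body)
        if status != 201:  # a bare 404 with an empty body is what a wrong collection path looks like
            raise RuntimeError(f"create failed: HTTP {status}")
        return user

    def deactivate_user(self, user_id):
        # Deprovisioning: PATCH active=false keeps the record, unlike DELETE below
        body = {"schemas": [SCIM_PATCH], "Operations": [{"op": "Replace", "path": "active", "value": False}]}
        status, _ = self.send("PATCH", f"{self.users_url}/{user_id}", self.token, body)
        return status

    def delete_user(self, user_id):
        status, _ = self.send("DELETE", f"{self.users_url}/{user_id}", self.token)
        return status


class FakeScimServer:
    """Constructed in-memory stand-in for the server side so the example runs offline (not GitLab's code)."""
    def __init__(self, users_url, token):
        self.users_url, self.token, self.users, self.next_id = users_url, token, {}, 1

    def __call__(self, method, url, token, body=None):
        if token != self.token:
            return 401, None
        if not url.startswith(self.users_url):
            return 404, None  # same empty 404 the author's POST received for an unknown path
        rest, _, query = url[len(self.users_url):].partition("?")
        if rest == "":
            if method == "POST":
                uid = str(self.next_id); self.next_id += 1
                self.users[uid] = dict(body, id=uid, active=True)
                return 201, self.users[uid]
            wanted = parse_qs(query).get("filter", [""])[0]
            found = [u for u in self.users.values()
                     if not wanted or wanted == f'externalId eq "{u.get("externalId")}"']
            return 200, {"schemas": [SCIM_LIST], "totalResults": len(found), "itemsPerPage": 20,
                         "startIndex": 1, "Resources": found}
        uid = rest.lstrip("/")
        if uid not in self.users:
            return 404, None
        if method == "PATCH":
            for op in body["Operations"]:
                if op["op"].lower() == "replace" and op["path"] == "active":
                    self.users[uid]["active"] = op["value"]
            return 200, self.users[uid]
        if method == "DELETE":
            del self.users[uid]
            return 204, None
        return 200, self.users[uid]


def lifecycle(client):
    """Create, find by externalId, deactivate, delete; returns what was observed at each step."""
    created = client.create_user("test_uid", "testuser", "name@example.com", "Test", "User")
    found = client.list_users(external_id="test_uid")
    patch_status = client.deactivate_user(created["id"])
    after_patch = client.list_users(external_id="test_uid")
    delete_status = client.delete_user(created["id"])
    return {"created_id": created["id"], "found": len(found), "patch_status": patch_status,
            "active_after_patch": after_patch[0]["active"], "delete_status": delete_status,
            "found_after_delete": len(client.list_users(external_id="test_uid"))}


def run_offline_demo():
    base, token = "https://gitlab.example", "constructed-token"  # constructed values, not real credentials
    fake = FakeScimServer(f"{base}/api/scim/v2/groups/flightjs/Users", token)
    return lifecycle(ScimClient(base, "flightjs", token, send=fake))


if __name__ == "__main__":
    print(run_offline_demo())
```

The transport is injected so the same `lifecycle` can be pointed at a real instance with `ScimClient(base, group, token)` and at the fake for a dry run; the deactivate step is kept separate from the delete step because the two mean different things to the provider, which is exactly the distinction the MR title is about.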