Under review

Support for multi-valued attribute in the SCIM gateway

Adrian Corston 2 years ago updated 2 years ago 4

I am looking into getting multi-role support for Azure App Provisioning with UNIFYBroker following the process described on this page: https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/customize-application-attributes#provisioning-a-role-to-a-scim-app

Specifically, I’m using the ‘AppRoleAssignmentsComplex’ case, because some customers need the multi-role scenario (i.e. users can be assigned to multiple roles for the same app).

To make this work Azure needs to use a SCIM attribute that supports multi-values (see ‘Example output’ for a non-normative example).

Are there any multi-valued attributes in the current UNIFYBroker SCIM gateway implementation that I can use for this?

If not then is it possible to implement one using the current SCIM library, or will it only be possible once the SCIM gateway is ported across to a different DLL?



Hi Adrian

There are not any existing fields which would be suitable. Some multi-valued fields are supported like addresses, phone numbers and emails, however mappings for these are hard-coded to specific types, i.e. mobilePhoneNumber maps to phoneNumbers with the type of "mobile".

The SCIM library used by Broker v5.3 does actually support roles, though, so it's possible that mappings for roles could be added, provided that the role type is a pre-defined, static value that can be used in a mapping, as with the phone number example above.

Thanks Beau. The type is "WindowsAzureActiveDirectoryRole" as shown in the link I provided above. There are multiple values and they all have the same type (as per the example). So different to the phone number example where there is only one value for each type. Will that work with UNIFYBroker?

Thanks Beau, I'll see what I can do about organising funding for this.
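An added illustration of the distinction raised in the thread, not part of the original posts and not UNIFYBroker code: a one-field-per-type mapping (the phone number style) keeps only one entry when several `roles` entries share the type "WindowsAzureActiveDirectoryRole", whereas a multi-valued mapping keeps them all. The payload is constructed in the shape of the SCIM core `roles` attribute (RFC 7643), and the function names and role values are hypothetical.

```python
# Constructed SCIM user resource; user name, phone numbers and role values are made up.
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "alice@example.com",
    "phoneNumbers": [
        {"type": "mobile", "value": "+61 400 000 001"},
        {"type": "work", "value": "+61 2 0000 0002"},
    ],
    "roles": [
        {"primary": False, "type": "WindowsAzureActiveDirectoryRole",
         "display": "Admin", "value": "Admin"},
        {"primary": False, "type": "WindowsAzureActiveDirectoryRole",
         "display": "User", "value": "User"},
    ],
}

ROLE_TYPE = "WindowsAzureActiveDirectoryRole"  # type named in the thread


def map_single_per_type(entries):
    """Phone-number-style mapping (hypothetical): one flat field per type.

    A later entry with the same type overwrites the earlier one.
    """
    return {e["type"]: e["value"] for e in entries if "type" in e and "value" in e}


def collect_values_of_type(entries, wanted_type):
    """Multi-valued mapping (hypothetical): every value of wanted_type, in order, de-duplicated."""
    seen, out = set(), []
    for e in entries:
        value = e.get("value")
        if e.get("type") == wanted_type and value and value not in seen:
            seen.add(value)
            out.append(value)
    return out


def dropped_by_single_mapping(entries, wanted_type):
    """Values a one-per-type mapping would silently lose for wanted_type."""
    kept = map_single_per_type(entries).get(wanted_type)
    return [v for v in collect_values_of_type(entries, wanted_type) if v != kept]


if __name__ == "__main__":
    print("single-per-type:", map_single_per_type(SAMPLE_USER["roles"]))
    print("multi-valued:   ", collect_values_of_type(SAMPLE_USER["roles"], ROLE_TYPE))
    print("dropped:        ", dropped_by_single_mapping(SAMPLE_USER["roles"], ROLE_TYPE))
```

Running a check like `dropped_by_single_mapping` over provisioning payloads shows whether a connector's mapping would leave a user with fewer roles than the identity provider assigned.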