IBM Verify

  • 1.  Trying to Understand SCIM implementation

    Posted Thu March 18, 2021 06:51 AM
    Hi:
    I am trying to follow the User Self-Care Cookbook.
    I already have most of it done, but there are some parts that are not working.
    I tried to access every single endpoint using the mobile RP and the default RP (I named it rp1).
    I managed to get answers from the following endpoints:
    • /scim/Schemas
    • /scim/Schemas/{schema}
    • /scim/ServiceProfileConfig
    • /scim/ResourceTypes
    • /scim/ResourceTypes/{resourceType}
    But the remaining endpoints are not working. For example, /scim/Users, /scim/Users/Me, /scim/Groups, and so on are not working, even though I logged in successfully as a user.

    The responses that I am getting from the mobile and rp1 reverse proxies, for the endpoints that are not working, are different.

    Can someone help me?

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------


  • 2.  RE: Trying to Understand SCIM implementation

    Posted Thu March 18, 2021 08:20 AM
    Hi Joao,

    If the errors are different from the mobile and default (rp1) instances then it's probably two different issues.  Maybe one related to authentication and one related to identity assertion or user mapping.

    For both cases, please share what request you are making and the error that you are getting back.  That should help to narrow down the problem.
    If there are errors in the AAC message.log then that would be helpful too.

    A few thoughts:
    Since you're able to get to some endpoints, it seems your junctions are connecting to AAC successfully.
    You should check that you are sending iv-user and iv-groups headers on the junctions.
    You should check that you are sending Basic Authentication header populated with an AAC user that is in the "adminGroup" group (likely easuser).

    If you want users to be able to access SCIM for administrative functions (search all users, create users etc.) then you'll need to create an ISAM group with the name "adminGroup" and add the ISAM users to this group.  Other users will only be able to read/modify their own user entry (using /scim/Me).

    If it helps, you might find the instructions in Chapter 7 of the "MMFA Cookbook" give another perspective on configuring SCIM.
    https://community.ibm.com/community/user/security/blogs/jon-harry/2020/02/06/mobile-multi-factor-authentication-ibm-verify-mfa

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
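    The checklist in the reply above (iv-user and iv-groups on the junction, a Basic Authentication header for an adminGroup user such as easuser, and the rule that only adminGroup members get the administrative SCIM endpoints while everyone else is limited to /scim/Me) as an added Python example. This is editor-supplied code, not code from the thread or from the IBM product: the function names, the exact iv-groups formatting (comma-separated, double-quoted group names) and the placeholder password are assumptions for illustration.

```python
import base64

# Assumed names for illustration: the thread names the group "adminGroup" and the
# user "easuser"; the password is a constructed placeholder, not a real credential.
ADMIN_GROUP = "adminGroup"
JUNCTION_USER = "easuser"
JUNCTION_PASSWORD = "CHANGE-ME-placeholder"


def basic_auth_value(user, password):
    """Value of the Authorization header for HTTP Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def junction_headers(iv_user, iv_groups, junction_user=JUNCTION_USER,
                     junction_password=JUNCTION_PASSWORD):
    """Headers the reverse proxy needs to add on the SCIM junction: Basic auth for
    the junction itself (so the AAC side is not left answering with an
    authentication challenge the proxy cannot satisfy), plus iv-user / iv-groups
    so AAC knows which end user is calling. The iv-groups layout used here
    (comma-separated, each name double-quoted) is an assumption."""
    return {
        "Authorization": basic_auth_value(junction_user, junction_password),
        "Accept": "application/scim+json",
        "iv-user": iv_user,
        "iv-groups": ",".join(f'"{g}"' for g in iv_groups),
    }


def parse_iv_groups(header_value):
    """Inverse of the iv-groups formatting above."""
    return [g.strip().strip('"') for g in header_value.split(",") if g.strip()]


def scim_access_allowed(method, path, iv_groups):
    """Simplified model of the rule in the reply: adminGroup members may call any
    SCIM endpoint (search, create, delete ...); other users may only read or
    modify their own entry through /scim/Me. This is the rule as described in
    the thread, not the product's own authorization code."""
    if ADMIN_GROUP in iv_groups:
        return True
    own_entry = path.rstrip("/") == "/scim/Me"
    return own_entry and method.upper() in ("GET", "PUT", "PATCH")


def check_request(method, path, headers):
    """Review a request the way the reply suggests: is junction sign-on present,
    is the identity assertion present, and does the SCIM rule allow the call?
    Returns a list of problems (empty when the request looks right)."""
    problems = []
    if not headers.get("Authorization", "").startswith("Basic "):
        problems.append("missing Basic authentication header for the junction")
    if not headers.get("iv-user"):
        problems.append("missing iv-user header")
    groups = parse_iv_groups(headers.get("iv-groups", ""))
    if not scim_access_allowed(method, path, groups):
        problems.append(
            f"{headers.get('iv-user')!r} is not in {ADMIN_GROUP}; "
            f"only /scim/Me is permitted for {method} {path}"
        )
    return problems


if __name__ == "__main__":
    admin = junction_headers("scimadmin", ["Users", ADMIN_GROUP])
    plain = junction_headers("jdoe", ["Users"])
    print(check_request("GET", "/scim/Users", admin))   # []
    print(check_request("GET", "/scim/Users", plain))   # one problem: not in adminGroup
    print(check_request("GET", "/scim/Me", plain))      # []
```

Run it as a script to see the three cases; the point of `check_request` is that a failing SCIM call usually maps to exactly one of the three checks Jon lists, which is the order in which to look at the junction configuration.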



  • 3.  RE: Trying to Understand SCIM implementation

    Posted Thu March 18, 2021 09:06 AM
    I already made some additional tests. When I configure a junction /mga on rp1 to support OIDC, and after this I also configure it to support MMFA, the MMFA wizard overwrites /mga, and OIDC will not work any more. I thought it would just add the configuration to the previously defined /mga!

    The command I use to get https://rp1/scim/Users, after a successful login, is the following:

    # Reuse the session cookie obtained by the earlier login; -k skips TLS verification (test setup only)
    curl -v -s -k --cookie-jar cookie.jar --cookie cookie.jar \
      -H "Accept: application/scim+json" \
      https://$HOST/$JUNCTION/Users

    It returns the following message:
    <!-- All Rights Reserved. -->
    <!--
    This is an Application Gateway error message template file. It is used by the Application Gateway to build a response when a particular
    error occurs. This file can be modified as appropriate.

    Error details:
    * Code: 0x38cf025f
    * Text: DPWWA0607E Received basic authentication challenge for junction where filtering is being applied
    -->
    <html>
    <head>
    <meta http-equiv="Content-Type" content= "text/html; charset=UTF-8">
    <!-- Enter Page Title -->
    <title>Unexpected Authentication Challenge</title>
    </head>
    ...
    <!-- Enter Message Header -->
    <h1><font color="#FF0000">Unexpected Authentication Challenge</font></h1>

    <p><!-- Enter Error Message -->
    The Application Gateway received an unexpected authentication challenge from a junction Web server.

    <!-- Provide Error Explanation -->
    <H4>Explanation</H4>
    <P>The Application Gateway attempted to fetch the resource you requested from a junction Web server. However, the Application Gateway received
    an authentication challenge from the junction server while handling your request. There is currently no sign-on information configured for
    this junction server.
    </P>
    ...

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------



  • 4.  RE: Trying to Understand SCIM implementation

    Posted Thu March 18, 2021 11:41 AM
    Edited by Joao Goncalves Thu March 18, 2021 12:06 PM
    I managed to get GET /scim/Users to work, but GET /scim/Groups returns the following error:

    {"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"detail":"SCIIS0001E The resource 'c2NpbWFkbWluZ3JvdXA' was not found.","status":"404"}

    I still have to test User Management functions: POST, PATCH, DELETE

    On the mobile RP, GET /scim/ResourceTypes, GET /scim/Users and GET /scim/Groups still don't work.
    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------



  • 5.  RE: Trying to Understand SCIM implementation

    Posted Thu March 18, 2021 11:59 AM

    Hi Joao,

    Glad you are making some progress.

    The text "c2NpbWFkbWluZ3JvdXA" is the Base64 encoding of "scimadmingro".
    I'm not sure where that is coming from.  Is that anywhere in your configuration?

    I'm surprised to see that message from a GET call to /scim/Groups (which should return all groups).
    I would only expect to see it in a GET request for /scim/Groups/c2NpbWFkbWluZ3JvdXA

    Jon.



    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 6.  RE: Trying to Understand SCIM implementation

    Posted Thu March 18, 2021 12:13 PM
    Edited by Joao Goncalves Thu March 18, 2021 07:10 PM
    The real group name is scimAdminGroup, not scimadmingroup.

    Yes, it is a group I created with cn=scimAdminGroup,dc=iswga, and it contains only one member, which is scimadmin, the user I use to connect.

    Regarding the /scim/Users/{Id}, if I use the adminGroup user, I always get ALL users, and some of them are repeated!

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------
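    The id quoted in the SCIIS0001E error (reply 4) and its decoding (replies 5 and 6) as an added Python example; this is editor-supplied code, not from the thread or from IBM. It shows why the decode depends on padding handling: the id is unpadded Base64, a decoder that only consumes complete four-character groups stops at "scimadmingro", and restoring the padding yields the full "scimadmingroup", which matches the scimAdminGroup cn case-insensitively. The function names are assumptions; the sample error body is copied from the post above and embedded as a constructed input.

```python
import base64
import binascii
import json
import re

# Constructed sample: the error body quoted in reply 4, as a SCIM error document.
SAMPLE_ERROR = (
    '{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],'
    '"detail":"SCIIS0001E The resource \'c2NpbWFkbWluZ3JvdXA\' was not found.",'
    '"status":"404"}'
)


def resource_id_from_error(body):
    """Pull the quoted resource id out of a SCIM error document's 'detail' field.
    Returns None if the body is not a SCIM error or carries no quoted id."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return None
    if "urn:ietf:params:scim:api:messages:2.0:Error" not in doc.get("schemas", []):
        return None
    match = re.search(r"'([^']+)'", doc.get("detail", ""))
    return match.group(1) if match else None


def decode_dropping_partial_quartet(resource_id):
    """What a decoder that only consumes complete 4-character groups returns:
    the trailing 'dXA' is discarded, so the last two bytes of the name vanish."""
    usable = resource_id[: len(resource_id) // 4 * 4]
    return base64.b64decode(usable).decode("utf-8")


def decode_scim_id(resource_id):
    """Decode an unpadded (standard or URL-safe) Base64 SCIM id. Padding is
    restored before decoding so the final partial quartet is kept; invalid
    input yields None instead of an exception."""
    normalised = resource_id.replace("-", "+").replace("_", "/")
    padded = normalised + "=" * (-len(normalised) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def id_names_group(resource_id, group_name):
    """True when the decoded id is the given group name, compared case-insensitively
    (the thread's id decodes to all lowercase while the LDAP cn is scimAdminGroup)."""
    decoded = decode_scim_id(resource_id)
    return decoded is not None and decoded.casefold() == group_name.casefold()


if __name__ == "__main__":
    rid = resource_id_from_error(SAMPLE_ERROR)
    print(rid)                                    # c2NpbWFkbWluZ3JvdXA
    print(decode_dropping_partial_quartet(rid))   # scimadmingro
    print(decode_scim_id(rid))                    # scimadmingroup
    print(id_names_group(rid, "scimAdminGroup"))  # True
```

The practical takeaway when reading these errors: always repair the padding before decoding a SCIM id, otherwise the name you search for in the configuration is missing its last characters.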



  • 7.  RE: Trying to Understand SCIM implementation

    Posted Fri October 21, 2022 12:25 AM
    Hi Joao

    Hope you are doing well!

    We are facing the same issue, i.e. the following endpoints are accessible:

    • /scim/Schemas
    • /scim/Schemas/{schema}
    • /scim/ServiceProfileConfig
    • /scim/ResourceTypes
    • /scim/ResourceTypes/{resourceType}

    But we are not able to access /scim/Users. Could you please let us know how you resolved this issue?

    Regards

    ------------------------------
    Narottam Singh
    ------------------------------