Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
23,609 questions
Entra ID SCIM Provisioning: Invalid URL (\r\n appended) and Entra ID specific user ID used in filter request.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 34%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENB%3C/text%3E%3C/svg%3E)
Nitin Bansal
0
Reputation points
We are experiencing a critical issue with Entra ID SCIM provisioning to our custom application. Entra ID is sending invalid URLs to our SCIM endpoint, resulting in "Forbidden" errors and preventing user provisioning.
Problem Description:
- Invalid URL with \r\n:
- Entra ID is constructing and sending URLs with carriage return and newline characters (\r\n) appended to the end of the resource path.
- Example: Instead of
https://<hidden>/v1/scim/Users/2711b55e-c2af-4038-bdda-96bce5b017b0, Entra ID is sendinghttps://<hidden>/v1/scim/Users/2711b55e-c2af-4038-bdda-96bce5b017b0\r\n.- This invalid URL is causing our API Gateway to return a 403 Forbidden error.
- Evidence: The Entra ID provisioning logs show the following:
Resource: https://<hidden>/v1/scim/Users/2711b55e-c2af-4038-bdda-96bce5b017b0\r\n
- Incorrect User Filtering:
- Entra ID is sending filter requests to our SCIM endpoint using an Entra ID-specific user ID, instead of the expected user attributes (e.g.,
******@accesscorp.com). - This is preventing Entra ID from correctly matching users in our target system.
- Evidence: Our SCIM service logs show filter requests with Entra ID internal user IDs.
- Entra ID is sending filter requests to our SCIM endpoint using an Entra ID-specific user ID, instead of the expected user attributes (e.g.,
- Stale User ID Usage:
- Despite the incorrect filtering, the subsequent GET request to
/users/{id}is using a valid user ID (2711b55e-c2af-4038-bdda-96bce5b017b0). - This suggests Entra ID is retaining and using stale user IDs from previous interactions, indicating a potential issue with Entra ID's internal state management.
- This valid ID is then being used in a context that is causing our authorization to reject the request.
- Despite the incorrect filtering, the subsequent GET request to
Impact:
- User provisioning to our customer application is blocked.
- Synchronization between Entra ID and our application is not working.
Configuration:
- We have configured the base URL and JWT token in the Entra ID enterprise application provisioning settings.
- Attribute mappings are configured according to our SCIM schema.
- We are using AWS API gateway with a lambda authorizer to validate the JWT token.
Troubleshooting Steps Taken:
- Verified the Base URL configuration in Entra ID.
- Checked API Gateway and Lambda authorizer logs.
- Confirmed that the user ID in
/users/{id}is valid in our system. - Captured Entra ID provisioning logs.
- Checked AWS WAF and confirmed it is not blocking requests.
- Directly tested the SCIM endpoint with Postman using the same authentication.
Request:
- Please investigate why Entra ID is appending \r\n characters to the URL.
- Please investigate why Entra ID is using an internal user ID for filtering.
- Please investigate why Entra ID is using stale user IDs.
We require urgent assistance to resolve this issue. Thank you for your prompt attention to this matter.
Sincerely,
Nitin Bansal
Sign in to answer