scimgateway 4.2.16 → 4.3.0

package/lib/{plugin-azure-ad.js → plugin-entra-id.js}

@@ -1,17 +1,17 @@
 // =====================================================================================================================
-// File:    plugin-azure-ad.js
+// File:    plugin-entra-id.js
 //
 // Author:  Jarle Elshaug
 //
-// Purpose: Azure AD provisioning including licenses e.g. O365
+// Purpose: Entra ID provisioning including licenses e.g. O365
 //
-// Prereq:  Azure AD configuration:
+// Prereq:  Entra ID configuration:
 //          Application key defined (clientsecret)
 //          plugin-azure-ad.json configured with corresponding clientid and clientsecret
-//          Application permission "Windows Azure Active Directory" - all "Application Permissions"
-//          Application must be member of "User Account Administrator" (powershell import-Module MSOnline)
+//          Application permission: Directory.ReadWriteAll and Organization.ReadWrite.All
+//          Application must be member of "User Account Administrator" or "Global administrator"
 //
-// Notes: For CA Provisioning - Use ConnectorXpress, import metafile
+// Notes: For Symantec/Broadcom/CA Provisioning - Use ConnectorXpress, import metafile
 //        "node_modules\scimgateway\resources\Azure - ScimGateway.xml" for creating endpoint
 //
 //        Using "Custom SCIM" attributes defined in scimgateway.endpointMap
@@ -129,7 +129,9 @@ for (const key in config.map.user) { // userAttributes = ['country', 'preferredL
 }
 
 for (const baseEntity in config.entity) { // ensure we have baseUrls in config and for this azure-ad plugin we overwrite any existing to hardcoded value ['https://graph.microsoft.com/beta']
-  config.entity[baseEntity].baseUrls = ['https://graph.microsoft.com/beta'] // beta instead of 'v1.0' gives all user attributes when no $select
+  if (config.entity[baseEntity].oauth && config.entity[baseEntity].oauth.tenantIdGUID) {
+    config.entity[baseEntity].baseUrls = ['https://graph.microsoft.com/beta'] // beta instead of 'v1.0' gives all user attributes when no $select
+  }
 }
 
 const _serviceClient = {}
@@ -914,10 +916,104 @@ scimgateway.modifyServicePlan = async (baseEntity, id, ctx) => {
   throw new Error(`${action} error: ${action} is not supported`)
 }
 
+// =================================================
+// getUser
+// addOn helper for plugin-azure-ad
+// =================================================
+const getUser = async (baseEntity, uid, attributes, ctx) => { // uid = id, userName (upn) or externalId (upn)
+  if (attributes.length < 1) {
+    attributes = userAttributes
+  }
+
+  const user = () => {
+    return new Promise((resolve, reject) => {
+      (async () => {
+        // const [attrs] = scimgateway.endpointMapper('outbound', attributes, config.map.user) // SCIM/CustomSCIM => endpoint attribute standard
+        const method = 'GET'
+        const path = `/users/${querystring.escape(uid)}?$expand=manager($select=userPrincipalName)` // beta returns all attributes or use: ?$select=${attrs.join()}
+        const body = null
+        try {
+          const response = await doRequest(baseEntity, method, path, body, ctx)
+          const userObj = response.body
+          if (!userObj) {
+            const err = new Error('Got empty response when retrieving data for ' + uid)
+            return reject(err)
+          }
+
+          let managerId
+          if (userObj.manager && userObj.manager.userPrincipalName) managerId = userObj.manager.userPrincipalName
+          delete userObj.manager
+          if (managerId) userObj.manager = managerId
+
+          resolve(userObj)
+        } catch (err) {
+          return reject(err)
+        }
+      })()
+    })
+  }
+
+  const license = () => {
+    return new Promise((resolve, reject) => {
+      (async () => {
+        if (!attributes.includes('servicePlan.value')) return resolve(null) // licenses not requested
+        const method = 'GET'
+        const path = `/users/${querystring.escape(uid)}/licenseDetails`
+        const body = null
+        const retObj = { servicePlan: [] }
+
+        try {
+          const response = await doRequest(baseEntity, method, path, body, ctx)
+          if (!response.body.value) {
+            const err = new Error('No content for license information ' + uid)
+            return reject(err)
+          } else {
+            if (response.body.value.length < 1) return resolve(null) // User with no licenses
+            for (let i = 0; i < response.body.value.length; i++) {
+              const skuPartNumber = response.body.value[i].skuPartNumber
+              for (let index = 0; index < response.body.value[i].servicePlans.length; index++) {
+                if (response.body.value[i].servicePlans[index].provisioningStatus === 'Success' ||
+                response.body.value[i].servicePlans[index].provisioningStatus === 'PendingInput') {
+                  const servicePlan = { value: `${skuPartNumber}::${response.body.value[i].servicePlans[index].servicePlanName}` }
+                  retObj.servicePlan.push(servicePlan)
+                }
+              }
+            }
+          }
+          resolve(retObj)
+        } catch (err) {
+          let statusCode
+          try { statusCode = JSON.parse(err.message).statusCode } catch (e) {}
+          if (statusCode === 404) return resolve(null) // user have no plans
+          return reject(err)
+        }
+      })()
+    })
+  }
+
+  // return Promise.all([user(), manager(), license()])
+  return Promise.all([user(), license()])
+    .then((results) => {
+      let retObj = {}
+      for (const i in results) { // merge async.parallell results to one
+        retObj = Object.assign(retObj, results[i])
+      }
+      return retObj
+    })
+    .catch((err) => {
+      if (err.message.includes('empty response')) return null // no user found
+      else throw (err)
+    })
+}
+
 // =================================================
 // helpers
 // =================================================
 
+//
+// start - REST endpoint template
+//
+
 const getClientIdentifier = (ctx) => {
   if (!ctx?.request?.header?.authorization) return undefined
   const [user, secret] = getCtxAuth(ctx)
@@ -936,6 +1032,85 @@ const getCtxAuth = (ctx) => {
   else return [undefined, authToken] // bearer auth
 }
 
+//
+// getAccessToken - returns oauth accesstoken
+//
+const getAccessToken = async (baseEntity, ctx) => {
+  await lock.acquire()
+  const clientIdentifier = getClientIdentifier(ctx)
+  const d = new Date() / 1000 // seconds (unix time)
+  if (_serviceClient[baseEntity] && _serviceClient[baseEntity][clientIdentifier] && _serviceClient[baseEntity][clientIdentifier].accessToken &&
+   (_serviceClient[baseEntity][clientIdentifier].accessToken.validTo >= d + 30)) { // avoid simultaneously token requests
+    lock.release()
+    return _serviceClient[baseEntity][clientIdentifier].accessToken
+  }
+
+  const action = 'getAccessToken'
+  scimgateway.logger.debug(`${pluginName}[${baseEntity}] ${action}: Retrieving accesstoken`)
+
+  const method = 'POST'
+  const [, secret] = getCtxAuth(ctx) // if Auth PassTrough, secret from basic or bearer auth
+  let tokenUrl
+  let form
+
+  if (config.entity[baseEntity].oauth) {
+    let resource
+    try {
+      const urlObj = new URL(config.entity[baseEntity].baseUrls[0])
+      resource = urlObj.origin
+    } catch (err) {
+      resource = null
+    }
+    if (config.entity[baseEntity].oauth.tenantIdGUID) { // Azure
+      tokenUrl = `https://login.microsoftonline.com/${config.entity[baseEntity].oauth.tenantIdGUID}/oauth2/token`
+    } else {
+      tokenUrl = `https://login.microsoftonline.com/${config.entity[baseEntity].oauth.tokenUrl}`
+    }
+    form = {
+      grant_type: 'client_credentials',
+      client_id: config.entity[baseEntity].oauth.clientId,
+      client_secret: secret || scimgateway.getPassword(`endpoint.entity.${baseEntity}.oauth.clientSecret`, configFile), // using config if no Auth PassThrough
+      resource: resource // "https://graph.microsoft.com"
+    }
+  } else {
+    const err = new Error(`[${action}] missing supported endpoint authentication configuration`)
+    lock.release()
+    throw (err)
+  }
+
+  const options = {
+    headers: {
+      'Content-Type': 'application/x-www-form-urlencoded' // body must be query string formatted (no JSON)
+    }
+  }
+
+  try {
+    const response = await doRequest(baseEntity, method, tokenUrl, form, ctx, options)
+    if (!response.body) {
+      const err = new Error(`[${action}] No data retrieved from: ${method} ${tokenUrl}`)
+      throw (err)
+    }
+    const jbody = response.body
+    if (jbody.error) {
+      const err = new Error(`[${action}] Error message: ${jbody.error_description}`)
+      throw (err)
+    } else if (!jbody.access_token || !jbody.expires_in) {
+      const err = new Error(`[${action}] Error message: Retrieved invalid token response`)
+      throw (err)
+    }
+
+    const d = new Date() / 1000 // seconds (unix time)
+    jbody.validTo = d + parseInt(jbody.expires_in) // instead of using expires_on (clock may not be in sync with NTP, AAD default expires_in = 3600 seconds)
+    scimgateway.logger.silly(`${pluginName}[${baseEntity}] ${action}: AccessToken =  ${jbody.access_token}`)
+
+    lock.release()
+    return jbody
+  } catch (err) {
+    lock.release()
+    throw (err)
+  }
+}
+
 //
 // getServiceClient - returns options needed for connection parameters
 //
@@ -948,6 +1123,11 @@ const getCtxAuth = (ctx) => {
 const getServiceClient = async (baseEntity, method, path, opt, ctx) => {
   const action = 'getServiceClient'
 
+  let authType
+  if (config.entity[baseEntity].basicAuth) authType = 'basicAuth'
+  else if (config.entity[baseEntity].oauth) authType = 'oauth'
+  else if (config.entity[baseEntity].bearerAuth) authType = 'bearerAuth'
+
   let urlObj
   if (!path) path = ''
   try {
@@ -958,20 +1138,22 @@ const getServiceClient = async (baseEntity, method, path, opt, ctx) => {
     //
 
     const clientIdentifier = getClientIdentifier(ctx)
-    if (_serviceClient[baseEntity] && _serviceClient[baseEntity][clientIdentifier] && _serviceClient[baseEntity][clientIdentifier].accessToken) { // serviceClient already exist - Azure plugin specific
+    if (_serviceClient[baseEntity] && _serviceClient[baseEntity][clientIdentifier]) { // serviceClient already exist - Azure plugin specific
       scimgateway.logger.debug(`${pluginName}[${baseEntity}] ${action}: Using existing client`)
-      // check if token refresh is needed
-      const d = new Date() / 1000 // seconds (unix time)
-      if (_serviceClient[baseEntity][clientIdentifier].accessToken.validTo < d + 30) { // less than 30 sec before token expiration
-        scimgateway.logger.debug(`${pluginName}[${baseEntity}] ${action}: Accesstoken about to expire in ${_serviceClient[baseEntity][clientIdentifier].accessToken.validTo - d} seconds`)
-        try {
-          const accessToken = await getAccessToken(baseEntity, ctx)
-          _serviceClient[baseEntity][clientIdentifier].accessToken = accessToken
-          _serviceClient[baseEntity][clientIdentifier].options.headers.Authorization = ` Bearer ${accessToken.access_token}`
-        } catch (err) {
-          delete _serviceClient[baseEntity][clientIdentifier]
-          const newErr = err
-          throw newErr
+      if (_serviceClient[baseEntity][clientIdentifier].accessToken) {
+      // check if token refresh is needed when using oauth
+        const d = new Date() / 1000 // seconds (unix time)
+        if (_serviceClient[baseEntity][clientIdentifier].accessToken.validTo < d + 30) { // less than 30 sec before token expiration
+          scimgateway.logger.debug(`${pluginName}[${baseEntity}] ${action}: Accesstoken about to expire in ${_serviceClient[baseEntity][clientIdentifier].accessToken.validTo - d} seconds`)
+          try {
+            const accessToken = await getAccessToken(baseEntity, ctx)
+            _serviceClient[baseEntity][clientIdentifier].accessToken = accessToken
+            _serviceClient[baseEntity][clientIdentifier].options.headers.Authorization = ` Bearer ${accessToken.access_token}`
+          } catch (err) {
+            delete _serviceClient[baseEntity][clientIdentifier]
+            const newErr = err
+            throw newErr
+          }
         }
       }
     } else {
@@ -982,19 +1164,18 @@ const getServiceClient = async (baseEntity, method, path, opt, ctx) => {
         const err = new Error(`Base URL have baseEntity=${baseEntity}, and configuration file ${pluginName}.json is missing required baseEntity configuration for ${baseEntity}`)
         throw err
       }
-
-      // Azure plugin specific
-      const accessToken = await getAccessToken(baseEntity, ctx)
-
+      if (!config.entity[baseEntity].baseUrls || !Array.isArray(config.entity[baseEntity].baseUrls) || config.entity[baseEntity].baseUrls.length < 1) {
+        const err = new Error(`missing configuration entity.${baseEntity}.baseUrls`)
+        throw err
+      }
       urlObj = new URL(config.entity[baseEntity].baseUrls[0])
       const param = {
         baseUrl: config.entity[baseEntity].baseUrls[0],
-        accessToken: accessToken, // Azure plugin specific
         options: {
           json: true, // json-object response instead of string
           headers: {
             'Content-Type': 'application/json',
-            Authorization: ` Bearer ${accessToken.access_token}`
+            Accept: 'application/json'
           },
           host: urlObj.hostname,
           port: urlObj.port, // null if https and 443 defined in url
@@ -1003,6 +1184,37 @@ const getServiceClient = async (baseEntity, method, path, opt, ctx) => {
         }
       }
 
+      if (ctx?.request?.header?.authorization) { // Auth PassThrough using ctx header
+        param.options.headers.Authorization = ctx.request.header.authorization
+      } else {
+        switch (authType) {
+          case 'basicAuth':
+            if (!config.entity[baseEntity].basicAuth.username || !config.entity[baseEntity].basicAuth.password) {
+              const err = new Error(`missing configuration entity.${baseEntity}.basicAuth.username/password`)
+              throw err
+            }
+            param.options.headers.Authorization = 'Basic ' + Buffer.from(`${config.entity[baseEntity].basicAuth.username}:${scimgateway.getPassword(`endpoint.entity.${baseEntity}.basicAuth.password`, configFile)}`).toString('base64')
+            break
+          case 'oauth':
+            if (!config.entity[baseEntity].oauth.clientId || !config.entity[baseEntity].oauth.clientSecret) {
+              const err = new Error(`missing configuration entity.${baseEntity}.oauth.clientId/clientSecret`)
+              throw err
+            }
+            param.accessToken = await getAccessToken(baseEntity, ctx)
+            param.options.headers.Authorization = `Bearer ${param.accessToken.access_token}`
+            break
+          case 'bearerAuth':
+            if (!config.entity[baseEntity].bearerAuth.token) {
+              const err = new Error(`missing configuration entity.${baseEntity}.bearerAuth.token`)
+              throw err
+            }
+            param.options.headers.Authorization = 'Bearer ' + Buffer.from(`${scimgateway.getPassword(`endpoint.entity.${baseEntity}.bearerAuth.token`, configFile)}`).toString('base64')
+            break
+          default:
+            // no auth
+        }
+      }
+
       // proxy
       if (config.entity[baseEntity].proxy && config.entity[baseEntity].proxy.host) {
         const agent = new HttpsProxyAgent(config.entity[baseEntity].proxy.host)
@@ -1012,12 +1224,14 @@ const getServiceClient = async (baseEntity, method, path, opt, ctx) => {
         }
       }
 
+      // config options
+      if (config.entity[baseEntity].options) param.options = scimgateway.extendObj(param.options, config.entity[baseEntity].options)
+
       if (!_serviceClient[baseEntity]) _serviceClient[baseEntity] = {}
       if (!_serviceClient[baseEntity][clientIdentifier]) _serviceClient[baseEntity][clientIdentifier] = {}
-
       _serviceClient[baseEntity][clientIdentifier] = param // serviceClient created
 
-      // Azure plugin specific (note, not using [clientIdentifier])
+      // OData support - note, not using [clientIdentifier]
       _serviceClient[baseEntity].nextLink = {}
       _serviceClient[baseEntity].nextLink.users = null // Azure users pagination
       _serviceClient[baseEntity].nextLink.groups = null // Azure groups pagination
@@ -1173,150 +1387,8 @@ const doRequest = async (baseEntity, method, path, body, ctx, opt, retryCount) =
 } // doRequest
 
 //
-// getAccessToken - returns oauth jwt accesstoken
+// end - REST endpoint template
 //
-const getAccessToken = async (baseEntity, ctx) => {
-  await lock.acquire()
-  const clientIdentifier = getClientIdentifier(ctx)
-  const d = new Date() / 1000 // seconds (unix time)
-  if (_serviceClient[baseEntity] && _serviceClient[baseEntity][clientIdentifier] && _serviceClient[baseEntity][clientIdentifier].accessToken &&
-   (_serviceClient[baseEntity][clientIdentifier].accessToken.validTo >= d + 30)) { // avoid simultaneously token requests
-    lock.release()
-    return _serviceClient[baseEntity][clientIdentifier].accessToken
-  }
-
-  const action = 'getAccessToken'
-  scimgateway.logger.debug(`${pluginName}[${baseEntity}] ${action}: Retrieving accesstoken`)
-
-  const req = `https://login.microsoftonline.com/${config.entity[baseEntity].tenantIdGUID}/oauth2/token`
-  const method = 'POST'
-
-  const [, secret] = getCtxAuth(ctx) // if Auth PassTrough, secret from basic or bearer auth
-  const form = { // query string formatted
-    grant_type: 'client_credentials',
-    client_id: config.entity[baseEntity].clientId,
-    client_secret: secret || scimgateway.getPassword(`endpoint.entity.${baseEntity}.clientSecret`, configFile), // using config if no Auth PassThrough
-    resource: 'https://graph.microsoft.com'
-  }
-
-  const options = {
-    headers: {
-      'Content-Type': 'application/x-www-form-urlencoded' // body must be query string formatted (no JSON)
-    }
-  }
-
-  try {
-    const response = await doRequest(baseEntity, method, req, form, ctx, options)
-    if (!response.body) {
-      const err = new Error(`[${action}] No data retrieved from: ${method} ${req}`)
-      throw (err)
-    }
-    const jbody = response.body
-    if (jbody.error) {
-      const err = new Error(`[${action}] Error message: ${jbody.error_description}`)
-      throw (err)
-    } else if (!jbody.access_token || !jbody.expires_in) {
-      const err = new Error(`[${action}] Error message: Retrieved invalid token response`)
-      throw (err)
-    }
-
-    const d = new Date() / 1000 // seconds (unix time)
-    jbody.validTo = d + parseInt(jbody.expires_in) // instead of using expires_on (clock may not be in sync with NTP, AAD default expires_in = 3600 seconds)
-    scimgateway.logger.silly(`${pluginName}[${baseEntity}] ${action}: AccessToken =  ${jbody.access_token}`)
-
-    lock.release()
-    return jbody
-  } catch (err) {
-    lock.release()
-    throw (err)
-  }
-}
-
-const getUser = async (baseEntity, uid, attributes, ctx) => { // uid = id, userName (upn) or externalId (upn)
-  if (attributes.length < 1) {
-    attributes = userAttributes
-  }
-
-  const user = () => {
-    return new Promise((resolve, reject) => {
-      (async () => {
-        // const [attrs] = scimgateway.endpointMapper('outbound', attributes, config.map.user) // SCIM/CustomSCIM => endpoint attribute standard
-        const method = 'GET'
-        const path = `/users/${querystring.escape(uid)}?$expand=manager($select=userPrincipalName)` // beta returns all attributes or use: ?$select=${attrs.join()}
-        const body = null
-        try {
-          const response = await doRequest(baseEntity, method, path, body, ctx)
-          const userObj = response.body
-          if (!userObj) {
-            const err = new Error('Got empty response when retrieving data for ' + uid)
-            return reject(err)
-          }
-
-          let managerId
-          if (userObj.manager && userObj.manager.userPrincipalName) managerId = userObj.manager.userPrincipalName
-          delete userObj.manager
-          if (managerId) userObj.manager = managerId
-
-          resolve(userObj)
-        } catch (err) {
-          return reject(err)
-        }
-      })()
-    })
-  }
-
-  const license = () => {
-    return new Promise((resolve, reject) => {
-      (async () => {
-        if (!attributes.includes('servicePlan.value')) return resolve(null) // licenses not requested
-        const method = 'GET'
-        const path = `/users/${querystring.escape(uid)}/licenseDetails`
-        const body = null
-        const retObj = { servicePlan: [] }
-
-        try {
-          const response = await doRequest(baseEntity, method, path, body, ctx)
-          if (!response.body.value) {
-            const err = new Error('No content for license information ' + uid)
-            return reject(err)
-          } else {
-            if (response.body.value.length < 1) return resolve(null) // User with no licenses
-            for (let i = 0; i < response.body.value.length; i++) {
-              const skuPartNumber = response.body.value[i].skuPartNumber
-              for (let index = 0; index < response.body.value[i].servicePlans.length; index++) {
-                if (response.body.value[i].servicePlans[index].provisioningStatus === 'Success' ||
-                response.body.value[i].servicePlans[index].provisioningStatus === 'PendingInput') {
-                  const servicePlan = { value: `${skuPartNumber}::${response.body.value[i].servicePlans[index].servicePlanName}` }
-                  retObj.servicePlan.push(servicePlan)
-                }
-              }
-            }
-          }
-          resolve(retObj)
-        } catch (err) {
-          let statusCode
-          try { statusCode = JSON.parse(err.message).statusCode } catch (e) {}
-          if (statusCode === 404) return resolve(null) // user have no plans
-          return reject(err)
-        }
-      })()
-    })
-  }
-
-  // return Promise.all([user(), manager(), license()])
-  return Promise.all([user(), license()])
-    .then((results) => {
-      let retObj = {}
-      for (const i in results) { // merge async.parallell results to one
-        retObj = Object.assign(retObj, results[i])
-      }
-      return retObj
-    })
-    .catch((err) => {
-      if (err.message.includes('empty response')) return null // no user found
-      else throw (err)
-    })
-}
 
 //
 // Cleanup on exit

package/lib/plugin-ldap.js

@@ -202,7 +202,16 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx) => {
       throw new Error(`${action} error: not supporting groups member of user filtering: ${getObj.rawFilter}`)
     } else {
       // optional - simpel filtering
-      throw new Error(`${action} error: not supporting simpel filtering: ${getObj.rawFilter}`)
+      if (getObj.operator === 'eq') {
+        ldapOptions = {
+          filter: `&${getObjClassFilter(baseEntity, 'user')}(${getObj.attribute}=${getObj.value})`, // &(objectClass=user)(objectClass=person)(objectClass=organizationalPerson)(objectClass=top)(employeeNumber=123)
+          scope: scope,
+          attributes: attrs
+        }
+        if (config.entity[baseEntity].ldap.userFilter) ldapOptions.filter += config.entity[baseEntity].ldap.userFilter
+      } else {
+        throw new Error(`${action} error: not supporting simpel filtering: ${getObj.rawFilter}`)
+      }
     }
   } else if (getObj.rawFilter) {
     // optional - advanced filtering having and/or/not - use getObj.rawFilter
@@ -284,8 +293,8 @@ scimgateway.createUser = async (baseEntity, userObj, ctx) => {
   if (!userBase) userBase = config.entity[baseEntity].ldap.userBase
 
   // convert SCIM attributes to endpoint attributes according to config.map
-  const [endpointObj, err] = scimgateway.endpointMapper('outbound', userObj, config.map.user)
-  if (err) throw new Error(`${action} error: ${err.message}`)
+  const [endpointObj] = scimgateway.endpointMapper('outbound', userObj, config.map.user)
+  // if (err) throw new Error(`${action} error: ${err.message}`)  // use above [endpointObj, err] to catch non supported attributes
 
   // endpoint spesific attribute handling
   if (endpointObj.sAMAccountName !== undefined) { // Active Directory
@@ -366,8 +375,8 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
     const groups = attrObj.groups
     delete attrObj.groups // make sure to be removed from attrObj
 
-    const [groupsAttr, err] = scimgateway.endpointMapper('outbound', 'groups.value', config.map.user)
-    if (err) throw new Error(`${action} error: ${err.message}`)
+    const [groupsAttr] = scimgateway.endpointMapper('outbound', 'groups.value', config.map.user)
+    // if (err) throw new Error(`${action} error: ${err.message}`)  // use above [endpointObj, err] to catch non supported attributes
 
     const body = { add: { }, remove: { } }
     body.add[groupsAttr] = []
@@ -416,8 +425,8 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
   if (JSON.stringify(attrObj) === '{}') return null // only groups included
 
   // convert SCIM attributes to endpoint attributes according to config.map
-  const [endpointObj, err] = scimgateway.endpointMapper('outbound', attrObj, config.map.user)
-  if (err) throw new Error(`${action} error: ${err.message}`)
+  const [endpointObj] = scimgateway.endpointMapper('outbound', attrObj, config.map.user)
+  // if (err) throw new Error(`${action} error: ${err.message}`)  // use above [endpointObj, err] to catch non supported attributes
 
   // endpoint spesific attribute handling
   if (endpointObj.userAccountControl !== undefined) { // SCIM "active" - Active Directory