scimgateway 5.0.5 → 5.0.7

package/README.md

@@ -13,7 +13,7 @@ Validated through IdP's:
 - Okta 
 - Omada 
 - SailPoint/IdentityNow  
-  
+
 Latest news:  
 
 - Major version **v5.0.0** marks a shift to native TypeScript support and prioritizes [Bun](https://bun.sh/) over Node.js. This upgrade requires some modifications to existing plugins.  
@@ -208,7 +208,6 @@ Below shows an example of config\plugin-saphana.json
 	  "scimgateway": {
 	    "port": 8884,
 	    "localhostonly": false,
-        "payloadSize": null,
         "scim": {
           "version": "2.0",
           "skipTypeConvert" : false,
@@ -281,18 +280,19 @@ Below shows an example of config\plugin-saphana.json
 	      }
 	    },
 	    "ipAllowList": [],
-	    "emailOnError": {
-	      "smtp": {
+	    "email": {
+	      "auth": {
+	        "type": "oauth",
+	        "options": {
+	          "tenantIdGUID": null,
+	          "clientId": null,
+	          "clientSecret": null
+	        }
+	      },
+	      "emailOnError": {
 	        "enabled": false,
-	        "host": null,
-	        "port": 587,
-	        "proxy": null,
-	        "authenticate": true,
-	        "username": null,
-	        "password": null,
-	        "sendInterval": 15,
-	        "to": null,
-	        "cc": null
+	        "from": null,
+	        "to": null
 	      }
 	    },
 	    "stream": {
@@ -349,15 +349,15 @@ Definitions in `scimgateway` object have fixed attributes, but values can be mod
 
 Definitions in `endpoint` object are customized according to our plugin code. Plugin typically need this information for communicating with endpoint  
 
-- **port** - Gateway will listen on this port number. Clients (e.g. Provisioning Server) will be using this port number for communicating with the gateway.  
+- **port** - Gateway will listen on this port number. Clients (e.g. Provisioning Server) will be using this port number for communicating with the gateway
 
-- **localhostonly** - true or false. False means gateway accepts incoming requests from all clients. True means traffic from only localhost (127.0.0.1) is accepted.  
+- **localhostonly** - true or false. False means gateway accepts incoming requests from all clients. True means traffic from only localhost (127.0.0.1) is accepted.
 
-- **payloadSize** - if not defined, default "1mb" will be used. There are cases which large groups could exceed default size and you may want to increase by setting your own size  
+- **idleTimeout** - default 120, sets the the number of seconds to wait before timing out a connection due to inactivity
 
-- **scim.version** - "1.1" or "2.0". Default is "2.0".  
+- **scim.version** - "1.1" or "2.0". Default is "2.0".
 
-- **scim.skipTypeConvert** - true or false, default false. Multivalue attributes supporting types e.g. emails, phoneNumbers, ims, photos, addresses, entitlements and x509Certificates (but not roles, groups and members) will be become "type converted objects" when sent to modifyUser and createUser. This for simplicity of checking attributes included and also for the endpointMapper method (used by plugin-ldap and plugin-entra-id), e.g.: 
+- **scim.skipTypeConvert** - true or false, default false. Multivalue attributes supporting types e.g. emails, phoneNumbers, ims, photos, addresses, entitlements and x509Certificates (but not roles, groups and members) will be become "type converted objects" when sent to modifyUser and createUser. This for simplicity of checking attributes included and also for the endpointMapper method (used by plugin-ldap and plugin-entra-id), e.g.:
 
 		"emails": {
 		  "work": {"value": "jsmith@example.com", "type": "work"},
@@ -375,34 +375,34 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 
 - **scim.skipMetaLocation** - true or false, default false. If set to true, `meta.location` which contains protocol and hostname from request-url, will be excluded from response e.g. `"{...,meta":{"location":"https://my-company.com/<...>"}}`. If using reverse proxy and not including headers `X-Forwarded-Proto` and `X-Forwarded-Host`, originator will be the proxy and we might not want to expose internal protocol and hostname being used by the proxy request.
 
-- **scim."groupMemberOfUser** - true or false, default false. If body contains groups and groupMemberOfUser=true, groups attribute will remain at user object (groups are member of user) instead of default user member of groups that will use modifyGroup method for maintaining group members.
+- **scim.groupMemberOfUser** - true or false, default false. If body contains groups and groupMemberOfUser=true, groups attribute will remain at user object (groups are member of user) instead of default user member of groups that will use modifyGroup method for maintaining group members.
 
 - **scim.usePutSoftSync** - true or false, default false. `PUT /Users/bjensen` will replace the user bjensen with body content. If set to `true`, only PUT body content will be replaced. Any additional existing user attributes and groups supported by plugin will remain as-is.
 
-- **log.loglevel.file** - off, error, info, or debug. Output to plugin-logfile e.g. `logs\plugin-saphana.log`  
+- **log.loglevel.file** - off, error, info, or debug. Output to plugin-logfile e.g. `logs\plugin-saphana.log`
 
-- **log.loglevel.console** - off, error, info, or debug. Output to stdout and errors to stderr.   
+- **log.loglevel.console** - off, error, info, or debug. Output to stdout and errors to stderr.
 
-- **log.customMasking** - array of attributes to be masked e.g. `"customMasking": ["SSN", "weight"]`. By default SCIM Gateway includes masking of some standard attributes like password.  
+- **log.customMasking** - array of attributes to be masked e.g. `"customMasking": ["SSN", "weight"]`. By default SCIM Gateway includes masking of some standard attributes like password.
 
 - **auth** - Contains one or more authentication/authorization methods used by clients for accessing gateway - may also include:
   - **auth.xx.readOnly** - true/false, true gives read only access - only allowing `GET` requests for corresponding admin user
   - **auth.xx.baseEntities** - array containing one or more `baseEntity` allowed for this user e.g. ["client-a"] - empty array allowing all.  
-  **Methods are disabled by setting corresponding admin user to null or remove methods not used**  
+  **Methods are disabled by setting corresponding admin user to null or remove methods not used**
 
-- **auth.basic** - Array of one ore more basic authentication objects - Basic Authentication with **username**/**password**. Note, we set a clear text password that will become encrypted when gateway is started.  
+- **auth.basic** - Array of one ore more basic authentication objects - Basic Authentication with **username**/**password**. Note, we set a clear text password that will become encrypted when gateway is started.
 
-- **auth.bearerToken** - Array of one or more bearer token objects - Shared token/secret (supported by Entra ID). Clear text value will become encrypted when gateway is started.  
+- **auth.bearerToken** - Array of one or more bearer token objects - Shared token/secret (supported by Entra ID). Clear text value will become encrypted when gateway is started.
 
-- **auth.bearerJwtAzure** - Array of one or more JWT used by Azure SyncFabric. **tenantIdGUID** must be set to Entra ID Tenant ID.  
+- **auth.bearerJwtAzure** - Array of one or more JWT used by Azure SyncFabric. **tenantIdGUID** must be set to Entra ID Tenant ID.
 
-- **auth.bearerJwt** - Array of one or more standard JWT objects. Using **secret** or **publicKey** for signature verification. publicKey should be set to the filename of public key or certificate pem-file located in `<package-root>\config\certs` or absolute path being used. Clear text secret will become encrypted when gateway is started. **options.issuer** is mandatory. Other options may also be included according to jsonwebtoken npm package definition.   
+- **auth.bearerJwt** - Array of one or more standard JWT objects. Using **secret** or **publicKey** for signature verification. publicKey should be set to the filename of public key or certificate pem-file located in `<package-root>\config\certs` or absolute path being used. Clear text secret will become encrypted when gateway is started. **options.issuer** is mandatory. Other options may also be included according to jsonwebtoken npm package definition.
 
-- **auth.bearerOAuth** - Array of one or more Client Credentials OAuth configuration objects. **`client_id`** and **`client_secret`** are mandatory. client_secret value will become encrypted when gateway is started. OAuth token request url is **/oauth/token** e.g. http://localhost:8880/oauth/token  
+- **auth.bearerOAuth** - Array of one or more Client Credentials OAuth configuration objects. **`client_id`** and **`client_secret`** are mandatory. client_secret value will become encrypted when gateway is started. OAuth token request url is **/oauth/token** e.g. http://localhost:8880/oauth/token
 
-- **auth.passThrough** - Setting **auth.passThrough.enabled=true** will bypass SCIM Gateway authentication. Gateway will instead pass ctx containing authentication header to the plugin. Plugin could then use this information for endpoint authentication and we don't have any password/token stored at the gateway. Note, this also requires plugin binary having `scimgateway.authPassThroughAllowed = true` and endpoint logic for handling/passing ctx.request.header.authorization 
+- **auth.passThrough** - Setting **auth.passThrough.enabled=true** will bypass SCIM Gateway authentication. Gateway will instead pass ctx containing authentication header to the plugin. Plugin could then use this information for endpoint authentication and we don't have any password/token stored at the gateway. Note, this also requires plugin binary having `scimgateway.authPassThroughAllowed = true` and endpoint logic for handling/passing ctx.request.header.authorization
 
-- **certificate** - If not using TLS certificate, set "key", "cert" and "ca" to **null**. When using TLS, "key" and "cert" have to be defined with the filename corresponding to the primary-key and public-certificate. Both files must be located in the `<package-root>\config\certs` directory unless absolute path being defined e.g:  
+- **certificate** - If not using TLS certificate, set "key", "cert" and "ca" to **null**. When using TLS, "key" and "cert" have to be defined with the filename corresponding to the primary-key and public-certificate. Both files must be located in the `<package-root>\config\certs` directory unless absolute path being defined e.g:
   
 		"certificate": {
 		  "key": "key.pem",
@@ -436,23 +436,49 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
           "2603:1056:2000::/48",
           "2603:1057:2::/48"
         ]
-
-- **emailOnError** - Contains configuration for sending error notifications by email. Note, only the first error will be sent until sendInterval have passed
-- **emailOnError.smtp.enabled** - true or false, value set to true will enable email notifications
-- **emailOnError.smtp.host** - Mailserver e.g. "smtp.office365.com"
-- **emailOnError.smtp.port** - Port used by mailserver e.g. 587, 25 or 465
-- **emailOnError.smtp.proxy** - If using mailproxy e.g. "http://proxy-host:1234"
-- **emailOnError.smtp.authenticate** - true or false, set to true will use username/password authentication
-- **emailOnError.smtp.username** - Mail account for authentication and also the sender of the email, e.g. "user@outlook.com"
-- **emailOnError.smtp.password** - Mail account password
-- **emailOnError.smtp.sendInterval** - Mail notifications on error are deferred until sendInterval **minutes** have passed since the last notification. Default 15 minutes
-- **emailOnError.smtp.to** - Comma separated list of recipients email addresses e.g: "someone@example.com"
-- **emailOnError.smtp.cc** - Comma separated list of cc email addresses
+- **email** - Contains configuration for sending email from plugin or automated error notifications emailOnError. Note, for emailOnError only the first error will be sent until sendInterval have passed
+- **email.host** - Mailserver e.g. "smtp.gmail.com" - mandatory when not using tenantIdGUID (Microsoft)
+- **email.port** - Port used by mailserver e.g. 587, 25 or 465 - mandatory when not using tenantIdGUID (Microsoft)
+- **email.auth** - Authentication configuration
+- **email.auth.type** - `basic` or `oauth`
+- **email.auth.options** - Authentication configuration options - note, different options for type basic and oauth
+- **email.auth.options.username (basic)** - Mail account for authentication normally same as sender of the email, e.g. "user@gmail.com"
+- **email.auth.options.password (basic)** - Mail account password
+- **email.auth.options.tenantIdGUID (oauth)** - Entra ID tenant id, mandatory/recommended when using Microsoft Exchange Online
+- **email.auth.options.tokenUrl (oauth)** - Token endpoint, mandatory when not using tenantIdGUID (Microsoft Exchange Online)
+- **email.auth.options.clientId (oauth)** - Client ID
+- **email.auth.options.clientSecret (oauth)** - Client Secret
+- **email.proxy** - Proxy configuration if using mailproxy
+- **email.proxy.host** - Proxy host e.g. `http://proxy-host:1234`
+- **email.proxy.username** - username if authentication is required
+- **email.proxy.password** - password if authentication is required
+- **email.emailOnError** - Contains configuration for sending error notifications by email. Note, only the first error will be sent until sendInterval have passed
+- **email.emailOnError.enabled** - true or false, value set to true will enable email notifications
+- **email.emailOnError.sendInterval** - Default 15. Mail notifications on error are deferred until sendInterval **minutes** have passed since the last notification.
+- **email.emailOnError.from** - Sender email addresses e.g: "noreply@example.com", note must correspond with email.auth.options being used and mailserver configuration
+- **email.emailOnError.to** - Comma separated list of recipients email addresses e.g: "someone@example.com"
+- **email.emailOnError.cc** - Optional comma separated list of cc mail addresses
+- **email.emailOnError.subject** - Optional mail subject, default `SCIM Gateway error message`
+
+	Configuration notes when using default configuration oauth and tenantIdGUID - Microsoft Exchange Online (ExO):
+
+	- Entra ID application must have application permissions "**Mail.Send**"  
+	- To prevent the sending of emails from any defined mailboxes, an ExO **ApplicationAccessPolicy** must be defined through PowerShell.  
+	
+		First create a mail-enabled security-group that only includes those users (mailboxes) the application is allowed to send from  
+		Note, "mail enabled security" group cannot be created from portal, only from admin or admin.exchange console
+		  
+			##Connect to Exchange
+			Install-Module -Name ExchangeOnlineManagement
+			Connect-ExchangeOnline
+			 
+			##Create ApplicationAccessPolicy
+			New-ApplicationAccessPolicy -AppId $AppClientID -PolicyScopeGroupId $MailEnabledSecurityGrpId -AccessRight RestrictAccess -Description "Restrict app to specific mailboxes"
 
 - **stream** - See [SCIM Stream](https://elshaug.xyz/docs/scim-stream) for configuration details
 
-- **endpoint** - Contains endpoint specific configuration according to our **plugin code**.    
- 
+- **endpoint** - Contains endpoint specific configuration according to our **plugin code**. 
+
 #### Configuration notes
 
 - Custom Schemas, ServiceProviderConfig and ResourceType can be used if `./lib/scimdef-v2.json or scimdef-v1.json` exists. Original scimdef-v2.json/scimdef-v1.json can be copied from node_modules/scimgateway/lib to your plugin/lib and customized.
@@ -578,8 +604,7 @@ docker-compose**
 	**Dockerfile**   <== Main dockerfile  
 	**DataDockerfile**   <== Handles volume mapping   
 	**docker-compose-debug.yml** <== Debugging  
-
-
+	**docker-compose-mssql.yml** <== Example including MSSQL docker image
 
 - Create a scimgateway user on your Linux VM.   
 
@@ -1086,11 +1111,98 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 
 ## Change log  
 
+### v5.0.7
+
+[Improved]
+
+- plugin-mssql all methods now implemented, also includes docker and dbinit configuration, **thanks to [@Peter Havekes](https://github.com/phavekes) and [@mrvanes](https://github.com/mrvanes)**
+
+[Fixed]
+
+- mail sending option introduced in v5.0.6 did not fully support national special charcters when using Microsoft Exchange Online and html formatted email
+
+### v5.0.6
+
+[Improved]
+
+- new configuration option: `scimgateway.idleTimeout` default 120, sets the the number of seconds to wait before timing out a connection due to inactivity
+- deprecated configuration option: `scimgateway.payloadSize` Bun using default maxRequestBodySize 128MB
+- new configuration option: `scimgateway.email` replacing legacy `scimgateway.emailOnError` (legacy still supported). Email now support oauth authentication  
+
+**old configuration:**
+
+	{
+	  "scimgateway": {
+	    ...
+	    "emailOnError": {
+	      "smtp": {
+	        "enabled": false,
+	        "host": null,
+	        "port": 587,
+	        "proxy": null,
+	        "authenticate": true,
+	        "username": null,
+	        "password": null,
+	        "sendInterval": 15,
+	        "to": null,
+	        "cc": null
+	      }
+	    },
+	    ...
+	  },
+	  ...
+	}
+
+
+**new configuration:**  
+Using Microsoft Exchange Online and oauth authencation which also is default and recommended by Microsoft    
+For other mail servers and options like SMTP AUTH (basic/oauth), please see configuration description  
+Plugin may also send mail using method scimgateway.sendMail()  
+
+	{
+	  "scimgateway": {
+	    ...
+	    "email": {
+	      "auth": {
+	        "type": "oauth",
+	        "options": {
+	          "tenantIdGUID": null,
+	          "clientId": null,
+	          "clientSecret": null
+	        }
+	      },
+	      "emailOnError": {
+	        "enabled": false,
+	        "from": null,
+	        "to": null
+	      }
+	    },
+	    ...
+	  },
+	  ...
+	}
+    
+Configuration notes when using oauth and tenantIdGUID - Microsoft Exchange Online (ExO):  
+
+- Entra ID application must have application permissions "**Mail.Send**"  
+- To prevent the sending of emails from any defined mailboxes, an ExO **ApplicationAccessPolicy** must be defined through PowerShell.  
+
+	First create a mail-enabled security-group that only includes those users (mailboxes) the application is allowed to send from  
+	Note, "mail enabled security" group cannot be created from portal, only from admin or admin.exchange console
+	  
+		##Connect to Exchange
+		Install-Module -Name ExchangeOnlineManagement
+		Connect-ExchangeOnline
+		 
+		##Create ApplicationAccessPolicy
+		New-ApplicationAccessPolicy -AppId $AppClientID -PolicyScopeGroupId $MailEnabledSecurityGrpId -AccessRight RestrictAccess -Description "Restrict app to specific mailboxes"
+
+
 ### v5.0.5  
 
 [Fixed]
 
-- plugin-ldap, dn special character not correct for ascii code 128(dec)/80(hex) 
+- plugin-ldap, dn special character not correct for ascii code 128(dec)/80(hex)
 
 ### v5.0.4  
 
@@ -1104,7 +1216,7 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 
 - unauthorized connection when using configuration bearerJwtAzure 
 
-[Improved] 
+[Improved]
 
 - minor type definition cosmetics
 
@@ -1553,7 +1665,7 @@ Note, obsolete - see v4.2.15 comments
           "forceExitTimeout": 1000
         }
 
-    **Thanks to Kevin Osborn**
+    **Thanks to [@Kevin Osborn](https://github.com/osbornk)**
 
 ### v4.1.15  
 
@@ -1584,7 +1696,7 @@ Note, obsolete - see v4.2.15 comments
         scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx)
         // tip, see provided example plugins
 
-    **Thanks to Kevin Osborn**
+    **Thanks to [@Kevin Osborn](https://github.com/osbornk)**
 
 ### v4.1.14  
 
@@ -1609,7 +1721,7 @@ Note, obsolete - see v4.2.15 comments
 [Improved]  
 
 - new plugin configuration `payloadSize`. If not defined, default "1mb" will be used. There are cases which large groups could exceed default size and you may want to increase by setting your own size e.g. "5mb"  
-    **Thanks to Sam Murphy**
+    **Thanks to [@Sam Murphy*](https://github.com/SamMurphyDev)**
 
 [Fixed]  
   
@@ -1755,7 +1867,7 @@ SCIM Gateway related news:
         }
 
 - postinstall copying example plugins may be skipped by setting the property `scimgateway_postinstall_skip = true` in `.npmrc` or by setting environment `SCIMGATEWAY_POSTINSTALL_SKIP = true`
-- Secrets now also support key-value storage. The key defined in plugin configuration have syntax `process.text.<path>` where `<path>` is the file which contains raw (UTF-8) character value. E.g. configuration `endpoint.password` could have value `process.text./var/run/vault/endpoint.password`, and the corresponding file contains the secret. **Thanks to Raymond Augé**
+- Secrets now also support key-value storage. The key defined in plugin configuration have syntax `process.text.<path>` where `<path>` is the file which contains raw (UTF-8) character value. E.g. configuration `endpoint.password` could have value `process.text./var/run/vault/endpoint.password`, and the corresponding file contains the secret. **Thanks to [@Raymond Augé](https://github.com/rotty3000)**
 
 
 ### v4.0.0  
@@ -1765,7 +1877,7 @@ SCIM Gateway related news:
 - New `getGroups()` replacing deprecated exploreGroups(), getGroup() and getGroupMembers()
 - Fully filter and sort support
 - Authentication configuration may now include a baseEntities array containing one or more `baseEntity` allowed for corresponding admin user
-- New plugin-mongodb, **thanks to Filipe Ribeiro and Miguel Ferreira (KEEP SOLUTIONS)**
+- New plugin-mongodb, **Thanks to [@Filipe Ribeiro](https://github.com/fribeiro-keeps) and [@Miguel Ferreira](https://github.com/jmaferreira) (KEEP SOLUTIONS)**
 
 Note, using this major version **require existing custom plugins to be upgraded**. If you do not want to upgrade your custom plugins, the old version have to be installed using: `npm install scimgateway@3.2.11`  
 
@@ -1873,7 +1985,7 @@ We also need to add logic from existing getGroup() and getGroupMembers()
 [Fixed]  
 
 - Return 500 on GET handler error instead of 404  
-  **Thanks to Nipun Dayanath**
+  **Thanks to [@Nipun Dayanath](https://github.com/nipund)**
 - createUser/createRole response now includes id retrieved by getUser/getRole instead of using posted userName/displayName value
 
 ### v3.2.6  
@@ -2353,7 +2465,7 @@ Custom plugins needs some changes (please see included example plugins)
 
 - Some minor compliance fixes  
 
-**Thanks to ywchuang** 
+**Thanks to [@ywchuang](https://github.com/ywchuang)** 
 
 ### v1.0.4  
 [Improved]  
@@ -2453,7 +2565,7 @@ With:
 
 - Document updated on how to run SCIM Gateway as a Docker container  
 - `config\docker` includes docker configuration examples  
-**Thanks to Charley Watson and Jeffrey Gilbert**  
+**Thanks to [@cwatsonc](https://github.com/cwatsonc) and [@visualjeff](https://github.com/visualjeff)**  
 
 
 ### v0.4.5  
@@ -2474,7 +2586,7 @@ With:
 
 - NoSQL Document-Oriented Database plugin: `plugin-loki`  
 This plugin now replace previous `plugin-testmode`  
-**Thanks to Jeffrey Gilbert**  
+**Thanks to [@visualjeff](https://github.com/visualjeff)**  
 - Minor code/comment reorganizations in provided plugins  
 - Minor adjustments to multi-value logic introduced in v0.4.0  
 
@@ -2493,7 +2605,7 @@ This plugin now replace previous `plugin-testmode`
 
 - Mocha test scripts for automated testing of plugin-testmode  
 - Automated tests run on Travis-ci.org (click on build badge) 
-- **Thanks to Jeffrey Gilbert**
+- **Thanks to [@visualjeff](https://github.com/visualjeff)**
 
 
   

package/config/docker/dbinit/init.sql

@@ -0,0 +1,43 @@
+USE [master];
+GO
+
+IF NOT EXISTS (SELECT * FROM sys.sql_logins WHERE name = 'scimgateway')
+BEGIN
+    CREATE LOGIN [scimgateway] WITH PASSWORD = 'password', CHECK_POLICY = OFF;
+    ALTER SERVER ROLE [sysadmin] ADD MEMBER [scimgateway];
+END
+GO
+
+IF DB_ID('scimgateway') IS NULL
+BEGIN
+    CREATE DATABASE [scimgateway];
+END
+GO
+
+IF NOT EXISTS (SELECT * FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = 'User')
+BEGIN
+    USE [scimgateway]
+    CREATE TABLE [User] (
+        [UserID] VARCHAR(50) NOT NULL,
+        [Enabled] VARCHAR(50) NULL,
+        [Password] VARCHAR(50) NULL,
+        [FirstName] VARCHAR(50) NULL,
+        [MiddleName] VARCHAR(50) NULL,
+        [LastName] VARCHAR(50) NULL,
+        [Email] VARCHAR(50) NULL,
+        [MobilePhone] VARCHAR(50) NULL,
+        CONSTRAINT [PK_User] PRIMARY KEY ([UserID])
+    );
+END
+GO
+
+IF NOT EXISTS (SELECT * FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = 'Group')
+BEGIN
+    USE [scimgateway]
+    CREATE TABLE [Group] (
+        [GroupID] VARCHAR(50) NOT NULL,
+        [Enabled] VARCHAR(50) NULL,
+        CONSTRAINT [PK_Group] PRIMARY KEY ([GroupID])
+    );
+END
+GO

package/config/docker/docker-compose-mssql.yml

@@ -0,0 +1,58 @@
+version: '2'
+services:
+#   scimgateway:
+#     build:
+#       context: .
+#       dockerfile: ./Dockerfile
+#     image: scimgateway:latest
+#     container_name: scimgateway
+#     depends_on:
+#       scimgateway-sqlserver:
+#         condition: service_healthy
+#     hostname:
+#       scimgateway
+#     volumes:
+#       - ./config:/home/scimgateway/config:rw
+#       - /var/lib/dbus:/var/lib/dbus:ro
+#     ports:
+#       - "8880:8880"
+# #    environment:
+# #      - NODE_ENV=production
+# #      - PORT=8880
+# #      - SEED=changeit
+#     restart: on-failure:3
+
+  scimgateway-sqlserver:
+    image: mcr.microsoft.com/mssql/server:2019-latest
+    hostname:
+      MySqlHost
+    environment:
+      - ACCEPT_EULA=Y
+      - SA_PASSWORD=p@ssw0rd!
+      - MSSQL_PID=Developer
+    ports:
+      - 1433:1433
+    volumes:
+      - ./sqlserver_data:/var/opt/mssql
+    user: root
+    restart: always
+    healthcheck:
+      test: ["CMD-SHELL", "/opt/mssql-tools18/bin/sqlcmd -C -S localhost -U sa -P \"p@ssw0rd!\" -Q 'SELECT 1' || exit 1"]
+      interval: 10s
+      retries: 10
+      start_period: 10s
+      timeout: 3s
+
+  scimgateway-sqlserver-configurator:
+    image: mcr.microsoft.com/mssql/server:2019-latest
+    volumes:
+      - ./dbinit:/docker-entrypoint-initdb.d
+    depends_on:
+      scimgateway-sqlserver:
+        condition: service_healthy
+    restart: no
+    command: >
+      bash -c '
+      /opt/mssql-tools18/bin/sqlcmd -C -S MySqlHost -U sa -P "p@ssw0rd!" -d master -i docker-entrypoint-initdb.d/init.sql;
+      echo "All done!";
+      '

package/config/plugin-api.json

@@ -2,7 +2,6 @@
   "scimgateway": {
     "port": 8890,
     "localhostonly": false,
-    "payloadSize": null,
     "scim": {
       "version": "2.0",
       "skipTypeConvert": false,
@@ -75,18 +74,19 @@
       }
     },
     "ipAllowList": [],
-    "emailOnError": {
-      "smtp": {
+    "email": {
+      "auth": {
+        "type": "oauth",
+        "options": {
+          "tenantIdGUID": null,
+          "clientId": null,
+          "clientSecret": null
+        }
+      },
+      "emailOnError": {
         "enabled": false,
-        "host": null,
-        "port": 587,
-        "proxy": null,
-        "authenticate": true,
-        "username": null,
-        "password": null,
-        "sendInterval": 15,
-        "to": null,
-        "cc": null
+        "from": null,
+        "to": null
       }
     },
     "stream": {

package/config/plugin-entra-id.json

@@ -2,7 +2,6 @@
   "scimgateway": {
     "port": 8881,
     "localhostonly": false,
-    "payloadSize": null,
     "scim": {
       "version": "2.0",
       "customSchema": null,
@@ -75,18 +74,56 @@
       }
     },
     "ipAllowList": [],
-    "emailOnError": {
-      "smtp": {
+    "email": {
+      "auth": {
+        "type": "oauth",
+        "options": {
+          "tenantIdGUID": null,
+          "clientId": null,
+          "clientSecret": null
+        }
+      },
+      "emailOnError": {
+        "enabled": false,
+        "from": null,
+        "to": null
+      }
+    },
+    "stream": {
+      "baseUrls": [],
+      "certificate": {
+        "ca": null
+      },
+      "subscriber": {
         "enabled": false,
-        "host": null,
-        "port": 587,
-        "proxy": null,
-        "authenticate": true,
-        "username": null,
-        "password": null,
-        "sendInterval": 15,
-        "to": null,
-        "cc": null
+        "entity": {
+          "undefined": {
+            "nats": {
+              "tenant": null,
+              "subject": null,
+              "jwt": null,
+              "secret": null
+            },
+            "deleteUserOnLastGroupRoleRemoval": false,
+            "skipConvertRolesToGroups": false,
+            "generateUserPassword": false,
+            "modifyOnly": false,
+            "replaceDomains": []
+          }
+        }
+      },
+      "publisher": {
+        "enabled": false,
+        "entity": {
+          "undefined": {
+            "nats": {
+              "tenant": null,
+              "subject": null,
+              "jwt": null,
+              "secret": null
+            }
+          }
+        }
       }
     }
   },

package/config/plugin-ldap.json

@@ -2,7 +2,6 @@
   "scimgateway": {
     "port": 8883,
     "localhostonly": false,
-    "payloadSize": null,
     "scim": {
       "version": "2.0",
       "skipTypeConvert": false,
@@ -75,18 +74,19 @@
       }
     },
     "ipAllowList": [],
-    "emailOnError": {
-      "smtp": {
+    "email": {
+      "auth": {
+        "type": "oauth",
+        "options": {
+          "tenantIdGUID": null,
+          "clientId": null,
+          "clientSecret": null
+        }
+      },
+      "emailOnError": {
         "enabled": false,
-        "host": null,
-        "port": 587,
-        "proxy": null,
-        "authenticate": true,
-        "username": null,
-        "password": null,
-        "sendInterval": 15,
-        "to": null,
-        "cc": null
+        "from": null,
+        "to": null
       }
     },
     "stream": {
@@ -275,4 +275,4 @@
       }
     }
   }
-}
+}