scimgateway 5.0.6 → 5.0.8

package/README.md

@@ -13,14 +13,14 @@ Validated through IdP's:
 - Okta 
 - Omada 
 - SailPoint/IdentityNow  
-  
+
 Latest news:  
 
-- Major version **v5** marks a shift to native TypeScript support and prioritizes [Bun](https://bun.sh/) over Node.js. This upgrade requires some modifications to existing plugins.  
+- Major version **v5.0.0** marks a shift to native TypeScript support and prioritizes [Bun](https://bun.sh/) over Node.js. This upgrade requires some modifications to existing plugins.  
 - **BREAKING**: [SCIM Stream](https://elshaug.xyz/docs/scim-stream) is the modern way of user provisioning letting clients subscribe to messages instead of traditional IGA top-down provisioning. SCIM Gateway now offers enhanced functionality with support for message subscription and automated provisioning using SCIM Stream
 - Authentication PassThrough letting plugin pass authentication directly to endpoint for avoid maintaining secrets at the gateway
 - Supports OAuth Client Credentials authentication
-- Major version **v4** getUsers() and getGroups() replacing some deprecated methods. No limitations on filtering/sorting. Admin user access can be linked to specific baseEntities. New MongoDB plugin
+- Major version **v4.0.0** getUsers() and getGroups() replacing some deprecated methods. No limitations on filtering/sorting. Admin user access can be linked to specific baseEntities. New MongoDB plugin
 - ipAllowList for restricting access to allowlisted IP addresses or subnets e.g. Azure IP-range  
 - General LDAP plugin configured for Active Directory  
 - [PlugSSO](https://elshaug.xyz/docs/plugsso) using SCIM Gateway
@@ -258,8 +258,8 @@ Below shows an example of config\plugin-saphana.json
           ],
           "bearerOAuth": [
             {
-              "client_id": null,
-              "client_secret": null,
+              "clientId": null,
+              "clientSecret": null,
               "readOnly": false,
               "baseEntities": []
             }
@@ -398,7 +398,7 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 
 - **auth.bearerJwt** - Array of one or more standard JWT objects. Using **secret** or **publicKey** for signature verification. publicKey should be set to the filename of public key or certificate pem-file located in `<package-root>\config\certs` or absolute path being used. Clear text secret will become encrypted when gateway is started. **options.issuer** is mandatory. Other options may also be included according to jsonwebtoken npm package definition.
 
-- **auth.bearerOAuth** - Array of one or more Client Credentials OAuth configuration objects. **`client_id`** and **`client_secret`** are mandatory. client_secret value will become encrypted when gateway is started. OAuth token request url is **/oauth/token** e.g. http://localhost:8880/oauth/token
+- **auth.bearerOAuth** - Array of one or more Client Credentials OAuth configuration objects. **`clientId`** and **`clientSecret`** are mandatory. clientSecret value will become encrypted when gateway is started. OAuth token request url is **/oauth/token** e.g. http://localhost:8880/oauth/token
 
 - **auth.passThrough** - Setting **auth.passThrough.enabled=true** will bypass SCIM Gateway authentication. Gateway will instead pass ctx containing authentication header to the plugin. Plugin could then use this information for endpoint authentication and we don't have any password/token stored at the gateway. Note, this also requires plugin binary having `scimgateway.authPassThroughAllowed = true` and endpoint logic for handling/passing ctx.request.header.authorization
 
@@ -460,6 +460,21 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 - **email.emailOnError.cc** - Optional comma separated list of cc mail addresses
 - **email.emailOnError.subject** - Optional mail subject, default `SCIM Gateway error message`
 
+	Configuration notes when using default configuration oauth and tenantIdGUID - Microsoft Exchange Online (ExO):
+
+	- Entra ID application must have application permissions `Mail.Send`  
+	- To prevent the sending of emails from any defined mailboxes, an ExO `ApplicationAccessPolicy` must be defined through PowerShell.  
+	
+		First create a mail-enabled security-group that only includes those users (mailboxes) the application is allowed to send from  
+		Note, `mail enabled security group` cannot be created from portal, only from admin or admin.exchange console
+		  
+			##Connect to Exchange
+			Install-Module -Name ExchangeOnlineManagement
+			Connect-ExchangeOnline
+			 
+			##Create ApplicationAccessPolicy
+			New-ApplicationAccessPolicy -AppId <AppClientID> -PolicyScopeGroupId <MailEnabledSecurityGrpId> -AccessRight RestrictAccess -Description "Restrict app to specific mailboxes"
+
 - **stream** - See [SCIM Stream](https://elshaug.xyz/docs/scim-stream) for configuration details
 
 - **endpoint** - Contains endpoint specific configuration according to our **plugin code**. 
@@ -589,8 +604,7 @@ docker-compose**
 	**Dockerfile**   <== Main dockerfile  
 	**DataDockerfile**   <== Handles volume mapping   
 	**docker-compose-debug.yml** <== Debugging  
-
-
+	**docker-compose-mssql.yml** <== Example including MSSQL docker image
 
 - Create a scimgateway user on your Linux VM.   
 
@@ -1097,14 +1111,99 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 
 ## Change log  
 
-### v5.0.6  
+### v5.0.8
+
+[Fixed]
+
+- Ensure Bun compatibility with Azure Reverse Proxy for large and long running response
+- HelperRest was not compatible with Node.js
+- plugin-mssql, some error handling should not throw an error
+- Configuration files updated according to the v5 configuration syntax of `scimgateway.auth.bearerOAuth` - `clientId/clientSecret` now replacing deprecated `client_id/client_secret`
+
+### v5.0.7
+
+[Improved]
+
+- plugin-mssql all methods now implemented, also includes docker and dbinit configuration, **thanks to [@Peter Havekes](https://github.com/phavekes) and [@mrvanes](https://github.com/mrvanes)**
+
+[Fixed]
+
+- mail sending option introduced in v5.0.6 did not fully support national special charcters when using Microsoft Exchange Online and html formatted email
+
+### v5.0.6
 
 [Improved]
 
 - new configuration option: `scimgateway.idleTimeout` default 120, sets the the number of seconds to wait before timing out a connection due to inactivity
-- new configuration option: `scimgateway.email` replacing legacy `scimgateway.emailOnError` (legacy still supported). Email now support oauth authentication configuration which is default and recommended for Microsoft Exchange Online.
-- removed configuration option: `scimgateway.payloadSize` Bun using default maxRequestBodySize 128MB
-- plugin may send email using method scimgateway.sendMail()
+- deprecated configuration option: `scimgateway.payloadSize` Bun using default maxRequestBodySize 128MB
+- new configuration option: `scimgateway.email` replacing legacy `scimgateway.emailOnError` (legacy still supported). Email now support oauth authentication  
+
+**old configuration:**
+
+	{
+	  "scimgateway": {
+	    ...
+	    "emailOnError": {
+	      "smtp": {
+	        "enabled": false,
+	        "host": null,
+	        "port": 587,
+	        "proxy": null,
+	        "authenticate": true,
+	        "username": null,
+	        "password": null,
+	        "sendInterval": 15,
+	        "to": null,
+	        "cc": null
+	      }
+	    },
+	    ...
+	  },
+	  ...
+	}
+
+
+**new configuration:**  
+Using Microsoft Exchange Online and oauth authencation which also is default and recommended by Microsoft. For other mail servers and options like SMTP AUTH (basic/oauth), please see configuration description. Plugin may also send mail using method scimgateway.sendMail()
+
+	{
+	  "scimgateway": {
+	    ...
+	    "email": {
+	      "auth": {
+	        "type": "oauth",
+	        "options": {
+	          "tenantIdGUID": null,
+	          "clientId": null,
+	          "clientSecret": null
+	        }
+	      },
+	      "emailOnError": {
+	        "enabled": false,
+	        "from": null,
+	        "to": null
+	      }
+	    },
+	    ...
+	  },
+	  ...
+	}
+    
+Configuration notes when using oauth and tenantIdGUID - Microsoft Exchange Online (ExO):  
+
+- Entra ID application must have application permissions `Mail.Send`  
+- To prevent the sending of emails from any defined mailboxes, an ExO `ApplicationAccessPolicy` must be defined through PowerShell.  
+
+	First create a mail-enabled security-group that only includes those users (mailboxes) the application is allowed to send from  
+	Note, `mail enabled security group` cannot be created from portal, only from admin or admin.exchange console
+	  
+		##Connect to Exchange
+		Install-Module -Name ExchangeOnlineManagement
+		Connect-ExchangeOnline
+		 
+		##Create ApplicationAccessPolicy
+		New-ApplicationAccessPolicy -AppId <AppClientID> -PolicyScopeGroupId <MailEnabledSecurityGrpId> -AccessRight RestrictAccess -Description "Restrict app to specific mailboxes"
+
 
 ### v5.0.5  
 
@@ -1216,7 +1315,7 @@ Besides going from JavaScript to TypeScript, following can be mentioned:
 
 * Use scimgateway.HelperRest() for REST functionlity, also supports Auth PassThrough
 * scimgateway.endpointMapper() may be used for inbound/outbound attribute mappings
-* In general when using TypeScript, variables should be type defined: `let isDone: boolean = false`, `catch (err: any)`, ...
+* In general when using TypeScript, variables should be type-defined: `let isDone: boolean = false`, `catch (err: any)`, ...
 
 ### v4.5.12
 
@@ -1573,7 +1672,7 @@ Note, obsolete - see v4.2.15 comments
           "forceExitTimeout": 1000
         }
 
-    **Thanks to Kevin Osborn**
+    **Thanks to [@Kevin Osborn](https://github.com/osbornk)**
 
 ### v4.1.15  
 
@@ -1604,7 +1703,7 @@ Note, obsolete - see v4.2.15 comments
         scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx)
         // tip, see provided example plugins
 
-    **Thanks to Kevin Osborn**
+    **Thanks to [@Kevin Osborn](https://github.com/osbornk)**
 
 ### v4.1.14  
 
@@ -1629,7 +1728,7 @@ Note, obsolete - see v4.2.15 comments
 [Improved]  
 
 - new plugin configuration `payloadSize`. If not defined, default "1mb" will be used. There are cases which large groups could exceed default size and you may want to increase by setting your own size e.g. "5mb"  
-    **Thanks to Sam Murphy**
+    **Thanks to [@Sam Murphy*](https://github.com/SamMurphyDev)**
 
 [Fixed]  
   
@@ -1775,7 +1874,7 @@ SCIM Gateway related news:
         }
 
 - postinstall copying example plugins may be skipped by setting the property `scimgateway_postinstall_skip = true` in `.npmrc` or by setting environment `SCIMGATEWAY_POSTINSTALL_SKIP = true`
-- Secrets now also support key-value storage. The key defined in plugin configuration have syntax `process.text.<path>` where `<path>` is the file which contains raw (UTF-8) character value. E.g. configuration `endpoint.password` could have value `process.text./var/run/vault/endpoint.password`, and the corresponding file contains the secret. **Thanks to Raymond Augé**
+- Secrets now also support key-value storage. The key defined in plugin configuration have syntax `process.text.<path>` where `<path>` is the file which contains raw (UTF-8) character value. E.g. configuration `endpoint.password` could have value `process.text./var/run/vault/endpoint.password`, and the corresponding file contains the secret. **Thanks to [@Raymond Augé](https://github.com/rotty3000)**
 
 
 ### v4.0.0  
@@ -1785,7 +1884,7 @@ SCIM Gateway related news:
 - New `getGroups()` replacing deprecated exploreGroups(), getGroup() and getGroupMembers()
 - Fully filter and sort support
 - Authentication configuration may now include a baseEntities array containing one or more `baseEntity` allowed for corresponding admin user
-- New plugin-mongodb, **thanks to Filipe Ribeiro and Miguel Ferreira (KEEP SOLUTIONS)**
+- New plugin-mongodb, **Thanks to [@Filipe Ribeiro](https://github.com/fribeiro-keeps) and [@Miguel Ferreira](https://github.com/jmaferreira) (KEEP SOLUTIONS)**
 
 Note, using this major version **require existing custom plugins to be upgraded**. If you do not want to upgrade your custom plugins, the old version have to be installed using: `npm install scimgateway@3.2.11`  
 
@@ -1893,7 +1992,7 @@ We also need to add logic from existing getGroup() and getGroupMembers()
 [Fixed]  
 
 - Return 500 on GET handler error instead of 404  
-  **Thanks to Nipun Dayanath**
+  **Thanks to [@Nipun Dayanath](https://github.com/nipund)**
 - createUser/createRole response now includes id retrieved by getUser/getRole instead of using posted userName/displayName value
 
 ### v3.2.6  
@@ -2373,7 +2472,7 @@ Custom plugins needs some changes (please see included example plugins)
 
 - Some minor compliance fixes  
 
-**Thanks to ywchuang** 
+**Thanks to [@ywchuang](https://github.com/ywchuang)** 
 
 ### v1.0.4  
 [Improved]  
@@ -2473,7 +2572,7 @@ With:
 
 - Document updated on how to run SCIM Gateway as a Docker container  
 - `config\docker` includes docker configuration examples  
-**Thanks to Charley Watson and Jeffrey Gilbert**  
+**Thanks to [@cwatsonc](https://github.com/cwatsonc) and [@visualjeff](https://github.com/visualjeff)**  
 
 
 ### v0.4.5  
@@ -2494,7 +2593,7 @@ With:
 
 - NoSQL Document-Oriented Database plugin: `plugin-loki`  
 This plugin now replace previous `plugin-testmode`  
-**Thanks to Jeffrey Gilbert**  
+**Thanks to [@visualjeff](https://github.com/visualjeff)**  
 - Minor code/comment reorganizations in provided plugins  
 - Minor adjustments to multi-value logic introduced in v0.4.0  
 
@@ -2513,7 +2612,7 @@ This plugin now replace previous `plugin-testmode`
 
 - Mocha test scripts for automated testing of plugin-testmode  
 - Automated tests run on Travis-ci.org (click on build badge) 
-- **Thanks to Jeffrey Gilbert**
+- **Thanks to [@visualjeff](https://github.com/visualjeff)**
 
 
   

package/config/docker/dbinit/init.sql

@@ -0,0 +1,43 @@
+USE [master];
+GO
+
+IF NOT EXISTS (SELECT * FROM sys.sql_logins WHERE name = 'scimgateway')
+BEGIN
+    CREATE LOGIN [scimgateway] WITH PASSWORD = 'password', CHECK_POLICY = OFF;
+    ALTER SERVER ROLE [sysadmin] ADD MEMBER [scimgateway];
+END
+GO
+
+IF DB_ID('scimgateway') IS NULL
+BEGIN
+    CREATE DATABASE [scimgateway];
+END
+GO
+
+IF NOT EXISTS (SELECT * FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = 'User')
+BEGIN
+    USE [scimgateway]
+    CREATE TABLE [User] (
+        [UserID] VARCHAR(50) NOT NULL,
+        [Enabled] VARCHAR(50) NULL,
+        [Password] VARCHAR(50) NULL,
+        [FirstName] VARCHAR(50) NULL,
+        [MiddleName] VARCHAR(50) NULL,
+        [LastName] VARCHAR(50) NULL,
+        [Email] VARCHAR(50) NULL,
+        [MobilePhone] VARCHAR(50) NULL,
+        CONSTRAINT [PK_User] PRIMARY KEY ([UserID])
+    );
+END
+GO
+
+IF NOT EXISTS (SELECT * FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = 'Group')
+BEGIN
+    USE [scimgateway]
+    CREATE TABLE [Group] (
+        [GroupID] VARCHAR(50) NOT NULL,
+        [Enabled] VARCHAR(50) NULL,
+        CONSTRAINT [PK_Group] PRIMARY KEY ([GroupID])
+    );
+END
+GO

package/config/docker/docker-compose-mssql.yml

@@ -0,0 +1,58 @@
+version: '2'
+services:
+#   scimgateway:
+#     build:
+#       context: .
+#       dockerfile: ./Dockerfile
+#     image: scimgateway:latest
+#     container_name: scimgateway
+#     depends_on:
+#       scimgateway-sqlserver:
+#         condition: service_healthy
+#     hostname:
+#       scimgateway
+#     volumes:
+#       - ./config:/home/scimgateway/config:rw
+#       - /var/lib/dbus:/var/lib/dbus:ro
+#     ports:
+#       - "8880:8880"
+# #    environment:
+# #      - NODE_ENV=production
+# #      - PORT=8880
+# #      - SEED=changeit
+#     restart: on-failure:3
+
+  scimgateway-sqlserver:
+    image: mcr.microsoft.com/mssql/server:2019-latest
+    hostname:
+      MySqlHost
+    environment:
+      - ACCEPT_EULA=Y
+      - SA_PASSWORD=p@ssw0rd!
+      - MSSQL_PID=Developer
+    ports:
+      - 1433:1433
+    volumes:
+      - ./sqlserver_data:/var/opt/mssql
+    user: root
+    restart: always
+    healthcheck:
+      test: ["CMD-SHELL", "/opt/mssql-tools18/bin/sqlcmd -C -S localhost -U sa -P \"p@ssw0rd!\" -Q 'SELECT 1' || exit 1"]
+      interval: 10s
+      retries: 10
+      start_period: 10s
+      timeout: 3s
+
+  scimgateway-sqlserver-configurator:
+    image: mcr.microsoft.com/mssql/server:2019-latest
+    volumes:
+      - ./dbinit:/docker-entrypoint-initdb.d
+    depends_on:
+      scimgateway-sqlserver:
+        condition: service_healthy
+    restart: no
+    command: >
+      bash -c '
+      /opt/mssql-tools18/bin/sqlcmd -C -S MySqlHost -U sa -P "p@ssw0rd!" -d master -i docker-entrypoint-initdb.d/init.sql;
+      echo "All done!";
+      '

package/config/plugin-api.json

@@ -52,8 +52,8 @@
       ],
       "bearerOAuth": [
         {
-          "client_id": null,
-          "client_secret": null,
+          "clientId": null,
+          "clientSecret": null,
           "readOnly": false,
           "baseEntities": []
         }

package/config/plugin-entra-id.json

@@ -52,8 +52,8 @@
       ],
       "bearerOAuth": [
         {
-          "client_id": null,
-          "client_secret": null,
+          "clientId": null,
+          "clientSecret": null,
           "readOnly": false,
           "baseEntities": []
         }

package/config/plugin-ldap.json

@@ -52,8 +52,8 @@
       ],
       "bearerOAuth": [
         {
-          "client_id": null,
-          "client_secret": null,
+          "clientId": null,
+          "clientSecret": null,
           "readOnly": false,
           "baseEntities": []
         }

package/config/plugin-loki.json

@@ -52,8 +52,8 @@
       ],
       "bearerOAuth": [
         {
-          "client_id": null,
-          "client_secret": null,
+          "clientId": null,
+          "clientSecret": null,
           "readOnly": false,
           "baseEntities": []
         }

package/config/plugin-mongodb.json

@@ -58,8 +58,8 @@
       ],
       "bearerOAuth": [
         {
-          "client_id": null,
-          "client_secret": null,
+          "clientId": null,
+          "clientSecret": null,
           "readOnly": false,
           "baseEntities": []
         }

package/config/plugin-mssql.json

@@ -52,8 +52,8 @@
       ],
       "bearerOAuth": [
         {
-          "client_id": null,
-          "client_secret": null,
+          "clientId": null,
+          "clientSecret": null,
           "readOnly": false,
           "baseEntities": []
         }

package/config/plugin-saphana.json

@@ -52,8 +52,8 @@
       ],
       "bearerOAuth": [
         {
-          "client_id": null,
-          "client_secret": null,
+          "clientId": null,
+          "clientSecret": null,
           "readOnly": false,
           "baseEntities": []
         }

package/config/plugin-scim.json

@@ -52,8 +52,8 @@
       ],
       "bearerOAuth": [
         {
-          "client_id": null,
-          "client_secret": null,
+          "clientId": null,
+          "clientSecret": null,
           "readOnly": false,
           "baseEntities": []
         }

package/config/plugin-soap.json

@@ -52,8 +52,8 @@
       ],
       "bearerOAuth": [
         {
-          "client_id": null,
-          "client_secret": null,
+          "clientId": null,
+          "clientSecret": null,
           "readOnly": false,
           "baseEntities": []
         }

package/lib/helper-rest.ts

@@ -4,7 +4,7 @@ import { Buffer } from 'node:buffer'
 import fs from 'node:fs'
 import querystring from 'querystring'
 import * as utils from './utils.ts'
-import ScimGateway from 'scimgateway'
+// import type { ScimGateway } from 'scimgateway' // comment out for supporting Node.js, using type any and no IntelliSense
 
 /**
  * HelperRest includes function doRequest() for doing REST calls
@@ -13,12 +13,12 @@ export class HelperRest {
   private lock = new utils.Lock()
   private _serviceClient: Record<string, any> = {}
   private config_entity: any
-  private scimgateway: ScimGateway
+  private scimgateway: any
   private idleTimeout: number
   private graphUrl = 'https://graph.microsoft.com/beta' // beta instead of 'v1.0' gives all user attributes when no $select
 
-  constructor(scimgateway: ScimGateway, optionalEntities?: Record<string, any>) {
-    if (!(scimgateway instanceof ScimGateway)) throw new Error('HelperRest initialization error: argument scimgateway is not of type ScimGateway')
+  constructor(scimgateway: any, optionalEntities?: Record<string, any>) {
+    if (!scimgateway || !scimgateway.gwName) throw new Error('HelperRest initialization error: argument scimgateway is not of type ScimGateway')
     this.scimgateway = scimgateway
     this.idleTimeout = (scimgateway as any)?.config?.scimgateway.idleTimeout || 120
     this.idleTimeout = this.idleTimeout - 1
@@ -297,7 +297,7 @@ export class HelperRest {
           } catch (err: any) {
             throw new Error(`tls configuration error: ${err.message}`)
           }
-          if (Object.prototype.hasOwnProperty.call(connOpt?.tls, 'rejectUnauthorized')) {
+          if (connOpt.tls && Object.prototype.hasOwnProperty.call(connOpt.tls, 'rejectUnauthorized')) {
             if (connOpt.tls.rejectUnauthorized !== false && connOpt.tls.rejectUnauthorized !== true) {
               delete connOpt.tls.rejectUnauthorized
             }
@@ -405,13 +405,18 @@ export class HelperRest {
       let dataString = ''
       if (body) {
         if (options.headers['Content-Type']) {
-          if (options.headers['Content-Type'].toLowerCase() === 'application/x-www-form-urlencoded') {
+          const type: string = options.headers['Content-Type'].toLowerCase().trim()
+          if (type.startsWith('application/x-www-form-urlencoded')) {
             if (typeof body === 'string') dataString = body
             else dataString = querystring.stringify(body) // JSON to query string syntax + URL encoded
-          } else dataString = JSON.stringify(body)
+          } else {
+            if (typeof body === 'string') dataString = body
+            else dataString = JSON.stringify(body)
+          }
         } else {
           options.headers['Content-Type'] = 'application/json; charset=utf-8'
-          dataString = JSON.stringify(body)
+          if (typeof body === 'string') dataString = body
+          else dataString = JSON.stringify(body)
         }
         options.headers['Content-Length'] = Buffer.byteLength(dataString, 'utf8')
         options.body = dataString

package/lib/plugin-mssql.ts

@@ -6,16 +6,40 @@
 // Purpose: SQL user-provisioning
 //
 // Prereq:
-// TABLE [dbo].[User](
-//  [UserID] [varchar](50) NOT NULL,
-//  [Enabled] [varchar](50) NULL,
-//  [Password] [varchar](50) NULL,
-//  [FirstName] [varchar](50) NULL,
-//  [MiddleName] [varchar](50) NULL,
-//  [LastName] [varchar](50) NULL,
-//  [Email] [varchar](50) NULL,
-//  [MobilePhone] [varchar](50) NULL
-// )
+// CREATE TABLE [Users] (
+//     [UserID] VARCHAR(50) NOT NULL,
+//     [Enabled] VARCHAR(50) NULL,
+//     [Password] VARCHAR(50) NULL,
+//     [FirstName] VARCHAR(50) NULL,
+//     [MiddleName] VARCHAR(50) NULL,
+//     [LastName] VARCHAR(50) NULL,
+//     [Email] VARCHAR(50) NULL,
+//     [MobilePhone] VARCHAR(50) NULL,
+//     CONSTRAINT [PK_User]
+//         PRIMARY KEY ([UserID])
+// );
+//
+// CREATE TABLE [Groups] (
+//     [GroupID] VARCHAR(50) NOT NULL,
+//     [Enabled] VARCHAR(50) NULL,
+//     CONSTRAINT [PK_Group]
+//         PRIMARY KEY ([GroupID])
+// );
+//
+// CREATE TABLE [Users2Group] (
+//     [GroupID] VARCHAR(50) NOT NULL,
+//     [UserID] VARCHAR(50) NOT NULL,
+//     CONSTRAINT [PK_Users2Group]
+//         PRIMARY KEY ([GroupID],[UserID]),
+//     CONSTRAINT [FK_U2G_Group]
+//         FOREIGN KEY ([GroupID])
+//         REFERENCES [Groups]([GroupID])
+//         ON DELETE CASCADE,
+//     CONSTRAINT [FK_U2G_Users]
+//         FOREIGN KEY ([UserID])
+//         REFERENCES [Users]([UserID])
+//         ON DELETE CASCADE
+// );
 //
 // Supported attributes:
 //
@@ -42,7 +66,7 @@ import { Connection, Request } from 'tedious'
 const ScimGateway: typeof import('scimgateway').ScimGateway = await (async () => {
   try {
     return (await import('scimgateway')).ScimGateway
-  } catch (err) {
+  } catch (err: any) {
     const source = './scimgateway.ts'
     return (await import(source)).ScimGateway
   }
@@ -69,7 +93,7 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx) => {
   if (getObj.operator) {
     if (getObj.operator === 'eq' && ['id', 'userName', 'externalId'].includes(getObj.attribute)) {
       // mandatory - unique filtering - single unique user to be returned - correspond to getUser() in versions < 4.x.x
-      sqlQuery = `select * from [User] where UserID = '${getObj.value}'`
+      sqlQuery = `select * from [Users] where UserID = '${getObj.value}'`
     } else if (getObj.operator === 'eq' && getObj.attribute === 'group.value') {
       // optional - only used when groups are member of users, not default behavior - correspond to getGroupUsers() in versions < 4.x.x
       throw new Error(`${action} error: not supporting groups member of user filtering: ${getObj.rawFilter}`)
@@ -82,64 +106,37 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx) => {
     throw new Error(`${action} not error: supporting advanced filtering: ${getObj.rawFilter}`)
   } else {
     // mandatory - no filtering (!getObj.operator && !getObj.rawFilter) - all users to be returned - correspond to exploreUsers() in versions < 4.x.x
-    sqlQuery = 'select * from [User]'
+    sqlQuery = 'select * from [Users]'
   }
   // mandatory if-else logic - end
 
   if (!sqlQuery) throw new Error(`${action} error: mandatory if-else logic not fully implemented`)
 
   try {
-    return await new Promise((resolve, reject) => {
+    return await new Promise(async (resolve) => {
       const ret: any = { // itemsPerPage will be set by scimgateway
         Resources: [],
         totalResults: null,
       }
 
-      const connectionCfg: any = scimgateway.copyObj(config.connection)
-      if (ctx?.request?.header?.authorization) { // Auth PassThrough (don't use configuration password)
-        if (!connectionCfg.authentication) connectionCfg.authentication = {}
-        if (!connectionCfg.authentication.type) connectionCfg.authentication.type = 'default'
-        if (!connectionCfg.authentication.options) connectionCfg.authentication.options = {}
-        const [username, password] = getCtxAuth(ctx)
-        connectionCfg.authentication.options.password = password
-        if (username) connectionCfg.authentication.options.userName = username
-      }
-
-      const connection = new Connection(connectionCfg)
-
-      connection.on('connect', function (err) {
-        if (err) {
-          const e = new Error(`exploreUsers MSSQL client connect error: ${err.message}`)
-          return reject(e)
+      const users: any[] = await query(sqlQuery, ctx).catch(err => scimgateway.logWarn(baseEntity, `${action} warning: ${err.message}`))
+      for (const user of users) {
+        const scimUser = {
+          id: user.UserID.value ? user.UserID.value : undefined,
+          userName: user.UserID.value ? user.UserID.value : undefined,
+          active: user.Enabled.value === 'true' || false,
+          name: {
+            givenName: user.FirstName.value ? user.FirstName.value : undefined,
+            middleName: user.MiddleName.value ? user.MiddleName.value : undefined,
+            familyName: user.LastName.value ? user.LastName.value : undefined,
+          },
+          phoneNumbers: user.MobilePhone.value ? [{ type: 'work', value: user.MobilePhone.value }] : undefined,
+          emails: user.Email.value ? [{ type: 'work', value: user.Email.value }] : undefined,
         }
-        const request = new Request(sqlQuery, function (err, rowCount, rows) {
-          if (err) {
-            connection.close()
-            const e = new Error(`exploreUsers MSSQL client request: ${sqlQuery} Error: ${err.message}`)
-            return reject(e)
-          }
+        ret.Resources.push(scimUser)
+      }
 
-          for (const row in rows) {
-            const scimUser = {
-              id: rows[row].UserID.value ? rows[row].UserID.value : undefined,
-              userName: rows[row].UserID.value ? rows[row].UserID.value : undefined,
-              active: rows[row].Enabled.value === 'true' || false,
-              name: {
-                givenName: rows[row].FirstName.value ? rows[row].FirstName.value : undefined,
-                middleName: rows[row].MiddleName.value ? rows[row].MiddleName.value : undefined,
-                familyName: rows[row].LastName.value ? rows[row].LastName.value : undefined,
-              },
-              phoneNumbers: rows[row].MobilePhone.value ? [{ type: 'work', value: rows[row].MobilePhone.value }] : undefined,
-              emails: rows[row].Email.value ? [{ type: 'work', value: rows[row].Email.value }] : undefined,
-            }
-            ret.Resources.push(scimUser)
-          }
-          connection.close()
-          resolve(ret) // all explored users
-        }) // request
-        connection.execSql(request)
-      }) // connection
-      connection.connect() // initialize the connection
+      resolve(ret) // all explored users
     }) // Promise
   } catch (err: any) {
     throw new Error(`${action} error: ${err.message}`)
@@ -154,7 +151,7 @@ scimgateway.createUser = async (baseEntity, userObj, ctx) => {
   scimgateway.logDebug(baseEntity, `handling "${action}" userObj=${JSON.stringify(userObj)}`)
 
   try {
-    return await new Promise((resolve, reject) => {
+    return await new Promise(async (resolve) => {
       if (!userObj.name) userObj.name = {}
       if (!userObj.emails) userObj.emails = { work: {} }
       if (!userObj.phoneNumbers) userObj.phoneNumbers = { work: {} }
@@ -170,37 +167,12 @@ scimgateway.createUser = async (baseEntity, userObj, ctx) => {
         Email: (userObj.emails.work.value) ? `'${userObj.emails.work.value}'` : null,
       }
 
-      const connectionCfg: any = scimgateway.copyObj(config.connection)
-      if (ctx?.request?.header?.authorization) { // Auth PassThrough (don't use configuration password)
-        if (!connectionCfg.authentication) connectionCfg.authentication = {}
-        if (!connectionCfg.authentication.type) connectionCfg.authentication.type = 'default'
-        if (!connectionCfg.authentication.options) connectionCfg.authentication.options = {}
-        const [username, password] = getCtxAuth(ctx)
-        connectionCfg.authentication.options.password = password
-        if (username) connectionCfg.authentication.options.userName = username
-      }
-      const connection = new Connection(connectionCfg)
-
-      connection.on('connect', function (err) {
-        if (err) {
-          const e = new Error(`createUser MSSQL client connect error: ${err.message}`)
-          return reject(e)
-        }
-        const sqlQuery = `insert into [User] (UserID, Enabled, Password, FirstName, MiddleName, LastName, Email, MobilePhone) 
+      const sqlQuery = `insert into [Users] (UserID, Enabled, Password, FirstName, MiddleName, LastName, Email, MobilePhone)
                 values (${insert.UserID}, ${insert.Enabled}, ${insert.Password}, ${insert.FirstName}, ${insert.MiddleName}, ${insert.LastName}, ${insert.Email}, ${insert.MobilePhone})`
 
-        const request = new Request(sqlQuery, function (err) {
-          if (err) {
-            connection.close()
-            const e = new Error(`createUser MSSQL client request: ${sqlQuery} error: ${err.message}`)
-            return reject(e)
-          }
-          connection.close()
-          resolve(null)
-        }) // request
-        connection.execSql(request)
-      }) // connection
-      connection.connect() // initialize the connection
+      await query(sqlQuery, ctx).catch(err => scimgateway.logWarn(baseEntity, `${action} warning: ${err.message}`))
+
+      resolve(null)
     }) // Promise
   } catch (err: any) {
     throw new Error(`${action} error: ${err.message}`)
@@ -215,36 +187,11 @@ scimgateway.deleteUser = async (baseEntity, id, ctx) => {
   scimgateway.logDebug(baseEntity, `handling "${action}" id=${id}`)
 
   try {
-    return await new Promise((resolve, reject) => {
-      const connectionCfg: any = scimgateway.copyObj(config.connection)
-      if (ctx?.request?.header?.authorization) { // Auth PassThrough (don't use configuration password)
-        if (!connectionCfg.authentication) connectionCfg.authentication = {}
-        if (!connectionCfg.authentication.type) connectionCfg.authentication.type = 'default'
-        if (!connectionCfg.authentication.options) connectionCfg.authentication.options = {}
-        const [username, password] = getCtxAuth(ctx)
-        connectionCfg.authentication.options.password = password
-        if (username) connectionCfg.authentication.options.userName = username
-      }
-      const connection = new Connection(connectionCfg)
+    return await new Promise(async (resolve) => {
+      const sqlQuery = `delete from [Users] where UserID = '${id}'`
+      await query(sqlQuery, ctx).catch(err => scimgateway.logWarn(baseEntity, `${action} warning: ${err.message}`))
 
-      connection.on('connect', function (err) {
-        if (err) {
-          const e = new Error(`deleteUser MSSQL client connect error: ${err.message}`)
-          return reject(e)
-        }
-        const sqlQuery = `delete from [User] where UserID = '${id}'`
-        const request = new Request(sqlQuery, function (err) {
-          if (err) {
-            connection.close()
-            const e = new Error(`deleteUser MSSQL client request: ${sqlQuery} error: ${err.message}`)
-            return reject(e)
-          }
-          connection.close()
-          resolve(null)
-        }) // request
-        connection.execSql(request)
-      }) // connection
-      connection.connect() // initialize the connection
+      resolve(null)
     }) // Promise
   } catch (err: any) {
     throw new Error(`${action} error: ${err.message}`)
@@ -259,7 +206,7 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
   scimgateway.logDebug(baseEntity, `handling "${action}" id=${id} attrObj=${JSON.stringify(attrObj)}`)
 
   try {
-    return await new Promise((resolve, reject) => {
+    return await new Promise(async (resolve) => {
       if (!attrObj.name) attrObj.name = {}
       if (!attrObj.emails) attrObj.emails = { work: {} }
       if (!attrObj.phoneNumbers) attrObj.phoneNumbers = { work: {} }
@@ -294,35 +241,10 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
 
       sql = sql.substr(0, sql.length - 1) // remove trailing ","
 
-      const connectionCfg: any = scimgateway.copyObj(config.connection)
-      if (ctx?.request?.header?.authorization) { // Auth PassThrough (don't use configuration password)
-        if (!connectionCfg.authentication) connectionCfg.authentication = {}
-        if (!connectionCfg.authentication.type) connectionCfg.authentication.type = 'default'
-        if (!connectionCfg.authentication.options) connectionCfg.authentication.options = {}
-        const [username, password] = getCtxAuth(ctx)
-        connectionCfg.authentication.options.password = password
-        if (username) connectionCfg.authentication.options.userName = username
-      }
-      const connection = new Connection(connectionCfg)
+      const sqlQuery = `update [Users] set ${sql} where UserID like '${id}'`
+      await query(sqlQuery, ctx).catch(err => scimgateway.logWarn(baseEntity, `${action} warning: ${err.message}`))
 
-      connection.on('connect', function (err) {
-        if (err) {
-          const e = new Error(`modifyUser MSSQL client connect error: ${err.message}`)
-          return reject(e)
-        }
-        const sqlQuery = `update [User] set ${sql} where UserID like '${id}'`
-        const request = new Request(sqlQuery, function (err) {
-          if (err) {
-            connection.close()
-            const e = new Error(`modifyUser MSSQL client request: ${sqlQuery} error: ${err.message}`)
-            return reject(e)
-          }
-          connection.close()
-          resolve(null)
-        }) // request
-        connection.execSql(request)
-      }) // connection
-      connection.connect() // initialize the connection
+      resolve(null)
     }) // Promise
   } catch (err: any) {
     throw new Error(`${action} error: ${err.message}`)
@@ -332,55 +254,164 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
 // =================================================
 // getGroups
 // =================================================
-scimgateway.getGroups = async (baseEntity, getObj, attributes) => {
+scimgateway.getGroups = async (baseEntity, getObj, attributes, ctx) => {
   const action = 'getGroups'
   scimgateway.logDebug(baseEntity, `handling "${action}" getObj=${getObj ? JSON.stringify(getObj) : ''} attributes=${attributes}`)
 
+  let sqlQuery
+
   // mandatory if-else logic - start
   if (getObj.operator) {
     if (getObj.operator === 'eq' && ['id', 'displayName', 'externalId'].includes(getObj.attribute)) {
-      // mandatory - unique filtering - single unique user to be returned - correspond to getUser() in versions < 4.x.x
+      // mandatory - unique filtering - single unique user to be returned - correspond to getGroup() in versions < 4.x.x
+      sqlQuery = `select * from [Groups] where GroupID = '${getObj.value}'`
     } else if (getObj.operator === 'eq' && getObj.attribute === 'members.value') {
       // mandatory - return all groups the user 'id' (getObj.value) is member of - correspond to getGroupMembers() in versions < 4.x.x
-      // Resources = [{ id: <id-group>> , displayName: <displayName-group>, members [{value: <id-user>}] }]
+      sqlQuery = `select * from [Groups] join [Users2Group] on Groups.GroupID = Users2Group.GroupID where Users2Group.UserID = '${getObj.value}'`
     } else {
       // optional - simpel filtering
+      throw new Error(`${action} error: not supporting simple filtering: ${getObj.rawFilter}`)
     }
   } else if (getObj.rawFilter) {
     // optional - advanced filtering having and/or/not - use getObj.rawFilter
+    throw new Error(`${action} not error: supporting advanced filtering: ${getObj.rawFilter}`)
   } else {
     // mandatory - no filtering (!getObj.operator && !getObj.rawFilter) - all groups to be returned - correspond to exploreGroups() in versions < 4.x.x
+    sqlQuery = 'select * from [Groups]'
   }
   // mandatory if-else logic - end
+  if (!sqlQuery) throw new Error(`${action} error: mandatory if-else logic not fully implemented`)
 
-  return { Resources: [] } // groups not supported - returning empty Resources
+  try {
+    return await new Promise(async (resolve) => {
+      const ret: any = { // itemsPerPage will be set by scimgateway
+        Resources: [],
+        totalResults: null,
+      }
+
+      const groups: any[] = await query(sqlQuery, ctx).catch(err => scimgateway.logWarn(baseEntity, `${action} warning: ${err.message}`))
+
+      for (const group of groups) {
+        const scimGroup: Record<string, any> = {
+          id: group.GroupID.value ? group.GroupID.value : undefined,
+          displayName: group.GroupID.value ? group.GroupID.value : undefined,
+          active: group.Enabled.value === 'true' || false,
+          members: [],
+        }
+
+        const sqlQuery = `select UserID from [Users2Group] where GroupID = '${scimGroup.id}'`
+        const members = await query(sqlQuery, ctx).catch(err => scimgateway.logWarn(baseEntity, `${action} warning: ${err.message}`))
+        for (const member of members) {
+          const scimMember = {
+            value: member.UserID.value,
+            display: member.UserID.value,
+          }
+          scimGroup.members.push(scimMember)
+        }
+
+        ret.Resources.push(scimGroup)
+      }
+
+      resolve(ret)
+    }) // Promise
+  } catch (err: any) {
+    throw new Error(`${action} error: ${err.message}`)
+  }
 }
 
 // =================================================
 // createGroup
 // =================================================
-scimgateway.createGroup = async (baseEntity, groupObj) => {
+scimgateway.createGroup = async (baseEntity, groupObj, ctx) => {
   const action = 'createGroup'
   scimgateway.logDebug(baseEntity, `handling "${action}" groupObj=${JSON.stringify(groupObj)}`)
-  throw new Error(`${action} error: ${action} is not supported`)
+
+  try {
+    return await new Promise(async (resolve) => {
+      const insert = {
+        GroupID: `'${groupObj.displayName}'`,
+        Enabled: (groupObj.active) ? `'${groupObj.active}'` : '\'false\'',
+      }
+
+      const sqlQuery = `insert into [Groups] (GroupID, Enabled) values (${insert.GroupID}, ${insert.Enabled})`
+      await query(sqlQuery, ctx).catch(err => scimgateway.logWarn(baseEntity, `${action} warning: ${err.message}`))
+
+      if (Array.isArray(groupObj.members) && groupObj.members) {
+        for (const member of groupObj.members) {
+          const sqlQuery = `insert into [Users2Group] (UserID, GroupID) values ('${member.value}', ${insert.GroupID})`
+          await query(sqlQuery, ctx).catch(err => scimgateway.logWarn(baseEntity, `${action} warning: ${err.message}`))
+        }
+      }
+
+      resolve(null)
+    }) // Promise
+  } catch (err: any) {
+    throw new Error(`${action} error: ${err.message}`)
+  }
 }
 
 // =================================================
 // deleteGroup
 // =================================================
-scimgateway.deleteGroup = async (baseEntity, id) => {
+scimgateway.deleteGroup = async (baseEntity, id, ctx) => {
   const action = 'deleteGroup'
   scimgateway.logDebug(baseEntity, `handling "${action}" id=${id}`)
-  throw new Error(`${action} error: ${action} is not supported`)
+
+  try {
+    return await new Promise(async (resolve) => {
+      const sqlQuery = `delete from [Groups] where GroupID = '${id}'`
+      await query(sqlQuery, ctx).catch(err => scimgateway.logWarn(baseEntity, `${action} warning: ${err.message}`))
+
+      resolve(null)
+    }) // Promise
+  } catch (err: any) {
+    throw new Error(`${action} error: ${err.message}`)
+  }
 }
 
 // =================================================
 // modifyGroup
 // =================================================
-scimgateway.modifyGroup = async (baseEntity, id, attrObj) => {
+scimgateway.modifyGroup = async (baseEntity, id, attrObj, ctx) => {
   const action = 'modifyGroup'
   scimgateway.logDebug(baseEntity, `handling "${action}" id=${id} attrObj=${JSON.stringify(attrObj)}`)
-  throw new Error(`${action} error: ${action} is not supported`)
+
+  let sql = ''
+
+  if (attrObj.active !== undefined) sql += `Enabled='${attrObj.active}',`
+  sql = sql.substr(0, sql.length - 1) // remove trailing ","
+
+  const queries = []
+  if (sql) {
+    queries.push(`update [Groups] set ${sql} where GroupID like '${id}'`)
+  }
+
+  // This BLINDLY inserts all user/groups and gracefully breaks on PK violation
+  // for each existing membership
+  if (Array.isArray(attrObj.members) && attrObj.members) {
+    for (const member of attrObj.members) {
+      if (member.operation == 'delete') {
+        queries.push(`delete from [Users2Group] where GroupID='${id}' and UserID='${member.value}'`)
+      } else {
+        queries.push(`insert into [Users2Group] (UserID, GroupID) values ('${member.value}','${id}')`)
+      }
+    }
+  }
+
+  const sqlQuery = queries.join(';')
+
+  try {
+    return await new Promise(async (resolve) => {
+      if (sqlQuery) {
+        scimgateway.logDebug(baseEntity, `sqlQuery: ${sqlQuery}`)
+        await query(sqlQuery, ctx).catch(err => scimgateway.logWarn(baseEntity, `${action} warning: ${err.message}`))
+      }
+
+      resolve(null)
+    }) // Promise
+  } catch (err: any) {
+    throw new Error(`${action} error: ${err.message}`)
+  }
 }
 
 // =================================================
@@ -399,6 +430,42 @@ const getCtxAuth = (ctx: undefined | Record<string, any>) => {
   else return [undefined, authToken] // bearer auth
 }
 
+const connectionCfg = (ctx: undefined | Record<string, any>) => {
+  const connectionCfg = scimgateway.copyObj(config.connection)
+  if (ctx?.request?.header?.authorization) { // Auth PassThrough (don't use configuration password)
+    if (!connectionCfg.authentication) connectionCfg.authentication = {}
+    if (!connectionCfg.authentication.type) connectionCfg.authentication.type = 'default'
+    if (!connectionCfg.authentication.options) connectionCfg.authentication.options = {}
+    const [username, password] = getCtxAuth(ctx)
+    connectionCfg.authentication.options.password = password
+    if (username) connectionCfg.authentication.options.userName = username
+  }
+  return connectionCfg
+}
+
+const query: (sql: string, ctx: any) => Promise<any> = (sql, ctx) => new Promise((resolve, reject) => {
+  const connection = new Connection(connectionCfg(ctx))
+
+  connection.connect((err) => {
+    if (err) {
+      const e = new Error(`MSSQL client connect error: ${err.message}`)
+      reject(e)
+    } else {
+      const request = new Request(sql, (err, rowCount, rows) => {
+        if (err) {
+          connection.close()
+          const e = new Error(`MSSQL client request: ${sql} Error: ${err.message}`)
+          reject(e)
+        } else {
+          connection.close()
+          resolve(rows)
+        }
+      })
+      connection.execSql(request)
+    }
+  })
+})
+
 //
 // Cleanup on exit
 //

package/lib/scimgateway.ts

@@ -2367,13 +2367,25 @@ export class ScimGateway {
           if (!ctx.response.body) ctx.response.body = 'NOT_FOUND'
           break
       }
-      const response = new Response(ctx.response.body, { status: ctx.response.status, headers: ctx.response.headers })
-      if (ctx.response.body) {
+      const body = ctx.response.body
+      if (body) {
         try {
-          JSON.parse(ctx.response.body)
-          response.headers.set('content-type', 'application/scim+json; charset=utf-8')
+          JSON.parse(body)
+          ctx.response.headers.set('content-type', 'application/scim+json; charset=utf-8')
         } catch (err) { void 0 }
       }
+      let response: Response
+      if (typeof Bun !== 'undefined') {
+        const stream = new ReadableStream({ // ensure Bun compatibility with Azure Reverse Proxy for large and long running response - header set by Bun: Transfer-Encoding: 'chunked'
+          start(controller) {
+            controller.enqueue(body)
+            controller.close()
+          },
+        })
+        response = new Response(body ? stream : undefined, { status: ctx.response.status, headers: ctx.response.headers })
+      } else {
+        response = new Response(body ? body : undefined, { status: ctx.response.status, headers: ctx.response.headers })
+      }
       logResult(ctx)
       return response
     }
@@ -2688,21 +2700,28 @@ export class ScimGateway {
   * logDebug logs debug message
   **/
   logDebug(baseEntity: string | undefined, msg: string) {
-    this.logger.debug(`${this.pluginName}[${baseEntity}]} ${msg}`)
+    this.logger.debug(`${this.pluginName}[${baseEntity}] ${msg}`)
   }
 
   /**
   * logInfo logs info message
   **/
   logInfo(baseEntity: string | undefined, msg: string) {
-    this.logger.info(`${this.pluginName}[${baseEntity}]} ${msg}`)
+    this.logger.info(`${this.pluginName}[${baseEntity}] ${msg}`)
+  }
+
+  /**
+  * logWarn logs warning message
+  **/
+  logWarn(baseEntity: string | undefined, msg: string) {
+    this.logger.warn(`${this.pluginName}[${baseEntity}] ${msg}`)
   }
 
   /**
   * logError logs error message
   **/
   logError(baseEntity: string | undefined, msg: string) {
-    this.logger.error(`${this.pluginName}[${baseEntity}]} ${msg}`)
+    this.logger.error(`${this.pluginName}[${baseEntity}] ${msg}`)
   }
 
   /**
@@ -2919,15 +2938,28 @@ export class ScimGateway {
       if (!this.helperRest) this.helperRest = new HelperRest(this, { entity: { undefined: { connection: this.config.scimgateway.email } } })
       if (this.config.scimgateway.email.auth?.options?.tenantIdGUID) {
         // Graph API
+        let content: string
+        if (isHtml) { // ExO workaround for national special caracters in html content - require singleValueExtendedProperties being used
+          var enc = new TextEncoder() // utf-8
+          const buf = enc.encode(msgObj.content)
+          content = new TextDecoder('windows-1252').decode(buf)
+        } else content = msgObj.content
+
         const emailMessage: Record<string, any> = {
           message: {
             subject: msgObj.subject ? msgObj.subject : 'SCIM Gateway message',
             body: {
-              content: msgObj.content,
+              content,
               contentType: isHtml ? 'HTML' : 'Text',
             },
             toRecipients: [],
             ccRecipients: [],
+            singleValueExtendedProperties: [ // force using ExO header: Content-Type: text/plain; charset="utf-8"
+              {
+                id: 'Integer 0x3fde', // Content-Type header - can be verifed by checking raw mail
+                value: '65001', // text/plain; charset="utf-8"
+              },
+            ],
           },
           saveToSentItems: 'false',
         }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scimgateway",
-  "version": "5.0.6",
+  "version": "5.0.8",
   "type": "module",
   "description": "Using SCIM protocol as a gateway for user provisioning to other endpoints",
   "author": "Jarle Elshaug <jarle.elshaug@gmail.com> (https://elshaug.xyz)",