scimgateway 6.1.18 → 6.1.19
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +20 -5
- package/config/plugin-entra-id.json +586 -562
- package/lib/helper-rest.ts +2 -2
- package/lib/plugin-entra-id.ts +505 -57
- package/lib/scimdef-v1.json +43 -43
- package/lib/scimdef-v2.json +119 -94
- package/lib/scimgateway.ts +86 -29
- package/lib/utils-scim.ts +46 -25
- package/package.json +1 -1
- package/test/lib/plugin-loki_test.ts +5 -4
package/README.md
CHANGED
|
@@ -17,6 +17,7 @@
|
|
|
17
17
|
|
|
18
18
|
Latest news:
|
|
19
19
|
|
|
20
|
+
- Now supports `GET /Roles` and `GET /Entitlements` endpoint requests, with corresponding user management via the standard SCIM `roles` and `entitlements` attributes. The Entra ID plugin uses `entitlements` for Entra ID licenses (read-only) and `roles` for Entra ID Permanent and Eligible roles (full management).
|
|
20
21
|
- Bun binary build is now supported, allowing SCIM Gateway to be compiled into a single executable binary for simplified deployment and execution. SCIM Gateway can now run as an ES module (TypeScript) in Node.js.
|
|
21
22
|
- Major release **v6.0.0** introduces changes to API method responses (not SCIM-related) and a new method `publicApi()` for handling public path `/pub/api` requests with no authentication required. In addition, the configuration option `bearerJwtAzure.tenantIdGUID` has been replaced by `bearerJwt.azureTenantId`. See the version history for details.
|
|
22
23
|
- Support for Entra ID [Federated Identity Credentials](https://learn.microsoft.com/en-us/graph/api/resources/federatedidentitycredentials-overview?view=graph-rest-1.0) has been added through internal JWKS (JSON Web Key Set), allowing SCIM Gateway to access Microsoft Entra–protected resources without the need to manage secrets
|
|
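Review bot: the new "Latest news" bullet promises "full management" of Entra ID Permanent and Eligible roles via `roles` but does not say what that depends on; since writing Permanent role assignments implies a directory-role write permission (the README's API permissions section in this same diff adds `RoleManagement.ReadWrite.Directory` and `RoleEligibilitySchedule.Read.Directory` for `map.user.roles`), add a short pointer here such as "requires the additional API permissions listed under Application permissions and the `map.user.roles` mapping" so a reader does not enable the feature before granting (or deliberately withholding) those permissions.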
@@ -1028,7 +1029,9 @@ For testing purposes we could get an Azure free account
|
|
|
1028
1029
|
- Application permissions
|
|
1029
1030
|
- Directory - Directory.ReadWriteAll
|
|
1030
1031
|
- Organization - Organization.ReadWrite.All
|
|
1031
|
-
- AuditLog - AuditLog.Read.All (
|
|
1032
|
+
- AuditLog - AuditLog.Read.All (required if using plugin configuration `map.user.signInActivity`)
|
|
1033
|
+
- RoleEligibilitySchedule - RoleEligibilitySchedule.Read.Directory (PIM Eligible roles; required if using plugin configuration `map.user.roles`)
|
|
1034
|
+
- RoleManagement - RoleManagement.ReadWrite.Directory' (PIM Permanent roles; required if using plugin configuration `map.user.roles`)
|
|
1032
1035
|
- Click "Add permissions"
|
|
1033
1036
|
- API permissions: - Grant Admin consent
|
|
1034
1037
|
Or we could go to Enterprise application to grant these consents:
|
|
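Review bot: the added line `RoleManagement - RoleManagement.ReadWrite.Directory' (PIM Permanent roles; ...)` has a stray trailing apostrophe after the permission name, which will mislead anyone copying it into the Graph permission search; drop the `'`. The permission names in this hunk also disagree with the change log later in the same diff: here PIM Eligible roles need `RoleEligibilitySchedule.Read.Directory`, while the change log says `RoleEligiblitySchedule.ReadWrite.All` (a different permission, and misspelled); pick the one the plugin actually calls with and use it in both places. Because `RoleManagement.ReadWrite.Directory` grants write access to directory role assignments, it would also help to state explicitly which narrower permission is sufficient when `roles` is only read, as the change log hints with "use only the Eligible permissions set to Read". While here, the unchanged context line `Directory - Directory.ReadWriteAll` is missing the dot before `All`.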
@@ -1049,10 +1052,7 @@ For testing purposes we could get an Azure free account
|
|
|
1049
1052
|
- Click Next
|
|
1050
1053
|
- Assignment type=Active and enable "Permanent assigned", add some justification text and click "Assign"
|
|
1051
1054
|
|
|
1052
|
-
Note: Entra ID has a role hierarchy, and running SCIM Gateway as a `User Administrator` has some limitations when administering users who have administrative roles. For full administrative access to all users, SCIM Gateway must have the `Global Administrator` role (`62e90394-69f5-4237-9190-012177145e10`).
|
|
1053
|
-
|
|
1054
|
-
Also note: The `plugin-entra-id.json` configuration file includes `map.user.signInActivity`. Using the `signInActivity` attribute requires an Entra ID Premium license and the API permission `AuditLog.Read.All`.
|
|
1055
|
-
**Remove this mapping configuration if these conditions are not met or override by configuring endpoint.entity.[baseEntity].skipSignInActivity = true**, otherwise provisioning will fail and errors such as `Authentication_RequestFromNonPremiumTenantOrB2CTenant` may occur.
|
|
1055
|
+
Note: Entra ID has a role hierarchy, and running SCIM Gateway as a `User Administrator` has some limitations when administering users who have administrative roles. For full administrative access to all users, SCIM Gateway must have the `Global Administrator` role (`62e90394-69f5-4237-9190-012177145e10`).
|
|
1056
1056
|
|
|
1057
1057
|
### SCIM Gateway configuration
|
|
1058
1058
|
|
|
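Review bot: deleting the "Also note" paragraph removes the only statement that `signInActivity` needs an Entra ID Premium license and that `Authentication_RequestFromNonPremiumTenantOrB2CTenant` is the symptom when it is missing; the new permissions list above only says `AuditLog.Read.All` is required. Keep one sentence on the license requirement, and since the change log says `skipSignInActivity` (introduced in v6.1.17) is "no longer used" and permissions are now validated at startup, say here what that validation does when the permission or license is absent (fail startup, or silently skip the attribute) and whether a leftover `endpoint.entity.[baseEntity].skipSignInActivity = true` from v6.1.17 is ignored or rejected.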
@@ -1304,6 +1304,21 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
|
|
|
1304
1304
|
|
|
1305
1305
|
## Change log
|
|
1306
1306
|
|
|
1307
|
+
### v6.1.19
|
|
1308
|
+
|
|
1309
|
+
[Fixed]
|
|
1310
|
+
|
|
1311
|
+
- SCIM v2.0 ResourceType endpoint schemas using incorrect id.
|
|
1312
|
+
|
|
1313
|
+
[Improved]
|
|
1314
|
+
|
|
1315
|
+
- SCIM Gateway now supports `GET /Roles` and `GET /Entitlements` endpoint requests, with corresponding user management via the standard SCIM `roles` and `entitlements` attributes.
|
|
1316
|
+
- plugin-entra-id: Uses `entitlements` for Entra ID licenses (read-only) and `roles` for Entra ID Permanent and Eligible roles (full management).
|
|
1317
|
+
- PIM Eligible roles requires API permissions `RoleEligiblitySchedule.ReadWrite.All`
|
|
1318
|
+
- PIM Permanent roles requires API permissions `RoleManagement.ReadWrite.Directory`
|
|
1319
|
+
- Remove mapping configuration `map.user.roles` if conditions not met (or use only the Eligible permissions set to Read if user role management is not needed).
|
|
1320
|
+
- The `skipSignInActivity` option, introduced in v6.1.17, is no longer used. Instead, permissions for both `signInActivity` and PIM roles are validated at startup.
|
|
1321
|
+
|
|
1307
1322
|
### v6.1.18
|
|
1308
1323
|
|
|
1309
1324
|
[Fixed]
|
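Review bot: in the v6.1.19 [Improved] entries, `RoleEligiblitySchedule.ReadWrite.All` is misspelled (Eligibility) and names a different permission from the `RoleEligibilitySchedule.Read.Directory` documented in the API permissions section of this README in the same diff; align the two so operators grant the permission the plugin actually needs rather than a broader one. The two bullets "PIM Eligible roles requires ..." and "PIM Permanent roles requires ..." should read "require". The bullet "Remove mapping configuration `map.user.roles` if conditions not met" sits next to "permissions for both `signInActivity` and PIM roles are validated at startup", so state which it is: does a missing permission stop the gateway, or is the attribute skipped and a warning logged, in which case the manual removal advice is only an optimisation.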