scimgateway 6.1.9 → 6.1.11
- package/README.md +26 -5
- package/bun.lock +9 -3
- package/config/plugin-entra-id.json +555 -538
- package/lib/azure-license-mapping.json +100 -0
- package/lib/helper-rest.ts +7 -7
- package/lib/plugin-entra-id.ts +332 -219
- package/lib/postinstall.ts +4 -2
- package/lib/scimdef-v1.json +32 -39
- package/lib/scimdef-v2.json +91 -2
- package/lib/scimgateway.ts +173 -68
- package/lib/utils-scim.ts +158 -79
- package/lib/utils.ts +2 -1
- package/package.json +2 -2
- package/test/lib/plugin-loki_test.ts +3 -1
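--- a/package/README.md
+++ b/package/README.md
@@ -1027,6 +1027,7 @@ For testing purposes we could get an Azure free account
 - Application permissions
 - Directory - Directory.ReadWriteAll
 - Organization - Organization.ReadWrite.All
+- AuditLog - AuditLog.Read.All (only required if using plugin configuration `map.user.signInActivity`)
 - Click "Add permissions"
 - API permissions: - Grant Admin consent
 Or we could go to Enterprise application to grant these consents:
@@ -1036,11 +1037,6 @@ For testing purposes we could get an Azure free account
 - In the logon dialog, logon as global administrator
 - In permissions request dialog, click "Accept"
 - Click "Refresh", directory and organization permissions are now listed and OK
-
-
-**Seems Application needs to be member of "User administrator" for having privileges to manage office/mobile phone on users that is member of any administrator roles**
-
-Also note, enable/disable user (accountEnabled - through Graph API) will fail if user have an "Administrator" role other than above mentioned "User Administrator" e.g. "Group Administrator"/"Application Administrator". To be sure we can enable/disable all users, application needs to be member of **"Global administrator"** - 62e90394-69f5-4237-9190-012177145e10.
 
 - Microsoft Entra ID - Manage - Roles and administrators
 - Search: User administrator
@@ -1052,6 +1048,11 @@ Also note, enable/disable user (accountEnabled - through Graph API) will fail if
 - Click Next
 - Assignment type=Active and enable "Permanent assigned", add some justification text and click "Assign"
 
+Note: Entra ID has a role hierarchy, and running SCIM Gateway as a `User Administrator` has some limitations when administering users who have administrative roles. For full administrative access to all users, SCIM Gateway must have the `Global Administrator` role (`62e90394-69f5-4237-9190-012177145e10`).
+
+Also note: The `plugin-entra-id.json` configuration file includes `map.user.signInActivity`. Using the `signInActivity` attribute requires an Entra ID Premium license and the API permission `AuditLog.Read.All`.
+**Remove this mapping configuration if these conditions are not met**, otherwise provisioning will fail and errors such as `Authentication_RequestFromNonPremiumTenantOrB2CTenant` may occur.
+
 ### SCIM Gateway configuration
 
 **Edit index.ts**
@@ -1303,6 +1304,26 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 
 ## Change log
 
+### v6.1.11
+
+[Fixed]
+
+- From v6.1.6, schemas are autogenerated when using `endpointMapper` (configuration `map.user` and `map.group`). Fixed incorrect schema generation logic.
+
+[Improved]
+
+- New endpoint `GET /Entitlements` and corresponding new plugin method `scimgateway.getEntitlements()`, which is currently used by plugin-entra-id.
+- plugin-entra-id: User license information through entitlements attribute.
+- plugin-entra-id: The `plugin-entra-id.json` configuration file includes `map.user.signInActivity`. Using the `signInActivity` attribute requires an Entra ID Premium license and the API permission `AuditLog.Read.All`.
+**Remove this mapping configuration if these conditions are not met**, otherwise provisioning will fail and errors such as `Authentication_RequestFromNonPremiumTenantOrB2CTenant` may occur.
+
+### v6.1.10
+
+[Fixed]
+
+- plugin-entra-id: user group membership now includes nested (transitive) groups (`direct` and `indirect`)
+- Docker example files `config/docker/.dockerignore` and `docker-compose-mssql.yml` were missing
+
 ### v6.1.9
 
 [Improved]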
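--- a/package/bun.lock
+++ b/package/bun.lock
@@ -14,7 +14,7 @@
 "@types/tedious": "^18.0.0",
 "dot-object": "^2.1.5",
 "fold-to-ascii": "^5.0.1",
-"https-proxy-agent": "^
+"https-proxy-agent": "^8.0.0",
 "hyco-https": "^1.4.5",
 "is-in-subnet": "^4.0.1",
 "jose": "^6.1.3",
@@ -384,7 +384,7 @@
 
 "acorn-jsx": ["acorn-jsx@5.3.2", "", { "peerDependencies": { "acorn": "^6.0.0 || ^7.0.0 || ^8.0.0" } }, "sha512-rq9s+JNhf0IChjtDXxllJ7g41oZk5SlXtp0LHwyA5cejwn7vKmKp4pPri6YEePv2PU65sAsegbXtIinmDFDXgQ=="],
 
-"agent-base": ["agent-base@
+"agent-base": ["agent-base@8.0.0", "", {}, "sha512-QT8i0hCz6C/KQ+KTAbSNwCHDGdmUJl2tp2ZpNlGSWCfhUNVbYG2WLE3MdZGBAgXPV4GAvjGMxo+C1hroyxmZEg=="],
 
 "ajv": ["ajv@6.12.6", "", { "dependencies": { "fast-deep-equal": "^3.1.1", "fast-json-stable-stringify": "^2.0.0", "json-schema-traverse": "^0.4.1", "uri-js": "^4.2.2" } }, "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g=="],
 
@@ -542,7 +542,7 @@
 
 "https": ["https@1.0.0", "", {}, "sha512-4EC57ddXrkaF0x83Oj8sM6SLQHAWXw90Skqu2M4AEWENZ3F02dFJE/GARA8igO79tcgYqGrD7ae4f5L3um2lgg=="],
 
-"https-proxy-agent": ["https-proxy-agent@
+"https-proxy-agent": ["https-proxy-agent@8.0.0", "", { "dependencies": { "agent-base": "8.0.0", "debug": "^4.3.4" } }, "sha512-YYeW+iCnAS3xhvj2dvVoWgsbca3RfQy/IlaNHHOtDmU0jMqPI9euIq3Y9BJETdxk16h9NHHCKqp/KB9nIMStCQ=="],
 
 "hyco-https": ["hyco-https@1.4.5", "", { "dependencies": { "crypto": "latest", "events": "latest", "https": "latest", "moment": "^2.22.2", "util": "latest", "ws": "^6.0.0" } }, "sha512-V9StoZf+GikbtiOBmUE1V8tzuiinox0XDU2YoCvD2vd09CYvyv2XU6gT4jP76WOVTcHSbCnci9l6EirESc9dzA=="],
 
@@ -774,6 +774,8 @@
 
 "@typescript-eslint/visitor-keys/eslint-visitor-keys": ["eslint-visitor-keys@5.0.1", "", {}, "sha512-tD40eHxA35h0PEIZNeIjkHoDR4YjjJp34biM0mDvplBe//mB+IHCqHDGV7pxF+7MklTvighcCPPZC7ynWyjdTA=="],
 
+"@typespec/ts-http-runtime/https-proxy-agent": ["https-proxy-agent@7.0.6", "", { "dependencies": { "agent-base": "^7.1.2", "debug": "4" } }, "sha512-vK9P5/iUfdl95AI+JVyUuIcVtd4ofvtrOr3HNtM2yxC9bnMbEdp3x01OhQNnjb8IJYi38VlTE3mBXwcfvywuSw=="],
+
 "eslint/@eslint-community/eslint-utils": ["@eslint-community/eslint-utils@4.9.0", "", { "dependencies": { "eslint-visitor-keys": "^3.4.3" }, "peerDependencies": { "eslint": "^6.0.0 || ^7.0.0 || >=8.0.0" } }, "sha512-ayVFHdtZ+hsq1t2Dy24wCmGXGe4q9Gu3smhLYALJrr473ZH27MsnSL+LKUlimp4BWJqMDMLmPpx/Q9R3OAlL4g=="],
 
 "eslint/eslint-visitor-keys": ["eslint-visitor-keys@5.0.1", "", {}, "sha512-tD40eHxA35h0PEIZNeIjkHoDR4YjjJp34biM0mDvplBe//mB+IHCqHDGV7pxF+7MklTvighcCPPZC7ynWyjdTA=="],
@@ -784,6 +786,8 @@
 
 "glob/minimatch": ["minimatch@3.1.2", "", { "dependencies": { "brace-expansion": "^1.1.7" } }, "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw=="],
 
+"http-proxy-agent/agent-base": ["agent-base@7.1.4", "", {}, "sha512-MnA+YT8fwfJPgBx3m60MNqakm30XOkyIoH1y6huTQvC0PwZG7ki8NacLBcrPbNoo8vEZy7Jpuk7+jMO+CUovTQ=="],
+
 "vasync/verror": ["verror@1.10.0", "", { "dependencies": { "assert-plus": "^1.0.0", "core-util-is": "1.0.2", "extsprintf": "^1.2.0" } }, "sha512-ZZKSmDAEFOijERBLkmYfJ+vmk3w+7hOLYDNkRCuRuMJGEmqYNCNLyBBFwWKVMhfwaEF3WOd0Zlw86U/WC/+nYw=="],
 
 "xml-crypto/xpath": ["xpath@0.0.32", "", {}, "sha512-rxMJhSIoiO8vXcWvSifKqhvV96GjiD5wYb8/QHdoRyQvraTpp4IEv944nhGausZZ3u7dhQXteZuZbaqfpB7uYw=="],
@@ -796,6 +800,8 @@
 
 "@typescript-eslint/typescript-estree/minimatch/brace-expansion": ["brace-expansion@2.0.2", "", { "dependencies": { "balanced-match": "^1.0.0" } }, "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ=="],
 
+"@typespec/ts-http-runtime/https-proxy-agent/agent-base": ["agent-base@7.1.4", "", {}, "sha512-MnA+YT8fwfJPgBx3m60MNqakm30XOkyIoH1y6huTQvC0PwZG7ki8NacLBcrPbNoo8vEZy7Jpuk7+jMO+CUovTQ=="],
+
 "eslint/@eslint-community/eslint-utils/eslint-visitor-keys": ["eslint-visitor-keys@3.4.3", "", {}, "sha512-wpc+LXeiyiisxPlEkUzU6svyS1frIO3Mgxj1fdy7Pm8Ygzguax2N3Fa/D/ag1WqbOprdI+uY6wMUl8/a2G+iag=="],
 
 "eslint/espree/acorn": ["acorn@8.16.0", "", { "bin": { "acorn": "bin/acorn" } }, "sha512-UVJyE9MttOsBQIDKw1skb9nAwQuR5wuGD3+82K6JgJlm/Y+KI92oNsMNGZCYdDsVtRHSak0pcV5Dno5+4jh9sw=="],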