npm - scimgateway - Versions diffs - 6.2.1 → 6.2.2 - Mend

scimgateway 6.2.1 → 6.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/README.md +1116 -3445
package/config/plugin-entra-id.json +3 -3
package/lib/helper-rest.ts +4 -4
package/lib/plugin-entra-id.ts +587 -187
package/lib/plugin-generic.ts +11 -0
package/lib/plugin-ldap.ts +15 -2
package/lib/plugin-loki.ts +11 -0
package/lib/plugin-mongodb.ts +11 -0
package/lib/plugin-mssql.ts +11 -0
package/lib/plugin-saphana.ts +11 -0
package/lib/plugin-soap.ts +11 -0
package/lib/scimgateway.ts +55 -37
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -1,3733 +1,1404 @@
-# SCIM Gateway
+# SCIM Gateway
-[![Build Status](https://app.travis-ci.com/jelhub/scimgateway.svg?branch=master)](https://app.travis-ci.com/github/jelhub/scimgateway) [![npm Version](https://img.shields.io/npm/v/scimgateway.svg?style=flat-square&label=latest)](https://www.npmjs.com/package/scimgateway)[![npm Downloads](https://img.shields.io/npm/dm/scimgateway.svg?style=flat-square)](https://www.npmjs.com/package/scimgateway) [![chat disqus](https://jelhub.github.io/images/chat.svg)](https://elshaug.xyz/docs/scimgateway#disqus_thread) [![GitHub forks](https://img.shields.io/github/forks/jelhub/scimgateway.svg?style=social&label=Fork)](https://github.com/jelhub/scimgateway)
+[![Build Status](https://app.travis-ci.com/jelhub/scimgateway.svg?branch=master)](https://app.travis-ci.com/github/jelhub/scimgateway)
+[![npm Version](https://img.shields.io/npm/v/scimgateway.svg?style=flat-square&label=latest)](https://www.npmjs.com/package/scimgateway)
+[![npm Downloads](https://img.shields.io/npm/dm/scimgateway.svg?style=flat-square)](https://www.npmjs.com/package/scimgateway)
+[![GitHub forks](https://img.shields.io/github/forks/jelhub/scimgateway.svg?style=social&label=Fork)](https://github.com/jelhub/scimgateway)
----
-**Author:** Jarle Elshaug
-**Validated through IdPs:**
+**Author:** [Jarle Elshaug](https://www.elshaug.xyz)
-*   Symantec/Broadcom Identity Manager
-*   Microsoft Entra ID
-*   One Identity Manager
-*   Okta
-*   Omada
-*   SailPoint/IdentityNow
----
+SCIM Gateway is a user provisioning bridge built with [Bun](https://bun.sh/) and [Node.js](https://nodejs.dev/) using TypeScript. It translates incoming SCIM 1.1/2.0 requests into endpoint-specific protocols — turning any destination into a SCIM-compatible interface without vendor lock-in.
-Latest news:
-- New `plugin-generic` replacing previous `plugin-scim`. This new plugin use the endpointMapper for flexible attribute mapping and also supports the new mapper option `valueMap` (e.g., group filtering and mapping).
-- Now supports `GET /Roles` and `GET /Entitlements` endpoint requests, with corresponding user management via the standard SCIM `roles` and `entitlements` attributes. The Entra ID plugin uses `entitlements` for Entra ID licenses (read-only) and `roles` for Entra ID Permanent and Eligible roles (full management).
-- Bun binary build is now supported, allowing SCIM Gateway to be compiled into a single executable binary for simplified deployment and execution. SCIM Gateway can now run as an ES module (TypeScript) in Node.js.
-- Major release **v6.0.0** introduces changes to API method responses (not SCIM-related) and a new method `publicApi()` for handling public path `/pub/api` requests with no authentication required. In addition, the configuration option `bearerJwtAzure.tenantIdGUID` has been replaced by `bearerJwt.azureTenantId`. See the version history for details.
-- Support for Entra ID [Federated Identity Credentials](https://learn.microsoft.com/en-us/graph/api/resources/federatedidentitycredentials-overview?view=graph-rest-1.0) has been added through internal JWKS (JSON Web Key Set), allowing SCIM Gateway to access Microsoft Entra–protected resources without the need to manage secrets
-- External JWKS (JSON Web Key Set) is now supported by JWT authentication, allowing external applications to access SCIM Gateway without the need to manage secrets
-- [Azure Relay](https://learn.microsoft.com/en-us/azure/azure-relay/relay-what-is-it) is now supported for secure and hassle-free outbound-only communication — with just one minute of configuration
-- [ETag](https://datatracker.ietf.org/doc/html/rfc7644#section-3.14) is now supported
-- [Bulk Operations](https://datatracker.ietf.org/doc/html/rfc7644#section-3.7) is now supported
-- Remote real-time log subscription for centralized logging and monitoring. Using browser `https://<host>/logger`, curl or custom client API - see configuration notes
-- By configuring the chainingBaseUrl, it is now possible to chain multiple gateways in sequence, such as `gateway1->gateway2->gateway3->endpoint`. In this setup, gateway behave like a reverse proxy, validating authorization at each step unless PassThrough mode is enabled. Chaining is also supported in stream subscriber mode
-- Email, onError and sendMail() supports more secure RESTful OAuth for Microsoft Exchange Online (ExO) and Google Workspace Gmail, alongside traditional SMTP Auth for all mail systems. HelperRest supports a wide range of common authentication methods, including basicAuth, bearerAuth, tokenAuth, oauth, oauthSamlBearer, oauthJwtBearer and Auth PassTrough
-- Major release **v5.0.0** marks a shift from JavaScript to native TypeScript and prioritizes [Bun](https://bun.sh/) over Node.js. This upgrade requires some modifications to existing plugins.
-- **BREAKING**: [SCIM Stream](https://elshaug.xyz/docs/scim-stream) is the modern way of user provisioning letting clients subscribe to messages instead of traditional IGA top-down provisioning. SCIM Gateway now offers enhanced functionality with support for message subscription and automated provisioning using SCIM Stream
-- Authentication PassThrough letting plugin pass authentication directly to endpoint for avoid maintaining secrets at the gateway. E.g., using Entra ID application OAuth
-- Supports OAuth Client Credentials authentication
-- Major release **v4.0.0** getUsers() and getGroups() replacing some deprecated methods. No limitations on filtering/sorting. Admin user access can be linked to specific baseEntities. New MongoDB plugin
-- ipAllowList for restricting access to allowlisted IP addresses or subnets e.g. Azure IP-range
-- General LDAP plugin configured for Active Directory
-- [PlugSSO](https://elshaug.xyz/docs/plugsso) using SCIM Gateway
-- Each authentication configuration allowing more than one admin user including option for readOnly
-- Codebase moved from callback of h... to the the promise(d) land of async/await
-- Supports configuration by environments and external files
-- Health monitoring through "/ping" URL, and option for error notifications by email
-- Entra ID user provisioning including license management e.g. Office 365, installed and configured within minutes!
-- Includes API Gateway for none SCIM/provisioning - becomes what you want it to become
-- Running SCIM Gateway as a Docker container
+![SCIM Gateway Architecture](https://jelhub.github.io/images/ScimGateway.svg)
 ---
-## Overview
+## Table of Contents
+- [SCIM Gateway](#scim-gateway)
+  - [Table of Contents](#table-of-contents)
+  - [What's New](#whats-new)
+  - [Included Plugins](#included-plugins)
+  - [Installation](#installation)
+    - [Prerequisites](#prerequisites)
+    - [Install SCIM Gateway](#install-scim-gateway)
+    - [Verify the Default Loki Plugin](#verify-the-default-loki-plugin)
+    - [Upgrading](#upgrading)
+  - [Configuration](#configuration)
+    - [Entry Point — `index.ts`](#entry-point--indexts)
+    - [Plugin File Naming](#plugin-file-naming)
+    - [Core Options](#core-options)
+    - [Authentication](#authentication)
+      - [Basic Authentication](#basic-authentication)
+      - [Bearer Token (Shared Secret)](#bearer-token-shared-secret)
+      - [JWT (Standard)](#jwt-standard)
+      - [OAuth Client Credentials](#oauth-client-credentials)
+      - [Authentication PassThrough](#authentication-passthrough)
+    - [IP Allow List](#ip-allow-list)
+    - [TLS \& Certificates](#tls--certificates)
+      - [Using PEM files](#using-pem-files)
+      - [Using PFX / PKCS#12](#using-pfx--pkcs12)
+      - [No TLS](#no-tls)
+    - [Email Notifications](#email-notifications)
+      - [Microsoft Exchange Online (OAuth)](#microsoft-exchange-online-oauth)
+      - [Google Workspace Gmail (OAuth)](#google-workspace-gmail-oauth)
+      - [SMTP Auth](#smtp-auth)
+    - [Azure Relay](#azure-relay)
+    - [Secrets from External Sources](#secrets-from-external-sources)
+    - [Remote Log Subscription](#remote-log-subscription)
+    - [Gateway Chaining](#gateway-chaining)
+    - [HelperRest](#helperrest)
+      - [Basic Auth](#basic-auth)
+      - [Entra ID — Client Secret](#entra-id--client-secret)
+      - [Entra ID — Certificate Secret](#entra-id--certificate-secret)
+      - [Entra ID — Federated Credentials (no secrets)](#entra-id--federated-credentials-no-secrets)
+      - [General OAuth (Client Credentials)](#general-oauth-client-credentials)
+    - [Single Binary Deployment](#single-binary-deployment)
+  - [Running the Gateway](#running-the-gateway)
+    - [Manual Startup](#manual-startup)
+    - [Windows Task Scheduler](#windows-task-scheduler)
+  - [Docker](#docker)
+    - [Single Image](#single-image)
+    - [Docker Compose](#docker-compose)
+  - [Identity Provider Integration](#identity-provider-integration)
+    - [Microsoft Entra ID as IdP](#microsoft-entra-id-as-idp)
+    - [Symantec/Broadcom Identity Manager as IdP](#symantecbroadcom-identity-manager-as-idp)
+  - [Entra ID Provisioning Plugin](#entra-id-provisioning-plugin)
+    - [Entra ID App Registration](#entra-id-app-registration)
+    - [Plugin Configuration](#plugin-configuration)
+    - [Using with Symantec/Broadcom (ConnectorXpress)](#using-with-symantecbroadcom-connectorxpress)
+  - [API Gateway](#api-gateway)
+  - [Building Custom Plugins](#building-custom-plugins)
+    - [Setup](#setup)
+    - [Mandatory Plugin Initialization](#mandatory-plugin-initialization)
+    - [Implementation Order](#implementation-order)
+    - [Plugin Methods](#plugin-methods)
+    - [Custom Schemas](#custom-schemas)
+  - [License](#license)
+  - [Change Log](#change-log)
+    - [v6.2.2](#v622)
+    - [v6.2.1](#v621)
+    - [v6.2.0](#v620)
+    - [v6.1.20](#v6120)
+    - [v6.1.19](#v6119)
+    - [v6.1.18](#v6118)
+    - [v6.1.17](#v6117)
+    - [v6.1.16](#v6116)
+    - [v6.1.15](#v6115)
+    - [v6.1.14](#v6114)
+    - [v6.1.13](#v6113)
+    - [v6.1.12](#v6112)
+    - [v6.1.11](#v6111)
+    - [v6.1.10](#v6110)
+    - [v6.1.9](#v619)
+    - [v6.1.8 / v6.1.7](#v618--v617)
+    - [v6.1.6](#v616)
+    - [v6.1.5](#v615)
+    - [v6.1.4](#v614)
+    - [v6.1.3](#v613)
+    - [v6.1.2](#v612)
+    - [v6.1.1](#v611)
+    - [v6.1.0](#v610)
+    - [v6.0.0 — Major](#v600--major)
+    - [v5.x — Previous Major Series](#v5x--previous-major-series)
-SCIM Gateway facilitates user management using the standardized REST-based SCIM 1.1 or 2.0 protocol, offering easier, more powerful, and consistent provisioning while avoiding vendor lock-in. Acting as a translator for incoming SCIM requests, the gateway seamlessly enables CRUD functionality (create, read, update, and delete) for users and groups. By implementing endpoint-specific protocols, it ensures provisioning across diverse destinations. With the gateway, your destinations become SCIM-compatible interfaces, streamlining integration and simplifying user management.
+---
-![](https://jelhub.github.io/images/ScimGateway.svg)
+## What's New
+- **`plugin-entra-id`** now supports Entra ID roles and access packages, in addition to reading licenses.
+- **`plugin-generic`** replaces `plugin-scim` — a flexible template using `endpointMapper` with the new `valueMap` option for allowlisting and name mapping e.g., groups
+- **`GET /Roles` and `GET /Entitlements`** endpoint support, with user management via SCIM `roles` and `entitlements` attributes; `plugin-entra-id` uses `entitlements` for Entra ID licenses (read-only) and `roles` for Permanent and Eligible PIM roles (full management)
+- **AI Agent ready** — `x-agent-schema` configuration in `endpointMapper` enables custom schema generation with MCP tool instructions for autonomous provisioning agents
+- **Bun binary builds** — compile a plugin into a single executable for simplified deployment
+- **ES module / TypeScript support in Node.js** via `tsx`
+- **v6.0.0** — API method response bodies returned as-is; new `publicApi()` method for unauthenticated `/pub/api` routes; `bearerJwtAzure.tenantIdGUID` replaced by `bearerJwt.azureTenantId`
+- **Federated Identity Credentials** (Entra ID) — access Microsoft-protected resources without managing secrets, via internal JWKS
+- **External JWKS** support for JWT authentication
+- **Azure Relay** — secure outbound-only tunnel with one minute of setup (~$10/month per listener)
+- **ETag** and **Bulk Operations** support (SCIM RFC 7644)
+- **Remote real-time log subscription** via browser, curl, or custom client at `https://<host>/logger`
+- **Gateway chaining** — chain `gateway1 → gateway2 → gateway3 → endpoint` with reverse-proxy-style auth validation
+- **OAuth for email** — Microsoft Exchange Online and Google Workspace Gmail alongside traditional SMTP Auth
+- [SCIM Stream](https://elshaug.xyz/docs/scim-stream) — subscribe-based provisioning as an alternative to top-down IGA polling
-SCIM Gateway is built on the modern, asynchronous, event-driven framework [Bun](https://bun.sh/) or [Node.js](https://nodejs.dev/) using TypeScript/JavaScript. It is designed to be cloud and firewall friendly, runs on nearly all operating systems
+---
-The following fully functional plugins are included for demonstration and production use:
+## Included Plugins
 | Plugin | Endpoint Type | Description |
-| :--- | :--- | :--- |
-| **Loki** | NoSQL Database | Transforms the SCIM Gateway into a standalone SCIM endpoint utilizing the internal [LokiJS](https://github.com/techfort/LokiJS) database. Includes two test users and groups |
-| **MongoDB** | NoSQL Database | Similar to the Loki plugin, but using an externally managed MongoDB database, showcasing multi-tenant and multi-endpoint capabilities via `baseEntity` |
-| **Entra ID** | REST Webservices | Entra ID user provisioning via Microsoft Graph API |
-| **Generic** | REST Webservice | Generic template plugin configured to use plugin-loki as a SCIM provisioning endpoint. Supports the endpointMapper `valueMap` option for allowlisting and mapping (e.g., groups). Can also be used as a SCIM version gateway (e.g., 1.1 => 2.0) |
-| **API** | REST Webservices | A non-SCIM plugin demonstrating API Gateway functionality for custom REST specifications |
-| **Soap** | SOAP Webservice | Demonstrates user provisioning to a SOAP-based endpoint with example WSDLs |
-| **MSSQL** | Database | Demonstrates user provisioning to an MSSQL database |
-| **SAP HANA** | Database | Demonstrates SAP HANA-specific user provisioning |
-| **LDAP** | Directory | A fully functional LDAP plugin pre-configured for Microsoft Active Directory |
-## Installation
-To get started with SCIM Gateway, follow the instructions below.
-#### Install Bun
-[Bun](https://bun.sh/) is a prerequisite and must be installed
-Note, Bun installs by default in the current user’s `HOMEPATH\.bun`. To install it elsewhere, set `BUN_INSTALL=<install-path>` as a global or system environment variable before installing. The installation will add Bun to the current user’s path, but consider adding it to the global or system path for easier access across all users.
-#### SCIM Gateway Installation
-Create a package directory and install the SCIM Gateway:
-	mkdir c:\my-scimgateway
-	cd c:\my-scimgateway
-	bun init -y
-	bun install scimgateway
-	bun pm trust scimgateway
-index.ts, lib and config directories containing example plugins are copied to your package. The command `bun pm trust scimgateway` is required to allow the `postinstall` script to copy these files.
-#### Startup and verify default Loki plugin
-	bun c:\my-scimgateway
-	Start a browser
-	http://localhost:8880/ping
-	=> Returns a health check with a "hello" response
-	http://localhost:8880/Users
-	http://localhost:8880/Groups
-	=> Logon using gwadmin/password and two users and groups should be listed
-	Start a new browser for remote log monitoring
-	using url: http://localhost:8880/logger
-	http://localhost:8880/Users/bjensen
-	http://localhost:8880/Groups/Admins
-	or
-	http://localhost:8880/Users?filter=userName eq "bjensen"
-	http://localhost:8880/Groups?filter=displayName eq "Admins"
-	=> Lists all attributes for specified user/group
-	http://localhost:8880/Groups?filter=displayName eq "Admins"&excludedAttributes=members
-	http://localhost:8880/Groups?filter=members.value eq "bjensen"&attributes=id,displayName,members.value
-	http://localhost:8880/Users?filter=userName eq "bjensen"&attributes=userName,id,name.givenName
-	http://localhost:8880/Users?filter=meta.created ge "2010-01-01T00:00:00Z"&attributes=userName,name.familyName,meta.created
-	http://localhost:8880/Users?filter=emails.value co "@example.com"&attributes=userName,name.familyName,emails&sortBy=name.familyName&sortOrder=descending
-	=> Filtering and attribute examples
-	"Ctrl + c" to stop the SCIM Gateway
-> For Node.js, the startup command is:
-`node --import=tsx ./index.ts`
-#### Upgrade Process
-The recommended upgrade method is to rename the existing package folder, perform a fresh installation, and then copy your custom `index.ts`, `config`, and `lib` folders from the previous installation.
-- Minor Upgrade: `bun install scimgateway`
-- Major Upgrade: `bun install scimgateway@latest` (Use with caution, as it may break compatibility with existing custom plugins)
-##### Avoid (re-)adding the example plugins created during `postinstall`
-For production we do not need example plugins to be incuded by the `postinstall` job
-Bun will by default exlude any `postinstall` jobs unless we have trusted the scimgateway package using the `bun pm trust scimgateway` that updates package.json `{ trustedDependencies: ["scimgateway"] }`
-For Node.js (and also Bun), we might set the property `scimgateway_postinstall_skip = true` in `.npmrc` or setting environment `SCIMGATEWAY_POSTINSTALL_SKIP = true`
-## Configuration
-The `index.ts` file spesifies one or more plugins to be started.
-	// start one or more plugins:
-	import './lib/plugin-entra-id.ts'
-	export {}
-Each endpoint plugin needs a TypeScript file (.ts) and a configuration file (.json).
-They both must have the **same naming prefix**. For the Entra ID endpoint, the corresponding files are:
->lib\plugin-entra-id.ts
->config\plugin-entra-id.json
-A plugin configuration file has two main JSON objects: `scimgateway` and `endpoint`
-	{
-	  "scimgateway": {
-	    ...
-	  },
-	  "endpoint": {
-	    ...
-	  }
-	}
-`scimgateway`: Contains fixed attributes used by the core gateway functionality, such as port, logging, and authentication.
-`endpoint`: Contains customized definitions required by the plugin code for communication with the destination system, including host, port, and credentials.
-- **port**: The gateway will listen on this port number. Clients, such as a provisioning server, will use this port to communicate with the gateway.
-- **localhostonly**: Set to `true` to accept incoming requests only from localhost (127.0.0.1). Set to `false` to accept requests from all clients.
-- **chainingBaseUrl**: The base URL for chaining another gateway, with the syntax `http(s)://host:port`. When defined, the gateway behaves like a reverse proxy, validating authorization unless PassThrough mode is enabled. See `Configuration notes` for details.
-- **idleTimeout**: The number of seconds to wait before timing out a connection due to inactivity. The default value is 120 seconds.
-- **scim.version**: Specifies the SCIM protocol version to use, either "1.1" or "2.0". The default is "2.0".
-- **scim.skipTypeConvert**: When set to `true`, multivalue attributes with types (e.g., emails, phoneNumbers, ims, photos, addresses, entitlements, and x509Certificates, but not roles, groups, and members) will not be converted into "type converted objects" when sent to `modifyUser` and `createUser`. This is useful for simplifying attribute checks and for the `endpointMapper` method used by `plugin-ldap` and `plugin-entra-id`. For example:
-		"emails": {
-		  "work": {"value": "jsmith@example.com", "type": "work"},
-		  "home": {"value": "", "type": "home", "operation": "delete"},
-		  "undefined": {"value": "jsmith@hotmail.com"}
-		}
-        When `skipTypeConvert` is set to `true`, the attribute is provided "as-is" as an array, allowing duplicate types including blank types. Values to be deleted are marked with `"operation": "delete"`.
-		"emails": [
-		  {"value": "jsmith@example.com", "type": "work"},
-		  {"value": "john.smith.org", "type": "home", "operation": "delete"},
-		  {"value": "jsmith@hotmail.com"}
-		]
-- **scim.skipMetaLocation**: When set to `true`, the `meta.location` attribute, which contains the protocol and hostname from the request URL, will be excluded from the response (e.g., `"{...,meta":{"location":"https://my-company.com/<...>"}}`). This is useful when using a reverse proxy and not including the `X-Forwarded-Proto` and `X-Forwarded-Host` headers, as the originator will be the proxy and the internal protocol and hostname should not be exposed.
-- **scim.groupMemberOfUser**: When set to `true`, and the request body contains groups, the `groups` attribute will remain on the user object (groups are members of the user). The default behavior is for the user to be a member of the groups, which uses the `modifyGroup` method to maintain group members.
-- **scim.usePutSoftSync** - true or false, default false. `PUT /Users/bjensen` will replace the user bjensen with body content. If set to `true`, only PUT body content will be replaced. Any additional existing user attributes and groups supported by plugin will remain as-is.
-- **log.loglevel.file** - off, debug, info, warn or error. Default off. Output to plugin-logfile e.g. `logs\plugin-saphana.log`
-- **log.loglevel.console** - off, debug, info, warn or error. Default off. Output to stdout and errors to stderr
-- **log.loglevel.push** - debug, info, warn or error. Default info. Push to stream used by remote real-time log subscription
-- **log.logDirectory** - custom defined log directory e.g. `/var/log/scimgateway` that will override default `<scimgateway path>/logs`. If not exist it will be created.
-- **log.customMasking** - array of attributes to be masked e.g. `"customMasking": ["SSN", "weight"]`. By default SCIM Gateway includes masking of some standard attributes like password.
-- **log.colorize** - default true, gives colorized and minimized console output, if redirected to stdout/stderr standard JSON formatted output and no colors. Set to false give standard JSON
-- **log.maxSize** - default 20 (MB) log file size
-- **log.maxFiles** - default 5, keep only the last 5 logs - note, new and rotated file on startup
-- **auth** - Contains one or more authentication/authorization methods used by clients for accessing gateway - may also include:
-  - **auth.xx.readOnly** - true/false, true gives read only access - only allowing `GET` requests for corresponding admin user
-  - **auth.xx.baseEntities** - array containing one or more `baseEntity` allowed for this user e.g. ["client-a"] - empty array allowing all.
-  **Methods are disabled by setting corresponding admin user to null or remove methods not used**
-- **auth.basic** - Array of one ore more basic authentication objects - Basic Authentication with **username**/**password**. Note, we set a clear text password that will become encrypted when gateway is started.
-- **auth.bearerToken** - Array of one or more bearer token objects - Shared token/secret (supported by Entra ID). Clear text value will become encrypted when gateway is started.
-- **auth.bearerJwt** - Array of one or more standard JWT objects. Using **secret**, **publicKey**, **wellKnownUri** or **azureTenantId** for signature verification. publicKey should be set to the filename of public key or certificate pem-file located in `<package-root>\config\certs` or absolute path being used. Clear text secret will become encrypted when gateway is started. For JWKS (JSON Web Key Set), the **wellKnownUri** must be set to identity provider well-known URI which will be used for lookup the jwks_uri key. **options.issuer** should normally be set for validation when using secret or publicKey, for JWKS (wellKnownUri), the issuer will be included automatically. Other options may also be included according to the JWT standard. When using Azure Entra ID provisioning through scimgateway, set **azureTenantId** to the Entra tenant id. When using Entra ID application accessing gateway use: `wellKnownUri=https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration` and `options.audience={application-id}`
-- **auth.bearerOAuth** - Array of one or more Client Credentials OAuth configuration objects. **`clientId`** and **`clientSecret`** are mandatory. clientSecret value will become encrypted when gateway is started. OAuth token request url is **/oauth/token** e.g. `http://localhost:8880/oauth/token`
-- **auth.passThrough** - Setting **auth.passThrough.enabled=true** will bypass SCIM Gateway authentication. Gateway will instead pass ctx containing authentication header to the plugin. Plugin could then use this information for endpoint authentication and we don't have any password/token stored at the gateway. Note, this also requires plugin binary having `scimgateway.authPassThroughAllowed = true` and endpoint logic for handling/passing ctx.request.header.authorization
-- **certificate** - If not using TLS certificate, set "key", "cert" and "ca" to **null**. When using TLS, "key" and "cert" have to be defined with the filename corresponding to the primary-key and public-certificate. Both files must be located in the `<package-root>\config\certs` directory unless absolute path being defined e.g:
-		"certificate": {
-		  "key": "key.pem",
-		  "cert": "cert.pem",
-		  "ca": "ca.pem" // if several: "ca": ["ca1.pem", "ca2.pem"]
-		}
-	Example of how to make a self signed certificate:
-		openssl req -nodes -newkey rsa:2048 -x509 -sha256 -days 3650 -keyout key.pem -out cert.pem -subj "/O=My Company/OU=Application/CN=SCIM Gateway" -addext "subjectAltName=DNS:localhost,DNS:127.0.0.1,DNS:*.mycompany.com" -addext "extendedKeyUsage=serverAuth" -addext "keyUsage=digitalSignature"
-    Note, when using Symantec/Broadcom Provisioning, the "certificate authority - CA" also must be imported on the Connector Server. For self-signed certificate, CA and the certificate (public key) is the same.
-    PFX / PKCS#12 bundle can be used instead of key/cert/ca e.g:
+|---|---|---|
+| **loki** | NoSQL | Standalone SCIM endpoint using [LokiJS](https://github.com/techfort/LokiJS). Includes test users and groups. Ideal for development. |
+| **mongodb** | NoSQL | Like Loki but backed by an external MongoDB. Demonstrates multi-tenant via `baseEntity`. |
+| **entra-id** | REST | Users/Groups/Roles/AccessPackages/Licenses provisioning to Microsoft Entra ID via Microsoft Graph API. |
+| **generic** | REST | Generic template using `endpointMapper` and the `valueMap` option for allowlisting and name mapping e.g., groups. Defaults to plugin-loki as the SCIM target. Can also act as a SCIM version gateway (e.g. 1.1 → 2.0). |
+| **api** | REST | Non-SCIM plugin demonstrating API Gateway mode for custom REST specifications. |
+| **soap** | SOAP | User provisioning to a SOAP-based endpoint with example WSDLs. |
+| **mssql** | SQL | User provisioning to Microsoft SQL Server. |
+| **saphana** | SQL | SAP HANA–specific user provisioning. |
+| **ldap** | Directory | Full LDAP plugin pre-configured for Microsoft Active Directory. |
-        "pfx": {
-          "bundle": "certbundle.pfx",
-          "password": "password"
-        }
-	Note, we should normally use certificate (https) for communicating with SCIM Gateway unless we install gateway locally on the manager (e.g. on the provisioning Connector Server). When installed on the manager, we could use `http://localhost:port` or `http://127.0.0.1:port` which will not be passed down to the data link layer for transmission. We could then also set {"localhostonly": true}
-- **ipAllowList** - Array of one or more IPv4/IPv6 subnets (CIDR) allowed for incoming traffic.  E.g. using Entra ID as IdP, we would like to restrict access to IP addresses used by Azure. Azure IP-range can be downloaded from: [https://azureipranges.azurewebsites.net](https://azureipranges.azurewebsites.net), enter **AzureActiveDirectory** in the search list and select JSON download. Copy the "addressPrefixes" array content and paste into ipAllowList array. CIDR single IP-host syntax is a.b.c.d/32. Note, front-end HTTP proxy or a load balancer must include client IP-address in the **X-Forwarded-For** header. Configuration example:
-        "ipAllowList": [
-          "13.64.151.161/32",
-          "13.66.141.64/27",
-          ...
-          "2603:1056:2000::/48",
-          "2603:1057:2::/48"
-        ]
-- **email** - Sending email from plugin or automated error notifications emailOnError. For emailOnError only the first error will be sent until sendInterval have passed. Supporting both SMTP Auth and modern REST OAuth. For OAuth, currently Microsoft Exchange Online (ExO) and Google Workspace Gmail are supported - see configuration notes
-- **email.auth** - Authentication configuration
-- **email.auth.type** - `oauth` or `smtp`
-- **email.auth.options** - Authentication options - note, different options for type oauth and smtp
-- **email.auth.options.azureTenantId (oauth/ExO)** - Entra tenant id or domain name
-- **email.auth.options.clientId (oauth/ExO)** - Entra OAuth application Client ID
-- **email.auth.options.clientSecret (oauth/ExO)** - Entra OAuth application Client Secret
-- **email.auth.options.serviceAccountKeyFile (oauth/Gmail)** - Google Service Account key json-file name located in the `package-root>\config\certs` directory unless absolute path being defined
-- **email.auth.options.host (smtp)** - Mailserver e.g. "smtp.gmail.com" - mandatory for smtp
-- **email.auth.options.port (smtp)** - Port used by mailserver e.g. 587, 25 or 465 - mandatory for smtp
-- **email.auth.options.username (smtp)** - Mail account for authentication normally same as sender of the email, e.g. "user@gmail.com"
-- **email.auth.options.password (smtp)** - Mail account password
-- **email.proxy** - Proxy configuration if using mailproxy
-- **email.proxy.host** - Proxy host e.g. `http://proxy-host:1234`
-- **email.proxy.username** - username if authentication is required
-- **email.proxy.password** - password if authentication is required
-- **email.emailOnError** - Contains configuration for sending error notifications by email. Note, only the first error will be sent until sendInterval have passed
-- **email.emailOnError.enabled** - true or false, value set to true will enable email notifications
-- **email.emailOnError.sendInterval** - Default 15. Mail notifications on error are deferred until sendInterval **minutes** have passed since the last notification
-- **email.emailOnError.from** - Sender email addresses e.g: "noreply@example.com". **Mandatory for oauth**. For smtp email.auth.options.username will be used
-- **email.emailOnError.to** - Comma separated list of recipients email addresses e.g: "someone@example.com"
-- **email.emailOnError.cc** - Optional comma separated list of cc mail addresses
-- **email.emailOnError.subject** - Optional mail subject, default `SCIM Gateway error message`
-- **azureRelay** - Azure Relay outbound listener
-- **azureRelay.enabled** - true or false, true will enable the Azure Relay listener
-- **azureRelay.connectionUrl** - `https://<namespace-name>.servicebus.windows.net/<hybrid-connection-name>` - `<namespace-name>` is the name of the Relay created and `<hybrid-connection-name>` is the name of the Hybrid Connection entity created in the Relay
-- **azureRelay.apiKey** - The `Private Key` found in the `Shared access policy` (RootManageSharedaccessKey)
-- **azureRelay.keyRule** - Optional, the `Shared access policy` name - default using `RootManageSharedaccessKey`
-- **stream** - See [SCIM Stream](https://elshaug.xyz/docs/scim-stream) for configuration details
-- **endpoint** - Contains endpoint specific configuration according to customized **plugin code**.
-### Configuration notes - general
-- Custom Schemas, ServiceProviderConfig and ResourceType can be used if `./lib/scimdef-v2.json or scimdef-v1.json` exists. Original scimdef-v2.json/scimdef-v1.json can be copied from node_modules/scimgateway/lib to your plugin/lib and customized.
-- Using reverse proxy and we want ipAllowList and correct meta.location response, following headers must be set by proxy: `X-Forwarded-For`, `X-Forwarded-Proto` and `X-Forwarded-Host`
-- Setting environment variable `SEED` with some random characters will override default password seeding logic. This also allow copying configuration file with encrypted secrets from one machine to another.
-- All configuration can be set based on environment variables. Syntax will then be `"process.env.<ENVIRONMENT>"` where `<ENVIRONMENT>` is the environment variable used. E.g. scimgateway.port could have value "process.env.PORT", then using environment variable PORT.
-- All configuration values can be moved to a single external file having JSON dot notation content with plugin name as parent JSON object. Syntax in original configuration file used by the gateway will then be `"process.file.<path>"` where `<path>` is the file used. E.g. key endpoint.password could have value "process.file./var/run/vault/secrets.json"
-- All configuration values can be moved to multiple external files, each file containing one single value. Syntax in original configuration file used by the gateway will then be `"process.text.<path>"` where `<path>` is the file which contains raw (`UTF-8`) character value. E.g. key endpoint.password could have value "process.text./var/run/vault/endpoint.password".
-	Example:
-		{
-		  "scimgateway": {
-		    ...
-		    "port": "process.env.PORT",
-		    ...
-		    "loglevel": {
-		      "file": "process.env.LOG_LEVEL_FILE",
-		      ...
-		    "auth": {
-		      "basic": [
-		        {
-		          "username": "process.file./var/run/vault/secrets.json",
-		          "password": "process.file./var/run/vault/secrets.json"
-		        },
-		        ...
-		      ],
-		      "bearerJwt": [
-		         "secret": "process.text./var/run/vault/jwt.secret",
-		         "publicKey": "process.text./var/run/vault/jwt.pub",
-				 ...
-			  ],
-		      ...
-		    },
-		  "endpoint": {
-		    ...
-		    "username": "process.file./var/run/vault/secrets.json",
-		    "password": "process.file./var/run/vault/secrets.json",
-		    ...
-		  }
-		}
-    jwt.secret file content example:
-    	thisIsSecret
-	secrets.json file content example for plugin-soap:
-		{
-		  "plugin-soap.scimgateway.auth.basic[0].username": "gwadmin",
-		  "plugin-soap.scimgateway.auth.basic[0].password": "password",
-		  "plugin-soap.endpoint.username": "superuser",
-		  "plugin-soap.endpoint.password": "secret"
-		}
-### Configuration notes - Email, using Microsoft Exchange Online (ExO)
-- Entra ID application must have application permissions `Mail.Send`
-- To prevent the sending of emails from any defined mailboxes, an ExO `ApplicationAccessPolicy` must be defined through PowerShell.
-	First create a mail-enabled security-group that only includes those users (mailboxes) the application is allowed to send from
-	Note, `mail enabled security group` cannot be created from portal, only from admin or admin.exchange console
-		##Connect to Exchange
-		Install-Module -Name ExchangeOnlineManagement
-		Connect-ExchangeOnline
-		##Create ApplicationAccessPolicy
-		New-ApplicationAccessPolicy -AppId <AppClientID> -PolicyScopeGroupId <MailEnabledSecurityGrpId> -AccessRight RestrictAccess -Description "Restrict app to specific mailboxes"
-### Configuration notes - Email, using Google Workspace Gmail
-- https://console.cloud.google.com
-	- IAM & Admin > Service Accounts > Create Service Account
-		- Name=email-sender
-		- Create and Continue
-		- Grant this service account access to project - not needed
-		- Grant users access to this service - not needed
-	- IAM & Admin > Service Accounts > "email-sender" account > Keys
-		- Add Key > Create new key > JSON
-		- download json Service Account Key file, refere to configuration `email.auth.options.serviceAccountKeyFile`
-- https://admin.google.com
-	- Security > Access and data control > API controls
-		- Manage Domain Wide Delegation > Add new
-		- Client ID = id of service account created
-		- OAuth scope = `https://www.googleapis.com/auth/gmail.send`
-- https://admin.google.com
-	- Billing > Subscriptions - verify Google Workspace license
-	- Directory > Users > "user"
-	- Licenses > Edit > enable Google Workspace license
-	`email.emailOnError.from` mail address must have Google Workspace license
-### Configuration notes - Gateway chainging and chainingBaseUrl
-By configuring the `chainingBaseUrl`, it is possible to chain multiple gateways in sequence, such as `gateway1->gateway2->gateway3->endpoint`. In this setup, gateway behave much like a reverse proxy, validating authorization at each step unless PassThrough mode is enabled. Chaining is also supported in stream subscriber mode
-	{
-	  "scimgateway": {
-	    ...
-	    "chainingBaseUrl": "https:\\gateway2:8880",
-	    ...
-	    "auth": {
-	      ...
-	      "passThrough": {
-	        "enabled": false,
-	        "readOnly": false,
-	        "baseEntities": []
-	      }
-		  ...
-	    }
-	  },
-	  ...
-	}
-Using above configuration example on gateway1, incoming requests will be routed to `https:\\gateway2:8880`
-The plugin and its associated authentication configuration can mirror the setup running on the final gateway. However, in chaining mode, the plugin binary is used solely for initializing and configuring the gateway. This allows for the use of a simplified `plugin-<name>.ts` binary containing only the essential mandatory components:
-	// start - mandatory plugin initialization
-	const ScimGateway: typeof import('scimgateway').ScimGateway = await (async () => {
-	  try {
-	    return (await import('scimgateway')).ScimGateway
-	  } catch (err) {
-	    const source = './scimgateway.ts'
-	    return (await import(source)).ScimGateway
-	  }
-	})()
-	const scimgateway = new ScimGateway()
-	const config = scimgateway.getConfig()
-	scimgateway.authPassThroughAllowed = false
-	// end - mandatory plugin initialization
-Using `scimgateway.authPassThroughAllowed = true` and `plugin-<name>.json` configuration `scimgateway.auth.passThrough=true` enables Authentication PassTrhough
-### Configuration notes - HelperRest used by plugins
-For REST endpoints, plugins may use HelperRest to simplify authentication and communication
-doRequest() executes REST request and return response
-`doRequest(<baseEntity>, <method>, <path>, <body>, <ctx>, <options>)`
-* baseEntity - 'undefined' if not used and must correspond with endpoint configuration that defines baseUrls and connection options.
-* method - GET, PATCH, PUT, DELETE
-* path - either full url or just the path that will be added to baseUrl. Using full url will override baseUrl. Using path is preferred because of auth caching logic and simplicity
-* body - optional body to be used
-* ctx - optional, passing authorization header if Auth PassThrough is enabled
-* opt - optional, connection options that will extend/override any endpoint.entity.undefined.connection definitions
-Configuration showing connection settings:
-	{
-	  "scimgateway": {
-	    ...
-	  }
-	  "endpoint": {
-	    "entity": {
-	      "undefined": {
-	        "connection": {
-	          "baseUrls": [],
-	          "auth": {
-	            "type": "xxx",
-	            "options": {
-	              ...
-	              "jwtPayload": {},
-	              "samlPayload": {},
-	              "tls": {} // files located in ./config/certs
-	            }
-	          },
-	          "options": {
-	            "headers": {},
-	            "tls": {} // files located in ./config/certs
-	          },
-	          "proxy": {}
-	        }
-	      }
-	    }
-	  }
-	}
-* baseUrls - Endpoint URL. Several may be defined for failower. There are retry logic on connection failures
-* auth.type - defines authentication being used: `basic`, `oauth`, `token`, `bearer`, `oauthSamlBearer` or `oauthJwtBearer`
-* auth.options - for each valid type there are different options. azureTenantId is special for Entra ID and serviceAccountKeyFile is special for Google. Using these will simplify and reduce options to be included. Also note we do not need to include baseUrls when using azureTenantId/serviceAccountKeyFile as long as endpoint is Entra ID (Microsoft Graph) or Google.
-Example using basic auth:
-	"connection": {
-	  "baseUrls": [
-	    "https://localhost:8880"
-	  ],
-	  "auth": {
-	    "type": "basic",
-	    "options": {
-	      "username": "gwadmin",
-	      "password": "password"
-	    }
-	  },
-	  "options": {
-	    "tls": {
-	      "rejectUnauthorized": false,
-	      "ca": "ca.pem"
-	    }
-	  }
-	}
-Example Entra ID (plugin-entra-id) using clientId/clientSecret:
-	"connection": {
-	  "baseUrls": [],
-	  "auth": {
-	    "type": "oauth",
-	    "options": {
-	      "azureTenantId": "<tenantId>",
-	      "clientId": "<clientId>",
-	      "clientSecret": "<clientSecret>"
-	    }
-	  }
-	}
-Example Entra ID (plugin-entra-id) using certificate secret:
-	"connection": {
-	  "baseUrls": [],
-	  "auth": {
-	    "type": "oauthJwtBearer",
-	    "options": {
-	      "azureTenantId": "<tenantId>",
-	      "clientId": "<clientId>",
-	      "tls": {
-	        "key": "key.pem",
-	        "cert": "cert.pem"
-	      }
-	    }
-	  }
-	}
-Example Entra ID (plugin-entra-id) using federated credentials:
-	"connection": {
-	  "baseUrls": [],
-	  "auth": {
-	    "type": "oauthJwtBearer",
-	    "options": {
-	      "azureTenantId": "<tenantId>",
-	      "fedCred": {
-	        "issuer": "<https://FQDN-scimgateway>",
-	        "subject": "<entra id application object id - client id>",
-	        "name": "<entra id federated credentials unique name>"
-	      }
-	    }
-	  }
-	}
-  	// Note, fedCred configuration must match corresponding configuration in Entra ID Application - Certificates & Secrets - Federated credentials - scenario "Other issuer"
-	// example issuer: "https://scimgateway.my-company.com" note, this scimgateway base URL must be reachable from the internet
-	// example name: "plugin-entra-id"
-Example using general OAuth:
-	"connection": {
-	  "baseUrls": [<"endpointUrl">],
-	  "auth": {
-	    "type": "oauth",
-	    "options": {
-	      "tokenUrl": "<tokenUrl>"
-	      "clientId": "<clientId>",
-	      "clientSecret": "<clientSecret>"
-	    }
-	  }
-	}
-Please see code editor method HelperRest doRequest() IntelliSense for type and option details
-### Configuration notes - Remote real-time log subscription
-Using remote real-time log subscription we may implement custom logic like monitoring and centralized logging
-- browser and url: https://host/logger
-- curl with -u or -H "Authorization: Bearer secret"
-	```
-	curl -Ns http://localhost:8880/logger -u gwadmin:password | awk '
-	/^data: / {sub(/^data: /,""); printf "%s", $0; last=1; next}
-	/^$/ {if (last) print ""; last=0}
-	'
-	```
-- custom client API (see example below)
-- not supported by Azure Relay
-We may configure read-only user/secret for log collection purpose
-	"auth": {
-	  "basic": [
-	    {
-	      "username": "gwadmin",
-	      "password": "password",
-	      "readOnly": false,
-	      "baseEntities": []
-	    },
-	    {
-	      "username": "gwread",
-	      "password": "password",
-	      "readOnly": true,
-	      "baseEntities": []
-	    }
-	  ],
-	  "bearerToken": [
-	    {
-	      "token": "secret",
-	      "readOnly": true,
-	      "baseEntities": []
-	    }
-	  ],
-	  ...
-	}
-Remote log subscription is configured by log.loglevel.push and the push logger has default loglevel set to `info`
-Example using debug loglevel:
-	"log": {
-	  "loglevel": {
-	    "push": "debug"
-	  }
-	}
-Example code implementing remote real-time log subscription and custom message handling
-```
-//
-// usage: bun <scriptname.ts>
-// update url and the auth according to environment used
-//
-const username = "gwadmin"
-const password = "password"
-const url = "http://localhost:8880/logger"
-const headers = new Headers({
-  Authorization: "Basic " + btoa(`${username}:${password}`),
-  Accept: "text/event-stream"
-})
-// message handling and custom logic
-// we could also do JSON.parse(message) and granular filtering on log "level"
-const messageHandler = async (message: string) => {
-  console.log(message)
-}
-async function startup() {
-  while (true) {
-    try {
-      const resp = await fetch(url, { headers });
-      if (!resp.ok || !resp.body) {
-        console.error(`❌ Response error: ${resp.status} ${resp.statusText}`)
-        await Bun.sleep(10_000)
-        continue
-      }
-      console.log('✅ Now awaiting log events...\n')
-      const reader = resp.body.pipeThrough(new TextDecoderStream()).getReader()
-      while (true) {
-        const { value, done } = await reader.read()
-        if (done) break
-        if (!value.startsWith('data: ')) continue
-        const i = value.indexOf("\n\n")
-        if (i < 1) continue
-        const msg = value.slice(6, i)
-        messageHandler(msg)
-      }
-      console.error("⚠️ Connection closed");
-      await Bun.sleep(10_000)
-    } catch (err: any) {
-      console.error("❌ Connection error:", err?.message || err)
-      await Bun.sleep(10_000)
-    }
-  }
-}
-startup()
-```
-### Configuration notes - Azure Relay
-Using Azure technology we have different options for setting up a communication tunnel to SCIM Gateway:
-- `Microsoft Entra Application Proxy + Microsoft Entra Application Proxy Connector` (SCIM Gateway located on-premises or using Azure private VNet/IP)
-- `Azure Application Gateway` - Layer 7 (SCIM Gateway located in Azure)
-- `Azure Relay` (SCIM Gateway located on-premises or in Azure)
-SCIM Gateway have builtin [Azure Relay](https://learn.microsoft.com/en-us/azure/azure-relay/relay-what-is-it) support which gives secure and hassle-free outbound communication — with just one minute of configuration
+---
-Azure pricing for using Azure Relay is approx. 10$ per month for each listener (SCIM Gateway plugin)
+## Installation
-**Using out-of-the-box Azure Relay:**
+### Prerequisites
-- Prerequisite: SCIM Gateway having outbound internet access (https/443)
-- In Azure create a `Relay` - `<namespace-name>`
-- In the Relay, create an entity of type `Hybrid Connection` - `<hybrid-connection-name>` **one for each SCIM Gateway plugin**
-- The `Requires Client Authorization` option **should be unchecked (not activated)**, unless we are using custom IdP/API having logic for including SAS-token in the communication header
-- Shared access policies - RootManageSharedaccessKey - Primary Key (copy this one)
-	Instead of RootManageSharedaccessKey policy in the `<namespace-name>`, we could create dedicated policy in the sub level `<hybrid-connection-name>` and use this policy name in plugin configuration `scimgateway.azureRelay.keyRule`
+Install [Bun](https://bun.sh/) first. By default Bun installs to `HOMEPATH\.bun`. To install elsewhere, set `BUN_INSTALL=<path>` as a system environment variable before running the installer. Consider adding Bun to the system path for all users.
-SCIM Gateway plugin configuration:
+### Install SCIM Gateway
+```sh
+mkdir c:\my-scimgateway
+cd c:\my-scimgateway
+bun init -y
+bun install scimgateway
+bun pm trust scimgateway   # required to allow postinstall to copy example files
 ```
-{
-  "scimgateway: {
-    ...
-    "azureRelay": {
-      "enabled": true,
-      "connectionUrl": "https://<namespace-name>.servicebus.windows.net/<hybrid-connection-name>",
-      "apiKey": "<primary-key>"
-    },
-    ...
-  },
-  ...
-}
-````
-`connectionUrl` will be the SCIM base URL used by IdP/API for accessing SCIM Gateway
-Example:
-GET `https://<namespace-name>.servicebus.windows.net/<hybrid-connection-name>/Users`
-GET `https://<namespace-name>.servicebus.windows.net/<hybrid-connection-name>/<baseEntity>/Users`
-If several SCIM Gateway´s (same plugin) connect listeners using the same Azure Relay connectionUrl, there will be load-balancing and round-robin distribution
-### Configuration notes - running SCIM Gateway as a single binary
-Bun binary build allowing SCIM Gateway to be compiled into a single executable binary for simplified deployment and execution. The binary must have the same name (prefix) as the configuration file in the config directory, and this directory must be located in the same folder as the binary.
-	cd my-scimgateway
-	bun build --compile ./lib/plugin-loki.ts --target=bun-darwin-arm64 --outfile ./build/plugin-loki
-	# for target options, see: https://bun.com/docs/bundler/executables#cross-compile-to-other-platforms
-	cp -r ./config ./build
-	# build directory now ready for production deployment
-	cd build
-	# run the binary - note, binary must have same name (prefix) as the configuration file in the config directory
-	./plugin-loki
-## Manual startup
-Gateway can be started from a command window running in administrative mode
-3 ways to start:
-	bun c:\my-scimgateway
-	bun c:\my-scimgateway\index.ts
-	<package-root>bun .
-<kbd>Ctrl</kbd>+<kbd>c</kbd> to stop
-## Automatic startup - Windows Task Scheduler
-Start Windows Task Scheduler (taskschd.msc), right click on "Task Scheduler Library" and choose "Create Task"
-	General tab:
-	-----------
-	Name = SCIM Gateway
-	User account = SYSTEM
-	Run with highest privileges
-	Triggers tab:
-	-------------
-	Begin the task = At startup
-	Actions tab:
-	------------
-	Action = Start a program
-	Program/script = <install path>\bun.exe
-	Arguments = c:\my-scimgateway
-	Settings - tab:
-	---------------
-	Stop the task if runs longer than = Disabled (greyed out)
-Verification:
-- Right click task - **Run**, verify process node.exe (SCIM Gateway) can be found in the task manager (not the same as task scheduler). Also verify logfiles `<pakage-root>\logs`
-- Right click task - **End**, verify process node.exe have been terminated and disappeared from task manager
-- **Reboot** server and verify SCIM Gateway have been automatically started
-## Running as a isolated virtual Docker container
-Installing Docker Desktop may be an alternative for creating and testing docker images and containers
-There are two options: run SCIM Gateway in a single image, or use Docker Compose, which allows configuration and data outside the image and including other images as dependencies (e.g., MSSQL)
-### Docker single image
-- Install SCIM Gateway within your own package and copy provided docker files:
-	```
-	mkdir /opt/my-scimgateway
-	cd /opt/my-scimgateway
-	bun init -y
-	bun install scimgateway
-	bun pm trust scimgateway
-	cp ./config/docker/* .
-	cp ./config/docker/.dockerignore .
-	```
-	**Dockerfile**   <== Main dockerfile
-	**.dockerignore** <== Files to exclude from the build context
-- Build docker images
-	`docker build --platform linux/amd64 --force-rm=true -t my-scimgateway:1.0.0 .`
-- Create container
-	`docker create --init --ulimit memlock=-1:-1 --name my-scimgateway -p 8880:8880 my-scimgateway:1.0.0`
-	Note, consider using `-e SEED=<random-characters>` and plugin configuration file my-scimgateway.json must already be encrypted using same SEED environment
-- Start container
-	`docker start my-scimgateway`
-- Stop container
-	`docker stop my-scimgateway`
-### Docker image using docker-compose
-* Docker Pre-requisites:
-**docker-ce
-docker-compose**
-- Install SCIM Gateway within your own package and copy provided docker files:
-	```
-	mkdir /opt/my-scimgateway
-	cd /opt/my-scimgateway
-	bun init -y
-	bun install scimgateway
-	bun pm trust scimgateway
-	cp ./config/docker/* .
-	```
-	**docker-compose.yml**   <== Here is where you would set the exposed port and environment
-	**Dockerfile**   <== Main dockerfile
-	**DataDockerfile**   <== Handles volume mapping
-	**docker-compose-debug.yml** <== Debugging
-	**docker-compose-mssql.yml** <== Example including MSSQL docker image
-	**.dockerignore** <== Files to exclude from the build context
-- Create a scimgateway user on your Linux VM.
-	`adduser scimgateway`
-- Create a directory on your VM host for the scimgateway configs:
-	`mkdir /home/scimgateway/config`
-- Copy your updated configuration file e.g. /opt/my-scimgateway/config/plugin-loki.json to /home/scimgateway/config.  Use scp to perform the copy.
-	NOTE: /home/scimgateway/config is where all important configuration and loki datastore will reside outside of the running docker container.  If you upgrade scimgateway you won't lose your configurations and data.
-- Build docker images and start it up
-	`docker-compose up --build -d`
-	NOTE: Add the -d flag to run the command above detached.
-	Be sure to confirm that port 8880 is available with a simple http request
-	If using default plugin-loki and we have configured `{"persistence": true}`, we could confirm scimgateway created loki.db:
-	```
-	su scimgateway
-	cd /home/scimgateway/config
-	ls loki.db
-	```
-To list running containers information:
-`docker ps`
-To list available images:
-`docker images`
-To view the logs:
-`docker logs scimgateway`
-To execute command within your running container:
-`docker exec scimgateway <bash command>`
-To stop scimgateway:
-`docker-compose stop`
-To restart scimgateway:
-`docker-compose start`
-To debug running container (using Visual Studio Code):
-`docker-compose -f docker-compose.yml -f docker-compose-debug.yml up -d`
-Start Visual Studio Code and follow [these](https://code.visualstudio.com/docs/nodejs/nodejs-debugging) debugging instructions
-To upgrade scimgateway docker image (remove the old stuff before running docker-compose up --build):
-	docker rm scimgateway
-	docker rm $(docker ps -a -q); docker rmi $(docker images -q -f "dangling=true")
-## Entra ID as IdP using SCIM Gateway
-Entra ID could do automatic user provisioning by synchronizing users towards SCIM Gateway, and gateway plugins will update endpoints.
-Plugin configuration file must include **SCIM Version "2.0"** (scimgateway.scim.version) and either **Bearer Token** (scimgateway.auth.bearerToken[x].token) or **Entra ID Tenant ID** (scimgateway.auth.bearerJwt[x].azureTenantId) or both:
-	scimgateway: {
-	  "scim": {
-	    "version": "2.0",
-	    ...
-	  },
-	  ...
-	  "auth": {
-        "bearerToken": [
-          {
-            "token": "shared-secret"
-          }
-        ],
-        "bearerJwt": [
-          {
-            "azureTenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
-          }
-        ]
-      }
-      ...
-	}
-`token` configuration must correspond with "Secret Token" defined in Entra ID
-`azureTenantId` configuration must correspond with Entra ID Tenant ID
-In Azure Portal:
-`Azure-Microsoft Entra ID-Enterprise Application-<My Application>-Provisioning-Secret Token`
-Note, when "Secret Token" is left blank, Azure will use JWT (azureTenantId)
-`Azure-Microsoft Entra ID-Overview-Tenant ID`
-User mappings attributes between AD and SCIM also needs to be configured
-`Azure-Microsoft Entra ID-Enterprise Application-<My Application>-Provisioning-Edit attribute mappings-Mappings`
-Entra ID default SCIM attribute mapping for **USER** must have:
-	userPrincipalName mapped to userName (matching precedence #1)
-Entra ID default SCIM attribute mapping for **GROUP** must have:
-	displayName mapped to displayName (matching precedence #1)
-	members mapped to members
-Some notes related to Entra ID:
-- Entra ID SCIM [documentation](https://learn.microsoft.com/en-us/entra/identity/app-provisioning/use-scim-to-provision-users-and-groups)
-- For using OAuth/JWT credentials, Entra ID configuration "Secret Token" (bearer token) should be blank. Plugin configuration must then include bearerJwt.azureTenantId. Click "Test Connection" in Azure to verify
-- Entra ID do a regular check for a "non" existing user/group. This check seems to be a "keep alive" to verify connection.
-- Entra ID first checks if user/group exists, if not exist they will be created (no explore of all users like CA Identity Manager)
-- Deleting a user in Entra ID sends a modify user `{"active":"False"}` which means user should be disabled. This logic is default set in attribute mappings expression rule `Switch([IsSoftDeleted], , "False", "True", "True", "False")`. Standard SCIM "DELETE" method seems not to be used.
-## Symantec Identity Manager as IdP using SCIM Gateway
-Using Symantec/Broadcom Identity Manger, plugin configuration must use **SCIM Version "1.1"** (scimgateway.scim.version).
-In the Provisioning Manager we could use `Endpoint type = SCIM (DYN Endpoint)` or create our own custom endpoint type based on this one
-SCIM endpoint configuration example for Loki plugin (plugin-loki)
-	Endpoint Name = Loki-8880
-	User Name = gwadmin
-	Password = password
-	SCIM Authentication Method = HTTP Basic Authentication
-	SCIM Based URL = http://localhost:8880
-	or:
-	SCIM Based URL = http://localhost:8880/<baseEntity>
-Username, password and port must correspond with plugin configuration file. For "Loki" plugin it will be `config\plugin-loki.json`
-"SCIM Based URL" refer to the FQDN (or localhost) having SCIM Gateway installed. Portnumber must be included. Use HTTPS instead of HTTP if SCIM Gateway configuration includes certificates.
-"baseEntity" is optional. This is a parameter used for multi tenant or multi endpoint solutions. We could create several endpoints having same base url with unique baseEntity. e.g:
-http://localhost:8880/client-a
-http://localhost:8880/client-b
-Each baseEntity should then be defined in the plugin configuration file with custom attributes needed. Please see examples in plugin-soap.json
-## Entra ID provisioning
-Using plugin-entra-id we could do user provisioning towards Entra ID
-For testing purposes we could get an Azure free account
-### Entra ID configuration
-- Logon to [Azure](https://portal.azure.com) as global administrator
-- Microsoft Entra ID - App registrations
-	- Click "New registration"
-	- Name = SCIM Gateway Inbound
-	- Select: Accounts in this organizational directory only
-	- Click "Register"
-	- Overview:
-		- Copy "Application (client) ID"
-		- Copy "Directory (tentant) ID"
-	- Certificates & secrets:
-		- Click "New client secret"
-		- Description = SCIM Gateway Inbound secret#1
-		- Select an appropriate "Expires"
-		- Click "Add"
-		- Copy "Value" of the new secret that was created
-	- API permissions: - Add a permission - Microsoft Graph - Application permissions
-		- Optionally remove any defaults included e.g. User.Read
-		- Click "Add a permission"
-		- Microsoft Graph
-		- Application permissions
-		- Directory - Directory.ReadWriteAll
-		- Organization - Organization.ReadWrite.All
-		- AuditLog - AuditLog.Read.All (required if using plugin configuration `map.user.signInActivity`)
-		- RoleEligibilitySchedule - RoleEligibilitySchedule.Read.Directory (PIM Eligible roles; required if using plugin configuration `map.user.roles`)
-		- RoleManagement - RoleManagement.ReadWrite.Directory' (PIM Permanent roles; required if using plugin configuration `map.user.roles`)
-		- Click "Add permissions"
-	- API permissions: - Grant Admin consent
-		 Or we could go to Enterprise application to grant these consents:
-		- Microsoft Entra ID - Enterprise applications - SCIM Gateway Inbound
-			- Permissions:
-				- Click "Grant admin consent for [tenant name]"
-				- In the logon dialog, logon as global administrator
-				- In permissions request dialog, click "Accept"
-				- Click "Refresh", directory and organization permissions are now listed and OK
-- Microsoft Entra ID - Manage - Roles and administrators
-	- Search: User administrator
-	- Click on role **User administrator**
-	- Click "Add assignments"
-	- Click "No member selected" to add members
-	- Search: SCIM Gateway Inbound (name of the application we have created)
-	- Select the application name that shows up and click "Add"
-	- Click Next
-	- Assignment type=Active and enable "Permanent assigned", add some justification text and click "Assign"
-Note: Entra ID has a role hierarchy, and running SCIM Gateway as a `User Administrator` has some limitations when administering users who have administrative roles. For full administrative access to all users, SCIM Gateway must have the `Global Administrator` role (`62e90394-69f5-4237-9190-012177145e10`).
-### SCIM Gateway configuration
-**Edit index.ts**
-Set plugin to be started to `entra-id`
-	const plugins = ['entra-id']
-**Edit plugin-entra-id.json**
-Note, for Symantec/Broadcom Provisioning we must use SCIM version 1.1
-	scimgateway: {
-	  "scim": {
-	    "version": "1.1"
-	  },
-`username` and `password` used to connect the SCIM Gateway must be defined.
-        "auth": {
-          "basic": [
-            {
-              "username": "gwadmin",
-              "password": "password",
-              "readOnly": false,
-              "baseEntities": []
-            }
-          ],
-Update `azureTenantId`, `clientID` and `clientSecret` according to what you copied from the previous Entra ID configuration.
-If using proxy, set proxy.host to `"http://<FQDN-ProxyHost>:<port>"` e.g `"http://proxy.mycompany.com:3128"`
-	"endpoint": {
-	  "entity": {
-	    "undefined": {
-		  "connection": {
-		    "baseUrls": [
-			  "not in use for Entra ID when azureTenantId is defined"
-		    ],
-		    "auth": {
-			  "type": "oauth",
-			  "options": {
-			    "tokenUrl": "oauth token_url - not in use when azureTenantId is defined",
-			    "azureTenantId": "Entra ID Tenant ID (GUID) or Primary domain name - only used by plugin-entra-id",
-			    "clientId": "oauth client_id - Entra ID: Application ID",
-			    "clientSecret": "oauth client_secret - Entra ID: generated application secret value"
-			  }
-		    },
-		    "proxy": {
-			  "host": null,
-			  "username": null,
-			  "password": null
-		    }
-		  }
-	    }
-	  },
-	  "map": {
-	    ...
-	  }
-	}
-Note, clientSecret and any proxy.password will become encrypted in this file on the first Azure connection.
-For multi-tenant or multi-endpoint support, we may add several entities:
-	"endpoint": {
-	  "entity": {
-	    "undefined": {
-			...
-	    },
-	    "client-a": {
-			...
-	    },
-	    "client-b": {
-			...
-	    }
-	  }
-	}
-For additional details, see baseEntity description.
-Note, we should normally use certificate (https) for communicating with SCIM Gateway unless we install gateway locally on the manager (e.g. on the CA Connector Server). When installed on the manager, we could use `http://localhost:port` or `http://127.0.0.1:port` which will not be passed down to the data link layer for transmission. We could then also set {"localhostonly": true}
-### Using Symantec/Broadcom Provisioning
-Create a new endpoint type "Azure - ScimGateway"
-- Start SCIM Gateway
-	- Using plugin-entra-id: `const plugins = ['entra-id']` in `index.ts`
-	- username, password and port defined in `plugin-entra-id.json` must also be known
-- Start ConnectorXpress
-- Setup Data Sources
-	- Add
-	- Layer7 (this is SCIM)
-	- Name = SCIM Gateway-8881
-	- Base URL = http://localhost:8881 (SCIM Gateway installed locally on Connector Server)
-- Add the new "Azure - ScimGateway" endpoint type
-	- Metadata - Import - "my-scimgateway\node_modules\scimgateway\config\resources\Azure - ScimGateway.xml"
-	- Select the datasource we created - SCIM Gateway-8881
-	- Enter password for the user defined in datasource (e.g. gwadmin/password)
-	- On the right - expand Provisioning Servers - your server - and logon
-	- Right Click "Endpoint Types", Create New Endpoint Type
-		- You may use default name "Azure - ScimGateway" and click "OK" to create endpoint
-Note, metafile "Azure - ScimGateway.xml" is based on CA "Azure - WSL7" with some minor adjustments like using Microsoft Graph API attributes instead of Azure AD Graph attributes.
-**Provisioning Manager configuration**
-`Endpoint type = Azure - ScimGateway (DYN Endpoint)`
-Endpoint configuration example:
-	Endpoint Name = AzureAD-8881
-	User Name = gwadmin
-	Password = password
-	SCIM Authentication Method = HTTP Basic Authentication
-	SCIM Based URL = http://localhost:8881
-	or
-	SCIM Based URL = http://localhost:8881/<baseEntity>
-For details, please see section "CA Identity Manager as IdP using SCIM Gateway"
-## API Gateway
-SCIM Gateway also works as an API Gateway when using url `/api` or `/<baseEntity>/api`
-Following methods for the none SCIM based api-plugin are supported:
-		GET /api
-		GET /api?queries
-		GET /api/{id}
-		POST /api + body
-		PUT /api/{id} + body
-		PATCH /api/{id} + body
-		DELETE /api/{id}
-These methods can also be included in standard SCIM plugins
-Please see example plugin: **plugin-api.ts**
-## How to build your own plugins
-For coding editor you may use [Visual Studio Code](https://code.visualstudio.com/ "Visual Studio Code")
-Preparation:
-* Copy "best matching" example plugin e.g. `lib\plugin-mssql.ts` and `config\plugin-mssql.json` and rename both copies to your plugin name prefix e.g. plugin-mine.ts and plugin-mine.json
-* Edit plugin-mine.json and define a unique port number for the gateway setting
-* Edit index.ts and include your plugin in the startup e.g. `import './lib/plugin-mine.ts'`
-* Start SCIM Gateway and verify
-We are now ready for custom coding by editing plugin-mine.ts
-Coding should be done step by step and each step should be verified and tested before starting the next
-1. **Turn off group functionality** - getGroups to return empty response (gateway automatically use getGroups for some of the methods if groups not included)
-Please see plugin-saphana that do not use groups.
-2. **getUsers** (test provisioning retrieve all accounts and single account)
-3. **createUser** (test provisioning new account)
-4. **deleteUser** (test provisioning delete account)
-5. **modifyUser** (test provisioning modify account)
-6. **Turn on group functionality** - getGroups having logic for returning groups if groups are supported
-7. **getGroups** (test provisioning retrieve groups)
-8. **modifyGroup** (test provisioning modify group members)
-9.  **createGroup** (test provisioning new group)
-10.  **deleteGroup** (test provisioning delete account)
-Template used by CA Provisioning role should only include endpoint supported attributes defined in our plugin. Template should therefore have no links to global user for none supported attributes (e.g. remove %UT% from "Job Title" if our endpoint/code do not support title)
-CA Provisioning using default SCIM endpoint do not support SCIM Enterprise User Schema Extension (having attributes like employeeNumber, costCenter, organization, division, department and manager). If we need these or other attributes not found in CA Provisioning, we could define our own by using the free-text "type" definition in the multivalue entitlements or roles attribute. In the template entitlements definition, we could for example define type=Company and set value to %UCOMP%. Please see plugin-soap.ts using Company as a multivalue "type" definition.
-Using CA Connector Xpress we could create a new SCIM endpoint type based on the original SCIM. We could then add/remove attributes and change from default assign "user to groups" to assign "groups to user". There are also other predefined endpoints based on the original SCIM. You may take a look at "ServiceNow - WSL7" and "Zendesk - WSL7".
-For project setup:
-* Datasource =  Layer7 (CA API) - this is SCIM
-* Layer7 Base URL = SCIM Gateway url and port (SCIM Base URL)
-* Authentication = Basic Authentication
-(connect using gwadmin/password defined in plugin config-file)
-### How to change "user member of groups" to "group member of users"
-Using Connector Xpress based on the original SCIM endpoint.
-Delete defaults:
-Group - Associations - with User Account
-Group - Attributes - members
-User Account - Attributes - Group Membership
-Create new attribute:
-User Account - Attributes: Groups - Flexi DN - Multivalue - **groups**
-Create User - Group associations:
-User Account - Accociations - **Direct association with = Group**
-User Account - Accociations - with Group
-Note, "Include a Reverse Association" - not needed if we don't need Group object functionality e.g list/add/remove group members
-User Attribute = **Physical Attribute = Groups**
-Match Group = By Attribute = ID
-Objects Must Exist
-Use DNs in Attribute = activated (toggled on)
-Include a Reverse Association (if needed)
-Group Attribute = **Virtual Attribute = User Membership**
-Match User Account = By Attribute = User Name
-Note, groups should be capability attribute (updated when account is synchronized with template):
-advanced options - **Synchronized** = enabled (toggled on)
-## Methods
-Plugins should have following initialization:
-	// start - mandatory plugin initialization
-	import { ScimGateway, HelperRest } from 'scimgateway'
-	const scimgateway = new ScimGateway()
-	const helper = new HelperRest(scimgateway)
-	const config = scimgateway.getConfig()
-	scimgateway.authPassThroughAllowed = false
-	// end - mandatory plugin initialization
-	HelperRest could included and used by REST plugins
-Plugins should include following SCIM Gateway methods:
-* scimgateway.getUsers()
-* scimgateway.createUser()
-* scimgateway.deleteUser()
-* scimgateway.modifyUser()
-* scimgateway.getGroups()
-* scimgateway.createGroup()
-* scimgateway.deleteGroup()
-* scimgateway.modifyGroup()
-In addition following general API methods are available for use:
-* scimgateway.postApi()
-* scimgateway.putApi()
-* scimgateway.patchApi()
-* scimgateway.getApi()
-* scimgateway.deleteApi()
-* scimgateway.publicApi()
-In code editor (e.g., Visual Studio Code), method details and documentation are shown by IntelliSense
-## License
-MIT © [Jarle Elshaug](https://www.elshaug.xyz)
-## Change log
-### v6.2.1
-[Fixed]
-- `HelperRest`: fixed some minor log cosmetics introduced in v6.2.0
-### v6.2.0
-[Fixed]
-- `HelperRest`: failed on Bun v1.3.14 due to stricter compliance with Fetch standards.
-[Improved]
-- New `plugin-generic` replacing previous `plugin-scim`. This new plugin use the endpointMapper for flexible attribute mapping and also supports the new mapper option `valueMap` (e.g., group filtering and mapping). The default configuration uses one-to-one SCIM mapping, with plugin-loki as the target SCIM endpoint.
-- endpointMapper now supports the `valueMap` option
-	Example configuration:
-		"map": {
-		  "group": {
-		    ...
-		    "displayName": {
-		      "mapTo": "displayName",
-		      "type": "string",
-		      "valueMap": {
-		        "outboundEndpointGrp1": "inboundScimGrp1",
-		        "Employees": "Admins"
-		      }
-		    },
-		    ...
-		  }
-		  ...
-		}
-	Using the above settings restricts the client using SCIM Gateway with regard to group management.
-	The client will only see and be able to manage groups with SCIM names "inboundScimGrp1" and "Admins",
-	if their mapped counterparts exist at the target endpoint as "outboundEndpointGrp1" and "Employees".
-	Use case:
-	- Allowlisting specific groups or user objects that includes attribute mapping having the valueMap option configured.
-	- Supporting different inbound/outbound names (e.g., Entra ID group provisioning to SCIM Gateway).
-### v6.1.20
-[Fixed]
-- plugin-entra-id: Roles introduced in v6.1.19 were missing when retrieving a single user.
-### v6.1.19
-[Fixed]
-- SCIM v2.0 ResourceType endpoint schemas using incorrect id.
-[Improved]
-- SCIM Gateway now supports `GET /Roles` and `GET /Entitlements` endpoint requests, with corresponding user management via the standard SCIM `roles` and `entitlements` attributes.
-- plugin-entra-id: Uses `entitlements` for Entra ID licenses (read-only) and `roles` for Entra ID Permanent and Eligible roles (full management).
-  - PIM Eligible roles requires API permissions `RoleEligiblitySchedule.ReadWrite.All`
-  - PIM Permanent roles requires API permissions `RoleManagement.ReadWrite.Directory`
-  - Remove mapping configuration `map.user.roles` if conditions not met (or use only the Eligible permissions set to Read if user role management is not needed).
-  - The `skipSignInActivity` option, introduced in v6.1.17, is no longer used. Instead, permissions for both `signInActivity` and PIM roles are validated at startup.
-### v6.1.18
-[Fixed]
-- createUser and modifyUser returns full user object. Some endpoints like Entra ID hasn’t caught up yet due to internal sync and changes are not reflected. This update ensure returned user object contains what have been modified.
-### v6.1.17
-[Fixed]
-- plugin-entra-id:
-  - Fixed an issue where `filter=userName eq "user_upn"` was broken in v6.1.11 when using the updated configuration file that includes `map.user.signInActivity`.
-  - Added new configuration option `endpoint.entity.[baseEntity].skipSignInActivity = true` to exclude the `signInActivity` attribute. This attribute requires a Microsoft Entra ID Premium license and the `AuditLog.Read.All` API permission.
-### v6.1.16
-[Improved]
-- plugin-entra-id: `GET /Entitlements` using derivedIncludes, fully flattened (recursive expansion of previous includes).
-### v6.1.15
-[Fixed]
-- plugin-entra-id: fixed `filter=entitlements pr`
-### v6.1.14
-[Improved]
-- Some cosmetics like supporting filter `attribute not pr`
-- Dependencies bump
-### v6.1.13
-[Improved]
-- plugin-entra-id: `signInActivity` attributes are filterable
-### v6.1.12
-[Improved]
-- filter operator `pr` (precense) now sent to plugin (previoulsy rejected)
-- plugin-entra-id: now handles the pr filter operator for entitlements
-### v6.1.11
-[Fixed]
-- From v6.1.6, schemas are autogenerated when using `endpointMapper` (configuration `map.user` and `map.group`). Fixed incorrect schema generation logic.
-[Improved]
-- New endpoint `GET /Entitlements` and corresponding new plugin method `scimgateway.getEntitlements()`, which is currently used by plugin-entra-id.
-- plugin-entra-id: User license information through entitlements attribute.
-- plugin-entra-id: The `plugin-entra-id.json` configuration file includes `map.user.signInActivity`. Using the `signInActivity` attribute requires an Entra ID Premium license and the API permission `AuditLog.Read.All`.
-**Remove this mapping configuration if these conditions are not met**, otherwise provisioning will fail and errors such as `Authentication_RequestFromNonPremiumTenantOrB2CTenant` may occur.
-### v6.1.10
-[Fixed]
-- plugin-entra-id: user group membership now includes nested (transitive) groups (`direct` and `indirect`)
-- Docker example files `config/docker/.dockerignore` and `docker-compose-mssql.yml` were missing
-### v6.1.9
-[Improved]
-- Some improvements to createUser/createGroup regarding the response object, which should contain the newly generated ID
-### v6.1.8
-[Fixed]
-- Incorrect masking of secrets in the final info log message for requests
-### v6.1.7
-[Fixed]
-- Incorrect masking of secrets in the final info log message for requests
-- plugin-entra, fixed an issue where creating a user with a manager sometimes failed
-### v6.1.6
-[Fixed]
-- plugin-loki and plugin-mongodb, using extension schema attributes in search returned empty result
-- Auth validation failure because of readOnly protection now returns 405 instead of 401
-- The post-install step now verifies and updates `package.json` to ensure the mandatory `"type": "module"` setting is applied. Using `npm init -y` instead of the recommended `bun init -y` sets `"type": "commonjs"` by default, which is incorrect.
-[Improved]
-- Using the endpointMapper configuration (`endpoint.map.user` / `endpoint.map.group`) will now generate a custom schema instead of using the default SCIM schema by `GET /Schemas`. In addition the configuration `endpoint.map` now supports a special `"x-agent-schema": {...}` configuration which is used by the schema generator for updating `description` and including AI MCP tools related instructions. See `plugin-entra-id.json` for examples.
-- Dependencies bump
-### v6.1.5
-[Improved]
-- complex filtering (and/or) now handled by scimgateway using plugin's simple filtering logic
-- modify group response now returns http status 204 (No Content) instead of 200 OK (full group object)
-- url `/auth` can now be used for validating external authentication
-- plugin-entra-id, now supports filter `sw` (startsWith)
-### v6.1.4
-[Fixed]
-- plugin-entra-id, OData paging was not working, so some users/groups/members might be missing
-- helper-rest, OData paging
-- user’s group membership did not iterate through paging and may be incomplete
-### v6.1.3
-[Fixed]
-- azure relay, recover on failure
-- plugin-ldap, some improvements for Active Directory and the use of objectGUID/mS-DS-ConsistencyGuid
-- plugin-mongodb, group meta.version not standarized
-- when modifying group members, if an error occurs, the gateway now checks whether it was caused by adding an existing member or removing a non-existing member. In such cases, it returns 200 OK instead of an error.
-[Improved]
-- Dependencies bump
-### v6.1.2
-[Fixed]
-- SMTP mail functionality failed because of an updated dependency
-- endpointMapper failed when `mapTo` included multiple comma-separated attributes and one of them was a multivalued attribute, e.g. `{ "mail": { "mapTo": "userName,emails.work.value" } }`
-### v6.1.1
-[Fixed]
-- plugin-ldap, a createUser operation followed immediately by a readUser (automatically performed by SCIM Gateway) may not find the newly created user on some systems, such as Samba AD, due to timing issues
-[Improved]
-- the final info log message now includes a JSON serialization of all elements, such as durationMs, status, requestBody, responseBody, ...
-### v6.1.0
-[Improved]
-- `tsx` is now included, allowing SCIM Gateway to run as an ES module (TypeScript) in Node.js. The mandatory plugin section, which previously required complex dynamic loading, can now be simplified using static imports
-	**Old plugin-xxx.ts:**
-		// start - mandatory plugin initialization
-		const ScimGateway: typeof import('scimgateway').ScimGateway = await (async () => {
-		try {
-		  return (await import('scimgateway')).ScimGateway
-		} catch (err) {
-		  const source = './scimgateway.ts'
-		  return (await import(source)).ScimGateway
-		}
-		})()
-		const scimgateway = new ScimGateway()
-		const config = scimgateway.getConfig()
-		scimgateway.authPassThroughAllowed = false
-		// end - mandatory plugin initialization
-	**New plugin-xxx.ts:**
-		// start - mandatory plugin initialization
-		import { ScimGateway } from 'scimgateway'
-		const scimgateway = new ScimGateway()
-		const config = scimgateway.getConfig()
-		scimgateway.authPassThroughAllowed = false
-		// end - mandatory plugin initialization
-	**Old Node.js startup:**
-		node --experimental-strip-types c:\scimgateway\index.ts // scimgateway downloaded from github
-	**New Node.js startup:**
-		node --import=tsx ./index.ts // running in local package
-- index.ts now using static import instead of dynamic
-	**Old index.ts:**
-		const plugins = ['loki']
-		for (const plugin of plugins) {
-		  try {
-		    await import(`./lib/plugin-${plugin}.ts`)
-		  } catch (err: any) {
-		    console.error(err)
-		  }
-		}
-	**New index.ts:**
-		// start one or more plugins:
-		// import './lib/plugin-scim.ts'
-		// import './lib/plugin-entra-id.ts'
-		// import './lib/plugin-ldap.ts'
-		// import './lib/plugin-mongodb.ts'
-		// import './lib/plugin-api.ts'
-		// import './lib/plugin-mssql.ts'
-		// import './lib/plugin-saphana.ts'
-		// import './lib/plugin-soap.ts'
-		import './lib/plugin-loki.ts'
-		export {}
-- Bun binary build is now supported allowing SCIM Gateway to be compiled into a single executable binary for simplified deployment and execution. The binary must have the same name (prefix) as the configuration file in the config directory, and this directory must be located in the same folder as the binary.
-		cd my-scimgateway
-		bun build --compile ./lib/plugin-loki.ts --target=bun-darwin-arm64 --outfile ./build/plugin-loki
-		# for target options, see: https://bun.com/docs/bundler/executables#cross-compile-to-other-platforms
-		cp -r ./config ./build
-		# build directory now ready for production deployment
-		cd build
-		# run the binary - note, binary must have same name (prefix) as the configuration file in the config directory
-		./plugin-loki
-- Dependencies bump
-### v6.0.2
-[Fixed]
-- Gateway now passing provided filter attributes for getUsers()/getGroups to plugin instead of using empty array for having all supported attributes returned
-### v6.0.1
-[Fixed]
-- plugin-ldap, failed when the RDN value contained the character '=' e.g., `CN=Firstname \= Lastname,CN=Users,DC=my-company,DC=com`
-- GET using filter failed when filter value contained the character '%' e.g., `GET /Users?filter=userName eq "my % name"`
-### v6.0.0
-**[MAJOR]**
-- API method response bodies (no SCIM related) will now be returned "as-is". Previously response body had format `{ result: <content> }`. If response body is parsed by client, client must be changeed to reflect the new response body format.
-- New plugin API method `scimgateway.publicApi()` for handling public path `/pub/api` with no authentication required, please see `plugin-api`
-e.g. `GET /pub/api?model=Tesla`
-- Configuration `scimgateway.auth.bearerJwtAzure` is no longer supported. Instead use the new `scimgateway.auth.bearerJwt.azureTenantId` for allowing Entra ID initiated provisioning through scimgateway
-	**Old configuration:**
-		"bearerJwtAzure": [
-			{
-			  "tenantIdGUID": {entra-tenant-id},
-			  "readOnly": false,
-			  "baseEntities": []
-			}
-		],
-	**New configuration:**
-		"bearerJwt": [
-			{
-			  "secret": null,
-			  "publicKey": null,
-			  "wellKnownUri": null,
-			  "azureTenantId": {entra-tenant-id},
-			  "options": {
-			    "issuer": null
-			  },
-			  "readOnly": false,
-			  "baseEntities": []
-			}
-		],
-- All existing configurations having key `tenantIdGUID` must be replaced with the new key `azureTenantId`. This also applies to endpoint configuration used by HelperRest()
-	**Old configuration:**
-		"email": {
-			"auth": {
-			  "type": "oauth",
-			  "options": {
-			    "tenantIdGUID": null,
-			    "clientId": null,
-			    "clientSecret": null
-			  }
-			},
-	**New configuration:**
-		"email": {
-			"auth": {
-			"type": "oauth",
-			"options": {
-			  "azureTenantId": null,
-			  "clientId": null,
-			  "clientSecret": null
-			}
-	Example of HelperRest() endpoint configuration used by plugin-entra-id having tenantIdGUID replaced with azureTenantId:
-		"connection": {
-			"baseUrls": [],
-			"auth": {
-			"type": "oauth",
-			"options": {
-			  "azureTenantId": "Entra ID Tenant ID (GUID)",
-			  "clientId": "Entra ID Application ID",
-			  "clientSecret": "Entra ID Application secret value"
-			}
-		},
-### v5.5.5
-[Improved]
-- Dependencies bump
-- Docker - `.dockerignore` included at root, same as `./config/docker/.dockerignore`
-### v5.5.4
-[Fixed]
-- Docker - exclude any package postinstall script to be run `--ignore-scripts`, because of `bun pm trust` prerequirement
-### v5.5.3
-[Fixed]
-- Docker - fixed `docker build` error introduced in v5.5.0 (using bun.lock instead of binary bun.lockb)
-[Improved]
-- plugin-mssql - attribute externalId included
-- .dockerignore - new docker configuration file, contains files to be excluded from the build context
-### v5.5.2
-[Improved]
-- Entra ID Federated Identity Credentials introduced in v5.5.0, the issuer configuration should be scimgateway base URL
-	old: `"issuer": "<https://FQDN-scimgateway>/oauth"`
-	new: `"issuer": "<https://FQDN-scimgateway>"`
-	Change log v5.5.0 have been corrected with the new issuer having base URL only
-### v5.5.1
-[Fixed]
-- 401 Unauthorized response did include scim-formatted error message when using `helper-rest` and authentication `PassThrough`. 401 should not include scim-formatted error message
-### v5.5.0
-[Improved]
-- Entra ID [Federated Identity Credentials](https://learn.microsoft.com/en-us/graph/api/resources/federatedidentitycredentials-overview?view=graph-rest-1.0) is now supported. Identity federation allows SCIM Gateway to access Microsoft Entra protected resources without needing to manage secrets
-	helper-rest includes options for federated credentials:
-		"auth {
-		  "type": "oauthJwtBearer",
-		  "options": {
-		    "tenantIdGUID": "<Entra ID tenantIdGUID",
-		    "fedCred": {
-		      "issuer": "<https://FQDN-scimgateway>",
-		      "subject": "<entra id application object id - client id>",
-		      "name": "<entra id federated credentials unique name>"
-		    }
-		  }
-		}
-	Example:
-		"auth {
-		  "type": "oauthJwtBearer",
-		  "options": {
-		    "tenantIdGUID": "11111111-2222-3333-4444-555555555555",
-		    "fedCred": {
-		      "issuer": "https://scimgateway.my-company.com",
-		      "subject": "99999999-8888-7777-6666-555555555555",
-		      "name": "plugin-entra-id"
-		    }
-		  }
-		}
-	Note: Federated credentials (scenario "Other issuer") defined for the application in Entra ID must match the corresponding `issuer`, `subject`, and `name` values defined in the SCIM Gateway endpoint configuration. An example of this can be using `plugin-entra-id` and other plugins that interact with endpoints or applications protected by Entra ID.
-	Also note: SCIM Gateway must be reachable from the internet (as defined by the `issuer` URL). This requires allowing inbound internet communication — or alternatively, Azure Relay can be used for outbound-only communication.
-### v5.4.4
-[Improved]
-- External JWKS (JSON Web Key Set) is now supported by JWT Authentication. These are public and typically frequent rotated by modern identity providers
-	JKWS is enabled by setting scimgateway.auth.bearerJwt[].wellKnownUri to the identity provider's well-known URI
-	Keycloak example:
-		auth: {
-		  "bearerJwt": [
-		    {
-		      "wellKnownUri": "https://keycloak.example.com/realms/example-realm/.well-known/openid-configuration",
-		      "options": {
-		        ...
-		      },
-		      ...
-		     }
-		  ]
-		}
-### v5.4.3
-[Fixed]
-- helper-rest, fixed an issue introduced in v5.3.8 that caused problems using OAuth
-[Improved]
-- Remote real-time logger
-### v5.4.2
-[Improved]
-- baseEntity included as json-key in logs
-- Remote real-time logger now supports baseEntity. `http(s)://host/logger` gives all log entries for plugin. `http(s)://host/<baseEntity>/logger` gives only log entries for the baseEntity used.
-Note, using `baseEntity` is optional. This is a parameter used for multi tenant or multi endpoint solutions. We could create several endpoint configurations having unique baseEntity. Also note that we can configure auth linked to baseEntity including readOnly.
-### v5.4.1
-[Improved]
-- Remote real-time logger, stop/start button added when using browser
-### v5.4.0
-[Improved]
-- Some underlying enhancements have been made to the remote real-time logger. When using a browser, log level colors are now shown. Note: the remote logger is not supported via Azure Relay
-### v5.3.8
-[Improved]
-- [Azure Relay](https://learn.microsoft.com/en-us/azure/azure-relay/relay-what-is-it) is now supported for secure and hassle-free outbound communication — with just one minute of configuration
-	Using Azure technology we have different options for setting up a communication tunnel to SCIM Gateway:
-	`Microsoft Entra Application Proxy + Microsoft Entra Application Proxy Connector` (SCIM Gateway located on-premises or using Azure private VNet/IP)
-	`Azure Application Gateway` - Layer 7 (SCIM Gateway located in Azure)
-	`Azure Relay` (SCIM Gateway located on-premises or in Azure)
-	Azure pricing for using Azure Relay is approx. 10$ per month for each listener (SCIM Gateway plugin)
-    **Using out-of-the-box Azure Relay:**
-	Prerequisite: SCIM Gateway having outbound internet access (https/443)
-	In Azure create a `Relay` - `<namespace-name>`
-	In the Relay, create an entity of type `Hybrid Connection` - `<hybrid-connection-name>` **one for each SCIM Gateway plugin**
-	The `Requires Client Authorization` option **should be unchecked (not activated)**, unless we are using custom IdP/API having logic for including SAS-token in the communication header
-	Shared access policies - RootManageSharedaccessKey - Primary Key (copy this one)
-	SCIM Gateway plugin configuration:
-		{
-		  "scimgateway: {
-		    ...
-		    "azureRelay": {
-		      "enabled": true,
-		      "connectionUrl": "https://<namespace-name>.servicebus.windows.net/<hybrid-connection-name>",
-		      "apiKey": "<primary-key>"
-		    },
-		    ...
-		  },
-		  ...
-		}
-	`connectionUrl` will be the SCIM base URL used by IdP/API for accessing SCIM Gateway
-	Example:
-	GET `https://<namespace-name>.servicebus.windows.net/<hybrid-connection-name>/Users`
-	GET `https://<namespace-name>.servicebus.windows.net/<hybrid-connection-name>/<baseEntity>/Users`
-	If several SCIM Gateway´s (same plugin) connect listeners using the same Azure Relay connectionUrl, there will be load-balancing and round-robin distribution
-### v5.3.7
-[Improved]
-- Normalize line endings to LF
-### v5.3.6
-[Fixed]
-- Some minor ETag improvements
-### v5.3.5
-[Improved]
-- ETag now supported and default included for all requests. Plugin may use custom ETag by returning meta.version.
-### v5.3.4
-[Fixed]
-- PATCH operations (modifyUser/modifyGroup) that includes `null` values, will now be converted to empty string `""`
-		{
-		  "schemas": [
-		    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
-		  ],
-		  "Operations": [{
-		    "op": "replace",
-		    "value": {
-		      "name": {
-		        "formatted": "Smith, John",
-		        "honorificPrefix": null
-		      }
-		    }}
-		  ]
-		}
-	In the example above, following will be sent to plugin:
-	{ "name": { "formatted": "Smith, John", "honorificPrefix": "" } }
-### v5.3.3
-[Fixed]
-- helper-rest, SamlBearer token-request now includes `new_token=true` to avoid retrieving an existing token that is about to expire
-### v5.3.2
-[Improved]
-- helper-rest, retry on request error 504 Gateway Timeout
-- performance micro-optimization on log mask logic
-### v5.3.1
-[Fixed]
-- Incorrect log masking of SCIM 2.0 PATCH Operations
-- plugin-ldap, create user/group having DN special character `#` failed on OpenLDAP
-### v5.3.0
-[Improved]
-- [Bulk Operations](https://datatracker.ietf.org/doc/html/rfc7644#section-3.7) now supported
-- Dependencies bump
-### v5.2.5
-[Fixed]
-- endpointMapper (used by plugin-entra-id and plugin-ldap) in v5 when using mapping type=array, the first element was excluded on outbound mapping in some use cases
-### v5.2.4
-[Improved]
-- New configuration `log.logDirectory` for custom defined log directory e.g. `/var/log/scimgateway` that will override default `<scimgateway path>/logs`.
-  **Thanks to [@Gerrit Lansing](https://github.com/gerritlansing)**
-- Base URL like `/scim/v1` and `/scim/v2` is now supported, also with baseEntity e.g. `/scim/v2/client1/Users`
-### v5.2.3
-[Fixed]
-- GET /ResourceTypes was missing in v5
-### v5.2.2
-[Fixed]
-- plugin-ldap, tls configuration now supported for Bun > v1.2.4, previously environments had to be used
-		"tls": {
-			"ca": "ca-file-name", // located in config/certs
-			"rejectUnauthorized": true
-		}
-[Improved]
-- Dependencies bump
-### v5.2.1
-[Fixed]
-- Logger did not use the correct plugin rollover filename when the gateway ran multiple plugins
-### v5.2.0
-[Improved]
-- Logger have been redesigned
-	Supports console, file and push (client subscriber) logging
-	Remote real-time log subscription, see configuration notes
-	JSON formatted log messages
-	UTC (Coordinated Universal Time)
-	File logging will rotate on startup
-	File logging now includes configuration options for maxFiles and maxSize
-	Console using default colorized and minimized output. If redirecting stdout/stderr, standard JSON will be used and no color encoding
-### v5.1.8
-[Fixed]
-- plugin-ldap, dn that includes double underscore `__` not correctly handled
-### v5.1.7
-[Fixed]
-- Using gateway certificate CA, the CA did not load correctly. It now also supports an array of multiple CAs.
-[Improved]
-- Dependencies bump
-### v5.1.6
-[Improved]
-- HelperRest, payload/claims configuration now defined in auth.options.jwtPayload and auth.options.samlPayload. Previously all was defiend in auth.options
-- README configuration notes updated
-### v5.1.5
-[Improved]
-- 404 NOT_FOUND is now logged as a warning instead of error
-### v5.1.4
-[Fixed]
-- Postinstall failed using the new Bun v1.2.0
-### v5.1.3
-[Fixed]
-- HelperRest, auth.type=`oauthJwtBearer` and auth.options=`tenantIdGUID`
-	Configuration example using Entra ID application having uploaded cert.pem as certificate secret:
-		"endpoint": {
-		  "entity": {
-		    "undefined": {
-		      "connection": {
-		        "baseUrls": [],
-		        "auth": {
-		          "type": "oauthJwtBearer",
-		          "options": {
-		            "tenantIdGUID": "Entra ID Tenant ID (GUID)",
-		            "clientId": "<application clientId>",
-		            "tls": { // files located in ./config/certs
-		              "key": "key.pem",
-		              "cert": "cert.pem"
-		            }
-		          }
-		        }
-		      }
-		    }
-		  }
-		}
-	Please see code editor method HelperRest doRequest() IntelliSense for details
-	Note, this fix may break `plugin-entra-id` if baseUrls configuration not empty. If baseUrl not empty, it will be used. If empty, baseUrl will automatically be set according to graph api when using tenantIdGUID definition
-### v5.1.2
-[Improved]
-- Simplified some initialization logic
-### v5.1.1
-[Fixed]
-- SCIM Gateway failed to start on linux using Bun >= v1.1.43
-### v5.1.0
-[Improved]
-- By configuring the `chainingBaseUrl`, it is now possible to chain multiple gateways in sequence, such as `gateway1->gateway2->gateway3->endpoint`. In this setup, gateway beave much like a reverse proxy, validating authorization at each step unless PassThrough mode is enabled. Chaining is also supported in stream subscriber mode
-	Please see `Configuration notes` for details
-### v5.0.15
-[Improved]
-- HelperRest, auth.type=oauthSamlAssertion and auth.type=oauthJwtAssertion have been updated to `oauthSamlBearer` and `oauthJwtBearer` for consistency
-### v5.0.14
-[Improved]
-- email now supports Google Workspace Gmail using REST OAuth
-- email workaround for ExO national characters introduced in v5.0.7 not needed anymore - ExO/GraphApi seems to have been fixed
-- some minor cosmetics on email message layout formatting when using plain text message
-- HelperRest now includes authentication type `oauthJwtAssertion`
-### v5.0.13
-[Improved]
-- scim-stream, using the new reorganized nats.js v3 client library
-- cosmetics, `use strict` not needed and removed because ES modules are always strict mode
-### v5.0.12
-[Fixed]
-- HelperRest doRequest() incorrect Auth PassThrough handling
-[Improved]
-- Dependencies bump
-### v5.0.11
-[Fixed]
-- OAuth token response on error missing error_description in v5
-- HelperRest doRequest() now also includes retry logic on invalid token that has not expired - will renew token
-### v5.0.10
-[Improved]
-- OAuth token request now accept missing or invalid Content-Type header
-### v5.0.9
-[Improved]
-- HelperRest doRequest() now support configuration auth type `oauthSamlAssertion` for OAuth SAML token assertion. Please see code editor method IntelliSense for details
-### v5.0.8
-[Fixed]
-- Ensure Bun compatibility with Azure Reverse Proxy for large and long running response
-- HelperRest was not compatible with Node.js
-- plugin-mssql, some error handling should not throw an error
-- Configuration files updated according to the v5 configuration syntax of `scimgateway.auth.bearerOAuth` - `clientId/clientSecret` now replacing deprecated `client_id/client_secret`
-### v5.0.7
-[Improved]
-- plugin-mssql all methods now implemented, also includes docker and dbinit configuration, **thanks to [@Peter Havekes](https://github.com/phavekes) and [@mrvanes](https://github.com/mrvanes)**
-[Fixed]
-- mail sending option introduced in v5.0.6 did not fully support national special charcters when using Microsoft Exchange Online and html formatted email
-### v5.0.6
-[Improved]
-- new configuration option: `scimgateway.idleTimeout` default 120, sets the the number of seconds to wait before timing out a connection due to inactivity
-- deprecated configuration option: `scimgateway.payloadSize` Bun using default maxRequestBodySize 128MB
-- new configuration option: `scimgateway.email` replacing legacy `scimgateway.emailOnError` (legacy still supported). Email now support oauth authentication
-**old configuration:**
-	{
-	  "scimgateway": {
-	    ...
-	    "emailOnError": {
-	      "smtp": {
-	        "enabled": false,
-	        "host": null,
-	        "port": 587,
-	        "proxy": null,
-	        "authenticate": true,
-	        "username": null,
-	        "password": null,
-	        "sendInterval": 15,
-	        "to": null,
-	        "cc": null
-	      }
-	    },
-	    ...
-	  },
-	  ...
-	}
-**new configuration:**
-Using Microsoft Exchange Online and oauth authencation which also is default and recommended by Microsoft. For other mail servers and options like SMTP AUTH (basic/oauth), please see configuration description. Plugin may also send mail using method scimgateway.sendMail()
-	{
-	  "scimgateway": {
-	    ...
-	    "email": {
-	      "auth": {
-	        "type": "oauth",
-	        "options": {
-	          "tenantIdGUID": null,
-	          "clientId": null,
-	          "clientSecret": null
-	        }
-	      },
-	      "emailOnError": {
-	        "enabled": false,
-	        "from": null,
-	        "to": null
-	      }
-	    },
-	    ...
-	  },
-	  ...
-	}
-Configuration notes when using oauth and tenantIdGUID - Microsoft Exchange Online (ExO):
-- Entra ID application must have application permissions `Mail.Send`
-- To prevent the sending of emails from any defined mailboxes, an ExO `ApplicationAccessPolicy` must be defined through PowerShell.
-	First create a mail-enabled security-group that only includes those users (mailboxes) the application is allowed to send from
-	Note, `mail enabled security group` cannot be created from portal, only from admin or admin.exchange console
-		##Connect to Exchange
-		Install-Module -Name ExchangeOnlineManagement
-		Connect-ExchangeOnline
-		##Create ApplicationAccessPolicy
-		New-ApplicationAccessPolicy -AppId <AppClientID> -PolicyScopeGroupId <MailEnabledSecurityGrpId> -AccessRight RestrictAccess -Description "Restrict app to specific mailboxes"
-### v5.0.5
-[Fixed]
-- plugin-ldap, dn special character not correct for ascii code 128(dec)/80(hex)
-### v5.0.4
-[Improved]
-- minor type definition cosmetics
-### v5.0.3
-[Fixed]
-- unauthorized connection when using configuration bearerJwtAzure
-[Improved]
-- minor type definition cosmetics
-### v5.0.2
-[Improved]
-- minor cosmetics readme updates
-### v5.0.1
-[Fixed]
-- postinstall did not update index.ts when default bun index.ts did exist
-### v5.0.0
-**[MAJOR]**
-Major version v5.0.0 marks a shift to native TypeScript support and prioritizes [Bun](https://bun.sh/) over Node.js.
-Besides going from JavaScript to TypeScript, following can be mentioned:
-* Code editor now having IntelliSense showing available methods and documentation details for scimgateway methods
-* index.ts having new logic for starting plugins e.g.: `const plugins = ['ldap']` for starting plugin-ldap
-* If using Node.js: node must be version >= 22.6.0, scimgateway must be downloaded from github (because stripping types is currently unsupported for files under node_modules) and startup argument `--experimental-strip-types` e.g.; `node --experimental-strip-types index.ts`
-* Plugins can use `scimgateway.HelperRest()` for REST functionality. Previously this logic was included in each plugin that used REST.
-		// start - mandatory plugin initialization
-		...
-		const HelperRest: typeof import('scimgateway').HelperRest = await (async () => {
-		  try {
-			return (await import('scimgateway')).HelperRest
-		  } catch (err) {
-			const source = './scimgateway.ts'
-			return (await import(source)).HelperRest
-		  }
-		})()
-		...
-		// end - mandatory plugin initialization
-	Note, HelperRest use fetch which is not fully supported by Node.js regarding TLS.
-	For TLS and Node.js, environment must instead be used and set before started, e.g.,:
-	`export NODE_EXTRA_CA_CERTS=/package-path/config/certs/ca.pem`
-	or
-	`export NODE_TLS_REJECT_UNAUTHORIZED=0`
-* Configuration secrets (password, secret, token, client_secret, ... ) defined in the `endpoint` section of the configuration file, will automatically be encrypted/decrypted. If there are secrets not handled by the automated encryption/decryption, we may use `scimgateway.getSecret()`. In the old version, corresponding method was named scimgateway.getPassword().
-* kubernetes configuration and logic have been removed. Kubernetes can use default `/ping` url for healthchecks, and graceful shutdown is taken care of the gateway
-* In case using custom schemas defined in lib/scimdef-v1/v2.js, these files have now changed to scimdef-v1/v2.json
-* `config/docker/Dockerfile` now using Bun
-* plugin-entra, modify licenses/servicePlans is not included anymore, only listing. For license management we instead use groups.
-* plugin-ldap, for LDAPS/TLS and Bun, we must use environments e.g.:
-	`export NODE_EXTRA_CA_CERTS=/package-path/config/certs/ca.pem`
-	or
-	`export NODE_TLS_REJECT_UNAUTHORIZED=0`
-**How to migrate existing plugins:**
-* Remove old index.js, use the new index.ts and update `const plugins = ['xxx']` to include your plugin name(s)
-* Rename plugin-xxx.js to plugin-xxx.ts
-* import must be used instead of require for loading modules e.g.:
-  const Loki = require('lokijs') => `import Loki from 'lokijs'`
-* Use the new mandatory settings:
-		// start - mandatory plugin initialization
-		const ScimGateway: typeof import('scimgateway').ScimGateway = await (async () => {
-		  try {
-		    return (await import('scimgateway')).ScimGateway
-		  } catch (err) {
-		    const source = './scimgateway.ts'
-		    return (await import(source)).ScimGateway
-		  }
-		})()
-		const scimgateway = new ScimGateway()
-		const config = scimgateway.getConfig()
-		scimgateway.authPassThroughAllowed = false
-		// end - mandatory plugin initialization
-* Use the new `config` object (mentioned above) which contains the `scimgatway.endpoint` configuration having automated encryption/decryption of any attributes named password, secret, client_secret, token and APIKey
-* The old scimgateway.getPassword() is not normally not needed because of scimgateway automated `config` logic. If needed, use the new scimgateway.getSecret().
-* Use the new logging syntax:
-		replace: scimgateway.logger.debug(`${pluginName}[${baseEntity}] xxx`)
-		with: scimgateway.logDebug(baseEntity, `xxx`)
-* Use scimgateway.HelperRest() for REST functionlity, also supports Auth PassThrough
-* scimgateway.endpointMapper() may be used for inbound/outbound attribute mappings
-* In general when using TypeScript, variables should be type-defined: `let isDone: boolean = false`, `catch (err: any)`, ...
-### v4.5.12
-[Improved]
-- plugin-ldap, new configuration { allowModifyDN: true } allows DN being changed based on modified mapping or namingAttribute
-### v4.5.11
-[Improved]
-- deleteUser will try to revoke user from groups before deleting user
-- advanced or-filter (e.g., used by One Identity Manager) will be chunked and handled by scimgateway as separate calls to plugin
-- baseEntity now included in scimgateway log entries like plugin log entries
-[Fixed]
-- plugin-ldap, using OpenLDAP - configuration { "isOpenLdap": true } and adding an already existing group member returned 500 Error instead of 200 OK.
-- plugin-ldap, using OpenLDAP in combination with endpoint user mapping `"type":"array"` and `"typeInbound":"string"` for handling comma separated SCIM string mapping towards an endpoint array/multivalue attribute, did not return correct sort order of the comma separated string when using OpenLDAP.   Mapping example:
-        "<endpointAttr>": {
-          "mapTo": "<scimAttr>",
-          "type": "array",
-          "typeInbound": "string"
-        },
-### v4.5.10
-[Fixed]
-- PUT changes introduced in v4.5.7 had incorrect check of configuration groupMemberOfUser (default not set)
-### v4.5.9
-[Improved]
-- Dependencies bump
-### v4.5.8
-[Fixed]
-- plugin-ldap failed when using national special characters and some other LDAP special characters in DN
-Note, plugin-ldap now has following new configuration:
-	"ldap": {
-	  "isOpenLdap": false,
-	  ...
-	  "namingAttribute": {
-		"user": [
-		  {
-			"attribute": "CN",
-			"mapTo": "userName"
-		  }
-		],
-		"group": [
-		  {
-			"attribute": "CN",
-			"mapTo": "displayName"
-		  }
-		]
-	  },
-	  ...
-	}
-`isOpenLdap` true/false decides whether or not OpenLDAP Foundation protocol should be used for national characters and special characters in DN. For Active Directory, default isOpenLdap=false should be used.
-`namingAttribute` can now be linked to scim `mapTo` attribute and is not hardcoded like it was in previous version.
-Previous `userNamingAttr` and `groupNamingAttr` shown below, is now deprecated
-	"ldap": {
-	  ...
-	  "userNamingAttr": "CN",
-	  "groupNamingAttr": "CN",
-	  ...
-	}
-### v4.5.7
-[Fixed]
-- PUT changes introduced in v4.4.6 did not handle PUT /Groups correctly
-[Improved]
-- configuration scim.usePutGroupMemberOfUser replaced by scim.groupMemberOfUser
-- misc cosmetics
-### v4.5.6
-[Improved]
-- plugin-ldap preserve multivalue-attribute order on modify. Do not apply to groups/members.
-### v4.5.5
-[Fixed]
-- PUT /Groups/xxx failed on final group lookup and returned error
-- endpointMapper failed to correctly map customExtensions in certain use cases
-### v4.5.4
-[Fixed]
-- Delete User missing url-decoding of id e.g. using ldap-dn as id
-### v4.5.3
-[Fixed]
-- plugin-api configuration file having new credentials for dummy-json testing
-[Improved]
-- Dependencies bump
-- plugin-loki and plugin-mongodb, minor improvements for handling raw mulitivalue updates when not using default skipTypeConvert=false
-- endpointMapper supporting comma separated string to be converted to array, e.g.:
-	SCIM otherMails = "myAlias1@company.com,myAlias2@company.com,myAlias3@company.com"
-  	endpointMapper configuration for endpoint attribute emails of type array:
-	"map": {
-	  "user": {
-	    "emails": {
-	      "mapTo": "otherMails",
-	      "type": "array",
-	      "typeInbound": "string"
-	    },
-		...
-### v4.5.1
-[Improved]
-- scim-stream, client reconnect improvements
-### v4.5.0
-[Improved]
-- scim-stream, scimgateway now supports stream publishing mode having [SCIM Stream](https://elshaug.xyz/docs/scim-stream) as a prerequisite. In this mode, standard incoming SCIM requests from your Identity Provider (IdP) or API are directed and published to the stream. Subsequently, one of the gateways subscribing to the channel utilized by the publisher will manage the SCIM request, and response back to the publisher. Using SCIM Stream we have `egress/outbound only traffic` and get loadbalancing/failover by adding more gateways subscribing to same channel.
-- scim-stream, subscriber will do automatic retry until connected when plugin not able to connect to endpoint (offline endpoint)
-- plugin-ldap, modifyGroup now supports all attributes and not only add/remove members
-- certificate absolute path may be used in plugin configuration file instead of default relative path
-- dependencies bump
-### v4.4.6
-[Improved]
-- Some PUT logic redesign. More granularity on mulitvalues, instead of including all elements, now only those that differ are sent to modifyUser.
-### v4.4.5
-[Fixed]
-- PATCH group members=[] should remove all members
-- scim-stream modify user fix
-[Improved]
-- plugin-entra-id, plugin-scim and plugin-api having updated `REST endpoint helpers-template` that includes `tokenAuth` (now used by plugin-api). Auth PassTrhough also supported for oauth/tokenAuth endpoint
-- PUT improvements
-### v4.4.4
-[Improved]
-- New configuration: **scim.skipMetaLocation**
- true or false, default false. If set to true, `meta.location` which contains protocol and hostname from request-url, will be excluded from response e.g. `"{...,meta":{"location":"https://my-company.com/<...>"}}`. If using reverse proxy and not including headers `X-Forwarded-Proto` and `X-Forwarded-Host`, originator will be the proxy and we might not want to expose internal protocol and hostname being used by the proxy request.
-Below is an example of nginx reverse proxy configuration supporting SCIM Gateway ipAllowList and correct meta.location response:
-	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-	proxy_set_header X-Forwarded-Proto $scheme;
-	proxy_set_header X-Forwarded-Host $http_host;
-### v4.4.3
-[Improved]
-- Dependencies bump
-### v4.4.2
-[Improved]
-- scim-stream subscriber configuration have been changed:
-  old: `"convertRolesToGroups": false`
-  new: `"skipConvertRolesToGroups": false`
-  This means convert roles to groups is default behavior unless skipConvertRolesToGroups=true
-### v4.4.1
-[Improved]
-- scim-stream subscriber using latest api and some additional recovery logic
-	Prerequisite: [SCIM Stream](https://elshaug.xyz/docs/scim-stream) version > v1.0.0
-[Fixed]
-- plugin-loki was missing async await and could cause problems in some stress test use cases
-### v4.4.0
-[Improved]
-- SCIM Gateway now offers enhanced functionality with support for message subscription and automated provisioning using [SCIM Stream](https://elshaug.xyz/docs/scim-stream)
-- plugin-entra-id, plugin-scim and plugin-api having updated `REST endpoint helpers-template` to address and resolve endpoint throttling
-Note, module soap is not default included anymore. SOAP based plugins e.g., plugin-soap therefore needs `npm install soap` for including module in your package
-### v4.3.0
-[Improved]
-- configuration `scimgateway.scim.port` can now be set to 0 or removed for deactivating listener
-- configuration `cimgateway.scim.usePutSoftSync` set to `true` now includes additional logic that do not change existing user attributes not included in PUT body content
-- createUser/createGroup no longer return id if id have not been returned by plugin or by getUser filtering on userName. Previously userName was returned as id when missing plugin logic.
-- plugin-ldap supporting simpel filtering
-- plugin-loki using baseEntity configuration for supporting multi loki endpoints
-- plugin-azure-ad renamed to plugin-entra-id
-- plugin-entra-id and plugin-scim now using an updated default REST helpers-template that gives more flexible endpoint authentication support like OAuth, Basic, Bearer, custom-headers, no-auth,...
-- Dependencies bump
-### v4.2.17
-[Fixed]
-- plugin-loki incorrect unique filtering
-[Improved]
-- Dependencies bump
-### v4.2.15
-[Improved]
-- Plugin can set error statusCode returned by scimgateway through error object key `err.name`. This can be done by adding suffix `#code` to err.name where code is HTTP status code e.g., `err.name += '#401'`. This can be useful for auth.PassThrough and other scenarios like createUser where user already exist (409) and modifyUser where user does not exist (404)
-	This change replace statusCode logic introduced in v4.2.11
-### v4.2.14
-[Fixed]
-- PUT now returning 404 instead of 500 when trying to update a user/group that does not exist
-### v4.2.13
-[Fixed]
-- `/ping` now excluded from info logs. If we want ping logging, use something else than lowercase e.g., `/Ping` or `/PING`
-### v4.2.12
-[Improved]
-- Schemas, ServiceProviderConfig and ResourceType can be customized if `lib/scimdef-v2.js (or scimdef-v1.js)` exists. Original scimdef-v2.js/scimdef-v1.js can be copied from node_modules/scimgateway/lib to your plugin/lib and customized.
-### v4.2.11
-[Improved]
-Note, obsolete - see v4.2.15 comments
-- Plugin can set error statusCode returned by scimgateway through error message. Error message must then contain string `"statusCode":xxx` where xxx is HTTP status code e.g., 401. Plugin using REST will have statusCode automatically included in error message thrown by plugin. This could be useful for auth.PassThrough.
-### v4.2.10
-[Fixed]
-- plugin-ldap broken after dependencies bump of ldapjs (from 2.x.x to 3.x.x) in version 4.2.7
-### v4.2.9
-[Fixed]
-- installation require nodejs >= v.16.0.0 due to previous dependencies bump
-### v4.2.8
-[Fixed]
-- PUT did not allow group name to be modified
-### v4.2.7
-[Improved]
-- new plugin configuration **scim.usePutGroupMemberOfUser** can be set to true or false, default false. `PUT /Users/<user>` will replace user with body content. If body contains groups and usePutGroupMemberOfUser=true, groups will be set on user object (groups are member of user) instead of default user member of groups
-- plugin-forwardinc renamed to plugin-soap
-- Dependencies bump
-[Fixed]
-- plugin-azure-ad fixed some issues introduced in v4.2.4
-- plugin-mongodb fixed some issues introduced in v4.2.4
-### v4.2.6
-[Fixed]
-- cosmetics related to 401 error handling introduced in v4.2.4
-### v4.2.5
-[Fixed]
-- travis test build cosmetics
-### v4.2.4
-[Improved]
-- provided plugins now supports Auth PassThrough. See helpers methods like getClientIdentifier(), getCtxAuth() and changes in doRequest() and getServiceClient(). In general, PassThrough is supported for both basic and bearer auth. Password/secret/client_secret are then not needed in configuration file. Username may still be needed in configuration file depended on how logic is implemented (ref. mongodb/mssql) and what auth beeing used (basic/bearer). Plugin scim, api and azure-ad are all REST plugins having the same helpers (but, some minor differences to azure-ad using OAuth and the getAccessToken() method)
-### v4.2.3
-[Fixed]
-- plugin-loki and plugin-mongodb, for multi-value attributes like emails,phoneNumbers,... that includes primary attribute, only one is allowed having primary value set to true in the multi-value set.
-### v4.2.2
-[Fixed]
-- some minor SCIM protocol complient adjustments for beeing fully SCIM API complient with [https://scimvalidator.microsoft.com](https://scimvalidator.microsoft.com)
-### v4.2.1
-[Fixed]
-- plugin-azure-ad createUser failed when manager was included
-- plugin-ldap slow when not using group/groupBase configuration
-### v4.2.0
-[Improved]
-- Kubernetes health checks and shutdown handler support
-    Plugin configuration prerequisite: **kubernetes.enabled=true**
-        "kubernetes": {
-          "enabled": true,
-          "shutdownTimeout": 15000,
-          "forceExitTimeout": 1000
-        }
-    **Thanks to [@Kevin Osborn](https://github.com/osbornk)**
-### v4.1.15
-[Improved]
-- Authentication PassThrough for passing the authentication directly to plugin without being processed by scimgateway. Plugin can then pass this authentication to endpoint for avoid maintaining secrets at the gateway.
-    Plugin configuration prerequisites: **auth.passThrough.enabled=true**
-        "auth": {
-           ...
-           "passThrough": {
-             "enabled": true,
-             "readOnly": false,
-             "baseEntities": []
-           }
-           ...
-         }
-    Plugin binary prerequisites:
-        scimgateway.authPassThroughAllowed = true
-        // also need endpoint logic for handling/passing ctx.request.header.authorization
-    For upgrading existing custom plugins, above mention prerequisites needs to be included and in addition all plugin methods must include the `ctx` parameter e.g.:
-        scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx)
-        // tip, see provided example plugins
-    **Thanks to [@Kevin Osborn](https://github.com/osbornk)**
-### v4.1.14
-[Fixed]
-- Do not create logs directory or log-file when configuration `log.loglevel.file` not defined or set to `"off"`. This fix will allow SCIM Gateway to run on systems having read-only disk like Google Cloud App Engine Standard
-### v4.1.12
-[Improved]
-- Dependencies bump
-### v4.1.11
-[Fixed]
-- basic auth logon dialog should not show up when not configured
-### v4.1.10
-[Improved]
-- new plugin configuration `payloadSize`. If not defined, default "1mb" will be used. There are cases which large groups could exceed default size and you may want to increase by setting your own size e.g. "5mb"
-    **Thanks to [@Sam Murphy*](https://github.com/SamMurphyDev)**
-[Fixed]
-- using `GET /Users`, scimgateway automatically adds groups if not included by plugin. This operation calls plugin getGroups having attributes=['members.value', 'id', 'displayName']. Now, `members.value` is excluded. This attribute was in use and could cause unneeded load when having many group members.
-### v4.1.9
-[Fixed]
-- plugin-azure-ad.json configuration file introduced in v.4.1.7 was missing passwordProfile attribute mappings
-- Symantec/Broadcom/CA ConnectorXpress configuration file `config\resources\Azure - ScimGateway.xml` now using standard text on manager attribute instead of selection dialogbox.
-### v4.1.8
-[Fixed]
-- endpointMap and Symantec/Broadcom/CA ConnectorXpress configuration file `config\resources\Azure - ScimGateway.xml` introduced in v.4.1.7 had some missing logic
-### v4.1.7
-**Note, this version breaks compability with previous versions of plugin-azure-ad**
-[Improved]
-- endpointMap moved from scimgateway to plugin-azure-ad
-- plugin-azure-ad.json configuration file now includes attribute mapping giving flexibility to add or customize AAD-SCIM attribute mappings
-- Symantec/Broadcom/CA ConnectorXpress configuration file `config\resources\Azure - ScimGateway.xml` for defining the Azure endpoint, have been updated with some new attributes according to plugin-azure-ad.json attribute mappings
-### v4.1.6
-[Improved]
-- Dependencies bump
-### v4.1.5
-[Improved]
-SCIM Gateway related news:
-- [SCIM Stream](https://elshaug.xyz/docs/scim-stream) is the modern way of user provisioning letting clients subscribe to messages instead of traditional IGA top-down provisioning. SCIM Stream includes **SCIM Stream Gateway**, the next generation SCIM Gateway that supports message subscription and automated provisioning
-### v4.1.4
-[Fixed]
-- TypeConvert logic for multivalue attribute `addresses` did not correctly catch duplicate entries
-- PUT (Replace User) configuration `scim.usePutSoftsync=true` will also prevent removing any existing roles that are not included in body.roles ref. v4.1.3
-### v4.1.3
-[Fixed]
-- createUser response did not include the id that was returned by plugin
-[Improved]
-- PUT (Replace User) now includes group handling. Using configuration `scim.usePutSoftsync=true` will prevent removing any existing groups that are not included in body.groups
-    Example:
-        PUT /Users/bjensen
-        {
-          ...
-		  "groups": [
-            {"value":"Employees","display":"Employees"},
-            {"value":"Admins","display":"Admins"}
-           ],
-          ...
-        }
-### v4.1.2
-[Improved]
-- endpointMapper supporting one to many mappings using a comma separated list of attributes in the `mapTo`
-    Configuration example:
-        "map": {
-          "user": {
-            "PersonnelNumber": {
-              "mapTo": "id,userName",
-              "type": "string"
-            },
-            ...
-          }
-        }
-### v4.1.1
-[Improved]
-- plugin-ldap support userFilter/groupFilter configuration for restricting scope
-    Configuration example:
-        {
-          ...
-          "userFilter": "(memberOf=CN=grp1,OU=Groups,DC=test,DC=com)(!(memberOf=CN=Domain Admins,CN=Users,DC=test,DC=com))",
-          "groupFilter": "(!(cn=grp2))",
-          ...
-        }
-### v4.1.0
-[Improved]
-- Supporting OAuth Client Credentials authentication
-    Configuration example:
-        "bearerOAuth": [
-          {
-            "client_id": "my_client_id",
-            "client_secret": "my_client_secret",
-            "readOnly": false,
-            "baseEntities": []
-          }
-        ]
-    In example above, client using SCIM Gateway must have OAuth configuration:
-        client_id = my_client_id
-        client_secret = my_client_secret
-        token request url = http(s)://<host>:<port>/oauth/token
+This copies `index.ts`, `lib/`, and `config/` (with example plugins) into your package directory.
+### Verify the Default Loki Plugin
-### v4.0.1
-[Improved]
+```sh
+bun c:\my-scimgateway
+```
-- create user/group supporting externalId
-- plugin-restful renamed to plugin-scim
-- plugin-ldap having improved SID/GUID support for Active Directory, also supporting domain map of userPrincipalName e.g. Azure AD => Active Directory
-        "userPrincipalName": {
-           "mapTo": "userName",
-           "type": "string",
-	       "mapDomain": {
-	         "inbound": "test.onmicrosoft.com",
-	         "outbound": "my-company.com"
-        }
+Then open a browser and try:
-- postinstall copying example plugins may be skipped by setting the property `scimgateway_postinstall_skip = true` in `.npmrc` or by setting environment `SCIMGATEWAY_POSTINSTALL_SKIP = true`
-- Secrets now also support key-value storage. The key defined in plugin configuration have syntax `process.text.<path>` where `<path>` is the file which contains raw (UTF-8) character value. E.g. configuration `endpoint.password` could have value `process.text./var/run/vault/endpoint.password`, and the corresponding file contains the secret. **Thanks to [@Raymond Augé](https://github.com/rotty3000)**
+```
+# Health check
+GET http://localhost:8880/ping
+# List users and groups (basic auth: gwadmin / password)
+GET http://localhost:8880/Users
+GET http://localhost:8880/Groups
-### v4.0.0
-**[MAJOR]**
-- New `getUsers()` replacing deprecated exploreUsers(), getUser() and getGroupUsers()
-- New `getGroups()` replacing deprecated exploreGroups(), getGroup() and getGroupMembers()
-- Fully filter and sort support
-- Authentication configuration may now include a baseEntities array containing one or more `baseEntity` allowed for corresponding admin user
-- New plugin-mongodb, **Thanks to [@Filipe Ribeiro](https://github.com/fribeiro-keeps) and [@Miguel Ferreira](https://github.com/jmaferreira) (KEEP SOLUTIONS)**
+# Real-time remote log monitoring
+http://localhost:8880/logger
-Note, using this major version **require existing custom plugins to be upgraded**. If you do not want to upgrade your custom plugins, the old version have to be installed using: `npm install scimgateway@3.2.11`
+# Fetch a specific user or group
+GET http://localhost:8880/Users/bjensen
+GET http://localhost:8880/Groups/Admins
-How to upgrade your custom plugins:
+# Filter examples
+GET http://localhost:8880/Users?filter=userName eq "bjensen"
+GET http://localhost:8880/Users?filter=emails.value co "@example.com"&attributes=userName,name.familyName,emails&sortBy=name.familyName&sortOrder=descending
+GET http://localhost:8880/Groups?filter=displayName eq "Admins"&excludedAttributes=members
+GET http://localhost:8880/Groups?filter=members.value eq "bjensen"&attributes=id,displayName,members.value
+```
-	Replace: scimgateway.exploreUsers = async (baseEntity, attributes, startIndex, count) => {
-	With: scimgateway.getUsers = async (baseEntity, getObj, attributes) => {
+Press `Ctrl+C` to stop.
-See comments in provided plugins regarding the new `getObj`. Also note that `attributes` is now an array and not a comma separated string like previous versions
+> Using **Node.js**, the startup command is: `node --import=tsx ./index.ts`
-In the very beginning, add:
+### Upgrading
-	  // mandatory if-else logic - start
-	  if (getObj.operator) {
-	    if (getObj.operator === 'eq' && ['id', 'userName', 'externalId'].includes(getObj.attribute)) {
-	      // mandatory - unique filtering - single unique user to be returned - correspond to getUser() in versions < 4.x.x
-	    } else if (getObj.operator === 'eq' && getObj.attribute === 'group.value') {
-	      // optional - only used when groups are member of users, not default behavior - correspond to getGroupUsers() in versions < 4.x.x
-	      throw new Error(`${action} error: not supporting groups member of user filtering: ${getObj.rawFilter}`)
-	    } else {
-	      // optional - simpel filtering
-	      throw new Error(`${action} error: not supporting simpel filtering: ${getObj.rawFilter}`)
-	    }
-	  } else if (getObj.rawFilter) {
-	    // optional - advanced filtering having and/or/not - use getObj.rawFilter
-	    throw new Error(`${action} error: not supporting advanced filtering: ${getObj.rawFilter}`)
-	  } else {
-	    // mandatory - no filtering (!getObj.operator && !getObj.rawFilter) - all users to be returned - correspond to exploreUsers() in versions < 4.x.x
-	  }
-	  // mandatory if-else logic - end
+The recommended approach is to rename the old package folder, do a fresh install, then copy your customized `index.ts`, `config/`, and `lib/` from the previous install.
+```sh
+# Minor upgrade
+bun install scimgateway
-In the new getUsers() replacing exploreUsers() "as-is", we then need some logic in the last "else" statement listed above.
-We also need to add logic from existing getGroup() and getGroupMembers()
-**Please have a look at provieded plugins to see different ways of doing this logic.**
+# Major upgrade (may break existing plugins — review change log first)
+bun install scimgateway@latest
+```
+**Excluding example plugins in production:** Bun skips `postinstall` unless you run `bun pm trust scimgateway`. For npm or Node.js environments, set `scimgateway_postinstall_skip = true` in `.npmrc` or the environment variable `SCIMGATEWAY_POSTINSTALL_SKIP=true`.
-	Replace: scimgateway.exploreGroups = async (baseEntity, attributes, startIndex, count) => {
-	With: scimgateway.getGroups = async (baseEntity, getObj, attributes) => {
+---
-In the very beginning, add:
+## Configuration
-	  // mandatory if-else logic - start
-	  if (getObj.operator) {
-	    if (getObj.operator === 'eq' && ['id', 'displayName', 'externalId'].includes(getObj.attribute)) {
-	      // mandatory - unique filtering - single unique user to be returned - correspond to getUser() in versions < 4.x.x
-	    } else if (getObj.operator === 'eq' && getObj.attribute === 'members.value') {
-	      // mandatory - return all groups the user 'id' (getObj.value) is member of - correspond to getGroupMembers() in versions < 4.x.x
-	      // Resources = [{ id: <id-group>> , displayName: <displayName-group>, members [{value: <id-user>}] }]
-	    } else {
-	      // optional - simpel filtering
-	      throw new Error(`${action} error: not supporting simpel filtering: ${getObj.rawFilter}`)
-	    }
-	  } else if (getObj.rawFilter) {
-	    // optional - advanced filtering having and/or/not - use getObj.rawFilter
-	    throw new Error(`${action} error: not supporting advanced filtering: ${getObj.rawFilter}`)
-	  } else {
-	    // mandatory - no filtering (!getObj.operator && !getObj.rawFilter) - all groups to be returned - correspond to exploreGroups() in versions < 4.x.x
-	  }
-	  // mandatory if-else logic - end
+### Entry Point — `index.ts`
+`index.ts` defines which plugins to start:
-In the new getGroups() replacing exploreGroups() "as-is", we then need some logic in the last "else" statement listed above.
-We also need to add logic from existing getGroup() and getGroupMembers()
-**Please have a look at provieded plugins to see different ways of doing this logic.**
+```ts
+// Start one or more plugins:
+import './lib/plugin-entra-id.ts'
+export {}
+```
+### Plugin File Naming
-    Delete deprecated exploreUsers(), getUser(), getGroupUsers(), exploreGroups(), getGroup() and getGroupMembers()
+Each plugin requires a TypeScript file and a JSON configuration file sharing the same name prefix:
+```
+lib/plugin-entra-id.ts
+config/plugin-entra-id.json
+```
-### v3.2.11
-[Fixed]
+The JSON file has two top-level objects:
-- errorhandling related to running scimgateway as unikernel
+```json
+{
+  "scimgateway": { ... },
+  "endpoint": { ... }
+}
+```
-### v3.2.10
-[Fixed]
+`scimgateway` holds gateway core settings (port, auth, logging, TLS). `endpoint` holds plugin-specific connection details (host, credentials, mappings).
-- for SCIM 2.0 exploreUsers/exploreGroups now includes schemas/resourceType on each object in the Resources response. This may be required by som IdP's.
+---
-[Improved]
-- Dependencies bump
+### Core Options
+| Option | Type | Default | Description |
+|---|---|---|---|
+| `port` | number | — | Port the gateway listens on |
+| `localhostonly` | boolean | false | Accept requests only from `127.0.0.1` |
+| `chainingBaseUrl` | string | — | Route requests to another gateway (`http(s)://host:port`) |
+| `idleTimeout` | number | 120 | Seconds before an idle connection is dropped |
+| `scim.version` | string | `"2.0"` | SCIM protocol version: `"1.1"` or `"2.0"` |
+| `scim.skipTypeConvert` | boolean | false | Pass multivalue attributes as-is instead of type-converted objects |
+| `scim.skipMetaLocation` | boolean | false | Omit `meta.location` from responses (useful behind a reverse proxy) |
+| `scim.groupMemberOfUser` | boolean | false | Keep `groups` on the user object instead of managing group membership via `modifyGroup` |
+| `scim.usePutSoftSync` | boolean | false | `PUT` replaces only the attributes in the body; existing attributes are preserved |
+**Logging options (`log.*`):**
+| Option | Values | Default | Description |
+|---|---|---|---|
+| `log.loglevel.file` | off, debug, info, warn, error | off | Log level for the plugin log file |
+| `log.loglevel.console` | off, debug, info, warn, error | off | Log level for stdout/stderr |
+| `log.loglevel.push` | debug, info, warn, error | info | Log level for the remote real-time subscriber |
+| `log.logDirectory` | path | `<package>/logs` | Override the default log directory |
+| `log.customMasking` | string[] | `[]` | Additional attribute names to mask in logs, e.g. `["SSN", "weight"]` |
+| `log.colorize` | boolean | true | Colorized console output; set false for plain JSON |
+| `log.maxSize` | number | 20 | Max log file size in MB |
+| `log.maxFiles` | number | 5 | Number of rotated log files to keep |
+**`scim.skipTypeConvert` example:**
+With `skipTypeConvert: false` (default), emails are converted to type-keyed objects:
+```json
+"emails": {
+  "work": { "value": "jsmith@example.com", "type": "work" },
+  "home": { "value": "", "type": "home", "operation": "delete" }
+}
+```
-### v3.2.9
-[Fixed]
+With `skipTypeConvert: true`, the array is passed as-is:
-- plugin-loki pagination fix
+```json
+"emails": [
+  { "value": "jsmith@example.com", "type": "work" },
+  { "value": "john.smith.org", "type": "home", "operation": "delete" }
+]
+```
-### v3.2.8
-[Fixed]
+---
-- plugin-ldap `objectGUID` introduced in v.3.2.7 had some missing logic
+### Authentication
-### v3.2.7
-[Improved]
+The `auth` object supports multiple concurrent methods. Set any admin user to `null` to disable that method. Each entry supports:
-- plugin-ldap supports using Active Directory `objectGUID` instead of `dn` mapped to `id`
-  configuration example:
-        "objectGUID": {
-          "mapTo": "id",
-          "type": "string"
-        }
+- `readOnly` — if `true`, only `GET` requests are allowed
+- `baseEntities` — restrict this credential to specific baseEntity values (empty array = all)
-[Fixed]
+#### Basic Authentication
-- Return 500 on GET handler error instead of 404
-  **Thanks to [@Nipun Dayanath](https://github.com/nipund)**
-- createUser/createRole response now includes id retrieved by getUser/getRole instead of using posted userName/displayName value
+```json
+"auth": {
+  "basic": [
+    {
+      "username": "gwadmin",
+      "password": "password",
+      "readOnly": false,
+      "baseEntities": []
+    }
+  ]
+}
+```
-### v3.2.6
-[Fixed]
+Cleartext passwords are encrypted on first gateway start.
-- bearerJwt authentication missing public key handling
-- plugin-azure-ad getGroup did not return all members when group had more than 100 members (Azure page size is 100). getGroup now using paging
+#### Bearer Token (Shared Secret)
-### v3.2.5
-[Fixed]
+```json
+"bearerToken": [
+  {
+    "token": "my-shared-secret",
+    "readOnly": false,
+    "baseEntities": []
+  }
+]
+```
-- default "type converted object" logic may fail on requests that includes a mix of type and blank type. Now blank type will be converted to type "undefined", and all types must be unique within the same request. "type converted object" logic can be turned off by configuration `scim.skipTypeConvert = true`
-- plugin-loki supporting type = "undefined"
+Supported by Entra ID provisioning. The token is encrypted on first start.
-[Improved]
+#### JWT (Standard)
-- new configuration `scim.skipTypeConvert` allowing overriding the default behaviour "type converted object" when set to true. See attribute list for details
-- `scimgateway.isMultivalue` used by plugin-loki have been changed, and **custom plugins using this method must be updated**
-        old syntax:
-        scimgateway.isMultivalue('User', key)
+```json
+"bearerJwt": [
+  {
+    "secret": null,
+    "publicKey": "jwt-public-key.pem",
+    "wellKnownUri": null,
+    "azureTenantId": null,
+    "options": {
+      "issuer": "https://my-idp.example.com"
+    },
+    "readOnly": false,
+    "baseEntities": []
+  }
+]
+```
-        new syntax:
-        scimgateway.isMultiValueTypes(key)
+- `secret` — HMAC shared secret (encrypted on start)
+- `publicKey` — filename of a PEM file in `config/certs/`
+- `wellKnownUri` — JWKS discovery URL, e.g. `https://keycloak.example.com/realms/my-realm/.well-known/openid-configuration`
+- `azureTenantId` — Entra ID tenant ID; enables Entra-initiated provisioning using JWT validation
-### v3.2.4
-[Fixed]
+For Entra ID apps accessing the gateway:
-- plugin-loki some code cleanup
+```json
+"wellKnownUri": "https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration",
+"options": { "audience": "{application-id}" }
+```
-### v3.2.3
-[Fixed]
+#### OAuth Client Credentials
-- PUT was not according to the SCIM specification
-- plugin-mssql broken after dependencies bump v3.1.0
-- plugin-loki getUser using `find` instead of `findOne` to ensure returning unique user
+```json
+"bearerOAuth": [
+  {
+    "clientId": "my-client-id",
+    "clientSecret": "my-client-secret",
+    "readOnly": false,
+    "baseEntities": []
+  }
+]
+```
-### v3.2.2
-[Fixed]
+Clients request a token from `POST /oauth/token` (e.g. `http://localhost:8880/oauth/token`).
-- plugins missing logic for handling the virtual readOnly user attribute `groups` (when `"user member of groups"`) e.g. GET /Users/bjensen should return all user attributes including the virtual `groups` attribute. Now this user attribute will be automatically handled by scimgateway if not included in the plugin response.
-- Pre and post actions onAddGroups/onRemoveGroups introduced in v.3.2.0 has been withdrawn
+#### Authentication PassThrough
-[Improved]
+```json
+"passThrough": {
+  "enabled": true,
+  "readOnly": false,
+  "baseEntities": []
+}
+```
-- scimgateway will do plugin response filtering according to requested attributes/excludedAttributes
+The gateway forwards the raw `Authorization` header to the plugin. The plugin must set `scimgateway.authPassThroughAllowed = true` and implement its own auth handling against the endpoint.
+---
-### v3.2.1
-[Fixed]
+### IP Allow List
-- plugin-azure-ad updating businessPhones (Office phone) broken after v3.2.0
-- plugin-azure-ad listing groups for user did also include Azure roles
-- SCIM v2.0 none core schema attributes handling
-- response not always including correct schemas
+Restrict incoming traffic to specific subnets (CIDR notation). Useful for Entra ID provisioning where you want to accept traffic only from Azure IP ranges:
-[Improved]
+```json
+"ipAllowList": [
+  "13.64.151.161/32",
+  "13.66.141.64/27",
+  "2603:1056:2000::/48"
+]
+```
-- roles now using array instead of objects based on type. **Note, this may break your custom plugins if roles logic are in use**
+> Azure IP ranges can be downloaded from [azureipranges.azurewebsites.net](https://azureipranges.azurewebsites.net) — search for `AzureActiveDirectory` and copy the `addressPrefixes` array.
-### v3.2.0
-[Improved]
+When running behind a load balancer or reverse proxy, the proxy must include the client IP in the `X-Forwarded-For` header.
-- ipAllowList for restricting access to allowlisted IP addresses or subnets e.g. Azure AD IP-range
-	Configuration example:
-        "ipAllowList": [
-          "13.66.60.119/32",
-          "13.66.143.220/30",
-          ...
-          "2603:1056:2000::/48",
-          "2603:1057:2::/48"
-        ]
+---
-- Example plugins now configured for SCIM v2.0 instead of v1.1
+### TLS & Certificates
-	New configuration:
-	    "scim": {
-            "version": "2.0"
-	    }
-	Old configuration:
-	    "scim": {
-            "version": "1.1"
-	    }
+#### Using PEM files
+```json
+"certificate": {
+  "key": "key.pem",
+  "cert": "cert.pem",
+  "ca": "ca.pem"
+}
+```
-### v3.1.0
-[Improved]
+Files must be in `config/certs/` or use absolute paths. For multiple CAs: `"ca": ["ca1.pem", "ca2.pem"]`.
-- plugin-ldap a general LDAP plugin pre-configured for Microsoft Active Directory. Using endpointMapper logic (like plugin-azure-ad) for attribute flexibility
-- Pre and post actions onAddGroups/onRemoveGroups can be configured and needed logic to be  defined in plugin method `pre_post_Action`
-- Dependencies bump
+**Generate a self-signed certificate:**
-### v3.0.8
-[Fixed]
+```sh
+openssl req -nodes -newkey rsa:2048 -x509 -sha256 -days 3650 \
+  -keyout key.pem -out cert.pem \
+  -subj "/O=My Company/OU=Application/CN=SCIM Gateway" \
+  -addext "subjectAltName=DNS:localhost,DNS:127.0.0.1,DNS:*.mycompany.com" \
+  -addext "extendedKeyUsage=serverAuth" \
+  -addext "keyUsage=digitalSignature"
+```
-- plugin-azure-ad delete account fails in v3.x
+#### Using PFX / PKCS#12
-### v3.0.7
-[Fixed]
+```json
+"pfx": {
+  "bundle": "certbundle.pfx",
+  "password": "password"
+}
+```
-- Using proxy configuration broken in v3.x
+> If communicating over localhost only (e.g. gateway installed directly on the provisioning server), you can skip TLS and use `http://localhost:<port>` with `"localhostonly": true`.
-### v3.0.6
-[Fixed]
+#### No TLS
-- Dependencies bump
+```json
+"certificate": {
+  "key": null,
+  "cert": null,
+  "ca": null
+}
+```
-### v3.0.4
-[Improved]
+---
-- Pagination request having startIndex but no count, now sets count to default 200 and may be overridden by plugin.
+### Email Notifications
-### v3.0.3
-[Fixed]
+The `email` section supports alerting on errors and sending mail from plugin code via `scimgateway.sendMail()`.
-- GET /Users?startIndex=1&count=100 with no attributes filter included did not work
+#### Microsoft Exchange Online (OAuth)
-### v3.0.2
-[Fixed]
+```json
+"email": {
+  "auth": {
+    "type": "oauth",
+    "options": {
+      "azureTenantId": "<tenant-id>",
+      "clientId": "<client-id>",
+      "clientSecret": "<client-secret>"
+    }
+  },
+  "emailOnError": {
+    "enabled": true,
+    "from": "noreply@example.com",
+    "to": "ops-team@example.com",
+    "cc": null,
+    "subject": "SCIM Gateway error",
+    "sendInterval": 15
+  }
+}
+```
-- SCIM v2.0 PUT did not work.
+**Entra ID requirements:**
+1. Grant the application permission `Mail.Send`
+2. Restrict which mailboxes the app can send from via an Exchange `ApplicationAccessPolicy`:
-### v3.0.1
-[Improved]
+```powershell
+Install-Module -Name ExchangeOnlineManagement
+Connect-ExchangeOnline
-- getApi supports body (apiObj).
+New-ApplicationAccessPolicy `
+  -AppId <AppClientID> `
+  -PolicyScopeGroupId <MailEnabledSecurityGroupId> `
+  -AccessRight RestrictAccess `
+  -Description "Restrict app to specific mailboxes"
+```
-	Old syntax:
-	    scimgateway.getApi = async (baseEntity, id, apiQuery) => {
-	New syntax:
-	    scimgateway.getApi = async (baseEntity, id, apiQuery, apiObj) => {
+#### Google Workspace Gmail (OAuth)
+```json
+"email": {
+  "auth": {
+    "type": "oauth",
+    "options": {
+      "serviceAccountKeyFile": "google-service-account.json"
+    }
+  },
+  "emailOnError": {
+    "enabled": true,
+    "from": "sender@example.com",
+    "to": "ops@example.com"
+  }
+}
+```
-### v3.0.0
-**[MAJOR]**
+**Google setup:**
+1. [Google Cloud Console](https://console.cloud.google.com): create a Service Account → download the JSON key
+2. [Google Admin](https://admin.google.com): Security → API controls → Domain Wide Delegation → add Client ID with scope `https://www.googleapis.com/auth/gmail.send`
+3. Ensure `from` address has a Google Workspace license
+#### SMTP Auth
+```json
+"email": {
+  "auth": {
+    "type": "smtp",
+    "options": {
+      "host": "smtp.gmail.com",
+      "port": 587,
+      "username": "user@gmail.com",
+      "password": "app-password"
+    }
+  },
+  "emailOnError": {
+    "enabled": true,
+    "to": "ops@example.com"
+  }
+}
+```
-- getUser/getGroup now using parameter getObj giving more flexibility
-- deprecated modifyGroupMembers - now using modifyGroup
-- deprecated configuration `scimgateway.scim.customUniqueAttrMapping` - replaced by getObj logic
-- loglevel=off turns of logging
-- Auth methods allowing more than one user/object including option for readOnly
-- Includes latest versions of module dependencies
+---
-**[UPGRADE]**
+### Azure Relay
-Note, this is a major upgrade (^2.x.x => ^3.x.x) that will brake compatibility with any existing custom plugins. To force a major upgrade, suffix `@latest` must be include in the npm install command, but it's recommended to do a fresh install and copy any custom plugins instead of upgrading an existing package
+Azure Relay lets the gateway listen for inbound SCIM requests over an outbound HTTPS/443 connection — no inbound firewall rules required.
-Old syntax:
+**Cost:** ~$10/month per Hybrid Connection listener.
-    scimgateway.getUser = async (baseEntity, userName, attributes) => {
-    scimgateway.getGroup = async (baseEntity, displayName, attributes) => {
-    scimgateway.modifyGroupMembers = async (baseEntity, id, members) => {
+**Azure setup:**
+1. Create a Relay namespace in Azure → create a Hybrid Connection entity (one per plugin)
+2. Leave **Requires Client Authorization** unchecked unless your IdP includes a SAS token
+3. Copy the primary key from Shared Access Policies → RootManageSharedaccessKey
-New syntax:
+**Plugin configuration:**
-    scimgateway.getUser = async (baseEntity, getObj, attributes) => {
-      const userName = getObj.identifier // gives v2.x compatibility
+```json
+"azureRelay": {
+  "enabled": true,
+  "connectionUrl": "https://<namespace>.servicebus.windows.net/<hybrid-connection>",
+  "apiKey": "<primary-key>",
+  "keyRule": "RootManageSharedaccessKey"
+}
+```
-    scimgateway.getGroup = async (baseEntity, getObj, attributes) => {
-      const displayName = getObj.identifier // gives v2.x compatibility
+The `connectionUrl` becomes the SCIM base URL. Examples:
-    scimgateway.modifyGroup = async (baseEntity, id, attrObj) => {
-      // attrObj.members corresponds to members in deprecated modifyGroupMembers
+```
+GET https://<namespace>.servicebus.windows.net/<hybrid-connection>/Users
+GET https://<namespace>.servicebus.windows.net/<hybrid-connection>/<baseEntity>/Users
+```
-getUser comments:
-getObj = `{ filter: <filterAttribute>, identifier: <identifier> }`
-e.g: getObj = `{ filter: 'userName', identifier: 'bjensen'}`
-filter: userName and id must be supported
+Multiple gateway instances sharing the same `connectionUrl` will round-robin load-balance.
-getGroup comments:
-getObj = `{ filter: <filterAttribute>, identifier: <identifier> }`
-e.g: getObj = `{ filter: 'displayName', identifier: 'GroupA' }`
-filter: displayName and id must be supported
+> Azure Relay does not support remote log subscription.
-**Please see provided example plugins**
+---
-Using the new getObj parameter gives more flexibility in the way of lookup a user e.g:
-`http://localhost:8880/Users?filter=emails.value eq "jsmith@example.com"&attributes=userName,name.givenName`
-getObj = `{ filter: 'emails.value', identifier: 'jsmith@example.com'}`
-attributes = `'userName,name.givenName'`
+### Secrets from External Sources
-Configuration file, auth settings have changed and now using arrays allowing more than one user/object to be set. `"readOnly": true` can also be set for allowing read only access for a spesific user (does not apply to bearerJwtAzure).
+All configuration values can be sourced from environment variables, external JSON files, or plain text files. This supports secret managers and Kubernetes secrets.
-New syntax is:
+**From environment variables:**
-    "auth": {
-      "basic": [
-        {
-          "username": "gwadmin",
-          "password": "password",
-          "readOnly": false
-        }
-      ],
-      "bearerToken": [
-        {
-          "token": null,
-          "readOnly": false
-        }
-      ],
-      "bearerJwtAzure": [
-        {
-          "tenantIdGUID": null
-        }
-      ],
-      "bearerJwt": [
-        {
-          "secret": null,
-          "publicKey": null,
-          "options": {
-            "issuer": null
-          },
-          "readOnly": false
-        }
-      ]
-    }
+```json
+"port": "process.env.PORT",
+"log": { "loglevel": { "file": "process.env.LOG_LEVEL_FILE" } }
+```
+**From a shared JSON file** (dot-notation keyed by plugin name):
-### v2.1.13
-[Fixed]
+```json
+"username": "process.file./var/run/vault/secrets.json"
+```
-- Plugin configuration referring to an external configuration file using an array did not work.
+Where `secrets.json` contains:
-### v2.1.11
-[Fixed]
+```json
+{
+  "plugin-soap.scimgateway.auth.basic[0].username": "gwadmin",
+  "plugin-soap.scimgateway.auth.basic[0].password": "password",
+  "plugin-soap.endpoint.username": "superuser",
+  "plugin-soap.endpoint.password": "secret"
+}
+```
-- Log masking of xml (SOAP) messages.
+**From a single-value text file:**
+```json
+"secret": "process.text./var/run/vault/jwt.secret"
+```
-### v2.1.10
-[Improved]
+Where the file contains the raw value: `thisIsSecret`
-- Log masking of custom defined attributes.
-  customMasking may include an array of attributes to be masked
-  e.g. `"customMasking": ["SSN", "weight"]`
-- Note, configurationfiles must be changed (old syntax still supported)
-  old syntax:
+> Set the environment variable `SEED` to a random string to override default password seeding. This also lets you copy an encrypted configuration file between machines.
-        "loglevel": {
-          "file": "debug",
-          "console": "error"
-        },
-  new syntax:
+---
-        "log": {
-          "loglevel": {
-            "file": "debug",
-            "console": "error"
-          },
-          "customMasking": []
-        },
-  By default SCIM Gateway includes masking of standard attributes like password
+### Remote Log Subscription
-### v2.1.9
-[Fixed]
+Stream real-time logs from the gateway to a browser, curl, or custom client.
-- AAD as IdP broken after content-type validation introduced in v2.1.7
-- AAD as IdP, none gallery app support
-- Incorrect SCIM 2.0 multivalue converting
-- plugin-saphana not correctly ported to v2.x
+**Browser:** `https://<host>/logger`
-**Thanks to Luca Moretto**
+**curl:**
-### v2.1.8
-[Fixed]
+```sh
+curl -Ns http://localhost:8880/logger -u gwadmin:password | awk '
+/^data: / {sub(/^data: /,""); printf "%s", $0; last=1; next}
+/^$/ {if (last) print ""; last=0}
+'
+```
-- plugin-mssql not correctly ported to v2.x, and some config syntax for this plugin have also changed in newer releases of dependencies.
+**Custom client (TypeScript/Bun):**
-### v2.1.7
-[Fixed]
+```ts
+const username = "gwadmin"
+const password = "password"
+const url = "http://localhost:8880/logger"
-- Validates content-type when body is included
-- Case insensitive log-masking
-- Plugins now don't using deprecated `url.parse`
-- Misc cosmetics e.g. using const instead of let when not reassigned
+const headers = new Headers({
+  Authorization: "Basic " + btoa(`${username}:${password}`),
+  Accept: "text/event-stream"
+})
-### v2.1.6
-[Fixed]
+// message handling and custom logic
+const messageHandler = async (message: string) => {
+  console.log(message)
+}
-- plugin-azure-ad did not return correct error code (`err.name = 'DuplicateKeyError'`) when failing on creating a duplicate user
+async function startup() {
+  while (true) {
+    try {
+      const resp = await fetch(url, { headers })
+      if (!resp.ok || !resp.body) {
+        console.error(`❌ Response error: ${resp.status} ${resp.statusText}`)
+        await Bun.sleep(10_000)
+        continue
+      }
+      console.log('✅ Connected — awaiting log events...\n')
+      const reader = resp.body.pipeThrough(new TextDecoderStream()).getReader()
+      while (true) {
+        const { value, done } = await reader.read()
+        if (done) break
+        if (!value.startsWith('data: ')) continue
+        const i = value.indexOf("\n\n")
+        if (i < 1) continue
+        messageHandler(value.slice(6, i))
+      }
+      console.error("⚠️ Connection closed")
+      await Bun.sleep(10_000)
+    } catch (err: any) {
+      console.error("❌ Connection error:", err?.message || err)
+      await Bun.sleep(10_000)
+    }
+  }
+}
-[Improved]
+startup()
+```
-- Includes latest versions of module dependencies
+Set a dedicated read-only credential for log collection:
+```json
+"auth": {
+  "basic": [
+    { "username": "gwadmin", "password": "password", "readOnly": false },
+    { "username": "gwread",  "password": "password", "readOnly": true  }
+  ],
+  "bearerToken": [
+    { "token": "log-secret", "readOnly": true }
+  ]
+}
+```
-### v2.1.4
-[Fixed]
+Set push log level (default `info`):
-- Incorrect SCIM 2.0 error handling after v2.1.0
-- For duplicate key error, setting `err.name = 'DuplicateKeyError'` now gives correct status code 409 instead of defult 500 (see plugin-loki.js)
+```json
+"log": { "loglevel": { "push": "debug" } }
+```
-### v2.1.3
-[Fixed]
+You can also scope log output to a specific `baseEntity`: `https://<host>/<baseEntity>/logger`
-- Standardized the API Gateway response (not SCIM related)
-- Not allowing plugins to return password
-- Colorize option now automatically turned off when using stdout/stderr redirect (configuration file `loglevel.colorize` is not needed)
+---
-### v2.1.2
-[Fixed]
+### Gateway Chaining
-- SCIM 2.0 may use Operations.value as array and none array (issue #16)
+Chain multiple gateways: `gateway1 → gateway2 → gateway3 → endpoint`. Each gateway validates authorization and forwards the request unless PassThrough is enabled.
-[Improved]
+**gateway1 configuration:**
-- Option for replacing mandatory userName/displayName attribute by configuring customUniqueAttrMapping
-- Includes latest versions of module dependencies
+```json
+{
+  "scimgateway": {
+    "chainingBaseUrl": "https://gateway2:8880",
+    "auth": {
+      "passThrough": {
+        "enabled": false
+      }
+    }
+  }
+}
+```
-### v2.1.1
-[Fixed]
+In chaining mode the plugin binary is only used for initialization. You can simplify the plugin to the mandatory section only:
-- SCIM 2.0 may use Operations.value or Operation.value[] for PATCH syntax of the name object (issue #14)
-- plugin-loki failed to modify a none existing object, e.g name object not included in Create User
+```ts
+// start - mandatory plugin initialization
+import { ScimGateway } from 'scimgateway'
+const scimgateway = new ScimGateway()
+const config = scimgateway.getConfig()
+scimgateway.authPassThroughAllowed = true // and configuration file having: scimgateway.auth.passThrough=true
+scimgateway.pluginAndOrFilterEnabled = false
+// end - mandatory plugin initialization
+```
-### v2.1.0
-[Improved]
+---
-- Custom schema attributes can be added by plugin configuration `scim.customSchema` having value set to filename of a JSON schema-file located in `<package-root>/config/schemas`
+### HelperRest
-**[UPGRADE]**
+`HelperRest` provides a unified REST client for plugins with built-in support for authentication, retries, failover, and proxies.
-- Configurationfiles for custom plugins should be changed
-  old syntax:
+```ts
+helper.doRequest(baseEntity, method, path, body?, ctx?, options?)
+```
-        "scimversion": "1.1",
-  new syntax:
+- `baseEntity` — `'undefined'` if not used; must match a key in `endpoint.entity`
+- `method` — `GET`, `POST`, `PATCH`, `PUT`, `DELETE`
+- `path` — full URL or path appended to `baseUrl`
+- `body` — optional request body
+- `ctx` — optional, passes the `Authorization` header for PassThrough auth
+- `options` — optional overrides for connection settings
+**Endpoint connection structure:**
+```json
+"endpoint": {
+  "entity": {
+    "undefined": {
+      "connection": {
+        "baseUrls": ["https://api.example.com"],
+        "auth": {
+          "type": "basic|oauth|token|bearer|oauthSamlBearer|oauthJwtBearer",
+          "options": { ... }
+        },
+        "options": {
+          "headers": {},
+          "tls": {} // // files located in ./config/certs
+        },
+        "proxy": {}
+      }
+    }
+  }
+}
+```
-		"scim": {
-	      "version": "1.1",
-	      "customSchema": null
-	    },
-Note, "1.1" is default, if using "2.0" the new syntax must be used.
+#### Basic Auth
+```json
+"connection": {
+  "baseUrls": ["https://localhost:8880"],
+  "auth": {
+    "type": "basic",
+    "options": {
+      "username": "gwadmin",
+      "password": "password"
+    }
+  },
+  "options": {
+    "tls": { "rejectUnauthorized": false, "ca": "ca.pem" }
+  }
+}
+```
-### v2.0.2
-[Fixed]
+#### Entra ID — Client Secret
+```json
+"connection": {
+  "baseUrls": [],
+  "auth": {
+    "type": "oauth",
+    "options": {
+      "azureTenantId": "<tenant-id>",
+      "clientId": "<client-id>",
+      "clientSecret": "<client-secret>"
+    }
+  }
+}
+```
-- SCIM 2.0 incorrect response for user not found
-- Did not mask logentries ending with newline
+#### Entra ID — Certificate Secret
+```json
+"connection": {
+  "baseUrls": [],
+  "auth": {
+    "type": "oauthJwtBearer",
+    "options": {
+      "azureTenantId": "<tenant-id>",
+      "clientId": "<client-id>",
+      "tls": {
+        "key": "key.pem",
+        "cert": "cert.pem"
+      }
+    }
+  }
+}
+```
+#### Entra ID — Federated Credentials (no secrets)
+```json
+"connection": {
+  "baseUrls": [],
+  "auth": {
+    "type": "oauthJwtBearer",
+    "options": {
+      "azureTenantId": "<tenant-id>",
+      "fedCred": {
+        "issuer": "<https://FQDN-scimgateway>", // https://scimgateway.my-company.com
+        "subject": "<entra-application-object-id>",
+        "name": "<entra-fed-cred-unique-name>" // plugin-entra-id
+      }
+    }
+  }
+}
+```
-### v2.0.0
-**[MAJOR]**
+> The `issuer`, `subject`, and `name` must match the Federated Credentials configured in Entra ID (scenario: "Other issuer"). The gateway must be reachable from the internet at the `issuer` URL, or use Azure Relay for outbound-only communication.
-- Codebase moved from callback to async/await
-- Koa replacing Express
-- Some log enhancements
-- Deprecated cipher methods have been replaced
-- Plugin restful (REST) and
-- forwardinc (SOAP) includes failover logic based on endpoints defined in array baseUrls/baseServiceEndpoints.
+#### General OAuth (Client Credentials)
-**[UPGRADE]**
+```json
+"connection": {
+  "baseUrls": ["https://api.example.com"],
+  "auth": {
+    "type": "oauth",
+    "options": {
+      "tokenUrl": "https://idp.example.com/oauth/token",
+      "clientId": "<client-id>",
+      "clientSecret": "<client-secret>"
+    }
+  }
+}
+```
-Note, this is a major upgrade (^1.x.x => ^2.x.x) and will brake compatibility with any existing custom plugins. To force a major upgrade, suffix `@latest` must be include in the npm install command, but it's recommended to do a fresh install and copy any custom plugins instead of upgrading an existing package
+Use VS Code IntelliSense on `HelperRest.doRequest()` for full type and option documentation.
-	cd c:\my-scimgateway
-	npm install scimgateway@latest
+---
-Custom plugins needs some changes (please see included example plugins)
+### Single Binary Deployment
-- `scimgateway.on(xxx, function (..., callback)` replaced with `scimgateway.xxx = async (...)` returning a result or throwing an error
-- Rest and SOAP using `doRequest` method having endpoint failover logic through array `baseUrls/baseServiceEndpoints` defined in corresponding plugin configuration file.
-- Additional argument `attributes` included in exploreUsers and exploreGroups method
-- Proxy configuration includes option for user/password
-- Encrypted passwords in configuration files needs to be reset to clear text passwords
+Compile a plugin to a self-contained native binary (no Bun/Node runtime required):
+```sh
+cd my-scimgateway
-### v1.0.20
-[Fixed]
+bun build --compile ./lib/plugin-loki.ts \
+  --target=bun-darwin-arm64 \
+  --outfile ./build/plugin-loki
-- HTTP status code 200 and totalResults set to value of 0 when using SCIM 2.0 filter user/group and no resulted user/group found. SCIM 1.1 still using  status code 404.
+# See https://bun.sh/docs/bundler/executables#cross-compile-to-other-platforms for all targets
-**[UPGRADE]**
+cp -r ./config ./build
-- For custom plugins to be compliant with SCIM 2.0, the `getUser` and `getGroup` methods needs to be updated. If user/group not found then return `callback(null, null)` instead of callback(err)
+cd build
+./plugin-loki   # binary name must match the config file prefix
+```
+The `config/` directory must be in the same folder as the binary.
-### v1.0.19
-[Fixed]
+---
-- Fix related to external configuration (ref. v1.0.18) when running multiple plugins
+## Running the Gateway
-### v1.0.18
-[Improved]
+### Manual Startup
-- Includes latest versions of module dependencies
-- Loglevel configuration for file and console now separated
-- Loglevel colorize option (value false could be useful when redirecting console output)
-- All configuration can be set based on environment variables
-- All configuration can be set based on correspondig json-content in external file (supports also dot notation)
+```sh
+# All three are equivalent:
+bun c:\my-scimgateway
+bun c:\my-scimgateway\index.ts
+bun . # from the package root
+```
-**[UPGRADE]**
+Press `Ctrl+C` to stop.
-- Configurationfiles for custom plugins should be changed
-  old syntax:
+### Windows Task Scheduler
-        loglevel: "debug"
-  new syntax:
+Open Task Scheduler (`taskschd.msc`), right-click "Task Scheduler Library" → "Create Task":
-        "loglevel": {
-          "file": "debug",
-          "console": "error",
-          "colorize": true
-        }
+| Tab | Setting |
+|---|---|
+| General | Name: `SCIM Gateway`; User: `SYSTEM`; Run with highest privileges |
+| Triggers | Begin the task: At startup |
+| Actions | Start a program: `<bun-install-path>\bun.exe`; Arguments: `c:\my-scimgateway` |
+| Settings | Stop the task if it runs longer than: **Disabled** |
-### v1.0.14
-[Fixed]
+**Verify:**
+1. Right-click → Run → confirm process appears in Task Manager
+2. Right-click → End → confirm process disappears
+3. Reboot → confirm auto-start
-- Some multiValued attributes not correctly handled (e.g. addresses)
-### v1.0.13
-[Fixed]
+---
-- plugin-azure-ad: New version of "Azure - ScimGateway.xml" fixing CA IM RoleDefGenerator problem (related to creating and importing screens in CA IM)
+## Docker
-**[UPGRADE]**
+### Single Image
-- Use CA ConnectorXpress, import "Azure - ScimGateway.xml" and deploy/redeploy endpoint
+```sh
+mkdir /opt/my-scimgateway
+cd /opt/my-scimgateway
+bun init -y
+bun install scimgateway
+bun pm trust scimgateway
+cp ./config/docker/* .
+cp ./config/docker/.dockerignore .
-### v1.0.12
-[Fixed]
+# Build
+docker build --platform linux/amd64 --force-rm=true -t my-scimgateway:1.0.0 .
-- Incorrect logging of Express stream messages (type info) when running multiple plugins
+# Create and run
+docker create --init --ulimit memlock=-1:-1 --name my-scimgateway -p 8880:8880 my-scimgateway:1.0.0
+docker start my-scimgateway
+docker stop my-scimgateway
+```
-### v1.0.11
-[Fixed]
+Consider passing `-e SEED=<random>` at create time if using encrypted configuration files.
-- plugin-azure-ad: proxy configuration did not work
+### Docker Compose
+Pre-requisites: `docker-compose` and `docker-ce`
-### v1.0.10
-[Fixed]
+```sh
+mkdir /opt/my-scimgateway && cd /opt/my-scimgateway
+bun init -y && bun install scimgateway && bun pm trust scimgateway
+cp ./config/docker/* .
-- An issue with pagination fixed
+adduser scimgateway
+mkdir /home/scimgateway/config
-### v1.0.9
-[Improved]
+# Copy your plugin config to the persistent volume
+scp config/plugin-loki.json scimgateway@host:/home/scimgateway/config/
-- Cosmetics, changed emailOnError logic - now emitted by logger
+docker-compose up --build -d
+```
-### v1.0.8
-[Improved]
+Provided compose files:
+| File | Purpose |
+|---|---|
+| `docker-compose.yml` | Main compose file — set exposed ports and environment here |
+| `Dockerfile` | Main image definition |
+| `DataDockerfile` | Volume mapping |
+| `docker-compose-debug.yml` | Attach VS Code debugger |
+| `docker-compose-mssql.yml` | Compose example including an MSSQL container |
+**Common Docker commands:**
+```sh
+docker ps                                      # list running containers
+docker images                                  # list images
+docker logs scimgateway                        # view logs
+docker exec scimgateway <command>              # run command in container
+docker-compose stop / start                    # stop / restart
+docker-compose -f docker-compose.yml \
+  -f docker-compose-debug.yml up -d           # debug mode (VS Code)
+# Upgrade — remove old container and dangling images first
+docker rm scimgateway
+docker rm $(docker ps -a -q)
+docker rmi $(docker images -q -f "dangling=true")
+```
-- Support health monitoring using the "/ping" URL with a "hello" response, e.g. http://localhost:8880/ping. Useful for frontend load balancing/failover functionality
-- Option for error notifications by email
+---
-**[UPGRADE]**
+## Identity Provider Integration
-- Configuration files for custom plugins must include the **emailOnError** object for enabling error notifications by email. Please see the syntax in provided example plugins and details described in the "Configuration" section of this document.
-### v1.0.7
-[Improved]
+### Microsoft Entra ID as IdP
-- Docker now using node v.9.10.0 instead of v.6.9.2
-- Minor log cosmetics
+Entra ID can automatically provision users to SCIM Gateway, which then forwards to your endpoint plugin.
-### v1.0.6
-[Fixed]
+**Plugin configuration requirements:**
-- Azure AD plugin, failed to create user when licenses (app Service plans) was included
+```json
+"scimgateway": {
+  "scim": { "version": "2.0" },
+  "auth": {
+    "bearerToken": [
+      { "token": "shared-secret" }
+    ],
+    "bearerJwt": [
+      { "azureTenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" }
+    ]
+  }
+}
+```
-### v1.0.5
-[Improved]
+- `token` must match the "Secret Token" in the Entra ID provisioning configuration
+- `azureTenantId` must match the Entra tenant ID
+- If "Secret Token" is left blank in Entra ID, JWT (`azureTenantId`) is used automatically
-- Supporting GET /Users, GET /Groups, PUT method and delete groups
-- After more than 3 invalid auth attempts, response will be delayed to prevent brute force
+**Azure Portal paths:**
-[Fixed]
+```
+Secret Token:  Microsoft Entra ID → Enterprise Apps → <App> → Provisioning → Secret Token
+Tenant ID:     Microsoft Entra ID → Overview → Tenant ID
+Attribute maps: Enterprise Apps → <App> → Provisioning → Edit attribute mappings → Mappings
+```
-- Some minor compliance fixes
+**Required attribute mappings:**
-**Thanks to [@ywchuang](https://github.com/ywchuang)**
+| Object | Source | Target | Matching |
+|---|---|---|---|
+| User | `userPrincipalName` | `userName` | Precedence #1 |
+| Group | `displayName` | `displayName` | Precedence #1 |
+| Group | `members` | `members` | — |
-### v1.0.4
-[Improved]
+**Entra ID behavior notes:**
+- Deleting a user sends `PATCH { "active": "False" }` rather than a `DELETE` request
+- Entra ID periodically checks for non-existent users/groups as a keep-alive
+- Entra ID checks existence before creating (no full user explore like some other IdPs)
-- Plugin for Azure AD now supports paging for retrieving users and groups. Any existing metafile used by CA ConnectorXpress ("Azure - ScimGateway.xml") must be re-deployed.
+---
-[Fixed]
+### Symantec/Broadcom Identity Manager as IdP
-- Don't use deprecated existsSync in postinstallation
+Use **SCIM version `"1.1"`** for Symantec/Broadcom Provisioning.
-### v1.0.3
-[Fixed]
+In Provisioning Manager use endpoint type `SCIM (DYN Endpoint)` or create a custom type.
-- Undefined root url not handled correctly after v1.0.0
+**Example endpoint configuration (plugin-loki):**
-### v1.0.2
-[Fixed]
+```
+Endpoint Name:              Loki-8880
+User Name:                  gwadmin
+Password:                   password
+SCIM Authentication Method: HTTP Basic Authentication
+SCIM Based URL:             http://localhost:8880
+                        or: http://localhost:8880/<baseEntity>
+```
-- License and group defined as capability attributes in metafile used by CA ConnectorXpress regarding plugin-azure-ad
+The `baseEntity` parameter enables multi-tenant setups — create multiple endpoints with the same base URL but different `baseEntity` values (e.g. `/client-a`, `/client-b`). Define per-entity connection attributes in the plugin JSON configuration.
-### v1.0.1
-[Fixed]
+---
-- Mocha test script did not terminate after upgrading from 3.x to 4.x of Mocha
+## Entra ID Provisioning Plugin
-### v1.0.0
-[Improved]
+`plugin-entra-id` provisions users and groups to Microsoft Entra ID via the Microsoft Graph API.
-- New plugin-azure-ad.js for Azure AD user provisioning including Azure license management e.g. Office 365
-- Includes latest versions of module dependencies
-- Module hdb (for SapHana) and saml is not included by default anymore and therefore have to be manually installed if needed.
+### Entra ID App Registration
-**[UPGRADE]**
-Method `getGroupMembers` must be updated for all custom plugins
+1. **Microsoft Entra ID → App registrations → New registration**
+   - Name: `SCIM Gateway Inbound`
+   - Accounts: This organizational directory only
+2. **Overview** — copy Application (client) ID and Directory (tenant) ID
+3. **Certificates & secrets → New client secret** — copy the value
+4. **API permissions → Add → Microsoft Graph → Application permissions:**
+   - `Directory.ReadWriteAll`
+   - `Organization.ReadWrite.All`
+   - Additional for signInActivity, roles, licenses and access packages:
+     - `AuditLog.Read.All` *(only if using `map.user.signInActivity`; requires Entra ID Premium)*
+     - `RoleEligibilitySchedule.ReadWrite.Directory` *(PIM Eligible roles; only if using `map.user.roles`)*
+     - `RoleManagement.ReadWrite.Directory` *(PIM Permanent roles; only if using `map.user.roles`)*
+     - `EntitlementManagement.ReadWrite.All` *(IGA Access Packages; only if using `map.user.entitlements`)*
+   - Click **Grant admin consent**
+5. **Entra ID → Roles and administrators → User administrator → Add assignments** — add `SCIM Gateway Inbound`
-Replace:
+> For full access to admin users, assign the `Global Administrator` role. The `User Administrator` role has limitations on users with admin roles.
-	scimgateway.on('getGroupMembers', function (baseEntity, id, attributes, startIndex, count, callback) {
-	...
-	let ret = {
-	'Resources' : [],
-	'totalResults' : null
-	}
-	...
-	ret.Resources.push(userGroup)
-	...
-	callback(null, ret)
+> `signInActivity, roles, licenses and access packages` requires permissions above. Note, `ReadWrite` can be replaced with `Read` if management is not required. **Remove any mapping configuration whose conditions are not met** — Minimum read permissions are validated at startup.
+### Plugin Configuration
-With:
+**`index.ts`:**
-	scimgateway.on('getGroupMembers', function (baseEntity ,id ,attributes, callback) {
-	...
-	let arrRet = []
-	...
-	arrRet.push(userGroup)
-	...
-	callback(null, arrRet)
+```ts
+import './lib/plugin-entra-id.ts'
+export {}
+```
-### v0.5.3
-[Improved]
+**`config/plugin-entra-id.json` (key sections):**
-- Includes api gateway/plugin for general none provisioning
-  - GET /api
-  - GET /api?queries
-  - GET /api/{id}
-  - POST /api + body
-  - PUT /api/{id} + body
-  - PATCH /api/{id} + body
-  - DELETE /api/{id}
-- plugin-api.js demonstrates api functionallity (becomes what you want it to become)
+```json
+{
+  "scimgateway": {
+    "scim": { "version": "2.0", "skipTypeConvert": true}, // skipTypeConvert if Access Package management (entitlements)
+    "auth": {
+      "basic": [
+        {
+          "username": "gwadmin",
+          "password": "password",
+          "readOnly": false
+        }
+      ]
+    }
+  },
+  "endpoint": {
+    "entity": {
+      "undefined": {
+        "connection": {
+          "baseUrls": [],
+          "auth": {
+            "type": "oauth",
+            "options": {
+              "azureTenantId": "<Tenant ID>",
+              "clientId": "<Application ID>",
+              "clientSecret": "<Secret value>"
+            }
+          },
+          "proxy": {
+            "host": null,
+            "username": null,
+            "password": null
+          }
+        }
+      }
+    }
+  }
+}
+```
+`clientSecret` and any proxy passwords are automatically encrypted on the first connection.
-### v0.5.2
-[Improved]
+**Multi-tenant setup:**
-- One or more of following authentication/authorization methods are accepted:
-  - Basic Authentication
-  - Bearer token - shared secret
-  - Bearer token - Standard JSON Web Token (JWT)
-  - Bearer token - Azure JSON Web Token (JWT)
+```json
+"endpoint": {
+  "entity": {
+    "undefined": { ... },
+    "client-a":  { ... },
+    "client-b":  { ... }
+  }
+}
+```
-**[UPGRADE]**
+### Using with Symantec/Broadcom (ConnectorXpress)
-- Configuration files for custom plugins `config/plugin-xxx.json` needs to be updated regarding the new `scimgateway.auth` section:
-	- Copy scimgateway.auth section from one of the example plugins
-	- Copy existing scimgateway.username value to new auth.basic.username value
-	- Copy existing scimgateway.password value to new auth.basic.username value
-	- Copy existing scimgateway.oauth.accesstoken value to new auth.bearer.token value
-	- Delete scimgateway.username
-	- Delete scimgateway.password
-	- Delete scimgateway.oauth
+1. Start SCIM Gateway with `plugin-entra-id`
+2. Open ConnectorXpress → Setup Data Sources → Add Layer7 → Base URL: `http://localhost:8881`
+3. Import the endpoint type metadata: `node_modules/scimgateway/config/resources/Azure - ScimGateway.xml`
+4. Create endpoint type `Azure - ScimGateway`
+**Provisioning Manager endpoint example:**
-### v0.4.6
-[Improved]
+```
+Endpoint Name:              AzureAD-8881
+User Name:                  gwadmin
+Password:                   password
+SCIM Authentication Method: HTTP Basic Authentication
+SCIM Based URL:             http://localhost:8881
+```
-- Document updated on how to run SCIM Gateway as a Docker container
-- `config\docker` includes docker configuration examples
-**Thanks to [@cwatsonc](https://github.com/cwatsonc) and [@visualjeff](https://github.com/visualjeff)**
+---
+## API Gateway
-### v0.4.5
-[Improved]
+SCIM Gateway doubles as a general API gateway via the `/api` path (no SCIM schema required):
-- Environment variable `SEED` overrides default password seeding
-- Setting SCIM Gateway port to `"process.env.XXX"` lets environment variable XXX define the port
-- Don't validate config-file port number for numeric value (Azure AD - iisnode using a name pipe for communication)
+```
+GET    /api
+GET    /api?<query>
+GET    /api/{id}
+POST   /api           + body
+PUT    /api/{id}      + body
+PATCH  /api/{id}      + body
+DELETE /api/{id}
+```
-**[UPGRADE]**
+With `baseEntity`: `/<baseEntity>/api`
-- Configuration files for custom plugins `config/plugin-xxx.json` needs to be updated:
-	- Encrypted passwords needs to be reset to clear text passwords
-	- Start SCIM Gateway and passwords will become encrypted
+A public (unauthenticated) API path is also available:
-### v0.4.4
-[Improved]
+```
+GET /pub/api?model=Tesla
+```
-- NoSQL Document-Oriented Database plugin: `plugin-loki`
-This plugin now replace previous `plugin-testmode`
-**Thanks to [@visualjeff](https://github.com/visualjeff)**
-- Minor code/comment reorganizations in provided plugins
-- Minor adjustments to multi-value logic introduced in v0.4.0
+See `lib/plugin-api.ts` for a complete example.
-**[UPGRADE]**
+---
-- Delete depricated `lib/plugin-testmode.js` and `config/plugin-testmode.json`
-- Edit index.js, replace tesmode with loki
+## Building Custom Plugins
-### v0.4.2
-[Fixed]
+**Recommended editor:** [Visual Studio Code](https://code.visualstudio.com/) — provides IntelliSense for all `scimgateway` methods.
-- plugin-restful minor adjustments to multivalue and cleared attributes logic introduced in v0.4.0
+### Setup
-### v0.4.1
-[Improved]
+1. Copy the closest matching example plugin (e.g. `lib/plugin-mssql.ts` + `config/plugin-mssql.json`) and rename both with your prefix (e.g. `plugin-mine`)
+2. Set a unique `port` in `config/plugin-mine.json`
+3. Add your plugin to `index.ts`: `import './lib/plugin-mine.ts'`
+4. Start the gateway and verify
-- Mocha test scripts for automated testing of plugin-testmode
-- Automated tests run on Travis-ci.org (click on build badge)
-- **Thanks to [@visualjeff](https://github.com/visualjeff)**
+### Mandatory Plugin Initialization
+```ts
+// start - mandatory plugin initialization
+import { ScimGateway, HelperRest } from 'scimgateway'
+const scimgateway = new ScimGateway()
+const helper = new HelperRest(scimgateway)  // include if using REST
+const config = scimgateway.getConfig()
+scimgateway.authPassThroughAllowed = false
+scimgateway.pluginAndOrFilterEnabled = false
+// end - mandatory plugin initialization
+```
-[Fixed]
+### Implementation Order
-- Minor adjustments to multi-value logic introduced in v0.4.0
+Build and test incrementally:
-### v0.4.0
-[Improved]
+1. **`getGroups`** — return empty response to disable group handling initially (see `plugin-saphana` for a groups-free example)
+2. **`getUsers`** — retrieve all accounts and a single account by filter
+3. **`createUser`** — create new accounts
+4. **`deleteUser`** — delete accounts
+5. **`modifyUser`** — update accounts
+6. **`getGroups`** — re-enable with real logic if groups are supported
+7. **`createGroup`**, **`deleteGroup`**, **`modifyGroup`** — group lifecycle
-- Not using the SCIM standard for handling multivalue attributes and cleared attributes. Changed from array to object based on type. This simplifies plugin-coding for multivalue attributes like emails, phoneNumbers, entitlements, ...
-- Module dependencies updated to latest versions
+### Plugin Methods
-**[UPGRADE]**
+**SCIM methods (implement in your plugin):**
-- Custom plugins using multivalue attributes needs to be updated regarding methods createUser and modifyUser. Please see example plugins for details.
+| Method | Description |
+|---|---|
+| `scimgateway.getUsers()` | Retrieve users (all or filtered) |
+| `scimgateway.createUser()` | Create a new user |
+| `scimgateway.deleteUser()` | Delete a user |
+| `scimgateway.modifyUser()` | Update user attributes |
+| `scimgateway.getGroups()` | Retrieve groups (all or filtered) |
+| `scimgateway.createGroup()` | Create a new group |
+| `scimgateway.deleteGroup()` | Delete a group |
+| `scimgateway.modifyGroup()` | Update group members/attributes |
+| `scimgateway.getEntitlements()` | Retrieve entitlements (e.g. Entra ID licenses) |
+| `scimgateway.getRoles()` | Retrieve roles (e.g. Entra ID PIM roles) |
-### v0.3.8
-[Fixed]
+**API Gateway methods:**
-- Minor changes related to SCIM specification
+| Method | Path |
+|---|---|
+| `scimgateway.getApi()` | `GET /api` |
+| `scimgateway.postApi()` | `POST /api` |
+| `scimgateway.putApi()` | `PUT /api/{id}` |
+| `scimgateway.patchApi()` | `PATCH /api/{id}` |
+| `scimgateway.deleteApi()` | `DELETE /api/{id}` |
+| `scimgateway.publicApi()` | `GET /pub/api` (no auth) |
-### v0.3.7
-[Improved]
+Use VS Code IntelliSense on any method for inline documentation and type information.
-- PFX / PKCS#12 certificate bundle is supported
+### Custom Schemas
-### v0.3.6
-[Improved]
+If plugin use `endpointMapper`, SCIM schemas will be generated based on configured mapping.
-- SCIM Gateway used by Microsoft Azure Active Directory is supported
-- SCIM version 2.0 is supported
-- Create group is supported
+To use custom SCIM schemas, copy `node_modules/scimgateway/lib/scimdef-v2.json` (or `scimdef-v1.json`) to `lib/` and edit as needed. The gateway will use your version when it detects the file.
-**[UPGRADE]**
+---
-- For custom plugins to support create group, they needs to be updated regarding listener method `scimgateway.on('createGroup',...` Please see example plugins for details.
+## License
+MIT © [Jarle Elshaug](https://www.elshaug.xyz)
+---
-### v0.3.5
-[Fixed]
+## Change Log
-- plugin-mssql not included in postinstall
+### v6.2.2
+- **[Improved]** `plugin-entra-id` now supports Entra ID IGA Access Packages. For required API permissions, see [Entra ID App Registration](#entra-id-app-registration)
-### v0.3.4
-[Improved]
+### v6.2.1
+- `HelperRest`: fixed minor log cosmetics introduced in v6.2.0
-- MSSQL example plugin: `plugin-mssql`
-- Changed multivalue logic in example plugins, now using `scimgateway.getArrayObject`
+### v6.2.0
+- **[Fixed]** `HelperRest`: failed on Bun v1.3.14 due to stricter Fetch standards compliance
+- **[Improved]** New `plugin-generic` replaces `plugin-scim`. Uses `endpointMapper` with the new `valueMap` option for group allowlisting and name mapping. Default config uses one-to-one SCIM mapping with plugin-loki as the target endpoint.
+- **[Improved]** `endpointMapper` now supports `valueMap`:
+  ```json
+  "map": {
+    "group": {
+      "displayName": {
+        "mapTo": "displayName",
+        "type": "string",
+        "valueMap": {
+          "outboundEndpointGrp1": "inboundScimGrp1",
+          "Employees": "Admins"
+        }
+      }
+    }
+  }
+  ```
-[Fixed]
+  Clients only see and manage the SCIM-named groups (`inboundScimGrp1`, `Admins`), mapped to their endpoint counterparts (`outboundEndpointGrp1`, `Employees`). Useful for allowlisting specific groups or supporting different inbound/outbound names.
-- Minor changes related to SCIM specification
+### v6.1.20
+- `plugin-entra-id`: roles introduced in v6.1.19 were missing when retrieving a single user
+### v6.1.19
+- **[Fixed]** SCIM v2.0 ResourceType endpoint schemas using incorrect id
+- **[Improved]** `GET /Roles` and `GET /Entitlements` endpoint support, with user management via SCIM `roles` and `entitlements` attributes
+- **[Improved]** `plugin-entra-id`: `entitlements` for Entra ID licenses (read-only); `roles` for Permanent and Eligible PIM roles (full management)
+  - PIM Eligible roles: requires `RoleEligibilitySchedule.ReadWrite.All`
+  - PIM Permanent roles: requires `RoleManagement.ReadWrite.Directory`
+  - Remove `map.user.roles` if above conditions are not met
+  - `skipSignInActivity` option (v6.1.17) no longer used; `signInActivity` and PIM role permissions are validated at startup
-### v0.3.3
-[Fixed]
+### v6.1.18
+- `createUser` and `modifyUser` now return the full user object, ensuring returned data reflects what was modified even when the endpoint hasn't internally synced yet
-- Logic for handling incorrect pagination request to avoid endless loop conditions (there is a pagination bug in CA Identity Manager v.14)
-- Pagination now supported on getGroupMembers
+### v6.1.17
+- `plugin-entra-id`: fixed broken `filter=userName eq "user_upn"` introduced in v6.1.11 when using updated config with `map.user.signInActivity`
+- `plugin-entra-id`: new option `endpoint.entity.[baseEntity].skipSignInActivity = true` to exclude `signInActivity` (requires Entra ID Premium + `AuditLog.Read.All`)
-**[UPGRADE]**
+### v6.1.16
+- `plugin-entra-id`: `GET /Entitlements` now uses `derivedIncludes` with full recursive expansion
-- Custom plugins needs to be updated regarding listener method `scimgateway.on('getGroupMembers',...` New arguments have been added "startIndex" and "count". Also a new return variable "ret". Please see example plugins for details.
+### v6.1.15
+- `plugin-entra-id`: fixed `filter=entitlements pr`
-### v0.3.2
-[Fixed]
+### v6.1.14
+- Support for filter `attribute not pr`
+- Dependencies bump
-- Minor changes related to SCIM specification
+### v6.1.13
+- `plugin-entra-id`: `signInActivity` attributes are now filterable
-### v0.3.1
-[Improved]
+### v6.1.12
+- Filter operator `pr` (presence) now forwarded to plugins (previously rejected)
+- `plugin-entra-id`: handles `pr` filter on entitlements
-- REST Webservices example plugin: `plugin-restful`
+### v6.1.11
+- **[Fixed]** Incorrect schema generation when using `endpointMapper` (regression from v6.1.6)
+- **[Improved]** New `GET /Entitlements` endpoint and `scimgateway.getEntitlements()` method
+- `plugin-entra-id`: user license information via `entitlements`; remove `map.user.signInActivity` if Entra ID Premium is unavailable
-### v0.3.0
-[Improved]
+### v6.1.10
+- `plugin-entra-id`: group membership now includes nested (transitive) groups (`direct` and `indirect`)
+- Fixed missing Docker files: `config/docker/.dockerignore` and `docker-compose-mssql.yml`
-- Preferred installation method changed from "global" to "local"
-- `<Base URL>/[baseEntity]` for multi tenant or multi endpoint flexibility
-- plugin-forwardinc includes examples of baseEntity, custom soap header and signed saml assertion
-- Support groups defined on user object "group member of user"
-- New module dependendcies included: saml, async and callsite
+### v6.1.9
+- `createUser`/`createGroup` responses now correctly include the generated ID
+### v6.1.8 / v6.1.7
+- Fixed incorrect masking of secrets in request info log messages
+- `plugin-entra-id`: fixed edge case where `createUser` with a manager could fail
-**[UPGRADE]**
+### v6.1.6
+- Fixed `plugin-loki` and `plugin-mongodb` returning empty results when using extension schema attributes in search
+- Auth failure due to `readOnly` now returns HTTP 405 instead of 401
+- `postinstall` ensures `"type": "module"` is set in `package.json`
+- `endpointMapper` now generates a custom schema; supports `"x-agent-schema"` for AI MCP tool instructions
-- Use "fresh" install and restore any custom plugins. Custom plugins needs to be updated. Listener method names have changed and method must include "baseEntity" - please see example plugins.
+### v6.1.5
+- Complex filtering (`and`/`or`) handled by the gateway using the plugin's simple filter logic
+- `modifyGroup` now returns HTTP 204 instead of 200
+- New `/auth` endpoint for validating external authentication
+- `plugin-entra-id`: supports `sw` (startsWith) filter
-### v0.2.2 - v0.2.8
-[Doc]
+### v6.1.4
+- Fixed OData paging in `plugin-entra-id` and `helper-rest` — missing users/groups/members in large directories
+- Fixed incomplete group membership when paging not fully iterated
-- Minor readme changes and version bumps
+### v6.1.3
+- Azure Relay: improved recovery on failure
+- `plugin-ldap`: improvements for Active Directory and `objectGUID`/`mS-DS-ConsistencyGuid`
+- `modifyGroup`: adding an existing member or removing a non-existent member now returns 200 OK instead of an error
-### v0.2.1
-[Fixed]
+### v6.1.2
+- Fixed SMTP mail failure caused by an updated dependency
+- Fixed `endpointMapper` when `mapTo` contained multiple comma-separated attributes including a multivalued one
-- plugin-forwardinc explore of empty endpoint
+### v6.1.1
+- `plugin-ldap`: fixed race condition where `createUser` immediately followed by `readUser` could fail on some systems (e.g. Samba AD)
+- Final info log message now includes full JSON serialization (durationMs, status, requestBody, responseBody, …)
-### v0.2.0
-Initial version
+### v6.1.0
+- `tsx` included — SCIM Gateway now runs as ES module (TypeScript) in Node.js: `node --import=tsx ./index.ts`
+- Simplified mandatory plugin initialization using static `import`
+- `index.ts` updated to use static imports
+- Bun binary builds now supported (see [Single Binary Deployment](#single-binary-deployment))
+### v6.0.0 — Major
+- API method response bodies returned as-is (previously wrapped in `{ result: <content> }`) — **clients parsing responses must be updated**
+- New `scimgateway.publicApi()` for unauthenticated `/pub/api` routes
+- `bearerJwtAzure.tenantIdGUID` replaced by `bearerJwt.azureTenantId` — **existing configurations must be updated**
+### v5.x — Previous Major Series
+For v5.x change history (Bun/TypeScript migration, Azure Relay, Bulk Operations, SCIM Stream, HelperRest, Docker, email OAuth, and more), see the [GitHub commit history](https://github.com/jelhub/scimgateway/commits/master/).