Atlassian Guard / ACCESS-1424

Support the SCIM user filter for 'emails[type eq "work"].value'


      Problem:

      In Azure AD, admins can configure attributes for matching between the source and target systems. The following attribute mapping setup can be configured.

      Azure Active Directory Attribute | AtlassianCloud Attribute     | Matching precedence
      mail                             | emails[type eq "work"].value | 1
      mail                             | userName                     | 2

      In this specific setup, Azure will try to query the emails[type eq "work"].value SCIM attribute for matching purposes, but this will fail because we do not support this filter on the Atlassian side.

      Resource : https://api.atlassian.com/scim/directory/DIR_ID/scim/Users?filter=emails[type+eq+"work"].value+eq+"user@email.com" 
      Operation: GET 
      Response Status Code: BadRequest 

       

      This is quite confusing for admins for the following reasons:

      • userName is a supported SCIM filter, but there is no userName attribute on Atlassian accounts. The SCIM userName value is not easily visible to Atlassian organization administrators.
      • emails[type eq "work"].value is the attribute that dictates the email address value for the Atlassian account. This is visible to Atlassian organization administrators.

       

      Suggestion:

      Support emails[type eq "work"].value as a filter on the SCIM Users endpoint

       

      Workaround

      Do not match the emails[type eq "work"].value attribute in Azure AD attribute mapping. 

      Azure Active Directory Attribute | AtlassianCloud Attribute     | Matching precedence
      mail                             | userName                     | 1
      mail                             | emails[type eq "work"].value | <EMPTY>
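
An added example (not Atlassian's or Microsoft's code): a minimal evaluator for the one filter shape in the failing request above, run against constructed SCIM user records. The function names, the sample users and the case-insensitive comparison are assumptions of this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The failing request from the ticket (DIR_ID is the page's own placeholder).
REQUEST = ('https://api.atlassian.com/scim/directory/DIR_ID/scim/Users'
           '?filter=emails[type+eq+"work"].value+eq+"user@email.com"')

# Constructed sample records, not real accounts.
USERS = [
    {"id": "u1", "userName": "opaque-1",
     "emails": [{"type": "work", "value": "User@Email.com"}]},
    {"id": "u2", "userName": "opaque-2",
     "emails": [{"type": "home", "value": "user@email.com"}]},
    {"id": "u3", "userName": "user@email.com", "emails": []},
]

# Only this shape is accepted: attr[sel eq "x"].sub eq "y"
NAME = r'[A-Za-z][\w$-]*'
SHAPE = re.compile(
    rf'^(?P<attr>{NAME})\[(?P<sel>{NAME}) eq "(?P<sel_val>[^"\\]*)"\]'
    rf'\.(?P<sub>{NAME}) eq "(?P<want>[^"\\]*)"$')

def parse_filter(url):
    """Decode ?filter= and parse it; ValueError stands in for HTTP 400."""
    values = parse_qs(urlsplit(url).query).get("filter", [])
    if len(values) != 1:
        raise ValueError("expected exactly one filter parameter")
    m = SHAPE.match(values[0].strip())
    if m is None:
        raise ValueError("unsupported filter: " + values[0])
    return m.groupdict()

def element_matches(item, f):
    """Both tests must hold on the SAME element of the multi-valued attribute."""
    same = lambda a, b: str(a).casefold() == b.casefold()  # assumed case-insensitive
    return same(item.get(f["sel"], ""), f["sel_val"]) and \
           same(item.get(f["sub"], ""), f["want"])

def find_users(url, users):
    """Return ids of users with an element satisfying the parsed filter."""
    f = parse_filter(url)
    return [u["id"] for u in users
            if any(element_matches(e, f) for e in u.get(f["attr"], []))]

if __name__ == "__main__":
    print(find_users(REQUEST, USERS))
```

Only u1 is returned: u2 holds the address as a home email and u3 only as userName, so neither satisfies a match on the work email value.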

       

            Leonardo H made changes -
            Labels New: guard-s8
            Ramon M created issue -

              rheda FellowJitster
              rmacalinao Ramon M