Getting "Not Found" for /scim/Users
Hello,
Anton's here.
Thank you for putting the effort into building the SCIM bridge! It is awesome!
In short, everything looks good but in the end a call to /scim/Users results into 404.
I wonder what I may be missing and where.
Context:
AWS / EKS / k8s / Helm / Google Workspace
Background:
We have a 1Password business account as well as Google Workspace set up for the company.
We operate a cluster in k8s on AWS EKS. The SCIM bridge is deployed using your Helm chart (v2.10.3) but with some variables overridden with our own custom values.
The credentials and settings file for Google are located in a k8s secret.
The scimsession file as well as the bearer token are also located in a k8s secret.
The Redis pod is running successfully and inside its logs it says everything is perfect.
The bridge pod is also running successfully and the logs show absolutely everything in green, too.
We created our own subdomain where we host the bridge. We have appropriate and working DNS configuration for it.
When we visit the bridge URL the webpage show everything good and green - Status (all green checks), Logs, Google Workspace (with text in green Connected), Workspace Groups with our groups and member numbers.
Regarding the Workspace Groups on the bridge webpage, I performed a sync and it was successful. That is why we seen all our Google Groups and their members count.
On the Integrations page I see our Google Workspace with "Status: Good" in green.
In the terminal, if I curl our bridge domain to "/ping", I get back "pong".
Problem:
So all in all, everything seems super okay. As I said the sync went well.
The one thing that doesn't work is if I curl "/scim/Users". Then I get back 404/Not Found.
Questions:
1. why calling "/scim/Usrs" results in 404?
2. where in your documentation can we find information related to the API the SCIM bridge implements?
3. besides making requests manually and entering the page of the bridge, what else I can use the bearer token for? does it play any role in the bridge config?
4. in the Helm chart v2.10.3, there is a definition for a bearer token but it's located within a Service Monitor key. so is this bearer token different from the bearer token mentioned above?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: macOS 13.3.1 (a)
Browser: Not Provided
Comments
-
Can you help, pls? @Jack.P_1P @hemal.g_1p 🙏
0 -
Hi @antonmladenov,
- The Google Workspace integration is the only integration that does not use the SCIM protocol (https://www.rfc-editor.org/rfc/rfc7644.html), and so any "/scim/" endpoints will not be available.
- As I said normally the API will be the SCIM API, but in the case of GWS we rely on the interval sync and a push notification system (receiving notifications from Google) to sync your users and groups. Unfortunately you won't be able to call these APIs.
- The bearer token is used by the SCIM bridge to authorize requests to 1Password.com from your bridge, and for logging into the page as you said. Making requests manually (with curl, for example) is normally supported, but again with GWS not being SCIM, this won't help you much.
- The serviceMonitor is an optional service that, when enabled, will create a prometheus ServiceMonitor for auto discovery. The bearerTokenSecret specifies the secret that contains the SCIM bridge bearer token, so this is the same bearer token as what you used to sign in the bridge.
I hope this answers some of your questions!
Chas1 -
hey,
thank you, Chas! awesome!
so the "/scim" calls failing are explained now.0
