This repository has been archived by the owner on Jul 3, 2020. It is now read-only.
Currently the externalId is a UNIQUE KEY in the scim_id table, which is a driver for Primary Keys and Meta info for various Resources. That does not work in the following situations:
Different Resources have the same externalId supplied by the provisioning client
Different provisioning clients supply same externalId
Which leads to the conclusion that uniqueness of externalId must account for ResourceType and clientId (or some other Entity that groups clients, i.e. an Organization having multiple client end-points).
The service provider MUST always interpret the externalId as scoped to the provisioning domain. While the server does not enforce uniqueness, it is assumed that the value's uniqueness is controlled by the client setting the value.
Please advise. Thanks.
PS. Same applies to scim_group.display_name. It seems that the database is designed for a single Account/Organization use.
Hello @mosounov,
You are right: at the moment we are violating the RFC with regard to enforcing uniqueness, and we are going to file an issue for that. However, it is unlikely that just removing the unique constraint would provide us with multitenancy out of the box. We simply did not take that into consideration when we started working on OSIAM. The subject of multitenancy came up a few times in the past, without a cohesive conclusion.
I'm not really sure what your question is, but you are right, we do have a problem with SCIM compliance here.
This is more of a question rather than an issue.
To further reference RFC: https://tools.ietf.org/html/rfc7643#section-3.1
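The two failing situations from the issue, and the scoping it proposes, as an added example that is not OSIAM's schema or code. The table is reduced to a few columns; `client_id`, `resource_type`, `internal_id` and the sample rows are assumptions made for illustration, and RFC 7643 itself does not require the server to enforce uniqueness at all.

```python
import sqlite3

# Hypothetical, simplified tables; only the name scim_id comes from the issue.
GLOBAL_DDL = """CREATE TABLE scim_id (
    internal_id INTEGER PRIMARY KEY,
    client_id TEXT NOT NULL,
    resource_type TEXT NOT NULL,
    external_id TEXT UNIQUE)"""          # uniqueness across all clients and types

SCOPED_DDL = """CREATE TABLE scim_id (
    internal_id INTEGER PRIMARY KEY,
    client_id TEXT NOT NULL,
    resource_type TEXT NOT NULL,
    external_id TEXT,
    UNIQUE (client_id, resource_type, external_id))"""  # scoped uniqueness

INSERT = ("INSERT INTO scim_id (client_id, resource_type, external_id) "
          "VALUES (?, ?, ?)")

# Constructed sample rows: (client_id, resource_type, external_id)
ROWS = [
    ("client-a", "User", "42"),
    ("client-a", "Group", "42"),  # different resource type, same externalId
    ("client-b", "User", "42"),   # different provisioning client, same externalId
    ("client-a", "User", "42"),   # real duplicate inside one client and type
]

def provision(ddl, rows):
    """Create the table, insert each row, and record 'ok' or 'conflict'."""
    db = sqlite3.connect(":memory:")
    db.execute(ddl)
    outcome = []
    for row in rows:
        try:
            with db:  # commits on success, rolls back on error
                db.execute(INSERT, row)
            outcome.append("ok")
        except sqlite3.IntegrityError:
            outcome.append("conflict")
    return db, outcome

def find(db, client_id, resource_type, external_id):
    """Lookups must carry the same scope as the constraint, or rows of
    another client with the same externalId would be returned."""
    cur = db.execute(
        "SELECT internal_id FROM scim_id "
        "WHERE client_id = ? AND resource_type = ? AND external_id = ?",
        (client_id, resource_type, external_id))
    return [r[0] for r in cur]

if __name__ == "__main__":
    print("global:", provision(GLOBAL_DDL, ROWS)[1])
    print("scoped:", provision(SCOPED_DDL, ROWS)[1])
```

Changing the constraint alone only moves the problem: every read, update and delete path that resolves an externalId needs the same scope applied, which is the gap the reply points at when it says removing the constraint does not give multitenancy.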