add some docs

docs/config.md

@@ -0,0 +1,81 @@
+# Configuring the scim service
+
+## Single tenant setup
+In a single tenant setup, scim syncs users to just one tenant, that has been configured. For this, the tenant id and directory read-write API Key need to be configured.
+
+```
+logging:
+  prod: true
+  log_level: info
+server:
+  listen_address: ":8080"
+  auth:
+    basic:
+      enabled: true
+      username: "scim"
+      password: "scim"
+    bearer:
+      enabled: true
+      token: "scim"
+directory:
+  address: "directory.prod.aserto.com:8443"
+  tenant_id: "your_tenant_id"
+  api_key: "your_directory_rw_api_key"
+```
+
+To let the directory handle auth, set the `passthrough` flag to `true`.
+
+```
+      auth:
+        basic:
+          enabled: true
+          passthrough: true
+        bearer:
+          enabled: true
+          passthrough: true
+```
+The bearer token used should be set as base64 encoded `<tenant-id>:<api-key>`
+
+## Multi-tenant setup
+
+For a multitenant setup, the directory config should not contain the tenant-id and api-key. These will be passed using the authorization header.
+
+```
+logging:
+  prod: true
+  log_level: info
+server:
+  listen_address: ":8080"
+  auth:
+    basic:
+      enabled: true
+      passthrough: true
+    bearer:
+      enabled: true
+      passthrough: true
+directory:
+  address: "directory.prod.aserto.com:8443"
+```
+
+## Transform config
+
+The transform config is being read from the tenant the users are being synced to. For this, a object type `scim_config` with id `scim_config` is being read. This config can be used to override the default values for the transformation templat, aswell as the transformation template used when syncing data.
+
+Sample `scim_config` and default values:
+```
+{
+  "group_mappings": [],
+  "group_member_relation": "member",
+  "group_object_type": "group",
+  "identity_object_type": "identity",
+  "identity_relation": "identifier",
+  "manager_relation": "manager",
+  "role_object_type": "group",
+  "role_relation": "member",
+  "source_group_type": "scim.2.0.group",
+  "source_user_type": "scim.2.0.user",
+  "template": "users-groups-roles-v1",
+  "user_mappings": [],
+  "user_object_type": "user"
+}
+```

docs/entra-id.md

@@ -0,0 +1,32 @@
+# Sync users from Entra ID (AzureAD)
+
+## Create the SCIM application
+To setup SCIM provisoning from Entra ID to Aserto, you need to create a new application in Entra ID. Please follow instructions on how to setup a new application:  https://learn.microsoft.com/en-us/entra/identity/app-provisioning/use-scim-to-provision-users-and-groups#getting-started
+
+When creating the application, set Tenant URL to https://scim.prod.aserto.com/?aadOptscim062020. The `aadOptscim062020` feature flag is required for SCIM 2.0 compliance (see https://learn.microsoft.com/en-us/entra/identity/app-provisioning/application-provisioning-config-problem-scim-compatibility#flags-to-alter-the-scim-behavior)
+
+For the secret token, you need your Tenant ID and your Directory read/write API Key. You can grab those from the Aserto Console. The secret token needs to be a base64 encoded string in the format `<tenant-id>:<api-key>`. 
+You can use the base64 command: `echo "tenantid:apikey" | base64`
+![Provisioning credentials](./img/credentials.png)
+
+## Provisioning users and groups
+Once the application was created, users and groups can be assigned to this application. Once a user/group was assigned, it becomes available for provisioning.
+To test the provisioning works, go to your SCIM app => Manage => Provisioning => Provision on demand, search for your user/group and click `Provision`
+Please note that automatic provisioning might take some time to trigger, see https://learn.microsoft.com/en-us/entra/identity/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user#how-long-will-it-take-to-provision-users
+
+## Provisioning roles
+Only application specific roles can be provisioned. For this, the provisioning scope needs to be set to `Sync only assigned users and groups`
+![Sync only assigned users and groups](./img/image.png)
+
+By default, roles are not mapped to any SCIM property. To add the mapping:
+1. open your SCIM app, go to Manage => Provisioning => Mappings => open Provision Microsoft Entra ID Users => on the bottom, toggle Show advanced options => Edit attribute list for customappsso
+2. on the bottom, add a new attribute called `roles`, type `String` and make sure `Multi-Value` is checked
+3. back on the Attribute Mapping page, Add New Mapping:
+    - Mapping type: `Expression`
+    - Expression: `AssertiveAppRoleAssignmentsComplex([appRoleAssignments])`
+    - Target attribute: select the new created attribute `roles`
+    ![attribute mapping](./img/role-mapping.png)
+    - click OK
+4. Save attribute mappings
+
+For more info on mappings, see https://learn.microsoft.com/en-us/entra/identity/app-provisioning/customize-application-attributes#provisioning-a-role-to-a-scim-app

docs/okta.md

@@ -0,0 +1,36 @@
+# Sync users from Okta
+
+## Setup Okta SCIM application
+
+1. Login to your okta admin console, go to Applications => Browse App Catalog, search for `SCIM 2.0 Test App (Basic Auth)` => Add Integration
+2. On the General Settings tab, set application label and click Next
+3. On the Sign-On Options you can leave all default values, scroll down and click Done
+4. On the application page, go to the Provisioning tab => Configure API Integration => Enable API Integration
+    - Set the SCIM 2.0 Base Url to https://scim.prod.aserto.com/
+    - Set Username to your Tenant ID
+    - Set Password to your Directory Read/Write API Key
+    - Test API Credentials
+    - Save
+5. Back on the Provisioning tab, on the To App Settings, click Edit, enable Create Users, Update User Attributes and Deactivate Users and Save
+
+## Provision users
+
+For provitining users, a user needs to be assigned to the SCIM application.
+1. Go to the Assignments tab
+2. Click on Assign => Assign to People => Assign wanted users and click Done.
+Your user should show up in the Aserto Directory
+Any updates to a property that is mapped to a SCIM attribute, should trigger a user update in Aserto.
+
+## Provision groups
+
+For provitining groups, a group needs to be assigned to the SCIM application.
+1. Go to the Assignments tab
+2. Click on Assign => Assign to People => Assign your group and click Done.
+3. Go to Push Groups tab => Push Groups => Frind groups by name => search for your group and click Save
+
+Groups and group membership should be provisioned now.
+
+## Troubleshooting
+Please note that any errors on provisioning groups will pause the group provisioning. If a group was provisioned, Okta does keep a state for that provisioned group, so removing it from Aserto before attempting to unlink it from the Okta app can cause issues. If this happens, the group needs to be unlinked and reassigned to the app.
+
+When provisioning groups and users, if a user is provisioned first and after that the group the user is part of, Okta might do 2 requests, when creating the group with the members already set, and then another PATCH request to add the user to the group members. This might cause an error, since the user was already added on the group create call. To not encounter this issue, make sure to provision the groups first.

pkg/common/assets/users-groups-roles-v1.tmpl

@@ -110,10 +110,11 @@
     }
     {{ end }}
     {{ end }}
-   {{ else }}
+  {{ else }}
    {{ $members := index .input "members" }}
     {{ if $members }}
-    {{ range $_, $member := $members }}
+    {{ range $i, $member := $members }}
+    {{ if $i }},{{ end }}
     {
       "object_type": "{{ $.vars.group_object_type }}",
       "object_id": "{{ $.input.displayName }}",

pkg/common/assets/users-groups-v1.tmpl

@@ -87,7 +87,8 @@
    {{ else }}
    {{ $members := index .input "members" }}
     {{ if $members }}
-    {{ range $_, $member := $members }}
+    {{ range $i, $member := $members }}
+    {{ if $i }},{{ end }}
     {
       "object_type": "{{ $.vars.group_object_type }}",
       "object_id": "{{ $.input.displayName }}",

pkg/common/patch.go

@@ -110,36 +110,46 @@ func HandlePatchOPRemove(objectProps scim.ResourceAttributes, op scim.PatchOpera
 func HandlePatchOPReplace(objectProps scim.ResourceAttributes, op scim.PatchOperation) (scim.ResourceAttributes, error) {
 	var err error
 
-	switch objectProps[op.Path.AttributePath.AttributeName].(type) {
-	case string:
-		objectProps[op.Path.AttributePath.AttributeName] = op.Value
-	case map[string]interface{}:
-		if op.Path.AttributePath.SubAttribute != nil {
-			objectProps[op.Path.AttributePath.AttributeName].(map[string]interface{})[*op.Path.AttributePath.SubAttribute] = op.Value
-		} else {
-			objectProps[op.Path.AttributePath.AttributeName] = op.Value
+	if op.Path == nil {
+		switch value := op.Value.(type) {
+		case map[string]interface{}:
+			for k, v := range value {
+				objectProps[k] = v
+			}
 		}
-	case []interface{}:
-		if op.Path.ValueExpression == nil {
+	} else {
+
+		switch objectProps[op.Path.AttributePath.AttributeName].(type) {
+		case string:
 			objectProps[op.Path.AttributePath.AttributeName] = op.Value
-		} else {
-			ftr, err := filter.ParseAttrExp([]byte(op.Path.ValueExpression.(*filter.AttributeExpression).String()))
-			if err != nil {
-				return nil, err
+		case map[string]interface{}:
+			if op.Path.AttributePath.SubAttribute != nil {
+				objectProps[op.Path.AttributePath.AttributeName].(map[string]interface{})[*op.Path.AttributePath.SubAttribute] = op.Value
+			} else {
+				objectProps[op.Path.AttributePath.AttributeName] = op.Value
 			}
+		case []interface{}:
+			if op.Path.ValueExpression == nil {
+				objectProps[op.Path.AttributePath.AttributeName] = op.Value
+			} else {
+				ftr, err := filter.ParseAttrExp([]byte(op.Path.ValueExpression.(*filter.AttributeExpression).String()))
+				if err != nil {
+					return nil, err
+				}
 
-			index := -1
-			if ftr.Operator == filter.EQ {
-				for i, v := range objectProps[op.Path.AttributePath.AttributeName].([]interface{}) {
-					originalValue := v.(map[string]interface{})
-					if originalValue[ftr.AttributePath.AttributeName].(string) == ftr.CompareValue {
-						index = i
+				index := -1
+				if ftr.Operator == filter.EQ {
+					for i, v := range objectProps[op.Path.AttributePath.AttributeName].([]interface{}) {
+						originalValue := v.(map[string]interface{})
+						if originalValue[ftr.AttributePath.AttributeName].(string) == ftr.CompareValue {
+							index = i
+						}
 					}
+					if index == -1 {
+						return nil, serrors.ScimErrorMutability
+					}
+					objectProps[op.Path.AttributePath.AttributeName].([]interface{})[index].(map[string]interface{})[*op.Path.SubAttribute] = op.Value
 				}
-				if index == -1 {
-					return nil, serrors.ScimErrorMutability
-				}
-				objectProps[op.Path.AttributePath.AttributeName].([]interface{})[index].(map[string]interface{})[*op.Path.SubAttribute] = op.Value
 			}
 		}
 	}

pkg/model/group.go

@@ -12,7 +12,7 @@ type Group struct {
 // A list of members of the Group.
 type GroupMember struct {
 	Value   string `json:"value"`
-	Ref     string `json:"$ref"`
-	Type    string `json:"type"`
+	Ref     string `json:"$ref,omitempty"`
+	Type    string `json:"type,omitempty"`
 	Display string `json:"display,omitempty"`
 }