Skip to content

[Web] Add SCIM 2.0 provider for IdP user provisioning #7148

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Fly7113 wants to merge 6 commits into
base: staging
Choose a base branch
from
Open

[Web] Add SCIM 2.0 provider for IdP user provisioning #7148

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
88bf045
[Web] Add SCIM 2.0 provider for IdP user provisioning
Fly7113 Mar 16, 2026
086a0fa
Restored the original protocol detection, updated SCIM URL composition
Fly7113 Mar 19, 2026
8005ed3
[Web] Remove redundant skip_ip_check from SCIM tokens
Fly7113 Mar 22, 2026
9e45408
[SCIM] Add per-token mailcow_template attribute -> template mapping
Fly7113 Mar 22, 2026
a06731f
Adjust “require_once” location
Fly7113 Mar 31, 2026
4d3f99f
Fix SCIM option not available when editing mailbox
Fly7113 Mar 31, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions data/conf/nginx/templates/sites-default.conf.j2
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -104,6 +104,10 @@ location ~ ^/api/v1/(.*)$ {
try_files $uri $uri/ /json_api.php?query=$1&$args;
}

location ~ ^/scim/v2/(.*)$ {
try_files $uri $uri/ /scim.php?path=$1&$args;
}

location ~ ^/cache/(.*)$ {
try_files $uri $uri/ /resource.php?file=$1;
}
Expand Down
8 changes: 8 additions & 0 deletions data/web/admin/system.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -86,6 +86,11 @@
$f2b_data = fail2ban('get');
// mbox templates
$mbox_templates = mailbox('get', 'mailbox_templates');
// SCIM
$scim_tokens = scim_token('get_all');
$scim_new_token = $_SESSION['scim_new_token'] ?? null;
$scim_base_url = getBaseUrl() . '/scim/v2/';
unset($_SESSION['scim_new_token']);

$template = 'admin.twig';
$template_data = [
Expand Down Expand Up @@ -121,6 +126,9 @@
'is_https' => isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on',
'iam_settings' => $iam_settings,
'mbox_templates' => $mbox_templates,
'scim_tokens' => $scim_tokens,
'scim_new_token' => $scim_new_token,
'scim_base_url' => $scim_base_url,
'lang_admin' => json_encode($lang['admin']),
'lang_datatables' => json_encode($lang['datatables'])
];
Expand Down
1 change: 1 addition & 0 deletions data/web/edit.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -139,6 +139,7 @@
'user_acls' => acl('get', 'user', $mailbox),
'mailbox_details' => $result,
'iam_settings' => $iam_settings,
'scim_tokens' => scim_token('get_all'),
];
}
}
Expand Down
57 changes: 57 additions & 0 deletions data/web/inc/functions.auth.inc.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -429,6 +429,63 @@ function user_login($user, $pass, $extra = null){
}
}
break;
case 'scim':
// SCIM is a provisioning protocol; authentication is handled by the configured IAM provider.
// If LDAP is the IAM, verify credentials against LDAP directly.
if ($iam_settings['authsource'] === 'ldap') {
$result = ldap_mbox_login($user, $pass, array('is_internal' => $is_internal));
if ($result !== false) {
$stmt = $pdo->prepare("SELECT * FROM `mailbox`
INNER JOIN domain on mailbox.domain = domain.domain
WHERE `kind` NOT REGEXP 'location|thing|group'
AND `mailbox`.`active`='1'
AND `domain`.`active`='1'
AND `username` = :user");
$stmt->execute(array(':user' => $user));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if (empty($row)) {
return false;
}
$row['attributes'] = json_decode($row['attributes'], true);
$authenticators = get_tfa($user);
if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0 && !$is_internal) {
$_SESSION['pending_mailcow_cc_username'] = $user;
$_SESSION['pending_mailcow_cc_role'] = "user";
$_SESSION['pending_tfa_methods'] = $authenticators['additional'];
unset($_SESSION['ldelay']);
$_SESSION['return'][] = array(
'type' => 'success',
'log' => array(__FUNCTION__, $user, '*', 'Provider: LDAP (SCIM user)'),
'msg' => array('logged_in_as', $user)
);
return "pending";
} else if (!isset($authenticators['additional']) || !is_array($authenticators['additional']) || count($authenticators['additional']) == 0) {
if (!$is_internal) {
unset($_SESSION['ldelay']);
$stmt = $pdo->prepare("UPDATE `tfa` SET `active`='1' WHERE `username` = :user");
$stmt->execute(array(':user' => $user));
if (intval($row['attributes']['force_tfa']) == 1 && !tfa_exists($user)) {
$_SESSION['pending_tfa_setup'] = true;
}
$_SESSION['return'][] = array(
'type' => 'success',
'log' => array(__FUNCTION__, $user, '*', 'Provider: LDAP (SCIM user)'),
'msg' => array('logged_in_as', $user)
);
}
return "user";
}
}
return $result;
}
// For OIDC-based providers (Keycloak, Generic-OIDC), login goes through verify-sso, not here.
$_SESSION['return'][] = array(
'type' => 'danger',
'log' => array(__FUNCTION__, $user, 'SCIM account must authenticate via the configured identity provider'),
'msg' => 'login_failed'
);
return false;
break;
}

return false;
Expand Down
2 changes: 1 addition & 1 deletion data/web/inc/functions.inc.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2866,7 +2866,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
$stmt->execute(array(':user' => $info['email']));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row){
if (!in_array($row['authsource'], array("keycloak", "generic-oidc"))) {
if (!in_array($row['authsource'], array("keycloak", "generic-oidc", "scim"))) {
clear_session();
$_SESSION['return'][] = array(
'type' => 'danger',
Expand Down
10 changes: 6 additions & 4 deletions data/web/inc/functions.mailbox.inc.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1053,7 +1053,8 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
return false;
}
if ($_data['authsource'] == "mailcow" ||
in_array($_data['authsource'], array('keycloak', 'generic-oidc', 'ldap')) && $iam_settings['authsource'] == $_data['authsource']){
in_array($_data['authsource'], array('keycloak', 'generic-oidc', 'ldap')) && $iam_settings['authsource'] == $_data['authsource'] ||
$_data['authsource'] == 'scim'){
$authsource = $_data['authsource'];
}
if (empty($name)) {
Expand Down Expand Up @@ -1122,7 +1123,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
}
$quota_b = ($quota_m * 1048576);
$attribute_hash = (!empty($_data['attribute_hash'])) ? $_data['attribute_hash'] : '';
if (in_array($authsource, array('keycloak', 'generic-oidc', 'ldap'))){
if (in_array($authsource, array('keycloak', 'generic-oidc', 'ldap', 'scim'))){
$force_pw_update = 0;
}
if ($authsource == 'generic-oidc'){
Expand Down Expand Up @@ -3149,10 +3150,11 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
$attribute_hash = (!empty($_data['attribute_hash'])) ? $_data['attribute_hash'] : '';
$authsource = $is_now['authsource'];
if ($_data['authsource'] == "mailcow" ||
in_array($_data['authsource'], array('keycloak', 'generic-oidc', 'ldap')) && $iam_settings['authsource'] == $_data['authsource']){
in_array($_data['authsource'], array('keycloak', 'generic-oidc', 'ldap')) && $iam_settings['authsource'] == $_data['authsource'] ||
$_data['authsource'] == 'scim'){
$authsource = $_data['authsource'];
}
if (in_array($authsource, array('keycloak', 'generic-oidc', 'ldap'))){
if (in_array($authsource, array('keycloak', 'generic-oidc', 'ldap', 'scim'))){
$force_pw_update = 0;
}
if ($authsource == 'generic-oidc'){
Expand Down
Loading