[GH-ISSUE #21280] issue: SCIM externalId is ignored during User Creation and Updates #34958

Closed
opened 2026-04-25 09:08:04 -05:00 by GiteaMirror · 2 comments

Originally created by @cyronis on GitHub (Feb 9, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/21280

Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!).
  • I am using the latest version of Open WebUI.

Installation Method

Git Clone

Open WebUI Version

0.7.2

Ollama Version (if applicable)

No response

Operating System

Ubuntu 22.04

Browser (if applicable)

No response

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

When creating or updating a user via the SCIM 2.0 API, the externalId provided in the request payload should be persisted in the database. Subsequent GET requests to the user endpoint should return the stored externalId. This is critical for Identity Provider (IdP) synchronization (e.g., Microsoft Entra ID / Azure AD), which relies on this field to map external directory objects to internal users.

Actual Behavior

The externalId is ignored by the backend. Even if a valid string is sent in a POST or PATCH request, the API response returns "externalId": null. The user is created or updated successfully, but the link to the external identity is lost, causing "Provision on Demand" or synchronization cycles in IdPs to fail or report inconsistencies.

Steps to Reproduce

Using a tool like Bruno or curl, send a POST request to /api/v1/scim/v2/Users with the following payload:

```json
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "externalId": "my-unique-external-id",
  "userName": "test.user@example.com",
  "displayName": "Test User",
  "name": { "givenName": "Test", "familyName": "User" },
  "emails": [{ "value": "test.user@example.com", "primary": true }],
  "active": true
}
```
Observe the HTTP 201 Created response.

Check the returned JSON: externalId is null instead of "my-unique-external-id".

Logs & Screenshots
Analysis of the source code (scim.py):
The issue is caused by a missing mapping in the SCIM router. While the Pydantic models (like SCIMUserCreateRequest) correctly include the externalId field, the actual database insertion logic does not:

```python
# Current implementation in scim.py
new_user = Users.insert_new_user(
    id=user_id,
    name=name,
    email=email,
    profile_image_url=profile_image,
    role="user" if user_data.active else "pending",
    db=db,
    # externalId is missing and therefore never saved to the DB
)
```
Additional Information
I am testing this using Microsoft Entra ID (Azure AD) Provisioning on Demand. The IdP expects the returned resource to reflect the externalId it just sent. Because OpenWebUI returns null, the synchronization state becomes unreliable.

Logs & Screenshots

N/A - Verified via API response and source code analysis

MICROSOFT_CLIENT_ID =
MICROSOFT_CLIENT_SECRET =
MICROSOFT_CLIENT_TENANT_ID =
MICROSOFT_REDIRECT_URI =
OPENID_PROVIDER_URL = https://login.microsoftonline.com/****/v2.0/.well-known/openid-configuration
OAUTH_SCOPE = openid email profile User.Read GroupMember.Read.All
OAUTH_EMAIL_CLAIM = email
ENABLE_OAUTH_ROLE_MANAGEMENT = true
OAUTH_ROLES_CLAIM = roles
ENABLE_OAUTH_GROUP_MANAGEMENT = true
ENABLE_OAUTH_GROUP_CREATION = true
OAUTH_GROUPS_CLAIM = groups
SCIM_ENABLED = TRUE
SCIM_TOKEN =

Additional Information

No response

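A minimal model of the SCIM create-user mapping this issue describes, added here as an example and not Open WebUI's own code: the mapping that drops externalId beside the corrected one, a serialiser that produces the resource a POST or GET would return, and a round-trip check an operator can run over a real SCIM response to detect the regression. InternalUser, create_user_from_scim, to_scim_resource and external_id_roundtrips are hypothetical names; the sample payload is constructed in the shape of the reproduction step above.

```python
from dataclasses import dataclass
from typing import Optional
import uuid

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

@dataclass
class InternalUser:  # hypothetical stand-in for Open WebUI's user row
    id: str
    name: str
    email: str
    role: str
    external_id: Optional[str] = None

def create_user_from_scim(payload: dict, keep_external_id: bool) -> InternalUser:
    """Map a SCIM 2.0 User create request onto the internal record.
    keep_external_id=False reproduces the field drop reported in the issue."""
    if SCIM_USER_SCHEMA not in payload.get("schemas", []):
        raise ValueError("payload is not a SCIM core User resource")
    emails = [e["value"] for e in payload.get("emails", []) if e.get("primary")]
    return InternalUser(
        id=str(uuid.uuid4()),
        name=payload.get("displayName") or payload["userName"],
        email=emails[0] if emails else payload["userName"],
        role="user" if payload.get("active", True) else "pending",
        external_id=payload.get("externalId") if keep_external_id else None,
    )

def to_scim_resource(user: InternalUser) -> dict:
    """Serialise the stored record as the SCIM User a POST/GET response returns."""
    return {"schemas": [SCIM_USER_SCHEMA], "id": user.id,
            "externalId": user.external_id, "userName": user.email,
            "displayName": user.name, "active": user.role == "user",
            "emails": [{"value": user.email, "primary": True}]}

def external_id_roundtrips(request: dict, response: dict) -> bool:
    """True when the externalId the IdP sent comes back unchanged; a null here is
    the inconsistency that makes Entra ID provisioning state unreliable."""
    sent = request.get("externalId")
    return sent is None or response.get("externalId") == sent

# Constructed sample with the same shape as the issue's reproduction payload.
SAMPLE_REQUEST = {"schemas": [SCIM_USER_SCHEMA], "externalId": "my-unique-external-id",
                  "userName": "test.user@example.com", "displayName": "Test User",
                  "name": {"givenName": "Test", "familyName": "User"},
                  "emails": [{"value": "test.user@example.com", "primary": True}],
                  "active": True}
```

To check a live deployment, feed the JSON you sent and the JSON the server returned to external_id_roundtrips; a False result with a non-null request value is the behaviour this issue reports.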
GiteaMirror added the bug label 2026-04-25 09:08:04 -05:00

@guenhter commented on GitHub (Feb 10, 2026):

Will hopefully be fixed by https://github.com/open-webui/open-webui/pull/21099


@tjbck commented on GitHub (Feb 13, 2026):

Should be addressed in dev, let us know if the issue persists!


Reference: github-starred/open-webui#34958