Skip to content

Update Standard Logic App templates (June18)#144

Merged
himanshusainig merged 1 commit into
AzureAD:masterfrom
ggarima01:update-scim-20260618-1537
Jun 23, 2026
Merged

Update Standard Logic App templates (June18)#144
himanshusainig merged 1 commit into
AzureAD:masterfrom
ggarima01:update-scim-20260618-1537

Conversation

@ggarima01

@ggarima01 ggarima01 commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

Description

This PR adds the Federated Identity Test ( Federated_Identity_Test ) to the SCIM Logic App validation template, enabling end-to-end validation of Workload Identity Federation authentication flows.

Changes

 Orchestrator_Parameters.json :

• Added  Federated_Identity_Test  to the  EnabledTests  list.
• Added 7 new federated identity parameters:  federatedEntraTenantId ,  federatedApplicationId ,  federatedApplicationClientSecret ,  federatedTokenEndpoint ,  federatedClientId ,  federatedBaseAddress ,  federatedAudience  — with placeholder values and metadata descriptions.

 Orchestrator_Workflow.json :

• Added  federatedIdentityTestEnabled  flag to the test-enablement compose step.
• Added  federatedIdentityTestResult  to the test-results aggregation.
• Included  FederatedIdentityTestOutputs  in the  overallLogicAppResult  pass/fail evaluation.
• Added  Federated_Identity_Test  entry to  Final_TestResults  with result, error details, recommendation URL, and run link.

 SCIMTests_Workflow.json :

• Implemented the full  Federated_Identity_Test  action with two authentication paths:
RFC-7523 (default): Acquires an Entra token via client credentials, then exchanges it at the ISV's federated token endpoint using a JWT bearer assertion ( client_credentials  grant with  client_assertion ).
RFC-8693 (Google SA flow): Detects Google service account endpoints, performs a 3-step token exchange (Entra → Google STS token exchange → Google SA impersonation) before calling the ISV's SCIM endpoint.
• Both paths validate the final access token by making a GET request to the ISV's SCIM  /Users  endpoint and checking for a 2xx response.
• Includes comprehensive error handling with detailed error output at each step (Entra token, STS exchange, SA token, ISV token, SCIM call).
• Added  FederatedIdentityTestOutputs  to the workflow's local variables with SKIPPED defaults.

 VERSION :

• Bumped from  5.0  to  6.0 .

## Changes

Updates the Standard Logic App workflow definitions and parameters.

### Files modified
| File | Change |
|------|--------|
| `StandardLogicApp/Orchestrator_Parameters.json` | Updated |
| `StandardLogicApp/Orchestrator_Workflow.json` | Updated |
| `StandardLogicApp/SCIMTests_Workflow.json` | Updated |
| `StandardLogicApp/VERSION` | Bumped 5.0 → 6.0 |

### VERSION bump
Workflow JSON files changed → auto-bumped VERSION from **5.0** to **6.0**.

### Notes
- All JSON files validated (valid syntax, correct schema)
- CRLF normalized to LF
- Action counts unchanged (Orchestrator: 23, SCIMTests: 5)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@ggarima01

Copy link
Copy Markdown
Contributor Author

@ggarima01 please read the following Contributor License Agreement(CLA). If you agree with the CLA, please reply with the following information.

@microsoft-github-policy-service agree [company="{your company}"]

Options:

  • (default - no company specified) I have sole ownership of intellectual property rights to my Submissions and I am not making Submissions in the course of work for my employer.
@microsoft-github-policy-service agree
  • (when company given) I am making Submissions in the course of work for my employer (or my employer has intellectual property rights in my Submissions by contract or applicable law). I have permission from my employer to make Submissions and enter into this Agreement on behalf of my employer. By signing below, the defined term “You” includes me and my employer.
@microsoft-github-policy-service agree company="Microsoft"

Contributor License Agreement

@microsoft-github-policy-service agree company="Microsoft"

@himanshusainig himanshusainig merged commit e40ad0a into AzureAD:master Jun 23, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants